Define Octavia SSH key name and file path

This will enable Octavia Ansible roles in tripleo-common to get these
values and configure keys for accessing Octavia amphorae via SSH.

This patch also makes the Octavia username and project name
configurable.

Change-Id: I80aa324254e6837e8d3c39e9d05a5e152783f0bb

docker/services/octavia/octavia-deployment-config.yaml

@@ -47,6 +47,18 @@ parameters:
     default: 'amphora-image'
     description: Glance image tag for identifying the amphora image.
     type: string
+  OctaviaAmphoraSshKeyName:
+    type: string
+    default: 'octavia-ssh-key'
+    description: SSH key name.
+  OctaviaAmphoraSshKeyFile:
+    type: string
+    default: '/home/stack/.ssh/id_rsa.pub'
+    description: Public key file path. User will be able to SSH into amphorae
+      with the provided key. User may, in most cases, also elevate to root
+      from user 'centos' (CentOS), 'ubuntu' (Ubuntu) or 'cloud-user' (RHEL)
+      (depends on how amphora image was created). Logging in to amphorae
+      provides a convenient way to e.g. debug load balancing services.
   OctaviaControlNetwork:
     description: The name for the neutron network used for the amphora
                  control network
@@ -114,6 +126,18 @@ parameters:
     description: The password for the keystone admin account, used for monitoring, querying neutron etc.
     type: string
     hidden: true
+  OctaviaUserName:
+    description: The username for the Octavia database and keystone accounts.
+    type: string
+    default: 'octavia'
+  OctaviaPassword:
+    description: The password for the Octavia database and keystone accounts.
+    type: string
+    hidden: true
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'
 
 outputs:
   role_data:
@@ -135,6 +159,11 @@ outputs:
               amp_image_name: { get_param: OctaviaAmphoraImageName }
               amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
               amp_image_tag: { get_param: OctaviaAmphoraImageTag }
+              amp_ssh_key_name: { get_param: OctaviaAmphoraSshKeyName }
+              amp_ssh_key_path: { get_param: OctaviaAmphoraSshKeyFile }
+              auth_username: { get_param: OctaviaUserName }
+              auth_password: { get_param: OctaviaPassword }
+              auth_project_name: { get_param: OctaviaProjectName }
               lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
               lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
               lb_sec_group_name: { get_param: OctaviaControlSubnet }

puppet/services/octavia-api.yaml

@@ -30,10 +30,18 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  OctaviaUserName:
+    description: The username for the Octavia database and keystone accounts.
+    type: string
+    default: 'octavia'
   OctaviaPassword:
-    description: The password for the Octavia's database account.
+    description: The password for the Octavia database and keystone accounts.
     type: string
     hidden: true
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'
   KeystoneRegion:
     type: string
     default: 'regionOne'
@@ -79,7 +87,7 @@ outputs:
             octavia::db::database_connection:
               make_url:
                 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
-                username: octavia
+                username: {get_param: OctaviaUserName}
                 password: {get_param: OctaviaPassword}
                 host: {get_param: [EndpointMap, MysqlInternal, host]}
                 path: /octavia
@@ -87,7 +95,7 @@ outputs:
                   read_default_file: /etc/my.cnf.d/tripleo.cnf
                   read_default_group: tripleo
             octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            octavia::keystone::authtoken::project_name: 'service'
+            octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
             octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
             octavia::api::sync_db: true
             tripleo.octavia_api.firewall_rules:
@@ -110,7 +118,7 @@ outputs:
           tripleo_fluentd_sources_octavia_api:
             - {get_param: OctaviaApiLoggingSource}
         keystone:
-          octavia::keystone::auth::tenant: 'service'
+          octavia::keystone::auth::tenant: {get_param: OctaviaProjectName}
           octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]}
           octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] }
           octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] }
@@ -118,7 +126,7 @@ outputs:
           octavia::keystone::auth::region: {get_param: KeystoneRegion}
         mysql:
           octavia::db::mysql::password: {get_param: OctaviaPassword}
-          octavia::db::mysql::user: octavia
+          octavia::db::mysql::user: {get_param: OctaviaUserName}
           octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
           octavia::db::mysql::dbname: octavia
           octavia::db::mysql::allowed_hosts:

puppet/services/octavia-base.yaml

@@ -70,10 +70,18 @@ parameters:
     description: Driver or drivers to handle sending notifications.
     constraints:
       - allowed_values: [ 'messagingv2', 'noop' ]
+  OctaviaUserName:
+    description: The username for the Octavia database and keystone accounts.
+    type: string
+    default: 'octavia'
   OctaviaPassword:
-    description: The password for the Octavia's database account.
+    description: The password for the Octavia database and keystone accounts.
     type: string
     hidden: true
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'
   OctaviaCaCertFile:
     type: string
     default: '/etc/octavia/certs/ca_01.pem'
@@ -125,9 +133,9 @@ outputs:
              octavia::rabbit_port: {get_param: RabbitClientPort}
              octavia::service_auth::auth_url: {get_param: [EndpointMap, KeystonePublic, uri]}
              octavia::service_auth::auth_type: 'password'
-             octavia::service_auth::username: 'octavia'
+             octavia::service_auth::username: {get_param: OctaviaUsername}
              octavia::service_auth::password: {get_param: OctaviaPassword}
-             octavia::service_auth::project_name: 'service'
+             octavia::service_auth::project_name: {get_param: OctaviaProjectName}
              octavia::service_auth::project_domain_name: 'Default'
              octavia::service_auth::user_domain_name: 'Default'
              octavia::service_auth::auth_type: 'password'

puppet/services/octavia-health-manager.yaml

@@ -85,6 +85,3 @@ outputs:
             - {get_param: OctaviaHealthManagerLoggingSource}
       step_config: |
         include tripleo::profile::base::octavia::health_manager
-
-
-

puppet/services/octavia-housekeeping.yaml

@@ -84,5 +84,3 @@ outputs:
             - {get_param: OctaviaHousekeepingLoggingSource}
       step_config: |
         include tripleo::profile::base::octavia::housekeeping
-
-

puppet/services/octavia-worker.yaml

@@ -46,6 +46,10 @@ parameters:
     default: []
     description: List of networks to attach to amphorae.
     type: comma_delimited_list
+  OctaviaAmphoraSshKeyName:
+    type: string
+    default: 'octavia-ssh-key'
+    description: SSH key name.
   OctaviaLoadBalancerTopology:
     default: ''
     description: Load balancer topology configuration.
@@ -76,6 +80,10 @@ parameters:
                  a file on the host with the path provided in OctaviaClientCertFile
                  with the certificate data.
     type: string
+  OctaviaProjectName:
+    description: The project name for the keystone Octavia account.
+    type: string
+    default: 'service'
 
 conditions:
   octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]}
@@ -104,13 +112,14 @@ outputs:
           - get_attr: [OctaviaBase, role_data, config_settings]
           - octavia::worker::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
             octavia::worker::amp_flavor_id: {get_param: OctaviaFlavorId}
+            octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
+            octavia::worker::amp_project_name: {get_param: OctaviaProjectName}
+            octavia::worker::amp_ssh_key_name: {get_param: OctaviaAmphoraSshKeyName}
             octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
             octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
             octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
+            octavia::worker::enable_ssh_access: true
             octavia::certificates::client_cert: {get_param: OctaviaClientCertFile}
-            octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
-            octavia::worker::amp_project_name: 'service'
-            octavia::worker::enable_ssh_access: false
           -
             if:
             - octavia_topology_unset

releasenotes/notes/octavia-amphora-ssh-245a21a35598440a.yaml

@@ -0,0 +1,3 @@
+---
+features:
+  - Allow users to specify SSH name and public key to add to Octavia amphorae.