Add support for ovn bgp agent
Conflict:
deployment/frr/frr-container-ansible.yaml
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/834144
Change-Id: Iba6492dad085cec94a93acf119666b0d5c67306e
Co-Authored-By: Carlos Goncalves <cgoncalves@redhat.com>
Co-Authored-By: Luis Tomas Bolivar <ltomasbo@redhat.com>
(cherry picked from commit 0fa959acb8
)
This commit is contained in:
parent
89f6aec9c3
commit
5096c4757f
|
@ -7,6 +7,9 @@ parameters:
|
|||
ContainerFrrImage:
|
||||
description: The container image for Frr
|
||||
type: string
|
||||
ContainerOvnBgpAgentImage:
|
||||
description: The container image for the BGP Agent
|
||||
type: string
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
|
@ -30,6 +33,24 @@ parameters:
|
|||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnBgpAgentCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
FrrBfdEnabled:
|
||||
default: false
|
||||
description: Enable Bidirectional Forwarding Detection
|
||||
|
@ -136,10 +157,56 @@ parameters:
|
|||
description: Either peer with internal (iBGP) or external (eBGP) neighbors.
|
||||
constraints:
|
||||
- allowed_values: ['internal', 'external']
|
||||
NeutronBridgeMappings:
|
||||
description: >
|
||||
The OVS logical->physical bridge mappings to use. See the Neutron
|
||||
documentation for details. Defaults to mapping br-ex - the external
|
||||
bridge on hosts - to a physical name 'datacentre' which can be used
|
||||
to create provider networks (and we use this for the default floating
|
||||
network) - if changing this either use different post-install network
|
||||
scripts or be sure to keep 'datacentre' as a mapping network name.
|
||||
type: comma_delimited_list
|
||||
default: "datacentre:br-ex"
|
||||
tags:
|
||||
- role_specific
|
||||
FrrOvnBgpAgentDriver:
|
||||
description: >
|
||||
Configures how VM IPs are advertised via BGP. EVPN driver exposes VM IPs
|
||||
on provider networks and FIPs associated to VMs on tenant networks via
|
||||
MP-BGP IPv4 and IPv6 unicast. BGP driver exposes VM IPs on the tenant
|
||||
networks via MP-BGP EVPN VXLAN.
|
||||
type: string
|
||||
default: 'ovn_evpn_driver'
|
||||
constraints:
|
||||
- allowed_values: [ 'ovn_bgp_driver', 'ovn_evpn_driver' ]
|
||||
tags:
|
||||
- role_specific
|
||||
FrrOvnBgpAgentExposeTenantNetworks:
|
||||
description: >
|
||||
Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast.
|
||||
Requires the BGP driver (see THT parameter FrrOvnBgpAgentDriver).
|
||||
type: boolean
|
||||
default: false
|
||||
FrrOvnBgpAgentAsn:
|
||||
default: 64999
|
||||
description: >
|
||||
Autonomous System Number to be used by the agent when running in BGP
|
||||
mode.
|
||||
type: number
|
||||
FrrOvnBgpAgentOvsdbConnection:
|
||||
default: 'tcp:127.0.0.1:6640'
|
||||
description: >
|
||||
The connection string for the native OVSDB backend. Use tcp:IP:PORT
|
||||
for TCP connection.
|
||||
type: string
|
||||
|
||||
conditions:
|
||||
key_size_override_set:
|
||||
not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the FRR service
|
||||
description: Role data for the FRR and OVN BGP Agent services
|
||||
value:
|
||||
service_name: frr
|
||||
config_settings:
|
||||
|
@ -181,7 +248,34 @@ outputs:
|
|||
- path: /run/frr
|
||||
owner: frr:frrvty
|
||||
recurse: true
|
||||
|
||||
/var/lib/kolla/config_files/ovn_bgp_agent.json:
|
||||
command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent
|
||||
config_files:
|
||||
- source: "/var/lib/kolla/config_files/src/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
permissions:
|
||||
- path: /etc/ovn-bgp-agent
|
||||
owner: neutron:neutron
|
||||
recurse: true
|
||||
- path: /var/log/ovn-bgp-agent
|
||||
owner: neutron:neutron
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/ovn_bgp_agent.crt
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
- path: /etc/pki/tls/private/ovn_bgp_agent.key
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0640'
|
||||
metadata_settings:
|
||||
if:
|
||||
- {get_param: EnableInternalTLS}
|
||||
- - service: ovn_bgp_agent
|
||||
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
type: node
|
||||
docker_config:
|
||||
# NOTE: Create container-startup-config file in step 0 so that TripleO
|
||||
# does not auto-start the FRR container (it does so for containers in
|
||||
|
@ -217,6 +311,76 @@ outputs:
|
|||
- /run/frr:/run/frr:shared,z
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
step_5:
|
||||
ovn_bgp_agent:
|
||||
start_order: 0
|
||||
image: {get_param: ContainerOvnBgpAgentImage}
|
||||
net: host
|
||||
pid: host
|
||||
cgroupns: host
|
||||
restart: always
|
||||
privileged: true
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
# We cannot bind mount the InternalTLSCAFile as freeipa might not
|
||||
# be reachable without frr
|
||||
volumes:
|
||||
list_concat:
|
||||
-
|
||||
- /etc/hosts:/etc/hosts:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- /dev/log:/dev/log
|
||||
- /etc/iproute2:/etc/iproute2
|
||||
# OpenSSL trusted CAs
|
||||
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
|
||||
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
|
||||
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
|
||||
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
|
||||
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
|
||||
- /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro
|
||||
- /run/frr:/run/frr:shared,z
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
- if:
|
||||
- {get_param: EnableInternalTLS}
|
||||
-
|
||||
- list_join:
|
||||
- ':'
|
||||
- - {get_param: InternalTLSCAFile}
|
||||
- {get_param: InternalTLSCAFile}
|
||||
- 'ro'
|
||||
- /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt
|
||||
- /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ovn_bgp_agent
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_set
|
||||
- {get_param: OvnBgpAgentCertificateKeySize}
|
||||
- {get_param: CertificateKeySize}
|
||||
ca: ipa
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
@ -228,6 +392,8 @@ outputs:
|
|||
- { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
|
||||
pre_deploy_step_tasks:
|
||||
- name: Configure FRR
|
||||
import_role:
|
||||
|
@ -253,6 +419,12 @@ outputs:
|
|||
tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate}
|
||||
tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers}
|
||||
tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope}
|
||||
tripleo_frr_ovn_bgp_agent_bridge_mappings: {get_param: NeutronBridgeMappings}
|
||||
tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS}
|
||||
tripleo_frr_ovn_bgp_agent_driver: {get_param: FrrOvnBgpAgentDriver}
|
||||
tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_param: FrrOvnBgpAgentExposeTenantNetworks}
|
||||
tripleo_frr_ovn_bgp_agent_bgp_as: {get_param: FrrOvnBgpAgentAsn}
|
||||
tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_param: FrrOvnBgpAgentOvsdbConnection}
|
||||
- name: Start FRR
|
||||
include_role:
|
||||
name: tripleo_container_manage
|
||||
|
|
|
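Review bot: The service certificate and private key bind mounts at `/etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt` and `/etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key` in the step_5 ovn_bgp_agent volumes carry no `:ro` suffix, while the InternalTLSCAFile mount beside them is joined with `'ro'`; the container also runs `privileged: true` with host network and PID namespaces, so read-only mounts are the expected defence-in-depth default for a key the agent only needs to read. Unless the agent rewrites these files, append `:ro` to both lines, and since the kolla `permissions` entries for the same two paths chown them to neutron:neutron at container start, confirm that this chown is still needed (and succeeds) on a read-only bind mount or move ownership handling into the certificate generation task. Separately, the `FrrOvnBgpAgentDriver` description appears to have its two halves swapped: it says the EVPN driver uses MP-BGP IPv4/IPv6 unicast and the BGP driver uses EVPN VXLAN, whereas `FrrOvnBgpAgentExposeTenantNetworks` just below ties unicast exposure to the BGP driver, so it should presumably read `BGP driver exposes VM IPs on provider networks and FIPs associated to VMs on tenant networks via MP-BGP IPv4 and IPv6 unicast. EVPN driver exposes VM IPs on the tenant networks via MP-BGP EVPN VXLAN.`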
@ -7,3 +7,7 @@ parameter_defaults:
|
|||
# that early in the deployment (i.e. BGP needs to be up and functional for that to work)
|
||||
ValidateControllersIcmp: false
|
||||
ValidateGatewaysIcmp: false
|
||||
# Needed for the BGP Agent
|
||||
KernelIpForward: 1
|
||||
KernelIpv6ConfAllForwarding: 1
|
||||
KernelIpv4ConfAllRpFilter: 2
|
||||
|
|
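Review bot: The comment `# Needed for the BGP Agent` above the three new kernel parameters does not say what each one enables, and `KernelIpv4ConfAllRpFilter: 2` in particular switches reverse-path filtering to loose mode on all interfaces of every node this environment is applied to, which is a weaker anti-spoofing setting than strict mode (1). Presumably loose mode is required because routes learned and advertised over BGP make return paths asymmetric; if so, state it in the comment, e.g. `# Loose rp_filter (2): BGP-learned routes make return paths asymmetric and strict mode would drop them`, and note that the two forwarding sysctls turn every host into an IPv4/IPv6 router. If strict mode can be kept on interfaces that do not carry BGP-routed traffic, scoping the relaxation to the BGP-facing interfaces would be preferable to the `all` knob.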