Run Octavia configuration on the overcloud

Fully configuring Octavia requires resources such as the load balancer
management network and amphora image to be created in the overcloud
during deployment. This is handled through some ansible driven through a
mistral workflow. This patch enables configuring and triggering this
workflow from heat.

Co-Authored-By: Brent Eagles <beagles@redhat.com>
Depends-on: If07ded033be9f44b7c7a7e09214032fa89a02e77

Change-Id: I2d10dbd33b3a0ed0463096849d01aa2c1b9f293e

docker/services/octavia-worker.yaml

@@ -66,7 +66,10 @@ outputs:
         config_volume: octavia
         puppet_tags: octavia_config
         step_config:
-          get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]
+          list_join:
+            - "\n"
+            - - "['nova_flavor'].each |String $val| { noop_resource($val) }"
+              - {get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]}
         config_image: {get_param: DockerOctaviaConfigImage}
       kolla_config:
         /var/lib/kolla/config_files/octavia_worker.json:
@@ -108,6 +111,15 @@ outputs:
                   - /var/log/containers/octavia:/var/log/octavia
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      docker_puppet_tasks:
+        step_5:
+          config_volume: octavia
+          puppet_tags: nova_flavor
+          step_config:
+            get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]
+          config_image: {get_param: DockerOctaviaConfigImage}
+          volumes:
+            - /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
       host_prep_tasks:
         - name: create persistent logs directory
           file:
@@ -120,6 +132,13 @@ outputs:
               Log files from octavia containers can be found under
               /var/log/containers/octavia and /var/log/containers/httpd/octavia-api.
           ignore_errors: true
+        - name: Ensure packages required for configuring octavia are present
+          yum: name={{item}}  state=present
+          tags: step4
+          with_items:
+            - python2-neutronclient
+            - python2-openstackclient
+            - openssl
       upgrade_tasks:
         - name: Stop and disable octavia_worker service
           when: step|int == 2

docker/services/octavia/octavia-deployment-config.yaml

@@ -0,0 +1,155 @@
+heat_template_version: pike
+
+description: >
+  Configuration of Octavia as-a-service resources in the overcloud.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  OctaviaPostWorkflowName:
+    description: Mistral workflow name for octavia configuration steps
+                 once the overcloud is ready.
+    type: string
+    default: 'tripleo.octavia_post.v1.octavia_post_deploy'
+  OctaviaAmphoraImageName:
+    description: The glance image name used when spawning amphorae
+    type: string
+    default: 'octavia-amphora'
+  OctaviaAmphoraImageFilename:
+    description: Filename for the amphora image
+    type: string
+    default: '/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2'
+  OctaviaAmphoraImageTag:
+    default: 'amphora-image'
+    description: Glance image tag for identifying the amphora image.
+    type: string
+  OctaviaControlNetwork:
+    description: The name for the neutron network used for the amphora
+                 control network
+    type: string
+    default: 'lb-mgmt-net'
+  OctaviaControlSubnet:
+    description: The name for the neutron subnet used for the amphora
+      control network
+    type: string
+    default: 'lb-mgmt-subnet'
+  OctaviaControlSecurityGroup:
+    description: The name for the neutron security group used to
+      control access on the amphora control network
+    type: string
+    default: 'lb-mgmt-sec-group'
+  OctaviaControlSubnetCidr:
+    description: Subnet for amphora control subnet in CIDR form.
+    type: string
+    default: '192.168.199.0/24'
+  OctaviaControlSubnetGateway:
+    description: IP address for control network gateway
+    type: string
+    default: '192.168.199.1'
+  OctaviaControlSubnetPoolStart:
+    description: First address in amphora control subnet address
+                 pool.
+    type: string
+    default: '192.168.199.50'
+  OctaviaControlSubnetPoolEnd:
+    description: First address in amphora control subnet address
+                 pool.
+    type: string
+    default: '192.168.199.200'
+  OctaviaCaCertFile:
+    type: string
+    default: '/etc/octavia/certs/ca_01.pem'
+    description: Octavia CA certificate file path.
+  OctaviaCaKeyFile:
+    type: string
+    default: '/etc/octavia/certs/private/cakey.pem'
+    description: Octavia CA private key file path.
+  OctaviaCaKeyPassphrase:
+    description: CA private key passphrase.
+    type: string
+    hidden: true
+  OctaviaClientCertFile:
+    default: '/etc/octavia/certs/client.pem'
+    description: client certificate for amphoras
+    type: string
+  OctaviaGenerateCerts:
+    type: boolean
+    default: false
+    description: Enable internal generation of certificates for secure
+                 communication with amphorae for isolated private clouds or
+                 systems where security is not a concern. Otherwise, use
+                 OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
+                 OctaviaClientCert to configure Octavia.
+  OctaviaMgmtPortDevName:
+    type: string
+    default: "o-hm0"
+    description: Name of the octavia management network interface using
+                 for communication between octavia worker/health-manager
+                 with the amphora machine.
+  AdminPassword:
+    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+    type: string
+    hidden: true
+
+outputs:
+  role_data:
+    description: Role data for the Octavia configuration service
+    value:
+      service_name: octavia_deployment_config
+      upgrade_tasks: []
+      puppet_config:
+        config_image: ''
+        config_volume: ''
+        step_config: ''
+      docker_config: {}
+      config_settings: {}
+      workflow_tasks:
+        step5:
+          - name: octavia_post_workflow
+            workflow: { get_param: OctaviaPostWorkflowName }
+            input:
+              amp_image_name: { get_param: OctaviaAmphoraImageName }
+              amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
+              amp_image_tag: { get_param: OctaviaAmphoraImageTag }
+              lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
+              lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
+              lb_sec_group_name: { get_param: OctaviaControlSubnet }
+              lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr }
+              lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway }
+              lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart }
+              lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
+              ca_cert_path: { get_param: OctaviaCaCertFile }
+              ca_private_key_path: { get_param: OctaviaCaKeyFile }
+              ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
+              client_cert_path: { get_param: OctaviaClientCertFile }
+              generate_certs: { get_param: OctaviaGenerateCerts }
+              mgmt_port_dev: { get_param: OctaviaMgmtPortDevName }
+              overcloud_password: { get_param: AdminPassword }
+              overcloud_project: 'admin'
+              overcloud_admin: 'admin'
+              octavia_ansible_playbook: '/usr/share/tripleo-common/playbooks/octavia-files.yaml'
+              overcloud_pub_auth_uri: { get_param: [EndpointMap, KeystoneV3Public, uri] }

environments/services-docker/octavia.yaml

@@ -3,11 +3,14 @@ resource_registry:
   OS::TripleO::Services::OctaviaHousekeeping: ../../docker/services/octavia-housekeeping.yaml
   OS::TripleO::Services::OctaviaHealthManager: ../../docker/services/octavia-health-manager.yaml
   OS::TripleO::Services::OctaviaWorker: ../../docker/services/octavia-worker.yaml
+  OS::TripleO::Services::OctaviaDeploymentConfig: ../../docker/services/octavia/octavia-deployment-config.yaml
 
 parameter_defaults:
     NeutronServicePlugins: "qos,router,trunk,lbaasv2"
     NeutronEnableForceMetadata: true
-    OctaviaCaCertFile: '/etc/octavia/certs/ca_01.pem'
-    OctaviaCaKeyFile: '/etc/octavia/certs/private/cakey.pem'
-    OctaviaCaKeyPassphrase: 'foobar'
-    OctaviaClientCertFile: '/etc/octavia/certs/client.pem'
+
+    # This flag enables internal generation of certificates for communication
+    # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
+    # and OctaviaClient cert to configure secure production environments.
+    OctaviaGenerateCerts: true
+

overcloud-resource-registry-puppet.j2.yaml

@@ -303,6 +303,7 @@ resource_registry:
   OS::TripleO::Services::OctaviaHealthManager: OS::Heat::None
   OS::TripleO::Services::OctaviaHousekeeping: OS::Heat::None
   OS::TripleO::Services::OctaviaWorker: OS::Heat::None
+  OS::TripleO::Services::OctaviaDeploymentConfig: OS::Heat::None
   OS::TripleO::Services::MySQLClient: puppet/services/database/mysql-client.yaml
   OS::TripleO::Services::Vpp: OS::Heat::None
   OS::TripleO::Services::NeutronVppAgent: OS::Heat::None

puppet/services/octavia-worker.yaml

@@ -60,7 +60,7 @@ parameters:
     description: Dictionary describing the nova flavor for amphora.
     type: json
   OctaviaManageNovaFlavor:
-    default: false
+    default: true
     description: Configure the nova flavor for the amphora.
     type: boolean
   OctaviaClientCertFile:

roles/Controller.yaml

@@ -120,6 +120,7 @@
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::ContainersLogrotateCrond
     - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
     - OS::TripleO::Services::OctaviaHealthManager
     - OS::TripleO::Services::OctaviaHousekeeping
     - OS::TripleO::Services::OctaviaWorker

roles/ControllerNoCeph.yaml

@@ -116,6 +116,7 @@
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::ContainersLogrotateCrond
     - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
     - OS::TripleO::Services::OctaviaHealthManager
     - OS::TripleO::Services::OctaviaHousekeeping
     - OS::TripleO::Services::OctaviaWorker

roles/ControllerOpenstack.yaml

@@ -94,6 +94,7 @@
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::ContainersLogrotateCrond
     - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
     - OS::TripleO::Services::OctaviaHealthManager
     - OS::TripleO::Services::OctaviaHousekeeping
     - OS::TripleO::Services::OctaviaWorker

roles_data.yaml

@@ -123,6 +123,7 @@
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::ContainersLogrotateCrond
     - OS::TripleO::Services::OctaviaApi
+    - OS::TripleO::Services::OctaviaDeploymentConfig
     - OS::TripleO::Services::OctaviaHealthManager
     - OS::TripleO::Services::OctaviaHousekeeping
     - OS::TripleO::Services::OctaviaWorker