diff --git a/docker/services/octavia-worker.yaml b/docker/services/octavia-worker.yaml
index 19ee74aaf7..f42e60a2ab 100644
--- a/docker/services/octavia-worker.yaml
+++ b/docker/services/octavia-worker.yaml
@@ -66,7 +66,10 @@ outputs: config_volume: octavia puppet_tags: octavia_config step_config: - get_attr: [OctaviaWorkerPuppetBase, role_data, step_config] + list_join: + - "\n" + - - "['nova_flavor'].each |String $val| { noop_resource($val) }" + - {get_attr: [OctaviaWorkerPuppetBase, role_data, step_config]} config_image: {get_param: DockerOctaviaConfigImage} kolla_config: /var/lib/kolla/config_files/octavia_worker.json:
@@ -108,6 +111,15 @@ outputs: - /var/log/containers/octavia:/var/log/octavia environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + docker_puppet_tasks: + step_5: + config_volume: octavia + puppet_tags: nova_flavor + step_config: + get_attr: [OctaviaWorkerPuppetBase, role_data, step_config] + config_image: {get_param: DockerOctaviaConfigImage} + volumes: + - /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro host_prep_tasks: - name: create persistent logs directory file:
@@ -120,6 +132,13 @@ outputs: Log files from octavia containers can be found under /var/log/containers/octavia and /var/log/containers/httpd/octavia-api. ignore_errors: true + - name: Ensure packages required for configuring octavia are present + yum: name={{item}} state=present + tags: step4 + with_items: + - python2-neutronclient + - python2-openstackclient + - openssl upgrade_tasks: - name: Stop and disable octavia_worker service when: step|int == 2
diff --git a/docker/services/octavia/octavia-deployment-config.yaml b/docker/services/octavia/octavia-deployment-config.yaml
new file mode 100644
index 0000000000..2ecc7b0f7f
--- /dev/null
+++ b/docker/services/octavia/octavia-deployment-config.yaml
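Review bot: The Puppet snippet `['nova_flavor'].each |String $val| { noop_resource($val) }` spliced into step_config in the first hunk is opaque without a comment saying why the nova_flavor type is being suppressed in the main config run. The same file applies that type later from a dedicated docker_puppet_tasks step, so a comment above the list_join such as `# nova_flavor is applied separately in docker_puppet_tasks step_5; noop it here so the main config run skips it` would spare the next reader a search. The step_config line is the only code change in this hunk; the surrounding puppet_config mapping starts before the hunk.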
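Review bot: The new docker_puppet_tasks step_5 in the second hunk bind-mounts `/var/lib/config-data/puppet-generated/nova/etc/nova` into the octavia config container; that path is nova's own puppet-generated configuration, which in most deployments likely carries nova's service credentials, so this step now reads another service's secrets and silently depends on the nova config volume existing on the same host. Presumably the mount is there so the nova_flavor provider can find auth settings — if so, state it on the volume line, e.g. `# nova.conf supplies the auth used by the nova_flavor provider`, and consider whether mounting only the file it needs (still `:ro`) is sufficient. If a role runs the octavia worker without nova co-located, the missing host path will make this task fail; a short note on that expectation would help operators.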
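Review bot: The yum task added in the third hunk uses the `key=value` argument string `yum: name={{item}} state=present`, while the neighbouring host_prep_tasks entry (`file:`) uses native block YAML; for consistency and to avoid Jinja/YAML quoting fragility write it as `yum:` / `name: "{{ item }}"` / `state: present`. The task is tagged `step4` and installs client packages whose consumer is not visible in this hunk — a one-line comment naming which step or task needs `python2-neutronclient`, `python2-openstackclient` and `openssl` would make the ordering intent explicit.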
@@ -0,0 +1,155 @@
+heat_template_version: pike
+
+description: >
+ Configuration of Octavia as-a-service resources in the overcloud.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ OctaviaPostWorkflowName:
+ description: Mistral workflow name for octavia configuration steps
+ once the overcloud is ready.
+ type: string
+ default: 'tripleo.octavia_post.v1.octavia_post_deploy'
+ OctaviaAmphoraImageName:
+ description: The glance image name used when spawning amphorae
+ type: string
+ default: 'octavia-amphora'
+ OctaviaAmphoraImageFilename:
+ description: Filename for the amphora image
+ type: string
+ default: '/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2'
+ OctaviaAmphoraImageTag:
+ default: 'amphora-image'
+ description: Glance image tag for identifying the amphora image.
+ type: string
+ OctaviaControlNetwork:
+ description: The name for the neutron network used for the amphora
+ control network
+ type: string
+ default: 'lb-mgmt-net'
+ OctaviaControlSubnet:
+ description: The name for the neutron subnet used for the amphora
+ control network
+ type: string
+ default: 'lb-mgmt-subnet'
+ OctaviaControlSecurityGroup:
+ description: The name for the neutron security group used to
+ control access on the amphora control network
+ type: string
+ default: 'lb-mgmt-sec-group'
+ OctaviaControlSubnetCidr:
+ description: Subnet for amphora control subnet in CIDR form.
+ type: string
+ default: '192.168.199.0/24'
+ OctaviaControlSubnetGateway:
+ description: IP address for control network gateway
+ type: string
+ default: '192.168.199.1'
+ OctaviaControlSubnetPoolStart:
+ description: First address in amphora control subnet address
+ pool.
+ type: string
+ default: '192.168.199.50'
+ OctaviaControlSubnetPoolEnd:
+ description: First address in amphora control subnet address
+ pool.
+ type: string
+ default: '192.168.199.200'
+ OctaviaCaCertFile:
+ type: string
+ default: '/etc/octavia/certs/ca_01.pem'
+ description: Octavia CA certificate file path.
+ OctaviaCaKeyFile:
+ type: string
+ default: '/etc/octavia/certs/private/cakey.pem'
+ description: Octavia CA private key file path.
+ OctaviaCaKeyPassphrase:
+ description: CA private key passphrase.
+ type: string
+ hidden: true
+ OctaviaClientCertFile:
+ default: '/etc/octavia/certs/client.pem'
+ description: client certificate for amphoras
+ type: string
+ OctaviaGenerateCerts:
+ type: boolean
+ default: false
+ description: Enable internal generation of certificates for secure
+ communication with amphorae for isolated private clouds or
+ systems where security is not a concern. Otherwise, use
+ OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
+ OctaviaClientCert to configure Octavia.
+ OctaviaMgmtPortDevName:
+ type: string
+ default: "o-hm0"
+ description: Name of the octavia management network interface using
+ for communication between octavia worker/health-manager
+ with the amphora machine.
+ AdminPassword:
+ description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+ type: string
+ hidden: true
+
+outputs:
+ role_data:
+ description: Role data for the Octavia configuration service
+ value:
+ service_name: octavia_deployment_config
+ upgrade_tasks: []
+ puppet_config:
+ config_image: ''
+ config_volume: ''
+ step_config: ''
+ docker_config: {}
+ config_settings: {}
+ workflow_tasks:
+ step5:
+ - name: octavia_post_workflow
+ workflow: { get_param: OctaviaPostWorkflowName }
+ input:
+ amp_image_name: { get_param: OctaviaAmphoraImageName }
+ amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
+ amp_image_tag: { get_param: OctaviaAmphoraImageTag }
+ lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
+ lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
+ lb_sec_group_name: { get_param: OctaviaControlSubnet }
+ lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr }
+ lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway }
+ lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart }
+ lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
+ ca_cert_path: { get_param: OctaviaCaCertFile }
+ ca_private_key_path: { get_param: OctaviaCaKeyFile }
+ ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
+ client_cert_path: { get_param: OctaviaClientCertFile }
+ generate_certs: { get_param: OctaviaGenerateCerts }
+ mgmt_port_dev: { get_param: OctaviaMgmtPortDevName }
+ overcloud_password: { get_param: AdminPassword }
+ overcloud_project: 'admin'
+ overcloud_admin: 'admin'
+ octavia_ansible_playbook: '/usr/share/tripleo-common/playbooks/octavia-files.yaml'
+ overcloud_pub_auth_uri: { get_param: [EndpointMap, KeystoneV3Public, uri] }
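Review bot: `lb_sec_group_name: { get_param: OctaviaControlSubnet }` in the workflow input hands the subnet name to the workflow where the security group name belongs; the `OctaviaControlSecurityGroup` parameter declared in this same file is otherwise never referenced, so the line should read `lb_sec_group_name: { get_param: OctaviaControlSecurityGroup }`. The description of `OctaviaControlSubnetPoolEnd` is a verbatim copy of PoolStart's ("First address in amphora control subnet address pool.") and should say "Last address". `ca_passphrase` and `overcloud_password` are passed as plain workflow inputs; `hidden: true` protects them at the Heat layer, but whether the Mistral execution record masks them is outside this template's control, which deserves a sentence in the template description. Minor: `amp_image_filename: {get_param: OctaviaAmphoraImageFilename }` has inconsistent brace spacing versus its neighbours.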
diff --git a/environments/services-docker/octavia.yaml b/environments/services-docker/octavia.yaml
index 3af17478b8..64f2ccb3fd 100644
--- a/environments/services-docker/octavia.yaml
+++ b/environments/services-docker/octavia.yaml
@@ -3,11 +3,14 @@ resource_registry: OS::TripleO::Services::OctaviaHousekeeping: ../../docker/services/octavia-housekeeping.yaml OS::TripleO::Services::OctaviaHealthManager: ../../docker/services/octavia-health-manager.yaml OS::TripleO::Services::OctaviaWorker: ../../docker/services/octavia-worker.yaml + OS::TripleO::Services::OctaviaDeploymentConfig: ../../docker/services/octavia/octavia-deployment-config.yaml parameter_defaults: NeutronServicePlugins: "qos,router,trunk,lbaasv2" NeutronEnableForceMetadata: true - OctaviaCaCertFile: '/etc/octavia/certs/ca_01.pem' - OctaviaCaKeyFile: '/etc/octavia/certs/private/cakey.pem' - OctaviaCaKeyPassphrase: 'foobar' - OctaviaClientCertFile: '/etc/octavia/certs/client.pem' + + # This flag enables internal generation of certificates for communication + # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase + # and OctaviaClient cert to configure secure production environments. + OctaviaGenerateCerts: true +
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 8d47a6f191..54db54f7f6 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -303,6 +303,7 @@ resource_registry: OS::TripleO::Services::OctaviaHealthManager: OS::Heat::None OS::TripleO::Services::OctaviaHousekeeping: OS::Heat::None OS::TripleO::Services::OctaviaWorker: OS::Heat::None + OS::TripleO::Services::OctaviaDeploymentConfig: OS::Heat::None OS::TripleO::Services::MySQLClient: puppet/services/database/mysql-client.yaml OS::TripleO::Services::Vpp: OS::Heat::None OS::TripleO::Services::NeutronVppAgent: OS::Heat::None
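Review bot: The new comment in the environments/services-docker/octavia.yaml hunk names `OctaviaCaCert`, `OctaviaCaKey` and `OctaviaClient cert`, but the parameters the deployment-config template in this same change defines are `OctaviaCaCertFile`, `OctaviaCaKeyFile` and `OctaviaClientCertFile`, so a reader following the comment will not find the right knobs; write `# with amphorae. Use OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaCaKeyPassphrase` and `# and OctaviaClientCertFile to configure secure production environments.`. Dropping the committed `'foobar'` passphrase is the right call, but `OctaviaCaKeyPassphrase` has no default in the new template and is still required there; unless another included template supplies a default, stacks using this environment will now fail parameter validation instead of silently using a weak value, which is worth stating in the comment or the commit message. The hunk also leaves a trailing blank line (`+` at its end) at the end of the file.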
diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml
index eaa6830f25..06014b4569 100644
--- a/puppet/services/octavia-worker.yaml
+++ b/puppet/services/octavia-worker.yaml
@@ -60,7 +60,7 @@ parameters: description: Dictionary describing the nova flavor for amphora. type: json OctaviaManageNovaFlavor: - default: false + default: true description: Configure the nova flavor for the amphora. type: boolean OctaviaClientCertFile:
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index f2b0616198..67c0f1b72e 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -120,6 +120,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker
diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml
index f03dcc12da..8eb9a1f4b6 100644
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@@ -116,6 +116,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index 5b4a46949e..e61d174a64 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -94,6 +94,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker
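Review bot: Flipping `OctaviaManageNovaFlavor` to `default: true` in puppet/services/octavia-worker.yaml changes behaviour on update for every existing deployment that never set the parameter, and the description still reads as if flavor management were an opt-in. Nothing in this file says where the flavor is now applied, so a reader cannot connect the default to the new docker_puppet_tasks step; suggest `description: Configure the nova flavor for the amphora (enabled by default; in containerized deployments this is applied from the octavia worker's docker_puppet_tasks).`.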
diff --git a/roles_data.yaml b/roles_data.yaml
index 8590c07ace..4960124f77 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -123,6 +123,7 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::ContainersLogrotateCrond - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaDeploymentConfig - OS::TripleO::Services::OctaviaHealthManager - OS::TripleO::Services::OctaviaHousekeeping - OS::TripleO::Services::OctaviaWorker