Make it possible to override ServiceNetMap per-role

In spine-and-leaf TLS-e deployments as done in OSP13, services are filter based on role networks when adding metadata for nova-join. This filtering removes valid services due to the fact that the roles network does'nt match the global ServiceNetMap. Add a role based parameter {{role.name}}ServiceNetMap that can be used to override the ServiceNetMap per-role when it's being passed to {{role.name}}ServiceChain and the {{role.name}} resource group. Related: RHBZ#1875508 Closes-Bug: #1904482 Change-Id: I56b6dfe8a0e95385e469d9eac97a0ec24e147450
2020-11-17 01:34:36 +01:00 · 2020-11-17 01:34:36 +01:00 · be6a844a79
commit be6a844a79
parent 666091c949
2 changed files with 40 additions and 2 deletions
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@ -322,6 +322,17 @@ parameters:
    description: |
      Name of the subnet on ctlplane network for this role.
    type: string
+
+  {{role.name}}ServiceNetMap:
+    default: {}
+    description: |
+      Role specific ServiceNetMap overrides, the map provided will be merged
+      with the global ServiceNetMap when passing the ServiceNetMap to the
+      {{role.name}}ServiceChain resource and the {{role.name}} resource group.
+      For example:
+      {{role.name}}ServiceNetMap:
+        NovaLibvirtNetwork: internal_api_leaf2
+    type: json
 {% endfor %}

  # Identifiers to trigger tasks on nodes
@ -643,7 +654,10 @@ resources:
    properties:
      Services:
        get_param: {{role.name}}Services
-      ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
+      ServiceNetMap:
+        map_merge:
+          - {get_attr: [ServiceNetMap, service_net_map]}
+          - {get_param: {{role.name}}ServiceNetMap}
      ServiceData:
        net_cidr_map: {get_attr: [NetCidrMapValue, value]}
        net_vip_map: {get_attr: [VipMap, net_ip_map]}
@ -825,7 +839,10 @@ resources:
        properties:
          StackName: {get_param: 'OS::stack_name'}
          CloudDomain: {get_param: CloudDomain}
-          ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map]}
+          ServiceNetMap:
+            map_merge:
+              - {get_attr: [ServiceNetMap, service_net_map]}
+              - {get_param: {{role.name}}ServiceNetMap}
          EndpointMap: {get_attr: [EndpointMapData, value]}
          Hostname:
            str_replace:
--- a/releasenotes/notes/bug-1904482-dbc5162c8245a9b3.yaml
+++ b/releasenotes/notes/bug-1904482-dbc5162c8245a9b3.yaml
@ -0,0 +1,21 @@
+---
+fixes:
+  - |
+    When deploying a spine-and-leaf (L3 routed architecture) with TLS enabled
+    for internal endpoints the deployment would fail because some roles are
+    not connected to the network mapped to the service in ServiceNetMap. To
+    fix this issue a role specific parameter ``{{role.name}}ServiceNetMap`` is
+    introduced (defaults to: ``{}``). The role specific ServiceNetMap parameter
+    allow the operator to override one or more service network mappings
+    per-role. For example::
+
+      ComputeLeaf2ServiceNetMap:
+        NovaLibvirtNetwork: internal_api_leaf2
+
+    The role specific ``{{role.name}}ServiceNetMap`` override is merged with
+    the global ``ServiceNetMap`` when it's passed as a value to the
+    ``{{role.name}}ServiceChain`` resources, and the ``{{role.name}}``
+    resource groups so that the correct network for this role is mapped to
+    the service.
+
+    Closes bug: `1904482 <https://bugs.launchpad.net/tripleo/+bug/1904482>`_.