Add Octavia OVN Provider configuration

This patch supports configuring the OVN provider and sets up a pattern that will later be expanded on to support multiple provider drivers without requiring modification of the core Octavia configuration. Depends-On: https://review.opendev.org/#/c/711333/ Depends-On: https://review.opendev.org/#/c/705728/ Change-Id: If199f6e2841f8c7bbfe1fb56538b0283ac04681c Related-Bug: #1861886
2020-03-03 16:11:12 -05:00 · 2020-03-03 16:11:12 -05:00 · d8a6495692
commit d8a6495692
parent bb30b51eb8
3 changed files with 177 additions and 24 deletions
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -86,13 +86,6 @@ parameters:
    default: true
    description: Configure the nova flavor for the amphora.
    type: boolean
-  # We enable the driver agent and configure the OVN provider by default if OVN
-  # is enabled.
-  NeutronMechanismDrivers:
-    default: 'ovn'
-    description: |
-        The mechanism drivers for the Neutron tenant network.
-    type: comma_delimited_list
  OctaviaEnableDriverAgent:
    default: true
    description:  Set to false if the driver agent needs to be disabled for some reason.
@ -102,7 +95,6 @@ conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
-  is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
  enable_driver_agent: {equals: [{get_param: OctaviaEnableDriverAgent}, true]}

 resources:
@ -113,6 +105,16 @@ resources:
  MySQLClient:
    type: ../database/mysql-client.yaml

+  OctaviaProviderConfig:
+    type: ./providers/ovn-provider-config.yaml
+    properties:
+      EndpointMap: {get_param: EndpointMap}
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
  OctaviaBase:
    type: ./octavia-base.yaml
    properties:
@ -159,6 +161,7 @@ outputs:
        map_merge:
          - {get_attr: [OctaviaBase, role_data, config_settings]}
          - {get_attr: [OctaviaWorker, role_data, config_settings]}
+          - {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
          - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
            octavia::policy::policies: {get_param: OctaviaApiPolicies}
            octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
@ -207,10 +210,8 @@ outputs:
                    - 'octavia: Deprecated alias of the Octavia Amphora driver.'
                  -
                    if:
-                      - and:
-                          - is_ovn_in_neutron_mechanism_driver
                      - enable_driver_agent
-                      - ['ovn: Octavia OVN driver.']
+                      - {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
                      - []

      service_config_settings:
@ -228,17 +229,24 @@ outputs:
      # BEGIN DOCKER SETTINGS #
      puppet_config:
        config_volume: octavia
-        puppet_tags: octavia_config
+        puppet_tags:
+          list_join:
+            - ','
+            - - octavia_config
+              - {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
        step_config:
          list_join:
            - "\n"
            - - "include tripleo::profile::base::octavia::api"
+              - {get_attr: [OctaviaProviderConfig, role_data, step_config]}
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: ContainerOctaviaConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/octavia_api.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files:
+            list_concat:
+              -
                - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
                  dest: "/etc/httpd/conf.d"
                  merge: false
@ -247,10 +255,14 @@ outputs:
                  dest: "/"
                  merge: true
                  preserve_properties: true
+              - {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
          permissions:
+            list_concat:
+              -
                - path: /var/log/octavia
                  owner: octavia:octavia
                  recurse: true
+              - {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
        /var/lib/kolla/config_files/octavia_driver_agent.json:
          command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
          config_files:
@ -271,6 +283,7 @@ outputs:
          config_image: {get_param: ContainerOctaviaConfigImage}
          volumes:
            - /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
+      metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
      docker_config:
        # Kolla_bootstrap/db_sync runs before permissions set by kolla_config
        step_2:
@ -336,6 +349,7 @@ outputs:
                        - internal_tls_enabled
                        - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
                        - []
+                    - {get_attr: [OctaviaProviderConfig, role_data, volumes]}
                environment:
                  KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
            - if:
--- a/deployment/octavia/providers/ovn-provider-config.yaml
+++ b/deployment/octavia/providers/ovn-provider-config.yaml
@ -0,0 +1,134 @@
+heat_template_version: rocky
+
+parameters:
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  NeutronMechanismDrivers:
+    default: 'ovn'
+    description: |
+        The mechanism drivers for the Neutron tenant network.
+    type: comma_delimited_list
+  OctaviaOvnProviderProtocol:
+    default: ''
+    description: |
+        The protocol used by OVN driver to connect to northbound database.
+    type: string
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
+  ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
+  octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
+
+outputs:
+  role_data:
+    description: OVN provider driver configuraton
+    value:
+      config_settings:
+        map_merge:
+            -
+              if:
+                - octavia_provider_ovn_protocol_unset
+                - if:
+                  - internal_tls_enabled
+                  - tripleo::profile::base::octavia::provider::ovn::protocol: 'ssl'
+                  - tripleo::profile::base::octavia::provider::ovn::protocol: 'tcp'
+                - tripleo::profile::base::octavia::provider::ovn::protocol: {get_param: OctaviaOvnProviderProtocol}
+            - if:
+              - ovn_and_tls
+              - tripleo::profile::base::octavia::provider::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
+                tripleo::profile::base::octavia::provider::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
+                tripleo::profile::base::octavia::provider::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_octavia.key'
+                generate_service_certificates: true
+                ovn_octavia_certificate_specs:
+                  service_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
+                  service_key: '/etc/pki/tls/private/ovn_octavia.key'
+                  hostname:
+                    str_replace:
+                      template: "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+                  principal:
+                    str_replace:
+                      template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+              - {}
+      puppet_tags: octavia_ovn_provider_config
+      provider_driver_labels:
+        if:
+          - is_ovn_in_neutron_mechanism_driver
+          - ['ovn: Octavia OVN driver.']
+          - []
+      step_config:
+          if:
+            - is_ovn_in_neutron_mechanism_driver
+            - "include tripleo::profile::base::octavia::provider::ovn"
+            - "\n"
+      metadata_settings:
+        if:
+          - ovn_and_tls
+          - - service: ovn_octavia
+              network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+              type: node
+          - null
+      volumes:
+         if:
+           - ovn_and_tls
+           -
+             - /etc/pki/tls/certs/ovn_octavia.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_octavia.crt:ro
+             - /etc/pki/tls/private/ovn_octavia.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_octavia.key:ro
+           - []
+      kolla_permissions:
+        if:
+          - ovn_and_tls
+          -
+            - path: /etc/pki/tls/certs/ovn_octavia.crt
+              owner: octavia:octavia
+              perm: '0644'
+            - path: /etc/pki/tls/private/ovn_octavia.key
+              owner: octavia:octavia
+              perm: '0640'
+          - []
+      kolla_config_files:
+        if:
+          - ovn_and_tls
+          -
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+          - []
--- a/releasenotes/notes/add-octavia-provider-ovn-e3780665300e7c58.yaml
+++ b/releasenotes/notes/add-octavia-provider-ovn-e3780665300e7c58.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added enhancements to Octavia's OVN driver configuration, so it can connect
+    to OVN_Northbound DB using SSL/TLS.