From 094918d859d1a4425ad386aa54ac32a6dc0c77aa Mon Sep 17 00:00:00 2001 From: ramishra Date: Fri, 14 May 2021 12:22:58 +0530 Subject: [PATCH] Simplify octavia service templates Change-Id: I96266bd25093a77d3ce26921e6aaed70cfbb4fb8 --- .../octavia/octavia-api-container-puppet.yaml | 32 +--- deployment/octavia/octavia-base.yaml | 167 +++++++++--------- .../octavia/octavia-deployment-config.j2.yaml | 94 +++++----- ...tavia-health-manager-container-puppet.yaml | 11 +- ...octavia-housekeeping-container-puppet.yaml | 13 +- .../octavia-worker-container-puppet.yaml | 4 +- .../providers/ovn-provider-config.yaml | 46 ++--- 7 files changed, 155 insertions(+), 212 deletions(-) diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml index 0fccdf2aa5..37e853005b 100644 --- a/deployment/octavia/octavia-api-container-puppet.yaml +++ b/deployment/octavia/octavia-api-container-puppet.yaml @@ -88,14 +88,7 @@ parameters: description: Set to false if the driver agent needs to be disabled for some reason. type: boolean -conditions: - - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} - use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} - enable_driver_agent: {equals: [{get_param: OctaviaEnableDriverAgent}, true]} - resources: - ContainersCommon: type: ../containers-common.yaml @@ -203,12 +196,9 @@ outputs: - list_concat: - - 'amphora: The Octavia Amphora driver.' - 'octavia: Deprecated alias of the Octavia Amphora driver.' - - - if: - - enable_driver_agent + - if: + - {get_param: OctaviaEnableDriverAgent} - {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]} - - [] - service_config_settings: rsyslog: tripleo_logging_sources_octavia_api: 
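Review bot: The two-argument `if` under `provider_driver_labels` (no else branch) and the bare `{get_param: OctaviaEnableDriverAgent}` used as its condition only resolve on a Heat template version that supports both forms, and the `heat_template_version` line is outside every hunk of this patch. As far as I recall these forms arrived with the `wallaby` template version, so each touched template should declare at least that. The same pattern appears in the `volumes` / `octavia_driver_agent` hunk of this file and in the octavia-base, health-manager, housekeeping and ovn-provider hunks. On an older version the stack would presumably fail validation rather than change behaviour silently, but that is worth confirming before merge.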
@@ -345,25 +335,20 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro - /var/log/containers/octavia:/var/log/octavia:z - /run/octavia:/run/octavia:shared,z - /var/log/containers/httpd/octavia-api:/var/log/httpd:z - if: - - internal_tls_enabled + - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - [] - - if: - - internal_tls_enabled - - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - - [] + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - {get_attr: [OctaviaProviderConfig, role_data, volumes]} environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - if: - - enable_driver_agent + - {get_param: OctaviaEnableDriverAgent} - octavia_driver_agent: start_order: 2 image: *octavia_api_image @@ -373,15 +358,12 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro - /var/log/containers/octavia:/var/log/octavia:z - /run/octavia:/run/octavia:shared,z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - - {} - host_prep_tasks: - name: create persistent directories file: diff --git a/deployment/octavia/octavia-base.yaml b/deployment/octavia/octavia-base.yaml index a5a7bb3149..9a33ddf67f 100644 --- a/deployment/octavia/octavia-base.yaml +++ b/deployment/octavia/octavia-base.yaml 
@@ -208,11 +208,14 @@ parameters: type: boolean conditions: - octavia_ca_cert_unset: {equals: [{get_param: OctaviaCaCert}, '']} - octavia_ca_key_unset: {equals: [{get_param: OctaviaCaKey}, '']} - octavia_client_cert_unset: {equals: [{get_param: OctaviaClientCert}, '']} - octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]} - enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + octavia_ca_cert_set: + not: {equals: [{get_param: OctaviaCaCert}, '']} + octavia_ca_key_set: + not: {equals: [{get_param: OctaviaCaKey}, '']} + octavia_client_cert_set: + not: {equals: [{get_param: OctaviaClientCert}, '']} + octavia_topology_set: + not: {equals : [{get_param: OctaviaLoadBalancerTopology}, '']} outputs: role_data: 
@@ -220,88 +223,80 @@ outputs: value: service_name: octavia_base config_settings: - map_merge: - - octavia::logging::debug: + octavia::logging::debug: + if: + - {get_param: OctaviaDebug} + - true + - {get_param: Debug} + octavia::purge_config: {get_param: EnableConfigPurge} + octavia::notification_driver: {get_param: NotificationDriver} + octavia::db::database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: {get_param: OctaviaUserName} + password: {get_param: OctaviaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /octavia + query: if: - - {get_param: OctaviaDebug} - - true - - {get_param: Debug} - octavia::purge_config: {get_param: EnableConfigPurge} - octavia::notification_driver: {get_param: NotificationDriver} - octavia::db::database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} - username: {get_param: OctaviaUserName} - password: {get_param: OctaviaPassword} - host: {get_param: [EndpointMap, MysqlInternal, host]} - path: /octavia - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: octavia - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - - octavia::service_auth::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]} - octavia::service_auth::auth_type: 'password' - octavia::service_auth::username: {get_param: OctaviaUserName} - octavia::service_auth::password: {get_param: OctaviaPassword} - octavia::service_auth::project_name: {get_param: OctaviaProjectName} - octavia::service_auth::project_domain_name: 'Default' - octavia::service_auth::user_domain_name: 'Default' - octavia::service_auth::region_name: {get_param: KeystoneRegion} - octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile} - octavia::certificates::ca_private_key: {get_param: 
OctaviaCaKeyFile} - octavia::certificates::client_cert: {get_param: OctaviaClientCertFile} - octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} - octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase} - octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList} - octavia::controller::amp_flavor_id: {get_param: OctaviaFlavorId} - octavia::controller::amp_image_tag: {get_param: OctaviaAmphoraImageTag} - octavia::controller::amp_ssh_key_name: {get_param: OctaviaAmphoraSshKeyName} - octavia::controller::enable_ssh_access: true - octavia::controller::timeout_client_data: {get_param: OctaviaTimeoutClientData} - octavia::controller::timeout_member_connect: {get_param: OctaviaTimeoutMemberConnect} - octavia::controller::timeout_member_data: {get_param: OctaviaTimeoutMemberData} - octavia::controller::timeout_tcp_inspect: {get_param: OctaviaTimeoutTcpInspect} - octavia::controller::connection_max_retries: {get_param: OctaviaConnectionMaxRetries} - octavia::controller::connection_logging: {get_param: OctaviaConnectionLogging} - octavia::controller::build_active_retries: {get_param: OctaviaBuildActiveRetries} - octavia::controller::port_detach_timeout: {get_param: OctaviaPortDetachTimeout} - octavia::controller::admin_log_targets: {get_param: OctaviaAdminLogTargets} - octavia::controller::administrative_log_facility: {get_param: OctaviaAdminLogFacility} - octavia::controller::forward_all_logs: {get_param: OctaviaForwardAllLogs} - octavia::controller::tenant_log_targets: {get_param: OctaviaTenantLogTargets} - octavia::controller::user_log_facility: {get_param: OctaviaTenantLogFacility} - octavia::controller::user_log_format: {get_param: OctaviaUserLogFormat} - octavia::controller::disable_local_log_storage: {get_param: OctaviaDisableLocalLogStorage} - octavia::nova::enable_anti_affinity: {get_param: OctaviaAntiAffinity} - - - if: - - octavia_topology_unset - - {} - - 
octavia::controller::loadbalancer_topology: {get_param: OctaviaLoadBalancerTopology} - - - if: - - octavia_ca_cert_unset - - {} - - octavia::certificates::ca_certificate_data: {get_param: OctaviaCaCert} - - - if: - - octavia_ca_key_unset - - {} - - octavia::certificates::ca_private_key_data: {get_param: OctaviaCaKey} - - - if: - - octavia_client_cert_unset - - {} - - octavia::certificates::client_cert_data: {get_param: OctaviaClientCert} + - {get_param: EnableSQLAlchemyCollectd} + - read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + plugin: collectd + collectd_program_name: octavia + collectd_host: localhost + - read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + octavia::service_auth::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]} + octavia::service_auth::auth_type: 'password' + octavia::service_auth::username: {get_param: OctaviaUserName} + octavia::service_auth::password: {get_param: OctaviaPassword} + octavia::service_auth::project_name: {get_param: OctaviaProjectName} + octavia::service_auth::project_domain_name: 'Default' + octavia::service_auth::user_domain_name: 'Default' + octavia::service_auth::region_name: {get_param: KeystoneRegion} + octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile} + octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile} + octavia::certificates::client_cert: {get_param: OctaviaClientCertFile} + octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} + octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase} + octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList} + octavia::controller::amp_flavor_id: {get_param: OctaviaFlavorId} + octavia::controller::amp_image_tag: {get_param: OctaviaAmphoraImageTag} + octavia::controller::amp_ssh_key_name: {get_param: OctaviaAmphoraSshKeyName} + octavia::controller::enable_ssh_access: true + 
octavia::controller::timeout_client_data: {get_param: OctaviaTimeoutClientData} + octavia::controller::timeout_member_connect: {get_param: OctaviaTimeoutMemberConnect} + octavia::controller::timeout_member_data: {get_param: OctaviaTimeoutMemberData} + octavia::controller::timeout_tcp_inspect: {get_param: OctaviaTimeoutTcpInspect} + octavia::controller::connection_max_retries: {get_param: OctaviaConnectionMaxRetries} + octavia::controller::connection_logging: {get_param: OctaviaConnectionLogging} + octavia::controller::build_active_retries: {get_param: OctaviaBuildActiveRetries} + octavia::controller::port_detach_timeout: {get_param: OctaviaPortDetachTimeout} + octavia::controller::admin_log_targets: {get_param: OctaviaAdminLogTargets} + octavia::controller::administrative_log_facility: {get_param: OctaviaAdminLogFacility} + octavia::controller::forward_all_logs: {get_param: OctaviaForwardAllLogs} + octavia::controller::tenant_log_targets: {get_param: OctaviaTenantLogTargets} + octavia::controller::user_log_facility: {get_param: OctaviaTenantLogFacility} + octavia::controller::user_log_format: {get_param: OctaviaUserLogFormat} + octavia::controller::disable_local_log_storage: {get_param: OctaviaDisableLocalLogStorage} + octavia::nova::enable_anti_affinity: {get_param: OctaviaAntiAffinity} + octavia::controller::loadbalancer_topology: + if: + - octavia_topology_set + - {get_param: OctaviaLoadBalancerTopology} + octavia::certificates::ca_certificate_data: + if: + - octavia_ca_cert_set + - {get_param: OctaviaCaCert} + octavia::certificates::ca_private_key_data: + if: + - octavia_ca_key_set + - {get_param: OctaviaCaKey} + octavia::certificates::client_cert_data: + if: + - octavia_client_cert_set + - {get_param: OctaviaClientCert} update_tasks: &ensure_start_up_files - name: make sure that post-deploy.conf exists before restarting containers on update or upgrade when: step|int == 5 
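Review bot: `octavia::controller::enable_ssh_access: true` stays hard-coded in the re-indented `config_settings` map of octavia-base.yaml, next to `octavia::controller::amp_ssh_key_name`. SSH key access to amphorae therefore appears to be enabled on every deployment, with no parameter visible here to turn it off. Since these lines are being rewritten anyway, consider driving the value from a boolean parameter. Failing that, record the decision with a comment such as `# NOTE: amphora SSH access is enabled unconditionally; no template parameter gates it`. The parameters block is outside this hunk, so an existing toggle may have been missed.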
diff --git a/deployment/octavia/octavia-deployment-config.j2.yaml b/deployment/octavia/octavia-deployment-config.j2.yaml
index 6947c6b615..5a6bfb09d4 100644
--- a/deployment/octavia/octavia-deployment-config.j2.yaml
+++ b/deployment/octavia/octavia-deployment-config.j2.yaml
@@ -207,53 +207,6 @@ resources: type: OS::Nova::KeyPair external_id: default {% endif %} - OctaviaVars: - type: OS::Heat::Value - properties: - type: json - value: - vars: - os_auth_type: "password" - os_identity_api_version: "3" - amp_image_name: { get_param: OctaviaAmphoraImageName } - amp_image_filename: {get_param: OctaviaAmphoraImageFilename } - amp_image_tag: { get_param: OctaviaAmphoraImageTag } - amp_hw_arch: { get_param: OctaviaAmphoraImageArchitecture } - amp_ssh_key_name: { get_param: OctaviaAmphoraSshKeyName } - amp_ssh_key_path: { get_param: OctaviaAmphoraSshKeyFile } -{% if not octavia_standalone %} - amp_ssh_key_data: { get_attr: [default_key_pair, public_key] } -{% endif %} -{% raw %} - amp_to_raw: {if: [octavia_raw_image_check, true, false]} - auth_username: { get_param: OctaviaUserName } - auth_password: { get_param: OctaviaPassword } - auth_project_name: { get_param: OctaviaProjectName } - lb_mgmt_net_name: { get_param: OctaviaControlNetwork } - lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet } - lb_sec_group_name: { get_param: OctaviaControlSubnet } - lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr } - lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway } - lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart } - lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd } - ca_cert_path: { get_param: OctaviaCaCertFile } - ca_private_key_path: { get_param: OctaviaCaKeyFile } - server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} - ca_passphrase: { get_param: OctaviaCaKeyPassphrase } - client_cert_path: { get_param: OctaviaClientCertFile } - generate_certs: { get_param: OctaviaGenerateCerts } - mgmt_port_dev: { get_param: OctaviaMgmtPortDevName } - os_password: { get_param: AdminPassword } - os_project_name: 'admin' - os_username: 'admin' - octavia_ansible_playbook: '/usr/share/ansible/tripleo-playbooks/octavia-files.yaml' - os_auth_url: { get_param: [EndpointMap, 
KeystoneV3Public, uri] } - os_int_auth_url: { get_param: [EndpointMap, KeystoneInternal, uri] } - octavia_local_tmpdir: "{{playbook_dir}}/octavia-ansible/local_dir" - octavia_group_vars_dir: "{{playbook_dir}}/octavia-ansible/group_vars" - container_cli: { get_param: ContainerCli } - enable_log_offloading: { get_param: OctaviaLogOffload } - stack_action: { get_param: StackAction } outputs: role_data: 
@@ -272,7 +225,48 @@ outputs: block: - name: Set up group_vars set_fact: - octavia_ansible_group_vars: { get_attr: [OctaviaVars, value, vars] } + octavia_ansible_group_vars: + os_auth_type: "password" + os_identity_api_version: "3" + amp_image_name: { get_param: OctaviaAmphoraImageName } + amp_image_filename: {get_param: OctaviaAmphoraImageFilename } + amp_image_tag: { get_param: OctaviaAmphoraImageTag } + amp_hw_arch: { get_param: OctaviaAmphoraImageArchitecture } + amp_ssh_key_name: { get_param: OctaviaAmphoraSshKeyName } + amp_ssh_key_path: { get_param: OctaviaAmphoraSshKeyFile } + {% if not octavia_standalone %} + amp_ssh_key_data: { get_attr: [default_key_pair, public_key] } + {% endif %} + amp_to_raw: {if: [octavia_raw_image_check, true, false]} + auth_username: { get_param: OctaviaUserName } + auth_password: { get_param: OctaviaPassword } + auth_project_name: { get_param: OctaviaProjectName } + lb_mgmt_net_name: { get_param: OctaviaControlNetwork } + lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet } + lb_sec_group_name: { get_param: OctaviaControlSubnet } + lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr } + lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway } + lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart } + lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd } + ca_cert_path: { get_param: OctaviaCaCertFile } + ca_private_key_path: { get_param: OctaviaCaKeyFile } + server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} + ca_passphrase: { get_param: OctaviaCaKeyPassphrase } + client_cert_path: { get_param: OctaviaClientCertFile } + generate_certs: { get_param: OctaviaGenerateCerts } + mgmt_port_dev: { get_param: OctaviaMgmtPortDevName } + os_password: { get_param: AdminPassword } + os_project_name: 'admin' + os_username: 'admin' + octavia_ansible_playbook: '/usr/share/ansible/tripleo-playbooks/octavia-files.yaml' + os_auth_url: { get_param: [EndpointMap, 
KeystoneV3Public, uri] } + os_int_auth_url: { get_param: [EndpointMap, KeystoneInternal, uri] } +{% raw %} + octavia_local_tmpdir: "{{playbook_dir}}/octavia-ansible/local_dir" + octavia_group_vars_dir: "{{playbook_dir}}/octavia-ansible/group_vars" + container_cli: { get_param: ContainerCli } + enable_log_offloading: { get_param: OctaviaLogOffload } + stack_action: { get_param: StackAction } no_log: "{{ hide_sensitive_logs | bool }}" - name: Make needed directories on the undercloud become: true @@ -297,11 +291,9 @@ outputs: content: | octavia_nodes: hosts: - {%- set octavia_groups = ['worker'] -%} {%- for octavia_group in octavia_groups -%} {%- if 'octavia_' ~ octavia_groups %} - {% for host in groups['octavia_' ~ octavia_group] -%} {{ hostvars.raw_get(host)['ansible_facts']['hostname'] | lower}}: ansible_user: {{ hostvars.raw_get(host)['ansible_ssh_user'] | default('heat-admin') }} @@ -309,10 +301,8 @@ outputs: canonical_hostname: {{ hostvars.raw_get(host)['canonical_hostname'] | default(host) | lower }} ansible_become: true {% endfor %} - {%- endif -%} {%- endfor %} - Undercloud: hosts: {% for host in groups['Undercloud'] -%} diff --git a/deployment/octavia/octavia-health-manager-container-puppet.yaml b/deployment/octavia/octavia-health-manager-container-puppet.yaml index 7de27f06d7..8af1bd9b06 100644 --- a/deployment/octavia/octavia-health-manager-container-puppet.yaml +++ b/deployment/octavia/octavia-health-manager-container-puppet.yaml @@ -61,12 +61,7 @@ parameters: the controller logs. type: boolean -conditions: - - log_offload_enabled: {equals: [{get_param: OctaviaLogOffload}, true]} - resources: - ContainersCommon: type: ../containers-common.yaml 
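Review bot: `lb_sec_group_name: { get_param: OctaviaControlSubnet }` in the inlined `octavia_ansible_group_vars` map of octavia-deployment-config.j2.yaml reads the same subnet parameter as `lb_mgmt_subnet_name` on the line above it, so the management security group name would follow the subnet name. The line is carried over unchanged from the removed `OctaviaVars` resource and looks like a copy-paste slip. If the template declares a dedicated security-group parameter (the parameters block is outside this hunk), it should read `lb_sec_group_name: { get_param: <security-group parameter> }`. The map also carries `auth_password`, `os_password`, `ca_passphrase` and `server_certs_key_passphrase` inline in the task. Its only log guard is `no_log: "{{ hide_sensitive_logs | bool }}"`, so confirm that variable defaults to true.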
@@ -167,14 +162,13 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/octavia_health_manager.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/octavia_health_manager.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro - /var/log/containers/octavia:/var/log/octavia:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - if: - - log_offload_enabled + - {get_param: OctaviaLogOffload} - octavia_rsyslog: start_order: 2 image: {get_param: ContainerOctaviaRsyslogImage} @@ -190,7 +184,6 @@ outputs: - /var/log/containers/octavia-amphorae:/var/log/octavia:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS - - {} update_tasks: {get_attr: [OctaviaBase, role_data, update_tasks]} upgrade_tasks: {get_attr: [OctaviaBase, role_data, upgrade_tasks]} host_prep_tasks: diff --git a/deployment/octavia/octavia-housekeeping-container-puppet.yaml b/deployment/octavia/octavia-housekeeping-container-puppet.yaml index d7e578edb9..98a67f9819 100644 --- a/deployment/octavia/octavia-housekeeping-container-puppet.yaml +++ b/deployment/octavia/octavia-housekeeping-container-puppet.yaml @@ -50,10 +50,10 @@ parameters: type: string conditions: - amphora_expiry_is_zero: {equals: [{get_param: OctaviaAmphoraExpiryAge}, 0]} + amphora_expiry_set: + not: {equals: [{get_param: OctaviaAmphoraExpiryAge}, 0]} resources: - ContainersCommon: type: ../containers-common.yaml @@ -78,10 +78,8 @@ outputs: config_settings: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - - - if: - - amphora_expiry_is_zero - - {} + - if: + - amphora_expiry_set - octavia::housekeeping::amphora_expiry_age: {get_param: OctaviaAmphoraExpiryAge} service_config_settings: rsyslog: 
@@ -137,8 +135,7 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/octavia_housekeeping.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/octavia_housekeeping.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro - /var/log/containers/octavia:/var/log/octavia:z environment: diff --git a/deployment/octavia/octavia-worker-container-puppet.yaml b/deployment/octavia/octavia-worker-container-puppet.yaml index 20eb1fffe3..5cdeb46979 100644 --- a/deployment/octavia/octavia-worker-container-puppet.yaml +++ b/deployment/octavia/octavia-worker-container-puppet.yaml @@ -47,7 +47,6 @@ parameters: type: string resources: - ContainersCommon: type: ../containers-common.yaml @@ -124,8 +123,7 @@ outputs: volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - - /var/lib/kolla/config_files/octavia_worker.json:/var/lib/kolla/config_files/config.json:ro + - - /var/lib/kolla/config_files/octavia_worker.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro - /var/log/containers/octavia:/var/log/octavia:z environment: diff --git a/deployment/octavia/providers/ovn-provider-config.yaml b/deployment/octavia/providers/ovn-provider-config.yaml index 88ef1ee2cd..9937f22201 100644 --- a/deployment/octavia/providers/ovn-provider-config.yaml +++ b/deployment/octavia/providers/ovn-provider-config.yaml 
@@ -54,12 +54,12 @@ parameters: certificate for this service conditions: - - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} - ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} - octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} - key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']} + ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, {get_param: EnableInternalTLS}]} + octavia_provider_ovn_protocol_set: + not: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} + key_size_override_set: + not: {equals: [{get_param: OctaviaCertificateKeySize}, '']} outputs: role_data: @@ -67,26 +67,23 @@ outputs: value: config_settings: map_merge: - - - if: - - octavia_provider_ovn_protocol_unset - - if: - - internal_tls_enabled + - if: + - octavia_provider_ovn_protocol_set + - tripleo::profile::base::octavia::provider::ovn::protocol: {get_param: OctaviaOvnProviderProtocol} + - if: + - {get_param: EnableInternalTLS} - tripleo::profile::base::octavia::provider::ovn::protocol: 'ssl' - tripleo::profile::base::octavia::provider::ovn::protocol: 'tcp' - - tripleo::profile::base::octavia::provider::ovn::protocol: {get_param: OctaviaOvnProviderProtocol} - - if: + - if: - ovn_and_tls - tripleo::profile::base::octavia::provider::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile} tripleo::profile::base::octavia::provider::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_octavia.crt' tripleo::profile::base::octavia::provider::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_octavia.key' - - {} puppet_tags: octavia_ovn_provider_config provider_driver_labels: if: - is_ovn_in_neutron_mechanism_driver - ['ovn: Octavia OVN driver.'] - - [] step_config: if: - is_ovn_in_neutron_mechanism_driver 
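Review bot: In the `config_settings` `map_merge` of ovn-provider-config.yaml, a non-empty `OctaviaOvnProviderProtocol` takes precedence over `EnableInternalTLS`. A value of `tcp` would therefore presumably select an unencrypted OVN connection even with internal TLS on, while `ovn_and_tls` still installs the certificate settings. Nothing in the hunk documents that precedence. A comment above the first `if` would help, e.g. `# An explicit OctaviaOvnProviderProtocol overrides the TLS-derived default ('ssl' when EnableInternalTLS is true)`. This reading assumes the inner `if` is the else branch of the outer one; the indentation cannot be recovered from this rendering of the diff.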
@@ -98,39 +95,31 @@ outputs: - - service: ovn_octavia network: {get_param: [ServiceNetMap, OvnDbsNetwork]} type: node - - null volumes: if: - ovn_and_tls - - - - /etc/pki/tls/certs/ovn_octavia.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_octavia.crt:ro + - - /etc/pki/tls/certs/ovn_octavia.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_octavia.crt:ro - /etc/pki/tls/private/ovn_octavia.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_octavia.key:ro - - [] kolla_permissions: if: - ovn_and_tls - - - - path: /etc/pki/tls/certs/ovn_octavia.crt + - - path: /etc/pki/tls/certs/ovn_octavia.crt owner: octavia:octavia perm: '0644' - path: /etc/pki/tls/private/ovn_octavia.key owner: octavia:octavia perm: '0640' - - [] kolla_config_files: if: - ovn_and_tls - - - - source: "/var/lib/kolla/config_files/src-tls/*" + - - source: "/var/lib/kolla/config_files/src-tls/*" dest: "/" merge: true preserve_properties: true - - [] deploy_steps_tasks: if: - ovn_and_tls - - - - name: Certificate generation + - - name: Certificate generation when: step|int == 1 block: - include_role: @@ -150,8 +139,7 @@ outputs: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} key_size: if: - - key_size_override_unset - - {get_param: CertificateKeySize} + - key_size_override_set - {get_param: OctaviaCertificateKeySize} + - {get_param: CertificateKeySize} ca: ipa - - null
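Review bot: With the `- []` else branches removed from `volumes`, `kolla_permissions` and `kolla_config_files` (and from `provider_driver_labels` in the previous hunk), these `role_data` keys are presumably absent rather than empty when `ovn_and_tls` is false. octavia-api-container-puppet.yaml reads `{get_attr: [OctaviaProviderConfig, role_data, volumes]}` and `provider_driver_labels` inside `list_concat`, so that path now depends on `list_concat` accepting a missing attribute. A deployment without OVN or without internal TLS is the case to validate. A short comment on `volumes` saying the key is omitted when TLS is off would save the next reader the lookup.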