... so that we can use /healthcheck request path to check availability
of these api services by haproxy.
Depends-on: https://review.opendev.org/773278
Change-Id: If0e0cb76a3635903ca684da8146a733c190bf2db
The octavia_tls_proxy container was removed during the Rocky cycle by
commit f4460a580d.
The octavia_tls_proxy container might be deployed in an old Queens
deployment but the container should be deleted when the deployment is
updated/upgraded to one of
- Latest Queens (before to Train)
- Rocky
so the cleanup step is no longer required in Stein and later.
Closes-Bug: #1933712
Change-Id: I91f23f8508201d2489650d1121019b7e71ccc768
The patch fixes an issue where the driver agent's configuration data
wasn't being set nor the puppet executed.
Change-Id: I3bcdacc3d93f868ab15070b5d265f71a7a8e0bcc
The filename for the kolla_config octavia json file was incorrect
causing there to be no database initialization for octavia deployments.
Closes-Bug: #1931428
Change-Id: Ic18f07f01a2b4053d042dc0a1b783b397d985d9e
This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.
Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.
[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939
Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
Today for some services we mount in /var/lib/config-data/<service>/etc
which is actually an output from the container-puppet process. We should
be using kolla to ensure that we properly create the configurations
based on the puppet generated configurations and things in the
container. Some services correctly leverage the kolla_config that the
associated api/service uses when running their db sync. This patch
aligns the rest to follow the similar pattern.
Change-Id: I0e3d5748a50937880a55413b75fe6eca479c9160
This simplifies the ServiceNetMap/VipSubnetMap interfaces
to use parameter merge strategy and removes the *Defaults
interfaces.
Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
... so that Octavia API can set up the correct request URL even when
SSL/TLS is enabled.
Depends-on: https://review.opendev.org/#/c/736446/
Change-Id: I3ff7d557fc3f544affd35da3a23e56f287b8112f
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to ``if``
function, the entire enclosing item is removed when the condition
is false.
Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.
Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
Containers are restarted with new command lines during upgrade/updates
before the external_deploy_task are run that create a configuration file
that is used on the command line. This results in octavia services
failing to start.
Note: this was originally merged as:
https://review.opendev.org/#/c/750986/
but the OctaviaBase references in templates were incorrect so the
original patch was reverted through:
https://review.opendev.org/#/c/763561/
As the original patch had not been backported, it makes more sense to
revert and get a correct fix in place and backport that instead of
requiring backporting a series or backporting a squashed commit.
Change-Id: Ib3476e53f89b50bae72b9c95a5d3dec51ed3de7e
Related-Bug: #1863595
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.
Reduces a number of heat resources.
Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
This change makes octavia services on unupgraded controller nodes get
stopped, because all services in the unupgraded controllers should be
stopped before we start the upgraded controller[1].
[1] 8529ce60da
Change-Id: I51855841c269ec593933288af4135f5d06a139fe
Containers are restarted with new command lines during upgrade/updates
before the external_deploy_task are run that create a configuration file
that is used on the command line. This results in octavia services
failing to start.
Change-Id: I741059afad42d0aa1e17b5becd56cbbbb0003c82
Related-Bug: #1863595
For Octavia, we have OctaviaUserName and OctaviaProjectName to define
user/project used for octavia service.
Currently tripleo creates the service project and user according to
these parameters, but the octavia user always belongs to 'service'
project, not to the project defined by OctaviaProjectName.
This change ensures the octavia user belongs to the project defined by
the OctaviaProjectName parameter.
Change-Id: I32812b3cb1216c0617f3e9ccd498a2d53fec61a6
Following change Iaced2ba676a4e4f651c67da082797cc1c1ffccd1, this patch
adds a new task for the update/upgrades steps in order to ensure we're
in a clean state, with consistent names.
It also takes the opportunity to chase down newly added /var/run
mentions.
Change-Id: I9f069332254d057f80e3d25e9f8b734f8a592810
This change enforces the usage of internal api for token verification,
so that internal requests to keystone use internal endpoint instead
of admin endpoint which is deployed on provisioning network by default.
Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
Currently initialization of db is implemented as an independent task
in tripleo-heat-templates and not triggered by puppet.
In puppet, all of sync db jobs are implemented by exec resources but
"exec" is not included in puppet_tags enabled, so these implementations
in puppet are never triggered.
This patch removes sync_db parameters from templates because they are
ineffective and misleading.
Change-Id: Id231c612d8ef0ebc27bf87e0b2acbb76d89c9801
The driver agent and the API processes need permission to manage the
contents of /run/octavia.
Change-Id: I103d88a1acdc9843fc419746779bdaa132ca569f
Related-Bug: #1887801
If the cli is podman we try to remove the octavia tls proxy systemd
service without checking if it exists, resulting in an error on
updates/upgrades. This patch makes those steps conditional on whether
the services exist.
Change-Id: I883e457ea60ebbf5290ab6afa9909386cc2f8f0c
Closes-Bug: #1886833
There is no real value using /var/run instead of /run, especially since
/var/run is a symlink to /run.
This patch also removes duplicated mounts due to this very symlink.
Change-Id: Iaced2ba676a4e4f651c67da082797cc1c1ffccd1
For containers which run httpd, make sure conf.modules.d is also synced
into the container; so apache doesn't fail with:
AH00534: httpd: Configuration error: More than one MPM loaded.
This is now required since:
6425cc46a8
Change-Id: Ib315d10dbdbbad1628f536a74cd1fca371f018f5
Closes-Bug: #1884115
Currently we use apache+wsgi to run Octavia and tls_proxy is no longer
used for internal TLS.
This patch removes remaining hieradata, which isn't loaded actually.
Change-Id: I6fc8adffe5239bf776188c06a55b5d3ce73a9945
Almost every single tripleo service creates a persistent directory. To
simplify the creation, a with_items structure was being used. In which
many times, the mode option was being set. However, that mode option
was not taken into account at the time of creating the file. As a
consequence, the directory was being created with its father directory
rights, instead of the ones being passed in the template.
Change-Id: I215db2bb79029c19ab8c62a7ae8d93cec50fb8dc
Closes-Bug: #1871231
This patch supports configuring the OVN provider and sets up a pattern
that will later be expanded on to support multiple provider drivers
without requiring modification of the core Octavia configuration.
Depends-On: https://review.opendev.org/#/c/711333/
Depends-On: https://review.opendev.org/#/c/705728/
Change-Id: If199f6e2841f8c7bbfe1fb56538b0283ac04681c
Related-Bug: #1861886
Initially to be used to work around issues with ovn provider driver
breaking CI this can be used. We may remove this before it is released
as there are alternate mechanisms that might be better.
Change-Id: If04a719052cf650502258450477713d9fe06015a
This patch makes sure that t-h-t creates keystone resources for octavia
service according to OctaviaProjectName and OctaviaUserName, which are
used to specify the project name and the user name for octavia user.
Depends-on: https://review.opendev.org/#/c/712191/
Change-Id: Ia783ad1f0afbf10bbcaf6b66c727e0a084e97411
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).
A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.
Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
To avoid empty volumes like:
    {
      (...)
      "volumes": [
        "/etc/puppet:/etc/puppet:ro",
        (...)
        "",
        ""
      ],
    }
Replace '' by [], so heat won't create an item in the list.
It helps to have idempotent containers, since podman_container module
will compare the list of volumes that is given in parameters (containing
the empty entries) vs the list of volumes actually in podman inspect.
Replacing to [] clears out empty volumes and makes these containers
idempotent when podman_container module is used to deploy containers.
Change-Id: I228b01009e7d9980bee5480778dbc88b9e226297
auth_uri parameter in authtoken was already removed from puppet modules[1],
so remove it from hieradata.
Also, some service templates missed www_authenticate_uri, which was
introduced as a replacement of auth_uri, so add it to make sure that
we have a correct parameter configured.
[1] I12b4049e4942911c8d1d8027c579eb4c0d1a53eb
Change-Id: I1e8378f58662377344194916e8bc336df02d0591