heat_template_version: wallaby description: > Configures FRR on the host parameters: ContainerFrrImage: description: The container image for Frr type: string tags: - role_specific ContainerOvnBgpAgentImage: description: The container image for the BGP Agent type: string tags: - role_specific EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. OvnBgpAgentCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service FrrBfdEnabled: default: false description: Enable Bidirectional Forwarding Detection type: boolean FrrBgpEnabled: default: true description: Enable BGP type: boolean FrrBgpAsn: default: 65000 description: Default ASN to be used within FRR type: number FrrBgpIpv4Enabled: default: true description: Enable BGP advertisement of IPv4 routes type: boolean FrrBgpIpv4AllowASIn: default: false description: Allow for IPv4 routes to be received and processed even if the router detects its own ASN in the AS-Path. type: boolean FrrBgpIpv4SrcNetwork: default: ctlplane description: The name of the Neutron network from where the IP address of the node will be taken and set as source IPv4 address on the default route. type: string FrrBgpIpv6Enabled: default: true description: Enable BGP advertisement of IPv6 routes type: boolean FrrBgpIpv6AllowASIn: default: false description: Allow for IPv6 routes to be received and processed even if the router detects its own ASN in the AS-Path. type: boolean FrrBgpIpv6SrcNetwork: default: ctlplane description: The name of the Neutron network from where the IP address of the node will be taken and set as source IPv6 address on the default route. type: string FrrBgpUplinks: default: ['nic1', 'nic2'] description: List of uplink network interfaces. type: comma_delimited_list FrrBgpUplinksScope: default: 'internal' type: string description: Either peer with internal (iBGP) or external (eBGP) neighbors. constraints: - allowed_values: ['internal', 'external'] FrrLoggingSource: type: json default: tag: system.frr file: /var/log/containers/frr/frr.log FrrLogLevel: default: 'informational' type: string description: log level constraints: - allowed_values: ['emergencies', 'alerts', 'critical', 'errors', 'warnings', 'notifications', 'informational', 'debugging'] FrrZebraEnabled: default: true description: enable Zebra type: boolean FrrPacemakerVipNic: default: 'lo' description: Name of the nic that the pacemaker VIPs will be added to when runninng with FRR. type: string FrrBgpNeighborTtlSecurityHops: default: 1 description: Enforce Generalized TTL Security Mechanism (GTSM) where only neighbors that are the specified number of hops away will be allowed to become neighbors. Setting value to zero or less will disable GTSM. type: number FrrBgpL2VpnEnabled: type: boolean default: false description: Enable BGP L2VPN EVPN address family. FrrBgpL2VpnEbgpMultihop: type: number default: 0 description: > Allows sessions with eBGP neighbors to establish when they are multiple hops away. Value 0 disables multi-hop eBGP peering. FrrBgpL2VpnUplinkActivate: type: boolean default: true description: > Enable the list of uplink network interfaces defined in FrrBgpUplinks. FrrBgpL2VpnPeers: default: [] description: List of EVPN neighbor peers. type: comma_delimited_list FrrBgpL2vpnPeersScope: default: 'external' type: string description: Either peer with internal (iBGP) or external (eBGP) neighbors. constraints: - allowed_values: ['internal', 'external'] NeutronBridgeMappings: description: > The OVS logical->physical bridge mappings to use. See the Neutron documentation for details. Defaults to mapping br-ex - the external bridge on hosts - to a physical name 'datacentre' which can be used to create provider networks (and we use this for the default floating network) - if changing this either use different post-install network scripts or be sure to keep 'datacentre' as a mapping network name. type: comma_delimited_list default: "datacentre:br-ex" tags: - role_specific FrrOvnBgpAgentDriver: description: > Configures how VM IPs are advertised via BGP. EVPN driver exposes VM IPs on provider networks and FIPs associated to VMs on tenant networks via MP-BGP IPv4 and IPv6 unicast. BGP driver exposes VM IPs on the tenant networks via MP-BGP EVPN VXLAN. type: string default: 'ovn_evpn_driver' constraints: - allowed_values: [ 'ovn_bgp_driver', 'ovn_evpn_driver' ] tags: - role_specific FrrOvnBgpAgentExposeTenantNetworks: description: > Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast. Requires the BGP driver (see THT parameter FrrOvnBgpAgentDriver). type: boolean default: false FrrOvnBgpAgentAsn: default: 64999 description: > Autonomous System Number to be used by the agent when running in BGP mode. type: number FrrOvnBgpAgentOvsdbConnection: default: 'tcp:127.0.0.1:6640' description: > The connection string for the native OVSDB backend. Use tcp:IP:PORT for TCP connection. type: string conditions: key_size_override_set: not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']} resources: RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ContainerFrrImage: ContainerFrrImage ContainerOvnBgpAgentImage: ContainerOvnBgpAgentImage ovn_bgp_agent_driver: FrrOvnBgpAgentDriver - values: {get_param: [RoleParameters]} - values: ContainerFrrImage: {get_param: ContainerFrrImage} ContainerOvnBgpAgentImage: {get_param: ContainerOvnBgpAgentImage} FrrOvnBgpAgentDriver: {get_param: FrrOvnBgpAgentDriver} outputs: role_data: description: Role data for the FRR and OVN BGP Agent services value: service_name: frr config_settings: tripleo::pacemaker::force_nic: {get_param: FrrPacemakerVipNic} service_config_settings: rsyslog: tripleo_logging_sources_frr: - {get_param: FrrLoggingSource} firewall_rules: '156 bgp tcp': if: - {get_param: FrrBgpEnabled} - proto: 'tcp' dport: 179 '156 bfd udp': if: - {get_param: FrrBfdEnabled} - proto: 'udp' dport: - 3784 - 3785 kolla_config: /var/lib/kolla/config_files/frr.json: # Note: We can drop /usr/libexec/frr/frrinit.sh once we stop supporting/using frr 7.x # Note: This is currently needed because watchfrr *always* demonizes command: bash -c $* -- eval if [ -f /usr/libexec/frr/frrinit.sh ]; then /usr/libexec/frr/frrinit.sh start; else /usr/lib/frr/frr start; fi && exec /bin/sleep infinity config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /etc/frr owner: frr:frr recurse: true - path: /var/log/frr owner: frr:frr recurse: true - path: /run/frr owner: frr:frrvty recurse: true /var/lib/kolla/config_files/ovn_bgp_agent.json: command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /etc/ovn-bgp-agent owner: ovn-bgp:ovn-bgp recurse: true - path: /var/log/ovn-bgp-agent owner: ovn-bgp:ovn-bgp recurse: true - path: /etc/pki/tls/certs/ovn_bgp_agent.crt owner: ovn-bgp:ovn-bgp optional: true perm: '0644' - path: /etc/pki/tls/private/ovn_bgp_agent.key owner: ovn-bgp:ovn-bgp optional: true perm: '0640' metadata_settings: if: - {get_param: EnableInternalTLS} - - service: ovn_bgp_agent network: {get_param: [ServiceNetMap, OvnDbsNetwork]} type: node docker_config: # NOTE: Create container-startup-config file in step 0 so that TripleO # does not auto-start the FRR container (it does so for containers in # step 1-5). FRR will be started in the pre_deploy_step_tasks step_0: frr: start_order: 0 image: {get_attr: [RoleParametersValue, value, ContainerFrrImage]} net: host restart: always healthcheck: test: /openstack/healthcheck cap_add: - NET_BIND_SERVICE - NET_RAW - NET_ADMIN - SYS_ADMIN # We cannot bind mount the InternalTLSCAFile as freeipa might not # be reachable without frr volumes: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev/log:/dev/log # OpenSSL trusted CAs - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro - /var/lib/kolla/config_files/frr.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/ansible-generated/frr:/var/lib/kolla/config_files/src:ro - /var/log/containers/frr:/var/log/frr:z - /run/frr:/run/frr:shared,z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS step_5: ovn_bgp_agent: start_order: 0 image: {get_attr: [RoleParametersValue, value, ContainerOvnBgpAgentImage]} net: host pid: host cgroupns: host restart: always privileged: true healthcheck: test: /openstack/healthcheck # We cannot bind mount the InternalTLSCAFile as freeipa might not # be reachable without frr volumes: list_concat: - - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /dev/log:/dev/log - /etc/iproute2:/etc/iproute2 # OpenSSL trusted CAs - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro - /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro - /run/frr:/run/frr:shared,z - /run/openvswitch:/run/openvswitch:shared,z - if: - {get_param: EnableInternalTLS} - - list_join: - ':' - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - 'ro' - /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt - /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key - null environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS deploy_steps_tasks: - name: Certificate generation when: - step|int == 1 - enable_internal_tls block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: ovn_bgp_agent dns: str_replace: template: "{{fqdn_$NETWORK}}" params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} principal: str_replace: template: "ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}" params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} key_size: if: - key_size_override_set - {get_param: OvnBgpAgentCertificateKeySize} - {get_param: CertificateKeySize} ca: ipa host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' } pre_deploy_step_tasks: - name: Configure FRR import_role: name: tripleo_frr vars: tripleo_frr_config_basedir: /var/lib/config-data/ansible-generated/frr tripleo_frr_bfd: {get_param: FrrBfdEnabled} tripleo_frr_bgp: {get_param: FrrBgpEnabled} tripleo_frr_bgp_asn: {get_param: FrrBgpAsn} tripleo_frr_bgp_ipv4: {get_param: FrrBgpIpv4Enabled} tripleo_frr_bgp_ipv4_allowas_in: {get_param: FrrBgpIpv4AllowASIn} tripleo_frr_bgp_ipv4_src_network: {get_param: FrrBgpIpv4SrcNetwork} tripleo_frr_bgp_ipv6: {get_param: FrrBgpIpv6Enabled} tripleo_frr_bgp_ipv6_allowas_in: {get_param: FrrBgpIpv6AllowASIn} tripleo_frr_bgp_ipv6_src_network: {get_param: FrrBgpIpv6SrcNetwork} tripleo_frr_bgp_neighbor_ttl_security_hops: {get_param: FrrBgpNeighborTtlSecurityHops} tripleo_frr_bgp_uplinks: {get_param: FrrBgpUplinks} tripleo_frr_bgp_uplinks_scope: {get_param: FrrBgpUplinksScope} tripleo_frr_log_level: {get_param: FrrLogLevel} tripleo_frr_zebra: {get_param: FrrZebraEnabled} tripleo_frr_bgp_l2vpn: {get_param: FrrBgpL2VpnEnabled} tripleo_frr_bgp_l2vpn_ebgp_multihop: {get_param: FrrBgpL2VpnEbgpMultihop} tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate} tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers} tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope} tripleo_frr_ovn_bgp_agent_bridge_mappings: {get_param: NeutronBridgeMappings} tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS} tripleo_frr_ovn_bgp_agent_driver: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_driver]} tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_param: FrrOvnBgpAgentExposeTenantNetworks} tripleo_frr_ovn_bgp_agent_bgp_as: {get_param: FrrOvnBgpAgentAsn} tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_param: FrrOvnBgpAgentOvsdbConnection} - name: Start FRR include_role: name: tripleo_container_manage vars: tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_0" tripleo_container_manage_config_id: "frr" tripleo_container_manage_config_patterns: "frr.json" tripleo_container_manage_clean_orphans: false update_tasks: [] upgrade_tasks: []