heat_template_version: wallaby description: > Configuration of Octavia as-a-service resources in the overcloud. parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json StackAction: type: string description: > Heat action on performed top-level stack. Note StackUpdateType is set to UPGRADE when a major-version upgrade is in progress. constraints: - allowed_values: ['CREATE', 'UPDATE'] OctaviaAmphoraImageName: description: The glance image name used when spawning amphorae. Default is an empty string which will use the file name as the image name. type: string default: '' OctaviaAmphoraImageFilename: description: Filename for the amphora image. Image files are expected to be located in directory /usr/share/openstack-octavia-amphora-images. Using the default of an empty string will cause a distro specific default to be used. (e.g. /usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2 on CentOS and /usr/share/openstack-octavia-amphora-images/octavia-amphora.qcow2 on Red Hat Enterprise Linux). type: string default: '' OctaviaAmphoraImageFormat: default: 'qcow2' description: Image format ('qcow2' or 'raw') of the amphora image. type: string constraints: - allowed_values: ['qcow2', 'raw'] OctaviaAmphoraImageTag: default: 'amphora-image' description: Glance image tag for identifying the amphora image. type: string OctaviaAmphoraImageArchitecture: default: 'x86_64' description: Architecture of the amphora image. type: string OctaviaAmphoraSshKeyName: type: string default: 'octavia-ssh-key' description: SSH key name. OctaviaAmphoraSshKeyFile: type: string default: '' description: Public key file path. User will be able to SSH into amphorae with the provided key. User may, in most cases, also elevate to root from user 'centos' (CentOS), 'ubuntu' (Ubuntu) or 'cloud-user' (RHEL) (depends on how amphora image was created). Logging in to amphorae provides a convenient way to e.g. debug load balancing services. OctaviaAmphoraSshKeyDir: type: string default: '/etc/octavia/ssh' description: Octavia generated SSH key directory. NovaEnableRbdBackend: default: false description: Whether to enable the Rbd backend for Nova ephemeral storage. type: boolean tags: - role_specific OctaviaControlNetwork: description: The name for the neutron network used for the amphora control network type: string default: 'lb-mgmt-net' OctaviaControlSubnet: description: The name for the neutron subnet used for the amphora control network type: string default: 'lb-mgmt-subnet' OctaviaControlSecurityGroup: description: The name for the neutron security group used to control access on the amphora control network type: string default: 'lb-mgmt-sec-group' OctaviaControlSubnetCidr: description: Subnet for amphora control subnet in CIDR form. type: string default: '172.24.0.0/16' OctaviaControlSubnetGateway: description: IP address for control network gateway type: string default: '172.24.0.1' OctaviaControlSubnetPoolStart: description: First address in amphora control subnet address pool. type: string default: '172.24.0.2' OctaviaControlSubnetPoolEnd: description: First address in amphora control subnet address pool. type: string default: '172.24.255.254' OctaviaCaCertFile: type: string default: '/etc/octavia/certs/ca_01.pem' description: Octavia CA certificate file path. OctaviaCaKeyFile: type: string default: '/etc/octavia/certs/private/cakey.pem' description: Octavia CA private key file path. OctaviaServerCertsKeyPassphrase: constraints: - length: { min: 32, max: 32} description: Passphrase for encrypting Amphora Certificates and Private Keys. Must be exactly 32 characters. type: string hidden: true OctaviaCaKeyPassphrase: description: CA private key passphrase. type: string hidden: true OctaviaClientCertFile: default: '/etc/octavia/certs/client.pem' description: Octavia client certificate for amphorae. type: string OctaviaGenerateCerts: type: boolean default: false description: Enable internal generation of certificates for secure communication with amphorae for isolated private clouds or systems where security is not a concern. Otherwise, use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase, OctaviaClientCert and OctaviaServerCertsKeyPassphrase to configure Octavia. OctaviaMgmtPortDevName: type: string default: "o-hm0" description: Name of the octavia management network interface using for communication between octavia worker/health-manager with the amphora machine. AdminPassword: description: The password for the keystone admin account, used for monitoring, querying neutron etc. type: string hidden: true OctaviaUserName: description: The username for the Octavia database and keystone accounts. type: string default: 'octavia' OctaviaPassword: description: The password for the Octavia database and keystone accounts. type: string hidden: true OctaviaProjectName: description: The project name for the keystone Octavia account. type: string default: 'service' ContainerCli: type: string default: 'podman' description: CLI tool used to manage containers. constraints: - allowed_values: ['docker', 'podman'] OctaviaLogOffload: default: true description: When true, log messages from the amphora will be forwarded to the administrative log endponts and will be stored with the controller logs. type: boolean conditions: octavia_raw_image_check: or: - equals: - get_param: OctaviaAmphoraImageFormat - raw - get_param: NovaEnableRbdBackend outputs: role_data: description: Role data for the Octavia configuration service value: service_name: octavia_deployment_config upgrade_tasks: [] puppet_config: {} docker_config: {} config_settings: {} external_post_deploy_tasks: - name: octavia_post_deploy block: - name: Set up group_vars set_fact: octavia_ansible_group_vars: os_auth_type: "password" os_identity_api_version: "3" amp_image_name: { get_param: OctaviaAmphoraImageName } amp_image_filename: {get_param: OctaviaAmphoraImageFilename } amp_image_tag: { get_param: OctaviaAmphoraImageTag } amp_hw_arch: { get_param: OctaviaAmphoraImageArchitecture } amp_ssh_key_name: { get_param: OctaviaAmphoraSshKeyName } amp_ssh_key_path: { get_param: OctaviaAmphoraSshKeyFile } amp_ssh_key_dir: { get_param: OctaviaAmphoraSshKeyDir } amp_to_raw: {if: [octavia_raw_image_check, true, false]} auth_username: { get_param: OctaviaUserName } auth_password: { get_param: OctaviaPassword } auth_project_name: { get_param: OctaviaProjectName } lb_mgmt_net_name: { get_param: OctaviaControlNetwork } lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet } lb_sec_group_name: { get_param: OctaviaControlSubnet } lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr } lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway } lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart } lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd } ca_cert_path: { get_param: OctaviaCaCertFile } ca_private_key_path: { get_param: OctaviaCaKeyFile } server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} ca_passphrase: { get_param: OctaviaCaKeyPassphrase } client_cert_path: { get_param: OctaviaClientCertFile } generate_certs: { get_param: OctaviaGenerateCerts } mgmt_port_dev: { get_param: OctaviaMgmtPortDevName } os_password: { get_param: AdminPassword } os_project_name: 'admin' os_username: 'admin' octavia_ansible_playbook: '/usr/share/ansible/tripleo-playbooks/octavia-files.yaml' os_auth_url: { get_param: [EndpointMap, KeystoneV3Public, uri] } os_int_auth_url: { get_param: [EndpointMap, KeystoneInternal, uri] } {% raw %} octavia_local_tmpdir: "{{playbook_dir}}/octavia-ansible/local_dir" octavia_group_vars_dir: "{{playbook_dir}}/octavia-ansible/group_vars" container_cli: { get_param: ContainerCli } enable_log_offloading: { get_param: OctaviaLogOffload } stack_action: { get_param: StackAction } no_log: "{{ hide_sensitive_logs | bool }}" - name: Make needed directories on the undercloud become: true file: path: "{{item}}" state: directory owner: "{{ ansible_user }}" with_items: - "{{playbook_dir}}/octavia-ansible" - "{{ octavia_ansible_group_vars.octavia_local_tmpdir }}" - "{{ octavia_ansible_group_vars.octavia_group_vars_dir }}" - name: Write group_vars file become: true copy: dest: "{{ octavia_ansible_group_vars.octavia_group_vars_dir }}/octavia_vars.yaml" content: "{{ octavia_ansible_group_vars|to_nice_yaml }}" no_log: "{{ hide_sensitive_logs | bool }}" - name: Write octavia inventory become: true copy: dest: "{{playbook_dir}}/octavia-ansible/inventory.yaml" content: | octavia_nodes: hosts: {%- set octavia_groups = ['worker'] -%} {%- for octavia_group in octavia_groups -%} {%- if 'octavia_' ~ octavia_groups %} {% for host in groups['octavia_' ~ octavia_group] -%} {{ hostvars.raw_get(host)['ansible_facts']['hostname'] | lower}}: ansible_user: {{ hostvars.raw_get(host)['ansible_ssh_user'] | default('heat-admin') }} ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) | lower }} canonical_hostname: {{ hostvars.raw_get(host)['canonical_hostname'] | default(host) | lower }} ansible_become: true {% endfor %} {%- endif -%} {%- endfor %} Undercloud: hosts: {% for host in groups['Undercloud'] -%} {{ hostvars.raw_get(host)['ansible_facts']['hostname'] | lower}}: ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) | lower }} ansible_become: false ansible_connection: local {%- endfor -%} - name: Check for ssh_private_key in working directory become: true stat: path: "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') }}" register: detect_private_key_file - name: Set private key location set_fact: octavia_ansible_ssh_key: "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') }}" when: octavia_ansible_ssh_key is not defined and detect_private_key_file.stat.exists - name: Configure octavia command set_fact: config_octavia_cmd: list_join: - ' ' - - ANSIBLE_CONFIG="{{playbook_dir}}/ansible.cfg" ansible-playbook -i "{{playbook_dir}}/octavia-ansible/inventory.yaml" - '--extra-vars @{{ octavia_ansible_group_vars.octavia_group_vars_dir }}/octavia_vars.yaml' - '{% if octavia_ansible_ssh_key is defined %}--private-key {{octavia_ansible_ssh_key}}{% endif %}' - '{{ octavia_ansible_group_vars.octavia_ansible_playbook }}' - set_fact: octavia_log_dir: "{{playbook_dir}}/octavia-ansible/" - debug: msg: "Configure Octavia command is: {{ config_octavia_cmd }}" - name: Configure octavia on overcloud become: true environment: ANSIBLE_HOST_KEY_CHECKING: False ANSIBLE_SSH_RETRIES: 3 ANSIBLE_RETRY_FILES_ENABLED: false ANSIBLE_LOCAL_TEMP: "{{ octavia_ansible_group_vars.octavia_local_tmpdir }}" ANSIBLE_LOG_PATH: "{{ octavia_log_dir }}/octavia-ansible.log" shell: "{{ config_octavia_cmd }}" - name: Purge temp dirs become: true file: state: absent path: "{{ item }}" with_items: - "{{ octavia_ansible_group_vars.octavia_local_tmpdir }}" {% endraw %}