heat_template_version: wallaby

parameters:
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  NeutronMechanismDrivers:
    default: 'ovn'
    description: |
        The mechanism drivers for the Neutron tenant network.
    type: comma_delimited_list
  OctaviaOvnProviderProtocol:
    default: ''
    description: |
        The protocol used by OVN driver to connect to northbound database.
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  OctaviaCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service

conditions:
  is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
  ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, {get_param: EnableInternalTLS}]}
  octavia_provider_ovn_protocol_set:
    not: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
  key_size_override_set:
    not: {equals: [{get_param: OctaviaCertificateKeySize}, '']}

outputs:
  role_data:
    description: OVN provider driver configuraton
    value:
      config_settings:
        map_merge:
          - if:
              - is_ovn_in_neutron_mechanism_driver
              - octavia::driver_agent::enabled_provider_agents: 'ovn'
          - if:
              - octavia_provider_ovn_protocol_set
              - tripleo::profile::base::octavia::provider::ovn::protocol: {get_param: OctaviaOvnProviderProtocol}
              - if:
                  - {get_param: EnableInternalTLS}
                  - tripleo::profile::base::octavia::provider::ovn::protocol: 'ssl'
                  - tripleo::profile::base::octavia::provider::ovn::protocol: 'tcp'
          - if:
              - ovn_and_tls
              - tripleo::profile::base::octavia::provider::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
                tripleo::profile::base::octavia::provider::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
                tripleo::profile::base::octavia::provider::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_octavia.key'
      puppet_tags: octavia_ovn_provider_config
      provider_driver_labels:
        if:
          - is_ovn_in_neutron_mechanism_driver
          - ['ovn: Octavia OVN driver.']
      step_config:
          if:
            - is_ovn_in_neutron_mechanism_driver
            - "include tripleo::profile::base::octavia::provider::ovn"
            - "\n"
      metadata_settings:
        if:
          - ovn_and_tls
          - - service: ovn_octavia
              network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
              type: node
      volumes:
         if:
           - ovn_and_tls
           - - /etc/pki/tls/certs/ovn_octavia.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_octavia.crt:ro
             - /etc/pki/tls/private/ovn_octavia.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_octavia.key:ro
      kolla_permissions:
        if:
          - ovn_and_tls
          - - path: /etc/pki/tls/certs/ovn_octavia.crt
              owner: octavia:octavia
              perm: '0644'
            - path: /etc/pki/tls/private/ovn_octavia.key
              owner: octavia:octavia
              perm: '0640'
      kolla_config_files:
        if:
          - ovn_and_tls
          - - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
      deploy_steps_tasks:
        if:
          - ovn_and_tls
          - - name: Certificate generation
              when: step|int == 1
              block:
                - include_role:
                    name: linux-system-roles.certificate
                  vars:
                    certificate_requests:
                      - name: ovn_octavia
                        dns:
                          str_replace:
                            template: "{{fqdn_$NETWORK}}"
                            params:
                              $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                        principal:
                          str_replace:
                            template: "ovn_octavia/{{fqdn_$NETWORK}}@{{idm_realm}}"
                            params:
                              $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                        key_size:
                          if:
                            - key_size_override_set
                            - {get_param: OctaviaCertificateKeySize}
                            - {get_param: CertificateKeySize}
                        ca: ipa