openstack/tripleo-heat-templates
Code Issues Proposed changes
01b4d2e76d
tripleo-heat-templates/deployment/octavia/octavia-api-container-puppet.yaml
Gregory Thiemonge 952b73eb6e Fix OctaviaApiLoggingSource default value 
The default file for OctaviaApiLoggingSource was api.log, but it should
be octavia.log [0]

[0] https://opendev.org/openstack/puppet-octavia/src/branch/master/manifests/logging.pp\#L115

wallaby-backport-potential

Change-Id: If5383028f7f92cf5dcd3ca40390ea37e59cbf9ae
(cherry picked from commit 88de441153)
2023-03-20 17:01:31 +01:00

512 lines
21 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack Octavia service configured with Puppet
parameters:
ContainerOctaviaApiImage:
description: image
type: string
tags:
- role_specific
ContainerOctaviaConfigImage:
description: The container image to use for the octavia config_volume
type: string
tags:
- role_specific
OctaviaApiLoggingSource:
type: json
default:
tag: openstack.octavia.api
file: /var/log/containers/octavia/octavia.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
OctaviaUserName:
description: The username for the Octavia database and keystone accounts.
type: string
default: 'octavia'
OctaviaPassword:
description: The password for the Octavia database and keystone accounts.
type: string
hidden: true
OctaviaProjectName:
description: The project name for the keystone Octavia account.
type: string
default: 'service'
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionOctaviaApi:
default: 'overcloud-octavia-api'
type: string
OctaviaApiPolicies:
description: |
A hash of policies to configure for Octavia API.
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
OctaviaEnableDriverAgent:
default: true
description: Set to false if the driver agent needs to be disabled for some reason.
type: boolean
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
OctaviaWorkers:
default: 0
description: Number of workers for Octavia service.
type: number
OctaviaDefaultListenerCiphers:
type: comma_delimited_list
description: >
Default list of OpenSSL ciphers for new TLS-enabled listeners.
default: []
OctaviaDefaultPoolCiphers:
type: comma_delimited_list
description: >
Default list of OpenSSL ciphers for new TLS-enabled pools.
default: []
OctaviaTlsCiphersProhibitList:
type: comma_delimited_list
description: >
List of OpenSSL ciphers. Usage of these ciphers will be blocked.
default: []
OctaviaListenerTlsVersions:
type: comma_delimited_list
description: >
List of OpenSSL cipher string of TLS versions to use for
new TLS-enabled listeners.
default: ['TLSv1.2', 'TLSv1.3']
OctaviaPoolTlsVersions:
type: comma_delimited_list
description: >
List of TLS versions to use for new TLS-enabled pools.
default: ['TLSv1.2', 'TLSv1.3']
OctaviaMinimumTlsVersion:
type: string
description: >
Minimum allowed TLS version for listeners and pools.
default: ''
conditions:
octavia_workers_set:
not: {equals : [{get_param: OctaviaWorkers}, 0]}
octavia_default_listener_ciphers_set:
not: {equals : [{get_param: OctaviaDefaultListenerCiphers}, []]}
octavia_default_pool_ciphers_set:
not: {equals : [{get_param: OctaviaDefaultPoolCiphers}, []]}
octavia_min_tls_version_set:
not: {equals : [{get_param: OctaviaMinimumTlsVersion}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
OctaviaProviderConfig:
type: ./providers/ovn-provider-config.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
OctaviaBase:
type: ./octavia-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
OctaviaWorker: # provides Nova flavor
type: ./octavia-worker-container-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerOctaviaApiImage: ContainerOctaviaApiImage
ContainerOctaviaConfigImage: ContainerOctaviaConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerOctaviaApiImage: {get_param: ContainerOctaviaApiImage}
ContainerOctaviaConfigImage: {get_param: ContainerOctaviaConfigImage}
outputs:
role_data:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
firewall_rules:
'120 octavia api':
dport:
- 9876
firewall_frontend_rules:
'100 octavia_haproxy_frontend':
dport:
- 9876
firewall_ssl_frontend_rules:
'100 octavia_haproxy_frontend_ssl':
dport:
- 13876
keystone_resources:
octavia:
endpoints:
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
project: {get_param: OctaviaProjectName}
users:
octavia:
name: {get_param: OctaviaUserName}
password: {get_param: OctaviaPassword}
project: {get_param: OctaviaProjectName}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'load-balancer'
roles:
- load-balancer_admin
- load-balancer_quota_admin
- load-balancer_member
- load-balancer_global_observer
- load-balancer_observer
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
- {get_attr: [OctaviaBase, role_data, config_settings]}
- {get_attr: [OctaviaWorker, role_data, config_settings]}
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
octavia::keystone::authtoken::user_domain_name: 'Default'
octavia::keystone::authtoken::project_domain_name: 'Default'
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
octavia::keystone::authtoken::interface: 'internal'
octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::api::service_name: 'httpd'
octavia::api::enable_proxy_headers_parsing: true
octavia::api::healthcheck_enabled: true
octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
octavia::wsgi::apache::access_log_format: 'forwarded'
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
octavia::wsgi::apache::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
octavia::wsgi::apache::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
octavia::api::host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
tripleo::profile::base::octavia::enable_driver_agent: {get_param: OctaviaEnableDriverAgent}
octavia::api::enabled_provider_drivers:
list_join:
- ','
- list_concat:
- - 'amphora: The Octavia Amphora driver.'
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
- if:
- {get_param: OctaviaEnableDriverAgent}
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
octavia::api::sync_db: false
- if:
- octavia_workers_set
- octavia::wsgi::apache::workers: {get_param: OctaviaWorkers}
- if:
- octavia_default_listener_ciphers_set
- octavia::api::default_listener_ciphers: {get_param: OctaviaDefaultListenerCiphers}
- if:
- octavia_default_pool_ciphers_set
- octavia::api::default_pool_ciphers: {get_param: OctaviaDefaultPoolCiphers}
- if:
- octavia_min_tls_version_set
- octavia::api::minimum_tls_version: {get_param: OctaviaMinimumTlsVersion}
service_config_settings:
rsyslog:
tripleo_logging_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: '%'
octavia::db::mysql::dbname: octavia
octavia::db::mysql::persistence_dbname: octavia_persistence
horizon:
horizon::dashboards::octavia::policies: {get_param: OctaviaApiPolicies}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: octavia
puppet_tags:
list_join:
- ','
- - octavia_config
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::octavia::api"
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerOctaviaConfigImage]}
kolla_config:
/var/lib/kolla/config_files/octavia_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files: &octavia_api_config_files
list_concat:
-
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
permissions: &octavia_api_permissions
list_concat:
-
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
- path: /run/octavia
owner: octavia:octavia
recurse: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
/var/lib/kolla/config_files/octavia_driver_agent.json:
command: /usr/bin/octavia-driver-agent --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
config_files:
list_concat:
-
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
permissions:
list_concat:
-
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
- path: /run/octavia
owner: octavia:octavia
recurse: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
/var/lib/kolla/config_files/octavia_api_db_sync.json:
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head && /usr/bin/octavia-db-manage upgrade_persistence'"
config_files: *octavia_api_config_files
permissions: *octavia_api_permissions
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
deploy_steps_tasks:
get_attr: [OctaviaProviderConfig, role_data, deploy_steps_tasks]
docker_config:
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
step_2:
octavia_api_init_dirs:
start_order: 0
image: &octavia_api_image {get_attr: [RoleParametersValue, value, ContainerOctaviaApiImage]}
net: none
user: root
volumes:
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
# It is normally created as part of the RPM install, but it is
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia
- /var/log/containers/octavia:/var/log/octavia:z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
step_3:
octavia_db_sync:
start_order: 0
image: *octavia_api_image
cap_add:
- AUDIT_WRITE
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/octavia_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
- if:
- {get_param: OctaviaEnableDriverAgent}
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
map_merge:
- octavia_api:
start_order: 2
image: *octavia_api_image
net: host
user: root
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- if:
- {get_param: OctaviaEnableDriverAgent}
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- if:
- {get_param: OctaviaEnableDriverAgent}
- octavia_driver_agent:
start_order: 2
image: *octavia_api_image
net: host
privileged: true
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
- name: ensure /run/octavia is present upon reboot
copy:
dest: /etc/tmpfiles.d/run-octavia.conf
content: |
d /run/octavia 0755 root root - -
update_tasks:
list_concat:
- {get_attr: [OctaviaBase, role_data, update_tasks]}
- - name: octavia_api_tmpfile_cleanup
when: step|int == 1
block: &octavia_api_tmpfile_cleanup
- name: octavia_api_tmpfile_cleanup
file:
path: /etc/tmpfiles.d/var-run-octavia.conf
state: absent
upgrade_tasks:
list_concat:
- {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
- - name: octavia_api_tmpfile_cleanup
when: step|int == 1
block: *octavia_api_tmpfile_cleanup
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop octavia api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- octavia_api
tripleo_delegate_to: "{{ groups['octavia_api'] | difference(groups['excluded_overcloud']) }}"
View Git Blame Copy Permalink