8e052715c8
Today for some services we mount in /var/lib/config-data/<service>/etc which is actually an output from the container-puppet process. We should be using kolla to ensure that we properly create the configurations based on the puppet generated configurations and things in the container. Some services correctly leverage the kolla_config that the associated api/service uses when running their db sync. This patch aligns the rest to follow the similar pattern. Change-Id: I0e3d5748a50937880a55413b75fe6eca479c9160
459 lines
19 KiB
YAML
459 lines
19 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack Octavia service configured with Puppet
|
|
|
|
parameters:
|
|
ContainerOctaviaApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerOctaviaConfigImage:
|
|
description: The container image to use for the octavia config_volume
|
|
type: string
|
|
OctaviaApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.octavia.api
|
|
file: /var/log/containers/octavia/api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
OctaviaUserName:
|
|
description: The username for the Octavia database and keystone accounts.
|
|
type: string
|
|
default: 'octavia'
|
|
OctaviaPassword:
|
|
description: The password for the Octavia database and keystone accounts.
|
|
type: string
|
|
hidden: true
|
|
OctaviaProjectName:
|
|
description: The project name for the keystone Octavia account.
|
|
type: string
|
|
default: 'service'
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionOctaviaApi:
|
|
default: 'overcloud-octavia-api'
|
|
type: string
|
|
OctaviaApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Octavia API.
|
|
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
OctaviaFlavorProperties:
|
|
default:
|
|
ram : '1024'
|
|
disk : '3'
|
|
vcpus: '1'
|
|
description: Dictionary describing the nova flavor for amphora.
|
|
type: json
|
|
OctaviaManageNovaFlavor:
|
|
default: true
|
|
description: Configure the nova flavor for the amphora.
|
|
type: boolean
|
|
OctaviaEnableDriverAgent:
|
|
default: true
|
|
description: Set to false if the driver agent needs to be disabled for some reason.
|
|
type: boolean
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
OctaviaProviderConfig:
|
|
type: ./providers/ovn-provider-config.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaBase:
|
|
type: ./octavia-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaWorker: # provides Nova flavor
|
|
type: ./octavia-worker-container-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Octavia API role.
|
|
value:
|
|
service_name: octavia_api
|
|
firewall_rules:
|
|
'120 octavia api':
|
|
dport:
|
|
- 9876
|
|
- 13876
|
|
keystone_resources:
|
|
octavia:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
|
|
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
|
|
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
|
|
project: {get_param: OctaviaProjectName}
|
|
users:
|
|
octavia:
|
|
name: {get_param: OctaviaUserName}
|
|
password: {get_param: OctaviaPassword}
|
|
project: {get_param: OctaviaProjectName}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'load-balancer'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [OctaviaBase, role_data, config_settings]}
|
|
- {get_attr: [OctaviaWorker, role_data, config_settings]}
|
|
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
|
|
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
|
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
|
octavia::keystone::authtoken::user_domain_name: 'Default'
|
|
octavia::keystone::authtoken::project_domain_name: 'Default'
|
|
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
octavia::keystone::authtoken::interface: 'internal'
|
|
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
|
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
|
|
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
|
|
octavia::api::service_name: 'httpd'
|
|
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
octavia::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
octavia::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
|
# proxy in front.
|
|
octavia::api::host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
- octavia::api::provider_drivers:
|
|
list_join:
|
|
- ','
|
|
- list_concat:
|
|
- - 'amphora: The Octavia Amphora driver.'
|
|
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
|
|
- if:
|
|
- {get_param: OctaviaEnableDriverAgent}
|
|
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_octavia_api:
|
|
- {get_param: OctaviaApiLoggingSource}
|
|
mysql:
|
|
octavia::db::mysql::password: {get_param: OctaviaPassword}
|
|
octavia::db::mysql::user: {get_param: OctaviaUserName}
|
|
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
octavia::db::mysql::dbname: octavia
|
|
octavia::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
# BEGIN DOCKER SETTINGS #
|
|
puppet_config:
|
|
config_volume: octavia
|
|
puppet_tags:
|
|
list_join:
|
|
- ','
|
|
- - octavia_config
|
|
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::octavia::api"
|
|
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/octavia_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files: &octavia_api_config_files
|
|
list_concat:
|
|
-
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
|
|
permissions: &octavia_api_permissions
|
|
list_concat:
|
|
-
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
|
|
/var/lib/kolla/config_files/octavia_driver_agent.json:
|
|
command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
/var/lib/kolla/config_files/octavia_driver_agent_db_sync.json:
|
|
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
|
|
config_files: *octavia_api_config_files
|
|
permissions: *octavia_api_permissions
|
|
container_puppet_tasks:
|
|
step_5:
|
|
config_volume: octavia
|
|
puppet_tags: nova_flavor
|
|
step_config: |
|
|
include ::octavia::worker
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
volumes:
|
|
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
|
|
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
|
|
deploy_steps_tasks:
|
|
get_attr: [OctaviaProviderConfig, role_data, deploy_steps_tasks]
|
|
docker_config:
|
|
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
|
|
step_2:
|
|
octavia_api_init_dirs:
|
|
start_order: 0
|
|
image: &octavia_api_image {get_param: ContainerOctaviaApiImage}
|
|
net: none
|
|
user: root
|
|
volumes:
|
|
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
|
|
# It is normally created as part of the RPM install, but it is
|
|
# missing here because we use the same config_volume for all
|
|
# octavia services, hence the same container image to generate
|
|
# configuration.
|
|
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
|
|
step_3:
|
|
octavia_db_sync:
|
|
start_order: 0
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/octavia_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
step_4:
|
|
map_merge:
|
|
- octavia_api:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- if:
|
|
- {get_param: OctaviaEnableDriverAgent}
|
|
- octavia_driver_agent:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: true
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
|
|
- name: ensure /run/octavia is present upon reboot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/run-octavia.conf
|
|
content: |
|
|
d /run/octavia 0755 root root - -
|
|
update_tasks:
|
|
list_concat:
|
|
- {get_attr: [OctaviaBase, role_data, update_tasks]}
|
|
- - name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: &octavia_api_tmpfile_cleanup
|
|
- name: octavia_api_tmpfile_cleanup
|
|
file:
|
|
path: /etc/tmpfiles.d/var-run-octavia.conf
|
|
state: absent
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: &remove_octavia_tls_proxy_tasks
|
|
- name: stop and remove octavia_api_tls_proxy container if docker
|
|
docker:
|
|
name: octavia_api_tls_proxy
|
|
state: absent
|
|
when: container_cli == 'docker'
|
|
- name: "check if tripleo_octavia_api_tls_proxy service exists in systemd"
|
|
stat:
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
register: systemd_exists
|
|
- name: Remove tripleo_octavia_api_tls_proxy service
|
|
when:
|
|
- container_cli == 'podman'
|
|
- systemd_exists.stat.exists
|
|
block:
|
|
- name: stop and disable octavia_api_tls_proxy container
|
|
systemd:
|
|
name: tripleo_octavia_api_tls_proxy
|
|
state: stopped
|
|
enabled: no
|
|
- name: clean up tripleo service file for octavia_api_tls_proxy
|
|
file:
|
|
state: absent
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
- name: reload systemd
|
|
systemd:
|
|
daemon-reload: yes
|
|
|
|
upgrade_tasks:
|
|
list_concat:
|
|
- {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
|
|
- - name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: *octavia_api_tmpfile_cleanup
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: *remove_octavia_tls_proxy_tasks
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop octavia api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- octavia_api
|
|
tripleo_delegate_to: "{{ groups['octavia_api'] | default([]) }}"
|