469 lines
19 KiB
YAML
469 lines
19 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack Octavia service configured with Puppet
|
|
|
|
parameters:
|
|
ContainerOctaviaApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerOctaviaConfigImage:
|
|
description: The container image to use for the octavia config_volume
|
|
type: string
|
|
OctaviaApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.octavia.api
|
|
file: /var/log/containers/octavia/api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
OctaviaUserName:
|
|
description: The username for the Octavia database and keystone accounts.
|
|
type: string
|
|
default: 'octavia'
|
|
OctaviaPassword:
|
|
description: The password for the Octavia database and keystone accounts.
|
|
type: string
|
|
hidden: true
|
|
OctaviaProjectName:
|
|
description: The project name for the keystone Octavia account.
|
|
type: string
|
|
default: 'service'
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionOctaviaApi:
|
|
default: 'overcloud-octavia-api'
|
|
type: string
|
|
OctaviaApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Octavia API.
|
|
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
OctaviaFlavorProperties:
|
|
default:
|
|
ram : '1024'
|
|
disk : '3'
|
|
vcpus: '1'
|
|
description: Dictionary describing the nova flavor for amphora.
|
|
type: json
|
|
OctaviaManageNovaFlavor:
|
|
default: true
|
|
description: Configure the nova flavor for the amphora.
|
|
type: boolean
|
|
OctaviaEnableDriverAgent:
|
|
default: true
|
|
description: Set to false if the driver agent needs to be disabled for some reason.
|
|
type: boolean
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
OctaviaProviderConfig:
|
|
type: ./providers/ovn-provider-config.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaBase:
|
|
type: ./octavia-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaWorker: # provides Nova flavor
|
|
type: ./octavia-worker-container-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Octavia API role.
|
|
value:
|
|
service_name: octavia_api
|
|
firewall_rules:
|
|
'120 octavia api':
|
|
dport:
|
|
- 9876
|
|
- 13876
|
|
keystone_resources:
|
|
octavia:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
|
|
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
|
|
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
|
|
project: {get_param: OctaviaProjectName}
|
|
users:
|
|
octavia:
|
|
name: {get_param: OctaviaUserName}
|
|
password: {get_param: OctaviaPassword}
|
|
project: {get_param: OctaviaProjectName}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'load-balancer'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [OctaviaBase, role_data, config_settings]}
|
|
- {get_attr: [OctaviaWorker, role_data, config_settings]}
|
|
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
|
|
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
|
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
|
octavia::keystone::authtoken::user_domain_name: 'Default'
|
|
octavia::keystone::authtoken::project_domain_name: 'Default'
|
|
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
octavia::keystone::authtoken::interface: 'internal'
|
|
octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
|
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
|
|
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
|
|
octavia::api::service_name: 'httpd'
|
|
octavia::api::enable_proxy_headers_parsing: true
|
|
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
octavia::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
octavia::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
|
# proxy in front.
|
|
octavia::api::host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
- octavia::api::provider_drivers:
|
|
list_join:
|
|
- ','
|
|
- list_concat:
|
|
- - 'amphora: The Octavia Amphora driver.'
|
|
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
|
|
- if:
|
|
- {get_param: OctaviaEnableDriverAgent}
|
|
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_octavia_api:
|
|
- {get_param: OctaviaApiLoggingSource}
|
|
mysql:
|
|
octavia::db::mysql::password: {get_param: OctaviaPassword}
|
|
octavia::db::mysql::user: {get_param: OctaviaUserName}
|
|
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
octavia::db::mysql::dbname: octavia
|
|
octavia::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
# BEGIN DOCKER SETTINGS #
|
|
puppet_config:
|
|
config_volume: octavia
|
|
puppet_tags:
|
|
list_join:
|
|
- ','
|
|
- - octavia_config
|
|
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::octavia::api"
|
|
- if:
|
|
- {get_param: OctaviaEnableDriverAgent}
|
|
- "include octavia::driver_agent"
|
|
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/octavia_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files: &octavia_api_config_files
|
|
list_concat:
|
|
-
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
|
|
permissions: &octavia_api_permissions
|
|
list_concat:
|
|
-
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
|
|
/var/lib/kolla/config_files/octavia_driver_agent.json:
|
|
command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
/var/lib/kolla/config_files/octavia_api_db_sync.json:
|
|
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
|
|
config_files: *octavia_api_config_files
|
|
permissions: *octavia_api_permissions
|
|
container_puppet_tasks:
|
|
step_5:
|
|
config_volume: octavia
|
|
puppet_tags: nova_flavor
|
|
step_config: |
|
|
include ::octavia::worker
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
volumes:
|
|
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
|
|
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
|
|
deploy_steps_tasks:
|
|
get_attr: [OctaviaProviderConfig, role_data, deploy_steps_tasks]
|
|
docker_config:
|
|
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
|
|
step_2:
|
|
octavia_api_init_dirs:
|
|
start_order: 0
|
|
image: &octavia_api_image {get_param: ContainerOctaviaApiImage}
|
|
net: none
|
|
user: root
|
|
volumes:
|
|
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
|
|
# It is normally created as part of the RPM install, but it is
|
|
# missing here because we use the same config_volume for all
|
|
# octavia services, hence the same container image to generate
|
|
# configuration.
|
|
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
|
|
step_3:
|
|
octavia_db_sync:
|
|
start_order: 0
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/octavia_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
step_4:
|
|
map_merge:
|
|
- octavia_api:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- if:
|
|
- {get_param: OctaviaEnableDriverAgent}
|
|
- octavia_driver_agent:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: true
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
|
|
- name: ensure /run/octavia is present upon reboot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/run-octavia.conf
|
|
content: |
|
|
d /run/octavia 0755 root root - -
|
|
update_tasks:
|
|
list_concat:
|
|
- {get_attr: [OctaviaBase, role_data, update_tasks]}
|
|
- - name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: &octavia_api_tmpfile_cleanup
|
|
- name: octavia_api_tmpfile_cleanup
|
|
file:
|
|
path: /etc/tmpfiles.d/var-run-octavia.conf
|
|
state: absent
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: &remove_octavia_tls_proxy_tasks
|
|
- name: stop and remove octavia_api_tls_proxy container if docker
|
|
docker:
|
|
name: octavia_api_tls_proxy
|
|
state: absent
|
|
when: container_cli == 'docker'
|
|
- name: "check if tripleo_octavia_api_tls_proxy service exists in systemd"
|
|
stat:
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
register: systemd_exists
|
|
- name: Remove tripleo_octavia_api_tls_proxy service
|
|
when:
|
|
- container_cli == 'podman'
|
|
- systemd_exists.stat.exists
|
|
block:
|
|
- name: stop and disable octavia_api_tls_proxy container
|
|
systemd:
|
|
name: tripleo_octavia_api_tls_proxy
|
|
state: stopped
|
|
enabled: no
|
|
- name: clean up tripleo service file for octavia_api_tls_proxy
|
|
file:
|
|
state: absent
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
- name: reload systemd
|
|
systemd:
|
|
daemon-reload: yes
|
|
|
|
upgrade_tasks:
|
|
list_concat:
|
|
- {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
|
|
- - name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: *octavia_api_tmpfile_cleanup
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: *remove_octavia_tls_proxy_tasks
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop octavia api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- octavia_api
|
|
tripleo_delegate_to: "{{ groups['octavia_api'] | default([]) }}"
|