tripleo-heat-templates/deployment/octavia/octavia-api-container-puppet.yaml

469 lines
19 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack Octavia service configured with Puppet
parameters:
ContainerOctaviaApiImage:
description: image
type: string
ContainerOctaviaConfigImage:
description: The container image to use for the octavia config_volume
type: string
OctaviaApiLoggingSource:
type: json
default:
tag: openstack.octavia.api
file: /var/log/containers/octavia/api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
OctaviaUserName:
description: The username for the Octavia database and keystone accounts.
type: string
default: 'octavia'
OctaviaPassword:
description: The password for the Octavia database and keystone accounts.
type: string
hidden: true
OctaviaProjectName:
description: The project name for the keystone Octavia account.
type: string
default: 'service'
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionOctaviaApi:
default: 'overcloud-octavia-api'
type: string
OctaviaApiPolicies:
description: |
A hash of policies to configure for Octavia API.
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
OctaviaFlavorProperties:
default:
ram : '1024'
disk : '3'
vcpus: '1'
description: Dictionary describing the nova flavor for amphora.
type: json
OctaviaManageNovaFlavor:
default: true
description: Configure the nova flavor for the amphora.
type: boolean
OctaviaEnableDriverAgent:
default: true
description: Set to false if the driver agent needs to be disabled for some reason.
type: boolean
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
OctaviaProviderConfig:
type: ./providers/ovn-provider-config.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
OctaviaBase:
type: ./octavia-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
OctaviaWorker: # provides Nova flavor
type: ./octavia-worker-container-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
keystone_resources:
octavia:
endpoints:
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
project: {get_param: OctaviaProjectName}
users:
octavia:
name: {get_param: OctaviaUserName}
password: {get_param: OctaviaPassword}
project: {get_param: OctaviaProjectName}
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
- {get_attr: [OctaviaBase, role_data, config_settings]}
- {get_attr: [OctaviaWorker, role_data, config_settings]}
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
octavia::keystone::authtoken::user_domain_name: 'Default'
octavia::keystone::authtoken::project_domain_name: 'Default'
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
octavia::keystone::authtoken::interface: 'internal'
octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
octavia::api::service_name: 'httpd'
octavia::api::enable_proxy_headers_parsing: true
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
octavia::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
octavia::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
octavia::api::host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
- octavia::api::provider_drivers:
list_join:
- ','
- list_concat:
- - 'amphora: The Octavia Amphora driver.'
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
- if:
- {get_param: OctaviaEnableDriverAgent}
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
service_config_settings:
rsyslog:
tripleo_logging_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
octavia::db::mysql::dbname: octavia
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: octavia
puppet_tags:
list_join:
- ','
- - octavia_config
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::octavia::api"
- if:
- {get_param: OctaviaEnableDriverAgent}
- "include octavia::driver_agent"
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerOctaviaConfigImage}
kolla_config:
/var/lib/kolla/config_files/octavia_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files: &octavia_api_config_files
list_concat:
-
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
permissions: &octavia_api_permissions
list_concat:
-
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
- path: /run/octavia
owner: octavia:octavia
recurse: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
/var/lib/kolla/config_files/octavia_driver_agent.json:
command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
- path: /run/octavia
owner: octavia:octavia
recurse: true
/var/lib/kolla/config_files/octavia_api_db_sync.json:
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
config_files: *octavia_api_config_files
permissions: *octavia_api_permissions
container_puppet_tasks:
step_5:
config_volume: octavia
puppet_tags: nova_flavor
step_config: |
include ::octavia::worker
config_image: {get_param: ContainerOctaviaConfigImage}
volumes:
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
deploy_steps_tasks:
get_attr: [OctaviaProviderConfig, role_data, deploy_steps_tasks]
docker_config:
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
step_2:
octavia_api_init_dirs:
start_order: 0
image: &octavia_api_image {get_param: ContainerOctaviaApiImage}
net: none
user: root
volumes:
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
# It is normally created as part of the RPM install, but it is
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
- /var/log/containers/octavia:/var/log/octavia:z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
step_3:
octavia_db_sync:
start_order: 0
image: *octavia_api_image
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/octavia_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
map_merge:
- octavia_api:
start_order: 2
image: *octavia_api_image
net: host
user: root
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- if:
- {get_param: OctaviaEnableDriverAgent}
- octavia_driver_agent:
start_order: 2
image: *octavia_api_image
net: host
privileged: true
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
- name: ensure /run/octavia is present upon reboot
copy:
dest: /etc/tmpfiles.d/run-octavia.conf
content: |
d /run/octavia 0755 root root - -
update_tasks:
list_concat:
- {get_attr: [OctaviaBase, role_data, update_tasks]}
- - name: octavia_api_tmpfile_cleanup
when: step|int == 1
block: &octavia_api_tmpfile_cleanup
- name: octavia_api_tmpfile_cleanup
file:
path: /etc/tmpfiles.d/var-run-octavia.conf
state: absent
- name: Set internal tls variable
set_fact:
internal_tls_enabled: {get_param: EnableInternalTLS}
- name: remove TLS proxy if configured and running
when:
- step|int == 2
- internal_tls_enabled|bool
block: &remove_octavia_tls_proxy_tasks
- name: stop and remove octavia_api_tls_proxy container if docker
docker:
name: octavia_api_tls_proxy
state: absent
when: container_cli == 'docker'
- name: "check if tripleo_octavia_api_tls_proxy service exists in systemd"
stat:
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
register: systemd_exists
- name: Remove tripleo_octavia_api_tls_proxy service
when:
- container_cli == 'podman'
- systemd_exists.stat.exists
block:
- name: stop and disable octavia_api_tls_proxy container
systemd:
name: tripleo_octavia_api_tls_proxy
state: stopped
enabled: no
- name: clean up tripleo service file for octavia_api_tls_proxy
file:
state: absent
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
- name: reload systemd
systemd:
daemon-reload: yes
upgrade_tasks:
list_concat:
- {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
- - name: octavia_api_tmpfile_cleanup
when: step|int == 1
block: *octavia_api_tmpfile_cleanup
- name: Set internal tls variable
set_fact:
internal_tls_enabled: {get_param: EnableInternalTLS}
- name: remove TLS proxy if configured and running
when:
- step|int == 2
- internal_tls_enabled|bool
block: *remove_octavia_tls_proxy_tasks
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop octavia api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- octavia_api
tripleo_delegate_to: "{{ groups['octavia_api'] | default([]) }}"