89fde273ea
This change introduces a single parameter, MemcacheUseAdvancedPool, to enable usage of advanced connection pool in keystone middleware. This is useful to avoid bursting connection to memcached. Note that the default value of memcached_use_advanced_pool was changed from false to true during Xena cycle[1], so this parameter is no longer required in master. However the change in keystonemiddleware will never be backported. This change is created so that we can switch to advanced pool even in older releases. [1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939 (To Victoria) Conflicts: deployment/aodh/aodh-api-container-puppet.yaml deployment/glance/glance-api-container-puppet.yaml deployment/gnocchi/gnocchi-api-container-puppet.yaml deployment/manila/manila-api-container-puppet.yaml deployment/nova/nova-api-container-puppet.yaml Closes-Bug: #1931047 Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876 (cherry picked from commit09bcacd25a
) (cherry picked from commit9a89b9add6
)
479 lines
19 KiB
YAML
479 lines
19 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Octavia service configured with Puppet
|
|
|
|
parameters:
|
|
ContainerOctaviaApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerOctaviaConfigImage:
|
|
description: The container image to use for the octavia config_volume
|
|
type: string
|
|
OctaviaApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.octavia.api
|
|
file: /var/log/containers/octavia/api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
OctaviaUserName:
|
|
description: The username for the Octavia database and keystone accounts.
|
|
type: string
|
|
default: 'octavia'
|
|
OctaviaPassword:
|
|
description: The password for the Octavia database and keystone accounts.
|
|
type: string
|
|
hidden: true
|
|
OctaviaProjectName:
|
|
description: The project name for the keystone Octavia account.
|
|
type: string
|
|
default: 'service'
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionOctaviaApi:
|
|
default: 'overcloud-octavia-api'
|
|
type: string
|
|
OctaviaApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Octavia API.
|
|
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
OctaviaFlavorProperties:
|
|
default:
|
|
ram : '1024'
|
|
disk : '3'
|
|
vcpus: '1'
|
|
description: Dictionary describing the nova flavor for amphora.
|
|
type: json
|
|
OctaviaManageNovaFlavor:
|
|
default: true
|
|
description: Configure the nova flavor for the amphora.
|
|
type: boolean
|
|
OctaviaEnableDriverAgent:
|
|
default: true
|
|
description: Set to false if the driver agent needs to be disabled for some reason.
|
|
type: boolean
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
enable_driver_agent: {equals: [{get_param: OctaviaEnableDriverAgent}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
OctaviaProviderConfig:
|
|
type: ./providers/ovn-provider-config.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaBase:
|
|
type: ./octavia-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaWorker: # provides Nova flavor
|
|
type: ./octavia-worker-container-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Octavia API role.
|
|
value:
|
|
service_name: octavia_api
|
|
firewall_rules:
|
|
'120 octavia api':
|
|
dport:
|
|
- 9876
|
|
- 13876
|
|
keystone_resources:
|
|
octavia:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
|
|
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
|
|
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
|
|
project: {get_param: OctaviaProjectName}
|
|
users:
|
|
octavia:
|
|
name: {get_param: OctaviaUserName}
|
|
password: {get_param: OctaviaPassword}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'load-balancer'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [OctaviaBase, role_data, config_settings]}
|
|
- {get_attr: [OctaviaWorker, role_data, config_settings]}
|
|
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
|
|
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
|
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
|
octavia::keystone::authtoken::user_domain_name: 'Default'
|
|
octavia::keystone::authtoken::project_domain_name: 'Default'
|
|
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
octavia::keystone::authtoken::interface: 'internal'
|
|
octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
|
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
|
|
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
|
|
octavia::api::service_name: 'httpd'
|
|
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
octavia::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
octavia::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
|
# proxy in front.
|
|
octavia::api::host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
- octavia::api::provider_drivers:
|
|
list_join:
|
|
- ','
|
|
- list_concat:
|
|
- - 'amphora: The Octavia Amphora driver.'
|
|
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
|
|
-
|
|
if:
|
|
- enable_driver_agent
|
|
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
|
|
- []
|
|
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_octavia_api:
|
|
- {get_param: OctaviaApiLoggingSource}
|
|
mysql:
|
|
octavia::db::mysql::password: {get_param: OctaviaPassword}
|
|
octavia::db::mysql::user: {get_param: OctaviaUserName}
|
|
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
octavia::db::mysql::dbname: octavia
|
|
octavia::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
# BEGIN DOCKER SETTINGS #
|
|
puppet_config:
|
|
config_volume: octavia
|
|
puppet_tags:
|
|
list_join:
|
|
- ','
|
|
- - octavia_config
|
|
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::octavia::api"
|
|
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/octavia_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
list_concat:
|
|
-
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
# TODO(emilien) remove optional flag once we get a promotion
|
|
# https://launchpad.net/bugs/1884115
|
|
optional: true
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
|
|
permissions:
|
|
list_concat:
|
|
-
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
|
|
/var/lib/kolla/config_files/octavia_driver_agent.json:
|
|
command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
container_puppet_tasks:
|
|
step_5:
|
|
config_volume: octavia
|
|
puppet_tags: nova_flavor
|
|
step_config: |
|
|
include ::octavia::worker
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
volumes:
|
|
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
|
|
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
|
|
docker_config:
|
|
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
|
|
step_2:
|
|
octavia_api_init_dirs:
|
|
start_order: 0
|
|
image: &octavia_api_image {get_param: ContainerOctaviaApiImage}
|
|
net: none
|
|
user: root
|
|
volumes:
|
|
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
|
|
# It is normally created as part of the RPM install, but it is
|
|
# missing here because we use the same config_volume for all
|
|
# octavia services, hence the same container image to generate
|
|
# configuration.
|
|
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
|
|
step_3:
|
|
octavia_db_sync:
|
|
start_order: 0
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/config-data/octavia/etc/octavia/:/etc/octavia/:ro
|
|
- /var/lib/config-data/octavia/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
step_4:
|
|
map_merge:
|
|
- octavia_api:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- []
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- []
|
|
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- if:
|
|
- enable_driver_agent
|
|
- octavia_driver_agent:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: true
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- {}
|
|
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
|
|
- name: ensure /run/octavia is present upon reboot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/run-octavia.conf
|
|
content: |
|
|
d /run/octavia 0755 root root - -
|
|
update_tasks:
|
|
- name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: &octavia_api_tmpfile_cleanup
|
|
- name: octavia_api_tmpfile_cleanup
|
|
file:
|
|
path: /etc/tmpfiles.d/var-run-octavia.conf
|
|
state: absent
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: &remove_octavia_tls_proxy_tasks
|
|
- name: stop and remove octavia_api_tls_proxy container if docker
|
|
docker:
|
|
name: octavia_api_tls_proxy
|
|
state: absent
|
|
when: container_cli == 'docker'
|
|
- name: "check if tripleo_octavia_api_tls_proxy service exists in systemd"
|
|
stat:
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
register: systemd_exists
|
|
- name: Remove tripleo_octavia_api_tls_proxy service
|
|
when:
|
|
- container_cli == 'podman'
|
|
- systemd_exists.stat.exists
|
|
block:
|
|
- name: stop and disable octavia_api_tls_proxy container
|
|
systemd:
|
|
name: tripleo_octavia_api_tls_proxy
|
|
state: stopped
|
|
enabled: no
|
|
- name: clean up tripleo service file for octavia_api_tls_proxy
|
|
file:
|
|
state: absent
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
- name: reload systemd
|
|
systemd:
|
|
daemon-reload: yes
|
|
upgrade_tasks:
|
|
- name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: *octavia_api_tmpfile_cleanup
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: *remove_octavia_tls_proxy_tasks
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop octavia api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- octavia_api
|
|
tripleo_delegate_to: "{{ groups['octavia_api'] | default([]) }}"
|