openstack/tripleo-heat-templates
Code Issues Proposed changes
643c3d25d9
tripleo-heat-templates/deployment/octavia/octavia-api-container-puppet.yaml
Takashi Kajinami 89fde273ea Add support for keystone_authtoken/memcache_use_advanced_pool 
This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.

Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939

(To Victoria)
Conflicts:
	deployment/aodh/aodh-api-container-puppet.yaml
	deployment/glance/glance-api-container-puppet.yaml
	deployment/gnocchi/gnocchi-api-container-puppet.yaml
	deployment/manila/manila-api-container-puppet.yaml
	deployment/nova/nova-api-container-puppet.yaml

Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
(cherry picked from commit 09bcacd25a)
(cherry picked from commit 9a89b9add6)
2021-06-25 07:44:11 +00:00

479 lines
19 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
OpenStack Octavia service configured with Puppet
parameters:
ContainerOctaviaApiImage:
description: image
type: string
ContainerOctaviaConfigImage:
description: The container image to use for the octavia config_volume
type: string
OctaviaApiLoggingSource:
type: json
default:
tag: openstack.octavia.api
file: /var/log/containers/octavia/api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
OctaviaUserName:
description: The username for the Octavia database and keystone accounts.
type: string
default: 'octavia'
OctaviaPassword:
description: The password for the Octavia database and keystone accounts.
type: string
hidden: true
OctaviaProjectName:
description: The project name for the keystone Octavia account.
type: string
default: 'service'
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionOctaviaApi:
default: 'overcloud-octavia-api'
type: string
OctaviaApiPolicies:
description: |
A hash of policies to configure for Octavia API.
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
OctaviaFlavorProperties:
default:
ram : '1024'
disk : '3'
vcpus: '1'
description: Dictionary describing the nova flavor for amphora.
type: json
OctaviaManageNovaFlavor:
default: true
description: Configure the nova flavor for the amphora.
type: boolean
OctaviaEnableDriverAgent:
default: true
description: Set to false if the driver agent needs to be disabled for some reason.
type: boolean
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
enable_driver_agent: {equals: [{get_param: OctaviaEnableDriverAgent}, true]}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
OctaviaProviderConfig:
type: ./providers/ovn-provider-config.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
OctaviaBase:
type: ./octavia-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
OctaviaWorker: # provides Nova flavor
type: ./octavia-worker-container-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
keystone_resources:
octavia:
endpoints:
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
project: {get_param: OctaviaProjectName}
users:
octavia:
name: {get_param: OctaviaUserName}
password: {get_param: OctaviaPassword}
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
- {get_attr: [OctaviaBase, role_data, config_settings]}
- {get_attr: [OctaviaWorker, role_data, config_settings]}
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
octavia::keystone::authtoken::user_domain_name: 'Default'
octavia::keystone::authtoken::project_domain_name: 'Default'
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
octavia::keystone::authtoken::interface: 'internal'
octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
octavia::api::service_name: 'httpd'
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
octavia::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
octavia::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
octavia::api::host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
- octavia::api::provider_drivers:
list_join:
- ','
- list_concat:
- - 'amphora: The Octavia Amphora driver.'
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
-
if:
- enable_driver_agent
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
- []
service_config_settings:
rsyslog:
tripleo_logging_sources_octavia_api:
- {get_param: OctaviaApiLoggingSource}
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
octavia::db::mysql::dbname: octavia
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: octavia
puppet_tags:
list_join:
- ','
- - octavia_config
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::octavia::api"
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerOctaviaConfigImage}
kolla_config:
/var/lib/kolla/config_files/octavia_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
list_concat:
-
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
# TODO(emilien) remove optional flag once we get a promotion
# https://launchpad.net/bugs/1884115
optional: true
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
permissions:
list_concat:
-
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
- path: /run/octavia
owner: octavia:octavia
recurse: true
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
/var/lib/kolla/config_files/octavia_driver_agent.json:
command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
- path: /run/octavia
owner: octavia:octavia
recurse: true
container_puppet_tasks:
step_5:
config_volume: octavia
puppet_tags: nova_flavor
step_config: |
include ::octavia::worker
config_image: {get_param: ContainerOctaviaConfigImage}
volumes:
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
docker_config:
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
step_2:
octavia_api_init_dirs:
start_order: 0
image: &octavia_api_image {get_param: ContainerOctaviaApiImage}
net: none
user: root
volumes:
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
# It is normally created as part of the RPM install, but it is
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
- /var/log/containers/octavia:/var/log/octavia:z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
step_3:
octavia_db_sync:
start_order: 0
image: *octavia_api_image
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/octavia/etc/octavia/:/etc/octavia/:ro
- /var/lib/config-data/octavia/etc/my.cnf.d/:/etc/my.cnf.d/:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
map_merge:
- octavia_api:
start_order: 2
image: *octavia_api_image
net: host
user: root
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- []
- if:
- internal_tls_enabled
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- []
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- if:
- enable_driver_agent
- octavia_driver_agent:
start_order: 2
image: *octavia_api_image
net: host
privileged: true
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia:z
- /run/octavia:/run/octavia:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- {}
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
- name: ensure /run/octavia is present upon reboot
copy:
dest: /etc/tmpfiles.d/run-octavia.conf
content: |
d /run/octavia 0755 root root - -
update_tasks:
- name: octavia_api_tmpfile_cleanup
when: step|int == 1
block: &octavia_api_tmpfile_cleanup
- name: octavia_api_tmpfile_cleanup
file:
path: /etc/tmpfiles.d/var-run-octavia.conf
state: absent
- name: Set internal tls variable
set_fact:
internal_tls_enabled: {get_param: EnableInternalTLS}
- name: remove TLS proxy if configured and running
when:
- step|int == 2
- internal_tls_enabled|bool
block: &remove_octavia_tls_proxy_tasks
- name: stop and remove octavia_api_tls_proxy container if docker
docker:
name: octavia_api_tls_proxy
state: absent
when: container_cli == 'docker'
- name: "check if tripleo_octavia_api_tls_proxy service exists in systemd"
stat:
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
register: systemd_exists
- name: Remove tripleo_octavia_api_tls_proxy service
when:
- container_cli == 'podman'
- systemd_exists.stat.exists
block:
- name: stop and disable octavia_api_tls_proxy container
systemd:
name: tripleo_octavia_api_tls_proxy
state: stopped
enabled: no
- name: clean up tripleo service file for octavia_api_tls_proxy
file:
state: absent
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
- name: reload systemd
systemd:
daemon-reload: yes
upgrade_tasks:
- name: octavia_api_tmpfile_cleanup
when: step|int == 1
block: *octavia_api_tmpfile_cleanup
- name: Set internal tls variable
set_fact:
internal_tls_enabled: {get_param: EnableInternalTLS}
- name: remove TLS proxy if configured and running
when:
- step|int == 2
- internal_tls_enabled|bool
block: *remove_octavia_tls_proxy_tasks
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop octavia api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- octavia_api
tripleo_delegate_to: "{{ groups['octavia_api'] | default([]) }}"
View Git Blame Copy Permalink