cff6378fb1
Adding the ability to specifies the private key size
used when creating the certificate. We have defined the
default value the same as we have before 2048 bits.
Also, it'll be able to override the key_size value
per service.
Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
(cherry picked from commit 9760977529)
399 lines
16 KiB
YAML
399 lines
16 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized OVN Metadata agent
|
|
|
|
parameters:
|
|
ContainerOvnMetadataImage:
|
|
description: image
|
|
type: string
|
|
ContainerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
OvnMetadataAgentLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.neutron.agent.ovn-metadata
|
|
file: /var/log/containers/neutron/networking-ovn-metadata-agent.log
|
|
OVNEnableHaproxyDockerWrapper:
|
|
description: Generate a wrapper script so that haproxy is launched in a separate container.
|
|
type: boolean
|
|
default: true
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
OVNWrapperDebug:
|
|
type: boolean
|
|
default: false
|
|
description: Controls debugging for the wrapper scripts.
|
|
ContainerCli:
|
|
type: string
|
|
default: 'podman'
|
|
description: CLI tool used to manage containers.
|
|
constraints:
|
|
- allowed_values: ['docker', 'podman']
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
NeutronMetadataProxySharedSecret:
|
|
description: Shared secret to prevent spoofing
|
|
type: string
|
|
hidden: true
|
|
NeutronMetadataWorkers:
|
|
default: ''
|
|
description: |
|
|
Sets the number of worker processes for the neutron OVN metadata agent.
|
|
The default value results in the configuration being left unset and a
|
|
system-dependent default will be chosen (usually the number of
|
|
processors). Please note that this can result in a large number of
|
|
processes and memory consumption on systems with a large core count. On
|
|
such systems it is recommended that a non-default value be selected that
|
|
matches the load requirements.
|
|
type: string
|
|
NeutronPassword:
|
|
description: The password for the neutron service and db account, used by neutron agents.
|
|
type: string
|
|
hidden: true
|
|
OVNSouthboundServerPort:
|
|
description: Port of the OVN Southbound DB server
|
|
type: number
|
|
default: 6642
|
|
OVNDbConnectionTimeout:
|
|
description: Timeout in seconds for the OVSDB connection transaction
|
|
type: number
|
|
default: 180
|
|
MonitoringSubscriptionOvnMetadata:
|
|
default: 'overcloud-ovn-metadata'
|
|
type: string
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
OvnMetadataAgentDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging for OVN Metadata agent.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
DockerAdditionalSockets:
|
|
default: ['/var/lib/openstack/docker.sock']
|
|
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
|
|
into containers that launch other containers)
|
|
type: comma_delimited_list
|
|
OVNRemoteProbeInterval:
|
|
description: Probe interval in ms
|
|
type: number
|
|
default: 60000
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
OvnMetadataCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
|
|
conditions:
|
|
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
|
|
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
|
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']}
|
|
key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
NeutronBase:
|
|
type: ../neutron/neutron-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronCommon
|
|
properties:
|
|
NeutronServiceName: ovn-metadata-agent
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for OVNMetadata agent
|
|
value:
|
|
service_name: ovn_metadata
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionOvnMetadata}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
|
|
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
|
|
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: ContainerOvnMetadataImage}
|
|
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: OVNWrapperDebug}
|
|
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
|
|
neutron::agents::ovn_metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
|
neutron::agents::ovn_metadata::auth_password: {get_param: NeutronPassword}
|
|
neutron::agents::ovn_metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
neutron::agents::ovn_metadata::auth_tenant: 'service'
|
|
neutron::agents::ovn_metadata::metadata_host: {get_param: [EndpointMap, NovaMetadataCellInternal, host_nobrackets]}
|
|
neutron::agents::ovn_metadata::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout}
|
|
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
|
neutron::agents::ovn_metadata::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
|
|
neutron::agents::ovn_metadata::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug}
|
|
- {get_param: OvnMetadataAgentDebug}
|
|
neutron::agents::ovn_metadata::metadata_protocol:
|
|
if:
|
|
- internal_tls_enabled
|
|
- 'https'
|
|
- 'http'
|
|
-
|
|
if:
|
|
- neutron_metadata_workers_unset
|
|
- {}
|
|
- neutron::agents::ovn_metadata::metadata_workers: {get_param: NeutronMetadataWorkers}
|
|
- if:
|
|
- internal_tls_enabled
|
|
- tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
|
tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
|
|
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
|
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
|
|
generate_service_certificates: true
|
|
ovn_metadata_certificate_specs:
|
|
service_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
|
service_key: '/etc/pki/tls/private/ovn_metadata.key'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: OvnMetadataCertificateKeySize}
|
|
- {}
|
|
|
|
puppet_config:
|
|
puppet_tags: neutron_config,ovn_metadata_agent_config
|
|
config_volume: neutron
|
|
step_config: |
|
|
include tripleo::profile::base::neutron::ovn_metadata
|
|
config_image: {get_param: ContainerNeutronConfigImage}
|
|
volumes:
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/ovn_metadata_agent.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/networking-ovn-metadata-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /var/lib/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/ovn_metadata.crt
|
|
owner: neutron:neutron
|
|
optional: true
|
|
perm: '0644'
|
|
- path: /etc/pki/tls/private/ovn_metadata.key
|
|
owner: neutron:neutron
|
|
optional: true
|
|
perm: '0644'
|
|
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
|
docker_config:
|
|
step_2:
|
|
create_haproxy_wrapper:
|
|
start_order: 1
|
|
detach: false
|
|
net: host
|
|
pid: host
|
|
user: root
|
|
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
-
|
|
- '/container_puppet_apply.sh'
|
|
- '4'
|
|
- 'file'
|
|
- 'include ::tripleo::profile::base::neutron::ovn_metadata_agent_wrappers'
|
|
image: {get_param: ContainerOvnMetadataImage}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
|
|
-
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
step_4:
|
|
setup_ovs_manager:
|
|
start_order: 0
|
|
detach: false
|
|
net: host
|
|
privileged: true
|
|
user: root
|
|
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
- - '/container_puppet_apply.sh'
|
|
- '4'
|
|
- 'exec'
|
|
- 'include tripleo::profile::base::neutron::ovn_metadata'
|
|
image: {get_param: ContainerOvnMetadataImage}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
|
|
- - /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
ovn_metadata_agent:
|
|
start_order: 1
|
|
image: {get_param: ContainerOvnMetadataImage}
|
|
net: host
|
|
pid: host
|
|
privileged: true
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /run/openvswitch:/run/openvswitch:shared,z
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
- /run/netns:/run/netns:shared
|
|
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
|
|
-
|
|
if:
|
|
- docker_enabled
|
|
- - /var/lib/openstack:/var/lib/openstack
|
|
- null
|
|
-
|
|
if:
|
|
- haproxy_wrapper_enabled
|
|
- - /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro
|
|
- null
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
- /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
|
|
- /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
list_concat:
|
|
- {get_attr: [NeutronBase, role_data, metadata_settings]}
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - service: ovn_metadata
|
|
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
|
type: node
|
|
- null
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create /run/netns with temp namespace
|
|
command: ip netns add ns_temp
|
|
register: ipnetns_add_result
|
|
failed_when: false
|
|
- name: remove temp namespace
|
|
command: ip netns delete ns_temp
|
|
failed_when: false
|
|
when:
|
|
- ipnetns_add_result.rc is defined
|
|
- ipnetns_add_result.rc == 0
|
|
- name: create /var/lib/neutron
|
|
file:
|
|
path: /var/lib/neutron
|
|
state: directory
|
|
setype: container_file_t
|
|
- name: set conditions
|
|
set_fact:
|
|
haproxy_wrapper_enabled: {get_param: OVNEnableHaproxyDockerWrapper}
|
|
debug_enabled:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: NeutronWrapperDebug}
|
|
docker_additional_sockets: {get_param: DockerAdditionalSockets}
|
|
- name: create kill_scripts directory within /var/lib/neutron
|
|
file:
|
|
state: directory
|
|
path: /var/lib/neutron/kill_scripts
|
|
- name: create haproxy kill script
|
|
when: haproxy_wrapper_enabled|bool
|
|
copy:
|
|
dest: /var/lib/neutron/kill_scripts/haproxy-kill
|
|
mode: 0755
|
|
content: {get_file: ../neutron/kill-script}
|
|
upgrade_tasks: []
|