680 lines
29 KiB
YAML
680 lines
29 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Neutron API service
|
|
|
|
parameters:
|
|
ContainerNeutronApiImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
NeutronApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.neutron.api
|
|
file: /var/log/containers/neutron/server.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
NeutronApiOptVolumes:
|
|
default: []
|
|
description: list of optional volumes to be mounted
|
|
type: comma_delimited_list
|
|
NeutronApiOptEnvVars:
|
|
default: {}
|
|
description: hash of optional environment variables
|
|
type: json
|
|
NeutronWorkers:
|
|
default: ''
|
|
description: |
|
|
Sets the number of API workers for the Neutron service.
|
|
The default value results in the configuration being left unset
|
|
and a system-dependent default will be chosen (usually the number
|
|
of processors). Please note that this can result in a large number
|
|
of processes and memory consumption on systems with a large core
|
|
count. On such systems it is recommended that a non-default value
|
|
be selected that matches the load requirements.
|
|
type: string
|
|
NeutronRpcWorkers:
|
|
default: ''
|
|
description: |
|
|
Sets the number of RPC workers for the Neutron service.
|
|
If not specified, it'll take the value of NeutronWorkers and if this is
|
|
not specified either, the default value results in the configuration
|
|
being left unset and a system-dependent default will be chosen
|
|
(usually 1).
|
|
type: string
|
|
NeutronPassword:
|
|
description: The password for the neutron service and db account, used by neutron agents.
|
|
type: string
|
|
hidden: true
|
|
NeutronAllowL3AgentFailover:
|
|
default: 'True'
|
|
description: Allow automatic l3-agent failover
|
|
type: string
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
PlacementPassword:
|
|
description: The password for the Placement service and db account
|
|
type: string
|
|
hidden: true
|
|
NeutronEnableDVR:
|
|
description: Enable Neutron DVR.
|
|
default: ''
|
|
type: string
|
|
NeutronEnableIgmpSnooping:
|
|
description: Enable IGMP Snooping.
|
|
type: boolean
|
|
default: false
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionNeutronServer:
|
|
default: 'overcloud-neutron-server'
|
|
type: string
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
NeutronApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Neutron API.
|
|
e.g. { neutron-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
NeutronOvsIntegrationBridge:
|
|
default: ''
|
|
type: string
|
|
description: Name of Open vSwitch bridge to use
|
|
NeutronPortQuota:
|
|
default: '500'
|
|
type: string
|
|
description: Number of ports allowed per tenant, and minus means unlimited.
|
|
NeutronSecurityGroupQuota:
|
|
default: '10'
|
|
type: string
|
|
description: Number of security groups allowed per tenant, and minus means unlimited
|
|
# TODO(bogdando): Right now OVN doesn't support AZ aware routing scheduling.
|
|
# Later in Train cycle OVN ml2 driver will be extended to support it.
|
|
# Until then, we have to determine if NeutronMechanismDrivers is OVN or OVS.
|
|
NeutronMechanismDrivers:
|
|
default: 'ovn'
|
|
description: |
|
|
The mechanism drivers for the Neutron tenant network.
|
|
type: comma_delimited_list
|
|
NeutronDefaultAvailabilityZones:
|
|
description: Comma-separated list of default network availability zones to
|
|
be used by Neutron if its resource is created without
|
|
availability zone hints. If not set, no AZs will be configured
|
|
for Neutron network services.
|
|
default: []
|
|
type: comma_delimited_list
|
|
NeutronNetworkSchedulerDriver:
|
|
description: The network schedule driver to use for avialability zones.
|
|
default: neutron.scheduler.dhcp_agent_scheduler.AZAwareWeightScheduler
|
|
type: string
|
|
NeutronRouterSchedulerDriver:
|
|
description: The router schedule driver to use for avialability zones.
|
|
default: neutron.scheduler.l3_agent_scheduler.AZLeastRoutersScheduler
|
|
type: string
|
|
NeutronDhcpLoadType:
|
|
description: Additional to the availability zones aware network scheduler.
|
|
default: networks
|
|
type: string
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
NeutronCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
# DEPRECATED: the following options are deprecated and are currently maintained
|
|
# for backwards compatibility. They will be removed in the Ocata cycle.
|
|
NeutronL3HA:
|
|
default: ''
|
|
type: string
|
|
description: |
|
|
Whether to enable HA for virtual routers. When not set, L3 HA will be
|
|
automatically enabled if the number of nodes hosting controller
|
|
configurations and DVR is disabled. Valid values are 'true' or 'false'
|
|
This parameter is being deprecated in Newton and is scheduled to be
|
|
removed in Ocata. Future releases will enable L3 HA by default if it is
|
|
appropriate for the deployment type. Alternate mechanisms will be
|
|
available to override.
|
|
NeutronAuthStrategy:
|
|
type: string
|
|
description: Auth strategy to use with neutron.
|
|
default: 'keystone'
|
|
constraints:
|
|
- allowed_values: ['keystone', 'noauth', 'http_basic']
|
|
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
|
|
type: string
|
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
|
hidden: True
|
|
NeutronAgentDownTime:
|
|
default: 600
|
|
type: number
|
|
description: |
|
|
Seconds to regard the agent as down; should be at least twice
|
|
NeutronGlobalReportInterval, to be sure the agent is down for good.
|
|
IronicPassword:
|
|
description: The password for the Ironic service and db account, used by the Ironic services
|
|
type: string
|
|
hidden: true
|
|
EnforceSecureRbac:
|
|
type: boolean
|
|
default: false
|
|
description: >-
|
|
Setting this option to True will configure each OpenStack service to
|
|
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
|
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
|
of RBAC personas across OpenStack services that include support for
|
|
system and project scope, as well as keystone's default roles, admin,
|
|
member, and reader. Do not enable this functionality until all services in
|
|
your deployment actually support secure RBAC.
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- NeutronL3HA
|
|
|
|
conditions:
|
|
neutron_workers_set:
|
|
not: {equals : [{get_param: NeutronWorkers}, '']}
|
|
neutron_rpc_workers_set:
|
|
not: {equals : [{get_param: NeutronRpcWorkers}, '']}
|
|
neutron_ovs_int_br_set:
|
|
not: {equals : [{get_param: NeutronOvsIntegrationBridge}, '']}
|
|
neutron_dvr_set:
|
|
not: {equals : [{get_param: NeutronEnableDVR}, '']}
|
|
az_set:
|
|
not: {equals: [{get_param: NeutronDefaultAvailabilityZones}, []]}
|
|
ovn_and_tls:
|
|
and:
|
|
- contains: ['ovn', {get_param: NeutronMechanismDrivers}]
|
|
- {get_param: EnableInternalTLS}
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: NeutronCertificateKeySize}, '']}
|
|
auth_strategy_http_basic:
|
|
equals: [{get_param: NeutronAuthStrategy}, 'http_basic']
|
|
|
|
resources:
|
|
TLSProxyBase:
|
|
type: OS::TripleO::Services::TLSProxyBase
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
NeutronBase:
|
|
type: ./neutron-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronApi
|
|
properties:
|
|
NeutronServiceName: server
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerNeutronApiImage: ContainerNeutronApiImage
|
|
ContainerNeutronConfigImage: ContainerNeutronConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerNeutronApiImage: {get_param: ContainerNeutronApiImage}
|
|
ContainerNeutronConfigImage: {get_param: ContainerNeutronConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Neutron API role.
|
|
value:
|
|
service_name: neutron_api
|
|
firewall_rules:
|
|
'114 neutron api':
|
|
dport:
|
|
- 9696
|
|
firewall_frontend_rules:
|
|
'100 neutron_haproxy_frontend':
|
|
dport:
|
|
- 9696
|
|
firewall_ssl_frontend_rules:
|
|
'100 neutron_haproxy_frontend_ssl':
|
|
dport:
|
|
- 13696
|
|
keystone_resources:
|
|
neutron:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, NeutronPublic, uri]}
|
|
internal: {get_param: [EndpointMap, NeutronInternal, uri]}
|
|
admin: {get_param: [EndpointMap, NeutronAdmin, uri]}
|
|
users:
|
|
neutron:
|
|
password: {get_param: NeutronPassword}
|
|
roles:
|
|
- admin
|
|
- service
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'network'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [TLSProxyBase, role_data, config_settings]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- neutron::db::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: neutron
|
|
password: {get_param: NeutronPassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /ovs_neutron
|
|
query:
|
|
if:
|
|
- {get_param: EnableSQLAlchemyCollectd}
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
plugin: collectd
|
|
collectd_program_name: ovs_neutron
|
|
collectd_host: localhost
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
neutron::policy::policies: {get_param: NeutronApiPolicies}
|
|
- if:
|
|
- {get_param: EnforceSecureRbac}
|
|
- neutron::policy::enforce_scope: true
|
|
neutron::policy::enforce_new_defaults: true
|
|
neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
|
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}
|
|
neutron::server::auth_strategy: {get_param: NeutronAuthStrategy}
|
|
neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
|
|
neutron::server::enable_proxy_headers_parsing: true
|
|
neutron::server::igmp_snooping_enable: {get_param: NeutronEnableIgmpSnooping}
|
|
neutron::keystone::authtoken::password: {get_param: NeutronPassword}
|
|
neutron::server::notifications::nova::auth_url: { get_param: [ EndpointMap, KeystoneInternal, uri_no_suffix ] }
|
|
neutron::server::notifications::nova::project_name: 'service'
|
|
neutron::server::notifications::nova::user_domain_name: 'Default'
|
|
neutron::server::notifications::nova::project_domain_name: 'Default'
|
|
neutron::server::notifications::nova::region_name: {get_param: KeystoneRegion}
|
|
neutron::server::notifications::nova::password: {get_param: NovaPassword}
|
|
neutron::server::notifications::nova::endpoint_type: 'internal'
|
|
neutron::keystone::authtoken::project_name: 'service'
|
|
neutron::keystone::authtoken::user_domain_name: 'Default'
|
|
neutron::keystone::authtoken::project_domain_name: 'Default'
|
|
neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
neutron::keystone::authtoken::interface: 'internal'
|
|
neutron::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
neutron::quota::quota_port: {get_param: NeutronPortQuota}
|
|
neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
|
|
neutron::server::placement::password: {get_param: PlacementPassword}
|
|
neutron::server::placement::project_domain_name: 'Default'
|
|
neutron::server::placement::project_name: 'service'
|
|
neutron::server::placement::user_domain_name: 'Default'
|
|
neutron::server::placement::username: placement
|
|
neutron::server::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
neutron::server::placement::auth_type: 'password'
|
|
neutron::server::placement::region_name: {get_param: KeystoneRegion}
|
|
neutron::server::placement::endpoint_type: 'internal'
|
|
neutron::server::sync_db: false
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
tripleo::profile::base::neutron::server::tls_proxy_bind_ip:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
|
tripleo::profile::base::neutron::server::tls_proxy_fqdn:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
|
tripleo::profile::base::neutron::server::tls_proxy_port:
|
|
get_param: [EndpointMap, NeutronInternal, port]
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
|
# proxy in front.
|
|
neutron::bind_host:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- "%{lookup('localhost_address')}"
|
|
- str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
|
tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
|
|
- if:
|
|
- neutron_dvr_set
|
|
- neutron::server::router_distributed: {get_param: NeutronEnableDVR}
|
|
neutron::server::enable_dvr: {get_param: NeutronEnableDVR}
|
|
- if:
|
|
- neutron_workers_set
|
|
- neutron::server::api_workers: {get_param: NeutronWorkers}
|
|
- if:
|
|
- neutron_rpc_workers_set
|
|
- neutron::server::rpc_workers: {get_param: NeutronRpcWorkers}
|
|
- if:
|
|
- neutron_workers_set
|
|
- neutron::server::rpc_workers: {get_param: NeutronWorkers}
|
|
- if:
|
|
- neutron_ovs_int_br_set
|
|
- neutron::server::ovs_integration_bridge: {get_param: NeutronOvsIntegrationBridge}
|
|
- if:
|
|
- az_set
|
|
- neutron::server::dhcp_load_type: {get_param: NeutronDhcpLoadType}
|
|
neutron::server::network_scheduler_driver:
|
|
{get_param: NeutronNetworkSchedulerDriver}
|
|
neutron::server::router_scheduler_driver:
|
|
{get_param: NeutronRouterSchedulerDriver}
|
|
neutron::server::default_availability_zones:
|
|
{get_param: NeutronDefaultAvailabilityZones}
|
|
- if:
|
|
- ovn_and_tls
|
|
- tripleo::profile::base::neutron::plugins::ml2::ovn::protocol: 'ssl'
|
|
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/neutron_ovn.key'
|
|
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
|
|
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/neutron_ovn.key'
|
|
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
|
|
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
|
|
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
|
- if:
|
|
- auth_strategy_http_basic
|
|
- neutron::config::api_paste_ini:
|
|
composite:neutronapi_v2_0/http_basic:
|
|
value: 'cors http_proxy_to_wsgi request_id fake_project_id catch_errors osprofiler basic_auth extensions neutronapiapp_v2_0'
|
|
composite:neutronversions_composite/http_basic:
|
|
value: 'cors http_proxy_to_wsgi neutronversions'
|
|
filter:basic_auth/paste.filter_factory:
|
|
value: 'oslo_middleware.basic_auth:BasicAuthMiddleware.factory'
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_neutron_api:
|
|
- {get_param: NeutronApiLoggingSource}
|
|
mysql:
|
|
neutron::db::mysql::password: {get_param: NeutronPassword}
|
|
neutron::db::mysql::user: neutron
|
|
neutron::db::mysql::host: '%'
|
|
neutron::db::mysql::dbname: ovs_neutron
|
|
horizon:
|
|
horizon::policy::neutron_policies: {get_param: NeutronApiPolicies}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: neutron
|
|
puppet_tags: neutron_config,neutron_api_paste_ini
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - include tripleo::profile::base::neutron::server
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/neutron_api.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/neutron-server --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-server
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files: &neutron_api_config_files
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
optional: true
|
|
preserve_properties: true
|
|
permissions: &neutron_api_permissions
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/neutron_ovn.crt
|
|
owner: neutron:neutron
|
|
optional: true
|
|
perm: '0644'
|
|
- path: /etc/pki/tls/private/neutron_ovn.key
|
|
owner: neutron:neutron
|
|
optional: true
|
|
perm: '0644'
|
|
/var/lib/kolla/config_files/neutron_api_db_sync.json:
|
|
command: "/usr/bin/bootstrap_host_exec neutron_api neutron-db-manage upgrade heads"
|
|
# FIXME: we should make config file permissions right
|
|
# and run as neutron user
|
|
#command: "/usr/bin/bootstrap_host_exec neutron_api su neutron -s /bin/bash -c 'neutron-db-manage upgrade heads'"
|
|
config_files: *neutron_api_config_files
|
|
permissions: *neutron_api_permissions
|
|
/var/lib/kolla/config_files/neutron_server_tls_proxy.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
docker_config:
|
|
step_2:
|
|
get_attr: [NeutronLogging, docker_config, step_2]
|
|
step_3:
|
|
neutron_db_sync:
|
|
image: &neutron_api_image {get_attr: [RoleParametersValue, value, ContainerNeutronApiImage]}
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
- {get_param: NeutronApiOptVolumes}
|
|
- - /var/lib/kolla/config_files/neutron_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
step_4:
|
|
map_merge:
|
|
- neutron_api:
|
|
start_order: 0
|
|
image: *neutron_api_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
- {get_param: NeutronApiOptVolumes}
|
|
- - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- ovn_and_tls
|
|
- - /etc/pki/tls/certs/neutron_ovn.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron_ovn.crt:ro
|
|
- /etc/pki/tls/private/neutron_ovn.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron_ovn.key:ro
|
|
- if:
|
|
- auth_strategy_http_basic
|
|
- - /etc/neutron_passwd:/etc/htpasswd:z
|
|
|
|
environment:
|
|
map_merge:
|
|
- {get_param: NeutronApiOptEnvVars}
|
|
- KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- neutron_server_tls_proxy:
|
|
image: *neutron_api_image
|
|
net: host
|
|
user: root
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create password file when auth_stragy is 'http_basic'
|
|
vars:
|
|
is_http_basic:
|
|
if:
|
|
- auth_strategy_http_basic
|
|
- true
|
|
- false
|
|
copy:
|
|
dest: /etc/neutron_passwd
|
|
content:
|
|
str_replace:
|
|
template: |
|
|
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
|
|
neutron:{{'$NEUTRON_PASSWORD' | password_hash('bcrypt')}}
|
|
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
|
|
params:
|
|
$ADMIN_PASSWORD: {get_param: AdminPassword}
|
|
$NEUTRON_PASSWORD: {get_param: NeutronPassword}
|
|
$IRONIC_PASSWORD: {get_param: IronicPassword}
|
|
when: is_http_basic | bool
|
|
metadata_settings:
|
|
list_concat:
|
|
- {get_attr: [TLSProxyBase, role_data, metadata_settings]}
|
|
- if:
|
|
- ovn_and_tls
|
|
- - service: neutron_ovn
|
|
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
if:
|
|
- ovn_and_tls
|
|
- - name: Certificate generation
|
|
when: step|int == 1
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: neutron_ovn
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "neutron_ovn/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: NeutronCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop neutron api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- neutron_api
|
|
tripleo_delegate_to: "{{ groups['neutron_api'] | default([]) }}"
|