tripleo-heat-templates/deployment/octavia/octavia-deployment-config.j2.yaml

355 lines
14 KiB
YAML

heat_template_version: rocky
{%- set octavia_standalone=[] -%}
{%- for role in roles if 'standalone' in role.tags -%}
{% if octavia_standalone.append('1') %}{% endif %}
{%- endfor %}
description: >
Configuration of Octavia as-a-service resources in the overcloud.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
StackAction:
type: string
description: >
Heat action on performed top-level stack. Note StackUpdateType is
set to UPGRADE when a major-version upgrade is in progress.
constraints:
- allowed_values: ['CREATE', 'UPDATE']
OctaviaPostWorkflowName:
description: Mistral workflow name for octavia configuration steps
once the overcloud is ready.
type: string
default: 'tripleo.octavia_post.v1.octavia_post_deploy'
OctaviaAmphoraImageName:
description: The glance image name used when spawning amphorae. Default
is an empty string which will use the file name as the image
name.
type: string
default: ''
OctaviaAmphoraImageFilename:
description: Filename for the amphora image. Image files are expected to be
located in directory /usr/share/openstack-octavia-amphora-images.
Using the default of an empty string will cause a distro
specific default to be used. (e.g.
/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2
on CentOS and /usr/share/openstack-octavia-amphora-images/octavia-amphora.qcow2
on Red Hat Enterprise Linux).
type: string
default: ''
OctaviaAmphoraImageFormat:
default: 'qcow2'
description: Image format ('qcow2' or 'raw') of the amphora image.
type: string
constraints:
- allowed_values: ['qcow2', 'raw']
OctaviaAmphoraImageTag:
default: 'amphora-image'
description: Glance image tag for identifying the amphora image.
type: string
OctaviaAmphoraSshKeyName:
type: string
default: 'octavia-ssh-key'
description: SSH key name.
OctaviaAmphoraSshKeyFile:
type: string
{% if not octavia_standalone %}
default: ''
{% endif %}
description: Public key file path. User will be able to SSH into amphorae
with the provided key. User may, in most cases, also elevate to root
from user 'centos' (CentOS), 'ubuntu' (Ubuntu) or 'cloud-user' (RHEL)
(depends on how amphora image was created). Logging in to amphorae
provides a convenient way to e.g. debug load balancing services.
NovaEnableRbdBackend:
default: false
description: Whether to enable the Rbd backend for Nova ephemeral storage.
type: boolean
tags:
- role_specific
OctaviaControlNetwork:
description: The name for the neutron network used for the amphora
control network
type: string
default: 'lb-mgmt-net'
OctaviaControlSubnet:
description: The name for the neutron subnet used for the amphora
control network
type: string
default: 'lb-mgmt-subnet'
OctaviaControlSecurityGroup:
description: The name for the neutron security group used to
control access on the amphora control network
type: string
default: 'lb-mgmt-sec-group'
OctaviaControlSubnetCidr:
description: Subnet for amphora control subnet in CIDR form.
type: string
default: '172.24.0.0/16'
OctaviaControlSubnetGateway:
description: IP address for control network gateway
type: string
default: '172.24.0.1'
OctaviaControlSubnetPoolStart:
description: First address in amphora control subnet address
pool.
type: string
default: '172.24.0.2'
OctaviaControlSubnetPoolEnd:
description: First address in amphora control subnet address
pool.
type: string
default: '172.24.255.254'
OctaviaCaCertFile:
type: string
default: '/etc/octavia/certs/ca_01.pem'
description: Octavia CA certificate file path.
OctaviaCaKeyFile:
type: string
default: '/etc/octavia/certs/private/cakey.pem'
description: Octavia CA private key file path.
OctaviaServerCertsKeyPassphrase:
constraints:
- length: { min: 32, max: 32}
description: Passphrase for encrypting Amphora Certificates and
Private Keys. Must be exactly 32 characters.
type: string
hidden: true
OctaviaCaKeyPassphrase:
description: CA private key passphrase.
type: string
hidden: true
OctaviaClientCertFile:
default: '/etc/octavia/certs/client.pem'
description: client certificate for amphoras
type: string
OctaviaGenerateCerts:
type: boolean
default: false
description: Enable internal generation of certificates for secure
communication with amphorae for isolated private clouds or
systems where security is not a concern. Otherwise, use
OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
OctaviaClientCert and OctaviaServerCertsKeyPassphrase
to configure Octavia.
OctaviaMgmtPortDevName:
type: string
default: "o-hm0"
description: Name of the octavia management network interface using
for communication between octavia worker/health-manager
with the amphora machine.
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
OctaviaUserName:
description: The username for the Octavia database and keystone accounts.
type: string
default: 'octavia'
OctaviaPassword:
description: The password for the Octavia database and keystone accounts.
type: string
hidden: true
OctaviaProjectName:
description: The project name for the keystone Octavia account.
type: string
default: 'service'
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['docker', 'podman']
conditions:
octavia_raw_image_check:
or:
- equals:
- get_param: OctaviaAmphoraImageFormat
- raw
- get_param: NovaEnableRbdBackend
generate_certs:
and:
- get_param: OctaviaGenerateCerts
- equals:
- get_param: StackAction
- CREATE
resources:
{% if not octavia_standalone %}
default_key_pair:
type: OS::Nova::KeyPair
external_id: default
{% endif %}
OctaviaVars:
type: OS::Heat::Value
properties:
type: json
value:
vars:
os_auth_type: "password"
os_identity_api_version: "3"
amp_image_name: { get_param: OctaviaAmphoraImageName }
amp_image_filename: {get_param: OctaviaAmphoraImageFilename }
amp_image_tag: { get_param: OctaviaAmphoraImageTag }
amp_ssh_key_name: { get_param: OctaviaAmphoraSshKeyName }
amp_ssh_key_path: { get_param: OctaviaAmphoraSshKeyFile }
{% if not octavia_standalone %}
amp_ssh_key_data: { get_attr: [default_key_pair, public_key] }
{% endif %}
{% raw %}
amp_to_raw: {if: [octavia_raw_image_check, true, false]}
auth_username: { get_param: OctaviaUserName }
auth_password: { get_param: OctaviaPassword }
auth_project_name: { get_param: OctaviaProjectName }
lb_mgmt_net_name: { get_param: OctaviaControlNetwork }
lb_mgmt_subnet_name: { get_param: OctaviaControlSubnet }
lb_sec_group_name: { get_param: OctaviaControlSubnet }
lb_mgmt_subnet_cidr: { get_param: OctaviaControlSubnetCidr }
lb_mgmt_subnet_gateway: { get_param: OctaviaControlSubnetGateway }
lb_mgmt_subnet_pool_start: { get_param: OctaviaControlSubnetPoolStart }
lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
ca_cert_path: { get_param: OctaviaCaCertFile }
ca_private_key_path: { get_param: OctaviaCaKeyFile }
server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
client_cert_path: { get_param: OctaviaClientCertFile }
generate_certs: {if: [generate_certs, true, false]}
mgmt_port_dev: { get_param: OctaviaMgmtPortDevName }
os_password: { get_param: AdminPassword }
os_project_name: 'admin'
os_username: 'admin'
octavia_ansible_playbook: '/usr/share/ansible/tripleo-playbooks/octavia-files.yaml'
os_auth_url: { get_param: [EndpointMap, KeystoneV3Public, uri] }
os_int_auth_url: { get_param: [EndpointMap, KeystoneInternal, uri] }
octavia_local_tmpdir: "{{playbook_dir}}/octavia-ansible/local_dir"
octavia_group_vars_dir: "{{playbook_dir}}/octavia-ansible/group_vars"
container_cli: { get_param: ContainerCli }
outputs:
role_data:
description: Role data for the Octavia configuration service
value:
service_name: octavia_deployment_config
upgrade_tasks: []
puppet_config:
config_image: ''
config_volume: ''
step_config: ''
docker_config: {}
config_settings: {}
external_deploy_tasks:
- name: octavia_post_deploy
when: step|int == 5
block:
- name: Set up group_vars
set_fact:
octavia_ansible_group_vars: { get_attr: [OctaviaVars, value, vars] }
- name: Make needed directories on the undercloud
become: true
file:
path: "{{item}}"
state: directory
owner: "{{ ansible_user }}"
with_items:
- "{{ octavia_ansible_group_vars.octavia_local_tmpdir }}"
- "{{ octavia_ansible_group_vars.octavia_group_vars_dir }}"
- name: Write group_vars file
copy:
dest: "{{ octavia_ansible_group_vars.octavia_group_vars_dir }}/octavia_vars.yaml"
content: "{{ octavia_ansible_group_vars|to_nice_yaml }}"
- name: Write octavia inventory
copy:
dest: "{{playbook_dir}}/octavia-ansible/inventory.yaml"
content: |
octavia_nodes:
hosts:
{%- set octavia_groups = ['worker'] -%}
{%- for octavia_group in octavia_groups -%}
{%- if 'octavia_' ~ octavia_groups %}
{% for host in groups['octavia_' ~ octavia_group] -%}
{{ hostvars.raw_get(host)['ansible_hostname'] }}:
ansible_user: {{ hostvars.raw_get(host)['ansible_ssh_user'] | default('heat-admin') }}
ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) }}
canonical_hostname: {{ hostvars.raw_get(host)['canonical_hostname'] | default(host) }}
ansible_become: true
{% endfor %}
{%- endif -%}
{%- endfor %}
Undercloud:
hosts:
{% for host in groups['Undercloud'] -%}
{{ hostvars.raw_get(host)['ansible_hostname'] }}:
ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) }}
ansible_become: false
ansible_connection: local
{%- endfor -%}
- name: Check for ssh_private_key in working directory
stat:
path: "{{playbook_dir}}/ssh_private_key"
register: detect_private_key_file
- name: Set private key location
set_fact:
octavia_ansible_ssh_key: "{{ playbook_dir }}/ssh_private_key"
when: octavia_ansible_ssh_key is not defined and detect_private_key_file.stat.exists
- name: Configure octavia command
set_fact:
config_octavia_cmd:
list_join:
- ' '
- - ANSIBLE_CONFIG="{{playbook_dir}}/ansible.cfg" ansible-playbook -i "{{playbook_dir}}/octavia-ansible/inventory.yaml"
- '--extra-vars @{{ octavia_ansible_group_vars.octavia_group_vars_dir }}/octavia_vars.yaml'
- '{% if octavia_ansible_ssh_key is defined %}--private-key {{octavia_ansible_ssh_key}}{% endif %}'
- '{{ octavia_ansible_group_vars.octavia_ansible_playbook }}'
- set_fact:
octavia_log_dir: "{{playbook_dir}}/octavia-ansible/"
- debug:
msg: "Configure Octavia command is: {{ config_octavia_cmd }}"
- name: Configure octavia on overcloud
become: true
environment:
ANSIBLE_HOST_KEY_CHECKING: False
ANSIBLE_SSH_RETRIES: 3
ANSIBLE_RETRY_FILES_ENABLED: false
ANSIBLE_LOCAL_TEMP: "{{ octavia_ansible_group_vars.octavia_local_tmpdir }}"
ANSIBLE_LOG_PATH: "{{ octavia_log_dir }}/octavia-ansible.log"
shell: "{{ config_octavia_cmd }}"
- name: Purge temp dirs
file:
state: absent
path: "{{ item }}"
with_items:
- "{{ octavia_ansible_group_vars.octavia_local_tmpdir }}"
{% endraw %}