tripleo-heat-templates/deployment/octavia/providers/ovn-provider-config.yaml

heat_template_version: rocky

parameters:
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  NeutronMechanismDrivers:
    default: 'ovn'
    description: |
        The mechanism drivers for the Neutron tenant network.        
    type: comma_delimited_list
  OctaviaOvnProviderProtocol:
    default: ''
    description: |
        The protocol used by OVN driver to connect to northbound database.        
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  OctaviaCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
  ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
  octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
  key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}

outputs:
  role_data:
    description: OVN provider driver configuraton
    value:
      config_settings:
        map_merge:
            -
              if:
                - octavia_provider_ovn_protocol_unset
                - if:
                  - internal_tls_enabled
                  - tripleo::profile::base::octavia::provider::ovn::protocol: 'ssl'
                  - tripleo::profile::base::octavia::provider::ovn::protocol: 'tcp'
                - tripleo::profile::base::octavia::provider::ovn::protocol: {get_param: OctaviaOvnProviderProtocol}
            - if:
              - ovn_and_tls
              - tripleo::profile::base::octavia::provider::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
                tripleo::profile::base::octavia::provider::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
                tripleo::profile::base::octavia::provider::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_octavia.key'
                generate_service_certificates: true
                ovn_octavia_certificate_specs:
                  service_certificate: '/etc/pki/tls/certs/ovn_octavia.crt'
                  service_key: '/etc/pki/tls/private/ovn_octavia.key'
                  hostname:
                    str_replace:
                      template: "%{hiera('fqdn_NETWORK')}"
                      params:
                        NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                  principal:
                    str_replace:
                      template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
                      params:
                        NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                  key_size:
                    if:
                      - key_size_override_unset
                      - {get_param: CertificateKeySize}
                      - {get_param: OctaviaCertificateKeySize}
              - {}
      puppet_tags: octavia_ovn_provider_config
      provider_driver_labels:
        if:
          - is_ovn_in_neutron_mechanism_driver
          - ['ovn: Octavia OVN driver.']
          - []
      step_config:
          if:
            - is_ovn_in_neutron_mechanism_driver
            - "include tripleo::profile::base::octavia::provider::ovn"
            - "\n"
      metadata_settings:
        if:
          - ovn_and_tls
          - - service: ovn_octavia
              network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
              type: node
          - null
      volumes:
         if:
           - ovn_and_tls
           -
             - /etc/pki/tls/certs/ovn_octavia.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_octavia.crt:ro
             - /etc/pki/tls/private/ovn_octavia.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_octavia.key:ro
           - []
      kolla_permissions:
        if:
          - ovn_and_tls
          -
            - path: /etc/pki/tls/certs/ovn_octavia.crt
              owner: octavia:octavia
              perm: '0644'
            - path: /etc/pki/tls/private/ovn_octavia.key
              owner: octavia:octavia
              perm: '0640'
          - []
      kolla_config_files:
        if:
          - ovn_and_tls
          -
            - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
          - []