tripleo-heat-templates/deployment/ovn/ovn-metadata-container-puppet.yaml

365 lines
14 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized OVN Metadata agent
parameters:
ContainerOvnMetadataImage:
description: image
type: string
tags:
- role_specific
ContainerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
tags:
- role_specific
OvnMetadataAgentLoggingSource:
type: json
default:
tag: openstack.neutron.agent.ovn-metadata
file: /var/log/containers/neutron/networking-ovn-metadata-agent.log
OVNEnableHaproxyDockerWrapper:
description: Generate a wrapper script so that haproxy is launched in a separate container.
type: boolean
default: true
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
OVNWrapperDebug:
type: boolean
default: false
description: Controls debugging for the wrapper scripts.
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['podman']
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
NeutronMetadataWorkers:
default: ''
description: |
Sets the number of worker processes for the neutron OVN metadata agent.
The default value results in the configuration being left unset and a
system-dependent default will be chosen (usually the number of
processors). Please note that this can result in a large number of
processes and memory consumption on systems with a large core count. On
such systems it is recommended that a non-default value be selected that
matches the load requirements.
type: string
OVNSouthboundServerPort:
description: Port of the OVN Southbound DB server
type: number
default: 6642
OVNDbConnectionTimeout:
description: Timeout in seconds for the OVSDB connection transaction
type: number
default: 180
OVNOvsdbProbeInterval:
description: Probe interval in ms for the OVSDB session
type: number
default: 60000
MonitoringSubscriptionOvnMetadata:
default: 'overcloud-ovn-metadata'
type: string
OvnMetadataAgentDebug:
default: false
description: Set to True to enable debugging for OVN Metadata agent.
type: boolean
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnMetadataCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
neutron_metadata_workers_set:
not: {equals : [{get_param: NeutronMetadataWorkers}, '']}
key_size_override_set:
not: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
NeutronBase:
type: ../neutron/neutron-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
properties:
NeutronServiceName: ovn-metadata-agent
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerOvnMetadataImage: ContainerOvnMetadataImage
ContainerNeutronConfigImage: ContainerNeutronConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerOvnMetadataImage: {get_param: ContainerOvnMetadataImage}
ContainerNeutronConfigImage: {get_param: ContainerNeutronConfigImage}
outputs:
role_data:
description: Role data for OVNMetadata agent
value:
service_name: ovn_metadata
monitoring_subscription: {get_param: MonitoringSubscriptionOvnMetadata}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_attr: [RoleParametersValue, value, ContainerOvnMetadataImage]}
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
if:
- {get_param: OVNWrapperDebug}
- true
- {get_param: Debug}
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
neutron::agents::ovn_metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
neutron::agents::ovn_metadata::metadata_host: {get_param: [EndpointMap, NovaMetadataCellInternal, host_nobrackets]}
neutron::agents::ovn_metadata::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout}
neutron::agents::ovn_metadata::ovsdb_probe_interval: {get_param: OVNOvsdbProbeInterval}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
neutron::agents::ovn_metadata::debug:
if:
- {get_param: OvnMetadataAgentDebug}
- true
- {get_param: Debug}
neutron::agents::ovn_metadata::metadata_protocol:
if:
- {get_param: EnableInternalTLS}
- 'https'
- 'http'
neutron::agents::ovn_metadata::metadata_workers:
if:
- neutron_metadata_workers_set
- {get_param: NeutronMetadataWorkers}
- if:
- {get_param: EnableInternalTLS}
- tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
puppet_config:
puppet_tags: neutron_config,ovn_metadata_agent_config
config_volume: neutron
step_config: |
include tripleo::profile::base::neutron::ovn_metadata
include tripleo::profile::base::neutron::ovn_metadata_agent_wrappers
config_image: {get_attr: [RoleParametersValue, value, ContainerNeutronConfigImage]}
volumes:
- /var/lib/neutron:/var/lib/neutron:shared,z
kolla_config:
/var/lib/kolla/config_files/ovn_metadata_agent.json:
command:
list_join:
- ' '
- - /usr/bin/networking-ovn-metadata-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini
- get_attr: [NeutronLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/ovn_metadata.crt
owner: neutron:neutron
optional: true
perm: '0644'
- path: /etc/pki/tls/private/ovn_metadata.key
owner: neutron:neutron
optional: true
perm: '0644'
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_4:
setup_ovs_manager:
start_order: 0
detach: false
net: host
privileged: true
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
- - '/container_puppet_apply.sh'
- '4'
- 'exec'
- 'include tripleo::profile::base::neutron::ovn_metadata'
image: {get_attr: [RoleParametersValue, value, ContainerOvnMetadataImage]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
- - /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
ovn_metadata_agent:
start_order: 1
image: {get_attr: [RoleParametersValue, value, ContainerOvnMetadataImage]}
net: host
pid: host
cgroupns: host
privileged: true
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
- - /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch:shared,z
- /var/lib/neutron:/var/lib/neutron:shared,z
- /run/netns:/run/netns:shared
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
- if:
- {get_param: OVNEnableHaproxyDockerWrapper}
- - /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
- /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
list_concat:
- {get_attr: [NeutronBase, role_data, metadata_settings]}
- if:
- {get_param: EnableInternalTLS}
- - service: ovn_metadata
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_metadata
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_set
- {get_param: OvnMetadataCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /run/netns with temp namespace
command: ip netns add ns_temp
register: ipnetns_add_result
failed_when: false
- name: remove temp namespace
command: ip netns delete ns_temp
failed_when: false
when:
- ipnetns_add_result.rc is defined
- ipnetns_add_result.rc == 0
- name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
setype: container_file_t
- name: set conditions
set_fact:
haproxy_wrapper_enabled: {get_param: OVNEnableHaproxyDockerWrapper}
debug_enabled:
if:
- {get_param: OVNWrapperDebug}
- true
- {get_param: Debug}
- name: create kill_scripts directory within /var/lib/neutron
file:
state: directory
path: /var/lib/neutron/kill_scripts
- name: create haproxy kill script
when: haproxy_wrapper_enabled|bool
copy:
dest: /var/lib/neutron/kill_scripts/haproxy-kill
mode: 0755
content: {get_file: ../neutron/kill-script}
upgrade_tasks: []