ef18f25158
This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.
Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.
[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939
Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
(cherry picked from commit 09bcacd25a
)
478 lines
19 KiB
YAML
478 lines
19 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack Octavia service configured with Puppet
|
|
|
|
parameters:
|
|
ContainerOctaviaApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerOctaviaConfigImage:
|
|
description: The container image to use for the octavia config_volume
|
|
type: string
|
|
OctaviaApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.octavia.api
|
|
file: /var/log/containers/octavia/api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
OctaviaUserName:
|
|
description: The username for the Octavia database and keystone accounts.
|
|
type: string
|
|
default: 'octavia'
|
|
OctaviaPassword:
|
|
description: The password for the Octavia database and keystone accounts.
|
|
type: string
|
|
hidden: true
|
|
OctaviaProjectName:
|
|
description: The project name for the keystone Octavia account.
|
|
type: string
|
|
default: 'service'
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionOctaviaApi:
|
|
default: 'overcloud-octavia-api'
|
|
type: string
|
|
OctaviaApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Octavia API.
|
|
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
OctaviaFlavorProperties:
|
|
default:
|
|
ram : '1024'
|
|
disk : '3'
|
|
vcpus: '1'
|
|
description: Dictionary describing the nova flavor for amphora.
|
|
type: json
|
|
OctaviaManageNovaFlavor:
|
|
default: true
|
|
description: Configure the nova flavor for the amphora.
|
|
type: boolean
|
|
OctaviaEnableDriverAgent:
|
|
default: true
|
|
description: Set to false if the driver agent needs to be disabled for some reason.
|
|
type: boolean
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
enable_driver_agent: {equals: [{get_param: OctaviaEnableDriverAgent}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
OctaviaProviderConfig:
|
|
type: ./providers/ovn-provider-config.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaBase:
|
|
type: ./octavia-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
OctaviaWorker: # provides Nova flavor
|
|
type: ./octavia-worker-container-puppet.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Octavia API role.
|
|
value:
|
|
service_name: octavia_api
|
|
firewall_rules:
|
|
'120 octavia api':
|
|
dport:
|
|
- 9876
|
|
- 13876
|
|
keystone_resources:
|
|
octavia:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, OctaviaPublic, uri]}
|
|
internal: {get_param: [EndpointMap, OctaviaInternal, uri]}
|
|
admin: {get_param: [EndpointMap, OctaviaAdmin, uri]}
|
|
project: {get_param: OctaviaProjectName}
|
|
users:
|
|
octavia:
|
|
name: {get_param: OctaviaUserName}
|
|
password: {get_param: OctaviaPassword}
|
|
project: {get_param: OctaviaProjectName}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'load-balancer'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [OctaviaBase, role_data, config_settings]}
|
|
- {get_attr: [OctaviaWorker, role_data, config_settings]}
|
|
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
|
|
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
|
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
|
octavia::keystone::authtoken::user_domain_name: 'Default'
|
|
octavia::keystone::authtoken::project_domain_name: 'Default'
|
|
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
octavia::keystone::authtoken::interface: 'internal'
|
|
octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
|
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
|
|
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
|
|
octavia::api::service_name: 'httpd'
|
|
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
octavia::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
octavia::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
|
# proxy in front.
|
|
octavia::api::host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
|
- octavia::api::provider_drivers:
|
|
list_join:
|
|
- ','
|
|
- list_concat:
|
|
- - 'amphora: The Octavia Amphora driver.'
|
|
- 'octavia: Deprecated alias of the Octavia Amphora driver.'
|
|
-
|
|
if:
|
|
- enable_driver_agent
|
|
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
|
|
- []
|
|
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_octavia_api:
|
|
- {get_param: OctaviaApiLoggingSource}
|
|
mysql:
|
|
octavia::db::mysql::password: {get_param: OctaviaPassword}
|
|
octavia::db::mysql::user: {get_param: OctaviaUserName}
|
|
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
octavia::db::mysql::dbname: octavia
|
|
octavia::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
# BEGIN DOCKER SETTINGS #
|
|
puppet_config:
|
|
config_volume: octavia
|
|
puppet_tags:
|
|
list_join:
|
|
- ','
|
|
- - octavia_config
|
|
- {get_attr: [OctaviaProviderConfig, role_data, puppet_tags]}
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::octavia::api"
|
|
- {get_attr: [OctaviaProviderConfig, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/octavia_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
list_concat:
|
|
-
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_config_files]}
|
|
permissions:
|
|
list_concat:
|
|
-
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- {get_attr: [OctaviaProviderConfig, role_data, kolla_permissions]}
|
|
/var/lib/kolla/config_files/octavia_driver_agent.json:
|
|
command: /usr/bin/octavia-driver-agent --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/driver-agent.log --config-dir /etc/octavia/conf.d/common
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
- path: /run/octavia
|
|
owner: octavia:octavia
|
|
recurse: true
|
|
container_puppet_tasks:
|
|
step_5:
|
|
config_volume: octavia
|
|
puppet_tags: nova_flavor
|
|
step_config: |
|
|
include ::octavia::worker
|
|
config_image: {get_param: ContainerOctaviaConfigImage}
|
|
volumes:
|
|
- /var/lib/config-data/puppet-generated/nova/etc/nova:/etc/nova:ro
|
|
metadata_settings: {get_attr: [OctaviaProviderConfig, role_data, metadata_settings]}
|
|
deploy_steps_tasks:
|
|
get_attr: [OctaviaProviderConfig, role_data, deploy_steps_tasks]
|
|
docker_config:
|
|
# Kolla_bootstrap/db_sync runs before permissions set by kolla_config
|
|
step_2:
|
|
octavia_api_init_dirs:
|
|
start_order: 0
|
|
image: &octavia_api_image {get_param: ContainerOctaviaApiImage}
|
|
net: none
|
|
user: root
|
|
volumes:
|
|
# NOTE(mandre) we need extra dir for the service in /etc/octavia/conf.d
|
|
# It is normally created as part of the RPM install, but it is
|
|
# missing here because we use the same config_volume for all
|
|
# octavia services, hence the same container image to generate
|
|
# configuration.
|
|
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
|
|
step_3:
|
|
octavia_db_sync:
|
|
start_order: 0
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/config-data/octavia/etc/octavia/:/etc/octavia/:ro
|
|
- /var/lib/config-data/octavia/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
|
|
environment:
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
step_4:
|
|
map_merge:
|
|
- octavia_api:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- []
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- []
|
|
- {get_attr: [OctaviaProviderConfig, role_data, volumes]}
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- if:
|
|
- enable_driver_agent
|
|
- octavia_driver_agent:
|
|
start_order: 2
|
|
image: *octavia_api_image
|
|
net: host
|
|
privileged: true
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/octavia_driver_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/octavia:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/octavia:/var/log/octavia:z
|
|
- /run/octavia:/run/octavia:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
- {}
|
|
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /run/octavia, 'setype': container_file_t, 'mode': '0755' }
|
|
- name: ensure /run/octavia is present upon reboot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/run-octavia.conf
|
|
content: |
|
|
d /run/octavia 0755 root root - -
|
|
update_tasks:
|
|
list_concat:
|
|
- {get_attr: [OctaviaBase, role_data, update_tasks]}
|
|
- - name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: &octavia_api_tmpfile_cleanup
|
|
- name: octavia_api_tmpfile_cleanup
|
|
file:
|
|
path: /etc/tmpfiles.d/var-run-octavia.conf
|
|
state: absent
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: &remove_octavia_tls_proxy_tasks
|
|
- name: stop and remove octavia_api_tls_proxy container if docker
|
|
docker:
|
|
name: octavia_api_tls_proxy
|
|
state: absent
|
|
when: container_cli == 'docker'
|
|
- name: "check if tripleo_octavia_api_tls_proxy service exists in systemd"
|
|
stat:
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
register: systemd_exists
|
|
- name: Remove tripleo_octavia_api_tls_proxy service
|
|
when:
|
|
- container_cli == 'podman'
|
|
- systemd_exists.stat.exists
|
|
block:
|
|
- name: stop and disable octavia_api_tls_proxy container
|
|
systemd:
|
|
name: tripleo_octavia_api_tls_proxy
|
|
state: stopped
|
|
enabled: no
|
|
- name: clean up tripleo service file for octavia_api_tls_proxy
|
|
file:
|
|
state: absent
|
|
path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy.service"
|
|
- name: reload systemd
|
|
systemd:
|
|
daemon-reload: yes
|
|
|
|
upgrade_tasks:
|
|
list_concat:
|
|
- {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
|
|
- - name: octavia_api_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: *octavia_api_tmpfile_cleanup
|
|
- name: Set internal tls variable
|
|
set_fact:
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
- name: remove TLS proxy if configured and running
|
|
when:
|
|
- step|int == 2
|
|
- internal_tls_enabled|bool
|
|
block: *remove_octavia_tls_proxy_tasks
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop octavia api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- octavia_api
|
|
tripleo_delegate_to: "{{ groups['octavia_api'] | default([]) }}"
|