commit 4a58f4238c46c7b95395f07be74a4d729acdc09c Author: wu.chunyang Date: Thu Jul 9 15:28:50 2020 +0800 Implement automatic deploy of octavia this patchset has implemented: - network (lb-mgmt-net) - security groups and rules (used by amphora and health manager) - amphora flavor (used by amphora) - nova keypair (used by amphora at the time of debugging) Add a octavia_amp_listen_port variable which used by amphora Add amp_image_owner_id in octavia.conf Implements: blueprint implement-automatic-deploy-of-octavia Co-Authored-By: zhangchun Depends-On: https://review.opendev.org/652030 Change-Id: I67009d046925cfc02c1e0073c80085c1471975f6 diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 4b97a03..6646acb 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -1001,15 +1001,6 @@ enable_nova_horizon_policy_file: "{{ enable_nova }}" horizon_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ horizon_tls_port if kolla_enable_tls_internal | bool else horizon_port }}" ################# -# Octavia options -################# -# Load balancer topology options are [ SINGLE, ACTIVE_STANDBY ] -octavia_loadbalancer_topology: "SINGLE" -octavia_amp_boot_network_list: -octavia_amp_secgroup_list: -octavia_amp_flavor_id: - -################# # Qinling options ################# # Configure qinling-engine certificates to authenticate with Kubernetes cluster. diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml index f91e7d3..d2dcae6 100644 --- a/ansible/roles/octavia/defaults/main.yml +++ b/ansible/roles/octavia/defaults/main.yml 
@@ -154,3 +154,87 @@ octavia_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}" octavia_dev_repos_pull: "{{ kolla_dev_repos_pull }}" octavia_dev_mode: "{{ kolla_dev_mode }}" octavia_source_version: "{{ kolla_source_version }}" + +##################### +# Integration Options +##################### +octavia_amp_ssh_key_name: "octavia_ssh_key" +octavia_amp_listen_port: "9443" +octavia_amp_image_tag: "amphora" + +# Load balancer topology options are [ SINGLE, ACTIVE_STANDBY ] +octavia_loadbalancer_topology: "SINGLE" + +# Whether to run Kolla-Ansible's automatic configuration for Octavia. +# NOTE: if you upgrade from Ussuri, you must set `octavia_auto_configure` to `no` +# and keep your other Octavia config like before. +octavia_auto_configure: yes + +# OpenStack auth used when registering resources for Octavia. +octavia_user_auth: + auth_url: "{{ keystone_admin_url }}" + username: "octavia" + password: "{{ octavia_keystone_password }}" + project_name: "{{ octavia_service_auth_project }}" + domain_name: "{{ default_project_domain_name }}" + +# Octavia amphora flavor. +# See os_nova_flavor for details. Supported parameters: +# - disk +# - ephemeral (optional) +# - extra_specs (optional) +# - flavorid (optional) +# - is_public (optional) +# - name +# - ram +# - swap (optional) +# - vcpus +octavia_amp_flavor: + name: "amphora" + is_public: no + vcpus: 1 + ram: 1024 + disk: 5 + +# Octavia security groups. lb-mgmt-sec-grp is for amphorae. +octavia_amp_security_groups: + mgmt-sec-grp: + name: "lb-mgmt-sec-grp" + rules: + - protocol: icmp + - protocol: tcp + src_port: 22 + dst_port: 22 + - protocol: tcp + src_port: "{{ octavia_amp_listen_port }}" + dst_port: "{{ octavia_amp_listen_port }}" + +# Octavia management network. +# See os_network and os_subnet for details. 
Supported parameters: +# - external (optional) +# - mtu (optional) +# - name +# - provider_network_type (optional) +# - provider_physical_network (optional) +# - provider_segmentation_id (optional) +# - shared (optional) +# - subnet +# The subnet parameter has the following supported parameters: +# - allocation_pool_start (optional) +# - allocation_pool_start (optional) +# - cidr +# - enable_dhcp (optional) +# - gateway_ip (optional) +# - name +# - no_gateway_ip (optional) +octavia_amp_network: + name: lb-mgmt-net + shared: false + subnet: + name: lb-mgmt-subnet + cidr: "{{ octavia_amp_network_cidr }}" + no_gateway_ip: yes + enable_dhcp: yes + +# Octavia management network subnet CIDR. +octavia_amp_network_cidr: 10.0.0.0/24 diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml index 7e579b0..3b35613 100644 --- a/ansible/roles/octavia/tasks/config.yml +++ b/ansible/roles/octavia/tasks/config.yml @@ -82,6 +82,16 @@ notify: - "Restart {{ item.key }} container" +- name: Copying over Octavia SSH key + copy: + content: "{{ octavia_amp_ssh_key.private_key }}" + dest: "{{ node_config_directory }}/octavia-worker/{{ octavia_amp_ssh_key_name }}" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0400" + become: True + when: inventory_hostname in groups[octavia_services['octavia-worker']['group']] + - name: Copying certificate files for octavia-worker vars: service: "{{ octavia_services['octavia-worker'] }}" diff --git a/ansible/roles/octavia/tasks/deploy.yml b/ansible/roles/octavia/tasks/deploy.yml index 6882dd8..da8bbcc 100644 --- a/ansible/roles/octavia/tasks/deploy.yml +++ b/ansible/roles/octavia/tasks/deploy.yml @@ -1,6 +1,9 @@ --- - import_tasks: register.yml +- include_tasks: prepare.yml + when: octavia_auto_configure | bool + - import_tasks: config.yml - include_tasks: clone.yml 
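Review bot: The default `octavia_amp_security_groups` rules carry no source restriction, so when prepare.yml feeds them to os_security_group_rule the ICMP, SSH (22) and amphora agent (`octavia_amp_listen_port`) rules are created for any source; the only limit on their reach is that the group sits on the management network. Since the commit message describes the SSH keypair as a debugging aid, an optional per-rule `remote_ip_prefix` defaulted to `"{{ octavia_amp_network_cidr }}"` and passed through in the rule task as `remote_ip_prefix: "{{ item.1.remote_ip_prefix | default(omit) }}"` would keep the rules scoped to the hosts that actually talk to amphorae, and would let operators drop the SSH rule entirely. Separately, the subnet parameter list under `octavia_amp_network` names `allocation_pool_start` twice; the second entry should read `# - allocation_pool_end (optional)`, which is the key the subnet task reads, and the same comment block is duplicated in etc/kolla/globals.yml.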
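Review bot: The `Copying over Octavia SSH key` task hands the amphora private key to `copy` via `content:` with nothing suppressing task output, so a run with `--diff` or high verbosity can echo the key material into the Ansible log and any CI capture of it. Adding `no_log: True` to the task keeps the key out of logs while still writing the file with the 0400 mode the task already sets.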
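Review bot: Within this diff `prepare.yml` is only included from deploy.yml, yet octavia.conf.j2 now reads `project_info`, `network_info`, `sec_grp_info` and `amphora_flavor_info` whenever `octavia_auto_configure` is true, so any other entry point that reaches config.yml without running prepare.yml first (reconfigure or upgrade, if the role has them outside this diff) will fail the template on undefined variables. Either include prepare.yml from those paths under the same `when: octavia_auto_configure | bool`, or guard the auto-configure branch of the template on the registered variables being defined so the failure is explicit rather than a raw Jinja error.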
diff --git a/ansible/roles/octavia/tasks/prepare.yml b/ansible/roles/octavia/tasks/prepare.yml
new file mode 100644
index 0000000..3bc0be4
--- /dev/null
+++ b/ansible/roles/octavia/tasks/prepare.yml
@@ -0,0 +1,131 @@
+---
+- name: Create amphora flavor
+ become: true
+ kolla_toolbox:
+ module_name: os_nova_flavor
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ is_public: "{{ octavia_amp_flavor.is_public | bool }}"
+ name: "{{ octavia_amp_flavor.name }}"
+ flavorid: "{{ octavia_amp_flavor.flavorid | default(omit, true) }}"
+ vcpus: "{{ octavia_amp_flavor.vcpus }}"
+ ram: "{{ octavia_amp_flavor.ram }}"
+ disk: "{{ octavia_amp_flavor.disk }}"
+ ephemeral: "{{ octavia_amp_flavor.ephemeral | default(omit, true) }}"
+ swap: "{{ octavia_amp_flavor.swap | default(omit, true) }}"
+ extra_specs: "{{ octavia_amp_flavor.extra_specs | default(omit, true) }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+ register: amphora_flavor_info
+
+- name: Create nova keypair for amphora
+ become: True
+ kolla_toolbox:
+ module_name: os_keypair
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ name: "{{ octavia_amp_ssh_key_name }}"
+ public_key: "{{ octavia_amp_ssh_key.public_key }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Get {{ octavia_service_auth_project }} project id
+ become: True
+ kolla_toolbox:
+ module_name: os_project_info
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ name: "{{ octavia_service_auth_project }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+ register: project_info
+
+- name: Create security groups for octavia
+ become: true
+ kolla_toolbox:
+ module_name: os_security_group
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ name: "{{ item.name }}"
+ loop: "{{ octavia_amp_security_groups.values() | list }}"
+ loop_control:
+ label: "{{ item.name }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+ register: sec_grp_info
+
+- name: Add rules for security groups
+ become: true
+ kolla_toolbox:
+ module_name: os_security_group_rule
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ security_group: "{{ item.0.name }}"
+ protocol: "{{ item.1.protocol }}"
+ port_range_min: "{{ item.1.src_port | default(omit) }}"
+ port_range_max: "{{ item.1.dst_port | default(omit) }}"
+ with_subelements:
+ - "{{ octavia_amp_security_groups }}"
+ - rules
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Create loadbalancer management network
+ become: true
+ kolla_toolbox:
+ module_name: os_network
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ name: "{{ octavia_amp_network['name'] }}"
+ mtu: "{{ octavia_amp_network['mtu'] | default(omit, true) }}"
+ provider_network_type: "{{ octavia_amp_network['provider_network_type'] | default(omit, true) }}"
+ provider_physical_network: "{{ octavia_amp_network['provider_physical_network'] | default(omit, true) }}"
+ provider_segmentation_id: "{{ octavia_amp_network['provider_segmentation_id'] | default(omit, true) }}"
+ external: "{{ octavia_amp_network['external'] | default(omit) }}"
+ shared: "{{ octavia_amp_network['shared'] | default(omit) }}"
+ register: network_info
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Create loadbalancer management subnet
+ become: true
+ kolla_toolbox:
+ module_name: os_subnet
+ module_args:
+ auth: "{{ 
octavia_user_auth }}" + cacert: "{{ openstack_cacert }}" + endpoint_type: "{{ openstack_interface }}" + region_name: "{{ openstack_region_name }}" + state: present + network_name: "{{ octavia_amp_network['name'] }}" + name: "{{ octavia_amp_network['subnet']['name'] }}" + cidr: "{{ octavia_amp_network['subnet']['cidr'] }}" + allocation_pool_start: "{{ octavia_amp_network['subnet']['allocation_pool_start'] | default(omit, true) }}" + allocation_pool_end: "{{ octavia_amp_network['subnet']['allocation_pool_end'] | default(omit, true) }}" + enable_dhcp: "{{ octavia_amp_network['subnet']['enable_dhcp'] | default(omit) }}" + no_gateway_ip: "{{ octavia_amp_network['subnet']['no_gateway_ip'] | default(omit) }}" + gateway_ip: "{{ octavia_amp_network['gateway_ip'] | default(omit, true) }}" + run_once: True + delegate_to: "{{ groups['octavia-api'][0] }}" diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2 index 3d42d7a..9292a24 100644 --- a/ansible/roles/octavia/templates/octavia.conf.j2 +++ b/ansible/roles/octavia/templates/octavia.conf.j2 @@ -22,6 +22,7 @@ ca_certificates_file = {{ openstack_cacert }} [haproxy_amphora] server_ca = /etc/octavia/certs/server_ca.cert.pem client_cert = /etc/octavia/certs/client.cert-and-key.pem +bind_port = {{ octavia_amp_listen_port }} [database] connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }} 
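Review bot: In the `Create loadbalancer management subnet` task the gateway is read from `octavia_amp_network['gateway_ip']`, while the documented layout in defaults/main.yml lists `gateway_ip` under `subnet`; an operator who sets it where the comment says will have it silently ignored and the subnet created without a gateway. The line should read `gateway_ip: "{{ octavia_amp_network['subnet']['gateway_ip'] | default(omit, true) }}"`. In `Add rules for security groups`, the rule keys `src_port` and `dst_port` are mapped to `port_range_min` and `port_range_max`, which describe one port range rather than source and destination ports; naming the dict keys `port_range_min`/`port_range_max` (or a comment on the task stating the mapping) would stop a reader from writing a rule whose "source port" is really the low end of the destination range.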
@@ -68,11 +69,29 @@ stats_update_threads = {{ openstack_service_workers }} health_update_threads = {{ openstack_service_workers }} [controller_worker] +amp_ssh_key_name = {{ octavia_amp_ssh_key_name }} +amp_image_tag = {{ octavia_amp_image_tag }} + +{% if not octavia_auto_configure | bool %} +{% if octavia_amp_image_owner_id is defined %} +amp_image_owner_id = {{ octavia_amp_image_owner_id }} +{% endif %} +{% if octavia_amp_boot_network_list is defined %} amp_boot_network_list = {{ octavia_amp_boot_network_list }} -amp_image_tag = amphora +{% endif %} +{% if octavia_amp_secgroup_list is defined %} amp_secgroup_list = {{ octavia_amp_secgroup_list }} +{% endif %} +{% if octavia_amp_flavor_id is defined %} amp_flavor_id = {{ octavia_amp_flavor_id }} -amp_ssh_key_name = octavia_ssh_key +{% endif %} +{% else %} +amp_image_owner_id = {{ project_info.openstack_projects.0.id }} +amp_boot_network_list = {{ network_info.id }} +amp_secgroup_list = {{ (sec_grp_info.results | selectattr('secgroup.name', 'equalto', octavia_amp_security_groups['mgmt-sec-grp'].name) | list).0.secgroup.id }} +amp_flavor_id = {{ amphora_flavor_info.flavor.id }} +{% endif %} + client_ca = /etc/octavia/certs/client_ca.cert.pem network_driver = allowed_address_pairs_driver compute_driver = compute_nova_driver diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index f1b5336..d1cb1ff 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml 
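Review bot: In the manual branch (`{% if not octavia_auto_configure | bool %}`) `amp_image_owner_id` is only emitted when `octavia_amp_image_owner_id` is defined, and globals.yml ships it commented out, so a deployment that upgrades with `octavia_auto_configure: no` gets no owner restriction on amphora image selection and Octavia will boot whichever Glance image carries the `amphora` tag, whoever uploaded it. The auto-configure branch always sets the owner, so the two modes differ in a security-relevant default; documenting `octavia_amp_image_owner_id` as required in manual mode, or rendering it unguarded so an unset value fails at deploy time, would make the omission visible. The same applies to `amp_boot_network_list`, `amp_secgroup_list` and `amp_flavor_id`, which were unconditional before this change and now drop out of the rendered file silently when unset.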
@@ -666,3 +666,83 @@ # Configure telegraf to use the docker daemon itself as an input for # telemetry data. #telegraf_enable_docker_input: "no" + +########################################## +# Octavia - openstack loadbalancer Options +########################################## +# Whether to run Kolla-Ansible's automatic configuration for Octavia. +# NOTE: if you upgrade from Ussuri, you must set `octavia_auto_configure` to `no` +# and keep your other Octavia config like before. +#octavia_auto_configure: yes + +# Octavia amphora flavor. +# See os_nova_flavor for details. Supported parameters: +# - flavorid (optional) +# - is_public (optional) +# - name +# - vcpus +# - ram +# - disk +# - ephemeral (optional) +# - swap (optional) +# - extra_specs (optional) +#octavia_amp_flavor: +# name: "amphora" +# is_public: no +# vcpus: 1 +# ram: 1024 +# disk: 5 + +# Octavia security groups. lb-mgmt-sec-grp is for amphorae. +#octavia_amp_security_groups: +# mgmt-sec-grp: +# name: "lb-mgmt-sec-grp" +# rules: +# - protocol: icmp +# - protocol: tcp +# src_port: 22 +# dst_port: 22 +# - protocol: tcp +# src_port: "{{ octavia_amp_listen_port }}" +# dst_port: "{{ octavia_amp_listen_port }}" + +# Octavia management network. +# See os_network and os_subnet for details. Supported parameters: +# - external (optional) +# - mtu (optional) +# - name +# - provider_network_type (optional) +# - provider_physical_network (optional) +# - provider_segmentation_id (optional) +# - shared (optional) +# - subnet +# The subnet parameter has the following supported parameters: +# - allocation_pool_start (optional) +# - allocation_pool_start (optional) +# - cidr +# - enable_dhcp (optional) +# - gateway_ip (optional) +# - name +# - no_gateway_ip (optional) +#octavia_amp_network: +# name: lb-mgmt-net +# shared: false +# subnet: +# name: lb-mgmt-subnet +# cidr: "{{ octavia_amp_network_cidr }}" +# no_gateway_ip: yes +# enable_dhcp: yes + +# Octavia management network subnet CIDR. 
+#octavia_amp_network_cidr: 10.0.0.0/24 + +#octavia_amp_image_tag: "amphora" + +# Load balancer topology options are [ SINGLE, ACTIVE_STANDBY ] +#octavia_loadbalancer_topology: "SINGLE" + +# The following variables are ignored as along as `octavia_auto_configure` is set to `yes`. +#octavia_amp_image_owner_id: +#octavia_amp_boot_network_list: +#octavia_amp_secgroup_list: +#octavia_amp_flavor_id: diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index c2007b0..902d8d1 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -209,6 +209,10 @@ bifrost_ssh_key: private_key: public_key: +octavia_amp_ssh_key: + private_key: + public_key: + #################### # Gnocchi options #################### diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py index 6927bd5..40fcf8a 100755 --- a/kolla_ansible/cmd/genpwd.py +++ b/kolla_ansible/cmd/genpwd.py @@ -117,7 +117,7 @@ def main(): # SSH key pair ssh_keys = ['kolla_ssh_key', 'nova_ssh_key', - 'keystone_ssh_key', 'bifrost_ssh_key'] + 'keystone_ssh_key', 'bifrost_ssh_key', 'octavia_amp_ssh_key'] # If these keys are None, leave them as None blank_keys = ['docker_registry_password']