With efforts to create resources in the same, unified way,
we convert the tempest role to use openstack_resources
for creating and managing openstack resources, like projects, flavors,
networks, images, etc. This should reduce maintenance costs
in case of further collection updates and unify the approach.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794
Change-Id: I762ded9b6099ea55e8a19bfb82473b950155eaa4
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Change-Id: I4781a0c23274b145970b3269e517c2a62497acc4
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: Id8215882ee528d4c3055479e770c7432616649ba
By overriding the variable `octavia_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the octavia backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id6c187cad4e444fb83ca1f938bd13bb9b73652b3
Amphorav1 has been deprecated and is removed early at the
beginning of the 2023.2 cycle. With that Antelope is the perfect time for
switching the default.
[1] 6c0515c988
Change-Id: I133f20a6d971832138708101e6a8380d23e75cf2
At the moment the security group allows access to Amphora SSH/API
from any network, which is insecure. We're changing the default for
security groups to allow access only from the Octavia Management
network.
Change-Id: I6ea6ab4ec1c28a3b354d40f6744434eefb05fcfe
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming the corresponding variable.
Additionally service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I8cd6c47c64601089173671652a463ecc291d8ca1
Introduces 3 new variables: cinder_default_availability_zone, octavia_cinder_volume_size and octavia_cinder_volume_type. Using these variables enables Octavia to use different Cinder configurations.
Change-Id: I8162e83d39075cd99c516b84c39ed868306283c3
For the vlan scenario we can't use octavia_provider_network_name for
octavia_provider_network but it's a pretty big override, which might be
more handy with having an extra variable, that will be used inside it.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/787199
Change-Id: Ib5627dc3b37626e056c3cfe9ce54ee6a7ff25dd5
Modern ansible only supports the 'cryptography' backend for the
openssl_privatekey module. In this case, the 'cipher' module
parameter must be set to 'auto'.
Change-Id: I2bfe5fa57c7deb201f56f82d5699c91fcccb766d
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I7804ec93d6ec82249f4d81ccec3ab02c4bc8a233
With the PKI role in place, in most cases you don't need to explicitly
provide a path to the CA file because the PKI role ensures that the CA is trusted
by the system overall. In the meanwhile, in PyMySQL [1] you must either
provide a CA file or cert/key or enable verify.
Since the current behaviour is to provide a path to the custom CA, we expect
the certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I1a45575423b0c7664f9f6586028c6c2b50a2ada1
Octavia complains about the option amp_ssh_access_allowed being deprecated. See
https://docs.openstack.org/octavia/ussuri/configuration/configref.html#controller_worker.amp_ssh_access_allowed
The octavia_ssh_enabled OSA variable is instead used to either write the
amp_ssh_key_name configuration option or not.
The configuration option amp_image_id in Octavia is deprecated and image tags
should be used instead. Therefore octavia_amp_image_id is removed.
Change-Id: Ibd5f3d2ca25f9bb880b0c535c59ef430bd1043be
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fall back to the default variable.
Change-Id: I4574846b71fd9a084df0876cde4bc3277743fe86
Octavia can do SSL termination only in case barbican is available.
We should be able to add the required configuration section only when barbican
is also present in inventory.
Change-Id: Ie319fd02cdd60f8a8ac65f0508e9075f40839ae9
When using a non-standard host for keypair setup (such as a utility
container) it is necessary to set a custom python interpreter
which has access to openstacksdk.
This commit provides a variable to do this in the same style as
used for service setup hosts.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/777601
Change-Id: Ia2056cf287b666d4d3d8d36f06772c5117ca6bf7
Even the most modest 4C/8T system would run with the maximum 16 processes
due to the calculation being VCPU*2.
We divide the number of CPUs by the number of threads for hyperthreaded CPUs.
Change-Id: I5a301ce51f28eb935ade9727880534aced5fe927
Some of the options we were configuring were dropped from the upstream service
back in Stein with api v1. So we dropped removed options, renamed
deprecated ones and moved them to the appropriate sections where applicable.
We also enable notifications conditionally now depending on the value of
the variable `octavia_ceilometer_enabled`.
Change-Id: Ia44da67bb7116122633117ae17794aa58236ef83
Octavia v1 options have been dropped from upstream in Train. They have
no effect nowadays so there is no reason to further carry its codebase.
Change-Id: I1c8f9723ca2ac2b468725c2954adcdaff54dbdf0
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: I0bd9a36b69fb2eb388b0e23ed1fb52644d7ba4bc
This patch aims to add a prefix for memcached_server
on each role to give deployers the ability to
override the location of the memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.
We also add pymemcache based on [1].
[1] https://review.opendev.org/711429
Change-Id: Ifedee3b46a845b66d54279b5a35edd16faa80e05