Commit Graph

129 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 59606f0957 Adopt for usage openstack_resources role
With efforts to create resources in the same, unified way,
we convert tempest role to use openstack_resources
for creating and managing openstack resources, like projects, flavors,
networks, images, etc. This should reduce maintenance costs
in case of further collection updates and unify approach.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794
Change-Id: I762ded9b6099ea55e8a19bfb82473b950155eaa4
2024-02-01 10:15:56 +00:00
Dmitriy Rabotyagov 34e0def6ec Remove obsoleted provider drivers
amphorav1 driver has been dropped from octavia early in 2023.2 cycle [1]

[1] 6c0515c988

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/900399
Change-Id: I7afeaca12dd65e5455359e22c21a77191381bc73
2023-12-05 14:06:47 +00:00
Dmitriy Rabotyagov c0783fcdf5 Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Change-Id: I4781a0c23274b145970b3269e517c2a62497acc4
2023-10-20 12:34:55 +00:00
Dmitriy Rabotyagov a6cb51d27a Drop Neutron oslomsg configuration
These options were used for lbaasv2 and are not used in Octavia code
for quite some time.

Change-Id: Ie6f21fe9b46c55c37ee88ad911e7c5aa56b9db9c
2023-10-20 10:48:46 +00:00
Dmitriy Rabotyagov d94e57f17b Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: Id8215882ee528d4c3055479e770c7432616649ba
2023-07-17 15:38:00 +02:00
Zuul 048f9d548e Merge "Add TLS support to octavia backends" 2023-05-08 11:51:23 +00:00
Damian Dabrowski ee554649bd Add TLS support to octavia backends
By overriding the variable `octavia_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the octavia backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id6c187cad4e444fb83ca1f938bd13bb9b73652b3
2023-04-29 18:43:06 +02:00
Dmitriy Rabotyagov 8499e1713e Switch default provider to amphorav2
Amphorav1 has been deprecated and is removed early at the
beginning of the 2023.2 cycle. With that Antelope is perfect time for
switching the default.

[1] 6c0515c988

Change-Id: I133f20a6d971832138708101e6a8380d23e75cf2
2023-04-24 16:16:20 +02:00
Dmitriy Rabotyagov cea4f2e358 Change default CIDR for security_group
At the moment security group allows to access Amphora SSH/API
from any network which is insecure. We're changing default for
security groups to allow access only from Octavia Management
network.

Change-Id: I6ea6ab4ec1c28a3b354d40f6744434eefb05fcfe
2023-04-19 09:51:08 +00:00
Zuul 910128fa7c Merge "Change defaults for octavia topology and affinity" 2022-12-12 18:25:08 +00:00
Dmitriy Rabotyagov b1a5d10f33 Change defaults for octavia topology and affinity
In most of production deployments it's preferable to have ACTIVE_STANDBY
topology with enabled anti-affinity to ensure that loadbalancer
can survive compute node downtime and won't lead to service disruption.

Without these settings it will take quite some time to re-spawn failed
Amphora.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/866061
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/867052
Change-Id: I4fa437117dce1c973512c09b1bc7d43d411276da
2022-12-10 19:10:49 +00:00
Dmitriy Rabotyagov aeb1dbf1dd Add coordination to octavia
This also enables usage of amphorav2 when coordination is
available.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-zookeeper/+/867049
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/867052
Change-Id: I1234d36c58da3f6754cda1951ee4cc49f979ae0c
2022-12-08 20:47:00 +00:00
Dmitriy Rabotyagov 87e78ee34c Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I8cd6c47c64601089173671652a463ecc291d8ca1
2022-06-17 13:40:17 +00:00
Dmitriy Rabotyagov 757aecd58b Use PKI role for certificate generation
This patch replaces usage of role-specific tasks for managing
certificates to PKI role.

This will allow to unify certificates management with other services
along with simplify management of code.

However, this patch does not contain migration path, which should
be handled separately.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/838713
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843711
Change-Id: I96c6030722661eb7ffdb31ac75e09785871179d5
2022-06-02 08:31:07 +00:00
Zuul 47ac60ca20 Merge "Add flexability for octavia cinder variable." 2022-05-27 11:48:48 +00:00
siavash sardari 3e10d40b10 Add flexability for octavia cinder variable.
Introduces 3 new variables cinder_default_availability_zone, octavia_cinder_volume_size and octavia_cinder_volume_type. Using these variables enables Octavia to use different Cinder configurations.

Change-Id: I8162e83d39075cd99c516b84c39ed868306283c3
2022-05-23 12:52:04 +04:30
Dmitriy Rabotyagov 941e671e06 Make octavia_provider_network better configurable
For vlan scenario we can't use octavia_provider_network_name for
octavia_provider_network but it's pretty big override, which might be
more handy with having an extra variable, that will be used inside it.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/787199
Change-Id: Ib5627dc3b37626e056c3cfe9ce54ee6a7ff25dd5
2022-05-10 18:45:51 +02:00
Jonathan Rosser 4ba4409e46 Change octavia private key ciphers to type 'auto'
Modern ansible only supports the 'cryptography' backend for the
openssl_privatekey module. In this case, the 'cipher' module
parameter must be set to 'auto'.

Change-Id: I2bfe5fa57c7deb201f56f82d5699c91fcccb766d
2022-04-04 13:49:02 +01:00
Jonathan Rosser d736c64072 Remove legacy db pooling variables
Change-Id: I7f7e9a5a4a12afff994f548abff2482818a43ccb
2022-02-01 04:20:55 -05:00
Dmitriy Rabotyagov c7a7a14f7b Use focal amphora test image by default
Switch used default amphora image from bionic to focal

Change-Id: I5a05f583631ef7b6429da4a6a3a4e895e9c75163
2021-12-23 16:19:59 +02:00
Damian Dabrowski 6353f2f747 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I7804ec93d6ec82249f4d81ccec3ab02c4bc8a233
2021-12-04 09:33:28 +02:00
Dmitriy Rabotyagov 1a7f8b2a57 Refactor definition of lock path
Change-Id: I5dc391fa69d84e304439b1187dac7f73c2a959e1
2021-12-02 19:04:14 +02:00
Zuul 47671efb49 Merge "Refactor galera_use_ssl behaviour" 2021-10-06 11:55:17 +00:00
Dmitriy Rabotyagov 3c77e661a3 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I1a45575423b0c7664f9f6586028c6c2b50a2ada1
2021-09-21 17:08:05 +03:00
Jonathan Herlin 67c18d7034 Fix spelling mistakes
Just some various spelling mistakes I noticed while reading

Change-Id: Icc95027153b7fa86f856906630f1cfbde9149b25
2021-08-27 16:15:42 +02:00
Namrata a2de42c7bb Fix spelling error
This patch fixes the spelling of octavia which is misspelled as octaiva.

Change-Id: I4dbc598ef0d085ac8c5656c52b9239ee69a1f4d1
2021-07-09 13:12:30 +05:30
Zuul e64e815dd3 Merge "Add variables for rabbitmq ssl configuration" 2021-06-01 13:52:20 +00:00
Jonathan Rosser aa4655b8e2 Add variables for rabbitmq ssl configuration
Change-Id: Ifa8acd4f8edfa3816c3f63084aa6ff74d2c1e1c5
2021-05-17 11:41:10 +00:00
Dmitriy Rabotyagov 999ef47022 Remove shade from octavia_pip_packages
Shade has been superseded by openstacksdk and should not be required
at the moment

Change-Id: I80f3e3093f58f3f1fba6af0ddc48ace0a1165e7b
2021-04-19 18:19:58 +00:00
Marcus Klein 50b83c7927 Omit amp_ssh_access_allowed and remove amp_image_id options.
Octavia complains about option amp_ssh_access_allowed to be deprecated. See
https://docs.openstack.org/octavia/ussuri/configuration/configref.html#controller_worker.amp_ssh_access_allowed
The octavia_ssh_enabled OSA variable is instead used to either write the
amp_ssh_key_name configuration option or not.

The configuration option amp_image_id in Octavia is deprecated and image tags
should be used instead. Therefore octavia_amp_image_id is removed.

Change-Id: Ibd5f3d2ca25f9bb880b0c535c59ef430bd1043be
2021-04-01 20:16:24 +02:00
Jonathan Rosser 082ad70c31 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: Ifb8dfacf44ac5537dea5ee4480350e6c93c2450a
2021-03-16 10:38:55 +00:00
Jonathan Rosser 46d3096ddb Switch default virtualenv to python3
Change-Id: I12e24fbdd00638fef09c90594f757d4848a087e7
2021-03-10 09:01:04 +00:00
Zuul e844e8adfc Merge "Move octaiva pip packages from constraints to requirements" 2021-03-02 10:11:40 +00:00
Zuul 5b3694de49 Merge "Use barbican for certificates storage" 2021-03-02 10:11:35 +00:00
Dmitriy Rabotyagov f3194038ae Use global service variables
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.

Change-Id: I4574846b71fd9a084df0876cde4bc3277743fe86
2021-03-01 17:51:59 +00:00
Dmitriy Rabotyagov 78d204afb8 Use barbican for certificates storage
Octavia can do SSL termination only in case when barbican is available.
We should be able to add required configuration section only when barbican
is also present in inventory

Change-Id: Ie319fd02cdd60f8a8ac65f0508e9075f40839ae9
2021-03-01 17:51:50 +00:00
Jonathan Rosser 224ba7e2e9 Move octaiva pip packages from constraints to requirements
This is necessary to use the new pip resolver

Depends-On: Ie0a2ded1c088668395ff143c60bdffdf68b6a5a1
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/772559
Change-Id: Icbfc123d938feed34cef79fea4e6f3700be2ac7b
2021-02-26 09:43:08 +00:00
Andrew Bonney 44d0a6d398 Add variable to override keypair setup python interpreter
When using a non-standard host for keypair setup (such as a utility
container) it is necessary to set a custom python interpreter
which has access to openstacksdk.

This commit provides a variable to do this in the same style as
used for service setup hosts.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/777601
Change-Id: Ia2056cf287b666d4d3d8d36f06772c5117ca6bf7
2021-02-26 08:24:58 +00:00
Zuul b94b927aaf Merge "Automatically create and import keypair if it doesn't exist" 2020-12-06 20:59:58 +00:00
Mohammed Naser b20198146e Automatically create and import keypair if it doesn't exist
This will automatically build a keypair if none exists with the
name that's provided and octavia_ssh_enabled is set to true.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/765673
Change-Id: I12b1b7d18c5efd1438585153fa6b2db467758419
2020-12-05 22:48:58 +00:00
Satish Patel 1be636c5ab Removing spare_amphora_pool_size option
Victoria and future releases are going to deprecate this option.
https://docs.openstack.org/octavia/latest/configuration/configref.html#house_keeping.spare_amphora_pool_size

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/765544
Change-Id: I99425c9b65c6327636a94c00b32545553a705611
2020-12-05 00:22:47 +00:00
Zuul 16ade13a54 Merge "Reduce number of processes on small systems" 2020-12-04 17:01:47 +00:00
Dmitriy Rabotyagov 87691d3fb9 Reduce number of processes on small systems
Even the most modest 4C/8T system would run with the maximum 16 processes
due to the calculation being VCPU*2.

We divide amount of CPUs by number of threads for hyperthreaded CPUs

Change-Id: I5a301ce51f28eb935ade9727880534aced5fe927
2020-12-02 21:22:15 +00:00
Dmitriy Rabotyagov ac5fdd6b4f Update octavia messaging options
Some of the options we were configuring were dropped from upstream service
back in Stein with api v1. So we dropped removed options, renamed
deprecated ones and moved to the appropriate sections where applicable.
We also enable notifications conditionally now depending on the value of
the variable `octavia_ceilometer_enabled`.

Change-Id: Ia44da67bb7116122633117ae17794aa58236ef83
2020-12-02 17:00:54 +00:00
Dmitriy Rabotyagov e00cb9c563 Drop octavia v1 api options
Octavia v1 options have been dropped from upstream on Train. They have
no effect nowadays so no reason to further carry its codebase

Change-Id: I1c8f9723ca2ac2b468725c2954adcdaff54dbdf0
2020-12-02 14:27:43 +00:00
Dmitriy Rabotyagov 7fb7f1ba75 Use the utility host for db setup tasks
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.

Change-Id: I0bd9a36b69fb2eb388b0e23ed1fb52644d7ba4bc
2020-08-20 19:30:54 +03:00
Dmitriy Rabotyagov fa21c6f52a Cleanup after repo_build and pip_install retirement
Change-Id: I66a06583eb6646903eba365768bad35e8c28cd90
2020-05-12 22:41:41 +03:00
Guilherme Steinmüller 677aff655b Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: Ifedee3b46a845b66d54279b5a35edd16faa80e05
2020-03-16 14:48:48 +00:00
Dmitriy Rabotyagov fa7b62fca2 Replace git.openstack.org with opendev.org
This patch replaces git.openstack.org with opendev.org as redirection
from old path was enabled.
Also we change upper constraints url due to [1]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Change-Id: I7d232d94f9c4e9f6493045245f60475f233b185d
2019-11-14 18:02:58 +02:00
Zuul c4d5142b8d Merge "Add global override for service bind address" 2019-10-08 14:46:05 +00:00