With efforts to create resources in the same, unified way,
we convert the tempest role to use openstack_resources
for creating and managing openstack resources, like projects, flavors,
networks, images, etc. This should reduce maintenance costs
in case of further collection updates and unify the approach.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794
Change-Id: I762ded9b6099ea55e8a19bfb82473b950155eaa4
Amphora does report back its status to Octavia healthmanager through
octavia_health_manager_port. This outgoing traffic from Amphora must be
allowed to show LB stats and operational_status.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: Ib6b8547b69949f7af0ba0f7f436b4286d3baccb7
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: Id8215882ee528d4c3055479e770c7432616649ba
By overriding the variable `octavia_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the octavia backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id6c187cad4e444fb83ca1f938bd13bb9b73652b3
In case it's needed to limit access to DHCP servers, rules must be
way more complex than this one, since DHCP uses broadcast.
To avoid complexity, let's just avoid defining remote_ip_prefix
that allows egress traffic for DHCP.
Change-Id: I280c064b4d93bcd78092f02a928d5d6dfb4fda68
With ansible-collection version 2.0 the return of the project_info module
has changed. We need to adapt usage of the module return to the new format.
We also add security group rule for dhcp, since in case DHCP is enabled
for the network, it won't be provided in metadata on config-drive anymore.
Change-Id: I861797fdddbf2c82ef7b1409df577475e7424414
This line snuck in with I5cc0b1bde814abb0a4afe1567b9b23230a57f275
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: I7f719b3fbd7e89ce96b84c9080049888aeda7ee6
The `octavia_provider_network_mtu` parameter defaults to 1500
to not accidentally use `global_physnet_mtu` on deployments with
large MTU settings.
Change-Id: I9fa33c5ee76197191f1e66b7a70a4c1c0a5fa394
With commit [1] to the collection, the output structure of the networks_info module
has been changed. With that we adapt to the new format.
Return values for keypair have also changed.
[1] 9272146cf7
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/864553
Change-Id: Ic22ec379983e43aa5f2b55fd4543b4aa70762354
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally, service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I8cd6c47c64601089173671652a463ecc291d8ca1
We need to collect installation method variables as early as we can as
we rely on them later on in the play.
Change-Id: I0fa1b7b25a4b6ced5606018410825e7cf2eac54a
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I5cc0b1bde814abb0a4afe1567b9b23230a57f275
Since we still use ceph-ansible, which has its own implementation of the
config_template module, it's worth using the mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: I9fa37f5f781b8529874daa6deffbd47de75e28fa
The env lookup in the key copying task refers to the deploy host.
If your deploy host user is not root then this task will fail
as this directory does not exist on the remote setup host.
As the original intention appears to have been to copy the result
of the keypair generation to the deploy host, the delegation is
explicitly set to 'localhost'.
Change-Id: I89649503d5918c33f0d1e4200be67be5e0ed8a9e
With multinode Octavia setup self and octavia_generate_certs is
True, role fails with distributing certificates.
While the correct approach would be to replace that with the PKI role, right now
we are just patching the current approach, by ensuring that facts are set
for octavia_cert_setup_host so we could reliably gain them.
Change-Id: I0dc2488b9e8e33847c9a2646032ac5f926d09133
Closes-Bug: #1936646
This patch sets the octavia_amp_image_owner_id default so that the
Octavia configuration file has amp_image_owner_id populated.
That is an important security setting for production deployments that helps
to avoid faked images being used.
Change-Id: I22c56f32d7308803e9363f9375d7f6206ccecd41
When a task import condition is false, we need to use include instead
of import, since this allows not running through all tasks and
reduces the amount of skipped tasks for such deployments.
Change-Id: I4b51290b94b5b4b54b111d197688f65129a4f5ad
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variables files are generalised where possible.
Change-Id: I4153df38980650c726cc1a79320b22e1e07605cf
When using a non-standard host for keypair setup (such as a utility
container) it is necessary to set a custom python interpreter
which has access to openstacksdk.
This commit provides a variable to do this in the same style as
used for service setup hosts.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/777601
Change-Id: Ia2056cf287b666d4d3d8d36f06772c5117ca6bf7
We are not supposed to have either the openstack client or a clouds.yaml file
in octavia containers and all openstack commands are expected
to be executed on the setup (utility) host.
Change-Id: I93398ef72be3e423c721f92e4bf9077cd5e08d05
Make use of the new _octavia_is_first_play_host while creating resources
to ensure that we try to create them only once.
Change-Id: I0c5d017bd865b09d94139740ef50b712b8753760
We use the same condition, which defines against what host some "service"
tasks should run, several times. It's hard to keep it the same
across the role and ansible spends additional resources to evaluate
it each time, so it's simpler and better for maintenance to set
a boolean variable which will say for all tasks that we want to run
only against a single host, whether they should run or not now.
Change-Id: Icf411ab2df0f6e937ce056b085fee97b89fe8361
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: I0bd9a36b69fb2eb388b0e23ed1fb52644d7ba4bc