Commit Graph

57 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov e3c74d18e3 Adjust condition for availability_zone definition
We're checking if octavia_amp_availability_zone is defined, while the
variable is defined in defaults, so there is no clean way to undefine
the availability_zone except to use config overrides and define to
none.
So we change condition in a way to allow empty value to be treated as
False which would result in availability_zone being undefined in the
config.

Change-Id: I86ffd71d6791dec700c381b695ab5a4bca8051a3
2023-11-07 19:11:02 +00:00
Dmitriy Rabotyagov c0783fcdf5 Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Change-Id: I4781a0c23274b145970b3269e517c2a62497acc4
2023-10-20 12:34:55 +00:00
Dmitriy Rabotyagov 1ae94217ec Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: I94cc61d88b0ec54bde01477e8fba35e341afffa2
2023-08-17 14:57:08 +00:00
Dmitriy Rabotyagov 8499e1713e Switch default provider to amphorav2
Amphorav1 has been deprecated and is removed early at the
beginning of the 2023.2 cycle. With that Antelope is perfect time for
switching the default.

[1] 6c0515c988

Change-Id: I133f20a6d971832138708101e6a8380d23e75cf2
2023-04-24 16:16:20 +02:00
Zuul 21e174c25b Merge "Add coordination to octavia" 2022-12-12 15:34:04 +00:00
Dmitriy Rabotyagov aeb1dbf1dd Add coordination to octavia
This also enables usage of amphorav2 when coordination is
available.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-zookeeper/+/867049
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/867052
Change-Id: I1234d36c58da3f6754cda1951ee4cc49f979ae0c
2022-12-08 20:47:00 +00:00
Dmitriy Rabotyagov b08e95a972 Enable /healthcheck for Octavia API
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/864553
Change-Id: Ie7a6dd78d5af82a546e4d6a19ec5b256df8f64e6
2022-11-25 16:32:43 +00:00
Dmitriy Rabotyagov 87e78ee34c Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I8cd6c47c64601089173671652a463ecc291d8ca1
2022-06-17 13:40:17 +00:00
Dmitriy Rabotyagov 757aecd58b Use PKI role for certificate generation
This patch replaces usage of role-specific tasks for managing
certificates to PKI role.

This will allow to unify certificates management with other services
along with simplify management of code.

However, this patch does not contain migration path, which should
be handled separately.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/838713
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843711
Change-Id: I96c6030722661eb7ffdb31ac75e09785871179d5
2022-06-02 08:31:07 +00:00
siavash sardari 3e10d40b10 Add flexibility for octavia cinder variable.
Introduces 3 new variables cinder_default_availability_zone, octavia_cinder_volume_size and octavia_cinder_volume_type. Using these variables enables Octavia to use different Cinder configurations.

Change-Id: I8162e83d39075cd99c516b84c39ed868306283c3
2022-05-23 12:52:04 +04:30
Damian Dabrowski 6353f2f747 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I7804ec93d6ec82249f4d81ccec3ab02c4bc8a233
2021-12-04 09:33:28 +02:00
Dmitriy Rabotyagov 3c77e661a3 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I1a45575423b0c7664f9f6586028c6c2b50a2ada1
2021-09-21 17:08:05 +03:00
Zuul e64e815dd3 Merge "Add variables for rabbitmq ssl configuration" 2021-06-01 13:52:20 +00:00
Jonathan Rosser aa4655b8e2 Add variables for rabbitmq ssl configuration
Change-Id: Ifa8acd4f8edfa3816c3f63084aa6ff74d2c1e1c5
2021-05-17 11:41:10 +00:00
Dmitriy Rabotyagov e7b394dd58 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to replace policy.json to
policy.yaml and remove deprecated policy.json.

config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.

We make a separate task not to restart service when it's not needed.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/787199
Change-Id: Idd28e5df99bfcf51bad2b785be41221eb0fe5142
2021-04-20 13:37:42 +00:00
Marcus Klein 50b83c7927 Omit amp_ssh_access_allowed and remove amp_image_id options.
Octavia complains about option amp_ssh_access_allowed to be deprecated. See
https://docs.openstack.org/octavia/ussuri/configuration/configref.html#controller_worker.amp_ssh_access_allowed
The octavia_ssh_enabled OSA variable is instead used to either write the
amp_ssh_key_name configuration option or not.

The configuration option amp_image_id in Octavia is deprecated and image tags
should be used instead. Therefore octavia_amp_image_id is removed.

Change-Id: Ibd5f3d2ca25f9bb880b0c535c59ef430bd1043be
2021-04-01 20:16:24 +02:00
Dmitriy Rabotyagov 78d204afb8 Use barbican for certificates storage
Octavia can do SSL termination only in case when barbican is available.
We should be able to add required configuration section only when barbican
is also present in inventory

Change-Id: Ie319fd02cdd60f8a8ac65f0508e9075f40839ae9
2021-03-01 17:51:50 +00:00
Satish Patel 1be636c5ab Removing spare_amphora_pool_size option
Victoria and future releases are going to deprecate this option.
https://docs.openstack.org/octavia/latest/configuration/configref.html#house_keeping.spare_amphora_pool_size

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/765544
Change-Id: I99425c9b65c6327636a94c00b32545553a705611
2020-12-05 00:22:47 +00:00
Dmitriy Rabotyagov ac5fdd6b4f Update octavia messaging options
Some of the options we were configuring were dropped from upstream service
back in Stein with api v1. So we dropped removed options, renamed
deprecated ones and moved to the appropriate sections where applicable.
We also enable notifications conditionally now depending on the value of
the variable `octavia_ceilometer_enabled`.

Change-Id: Ia44da67bb7116122633117ae17794aa58236ef83
2020-12-02 17:00:54 +00:00
Dmitriy Rabotyagov 0df9a23a67 Cleanup octavia configuration
This drops unused or fully commented out sections out of octavia.conf.
Also we start using service_token_roles as current behavior has been
deprecated a while ago

Change-Id: I1b2fe1cc2c6330e68d1acfa1b50bf732f77e8255
2020-12-02 16:33:52 +02:00
Dmitriy Rabotyagov e00cb9c563 Drop octavia v1 api options
Octavia v1 options have been dropped from upstream on Train. They have
no effect nowadays so no reason to further carry its codebase

Change-Id: I1c8f9723ca2ac2b468725c2954adcdaff54dbdf0
2020-12-02 14:27:43 +00:00
Guilherme Steinmüller 677aff655b Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e users
wants to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: Ifedee3b46a845b66d54279b5a35edd16faa80e05
2020-03-16 14:48:48 +00:00
Zuul ae5edf5593 Merge "Add cinder volume support" 2019-09-20 08:37:54 +00:00
Zuul 57a4f77e87 Merge "Octavia use barbican internalURL" 2019-09-19 20:45:31 +00:00
Maksim Malchuk aa45cb8310 Add cinder volume support
Since I8181ed696b9ab556e7741c08839d79167aff8350 was merged we need to add
support for the Cinder Volume here. By default this functionality is
disabled. To enable it change the option 'octavia_cinder_enabled' to True.
To override default settings use 'octavia_octavia_conf_overrides'.

Change-Id: Ib9015383d36fe47272e0a27408db89df83a4b38c
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2019-09-15 10:17:51 +03:00
Kourosh Vivan e22f1ee93f Octavia use barbican internalURL
OpenStack services communicate with each other using their internal
endpoint. Octavia was using barbican public endpoint, it may cause issues
when creating a TLS termination LB when the public endpoint does not have a
proper certificate.

Closes-Bug: 1843769
Change-Id: I8d30368d3e4c94161988f8db5861c12030f0120f
2019-09-12 17:13:41 +02:00
Dmitriy Rabotyagov 333e6f1fc7 Start using uWSGI role
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.

Change-Id: Iaeb10f2e3018f8b19d47d5a557e6fc7beb0fb9cf
2019-09-05 15:26:52 +03:00
Dmitriy Rabotyagov 048a43bd81 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Depends-On: https://review.opendev.org/670824/
Change-Id: I8cfdd46a57a91ef3b1879bf85b03cced74234451
2019-07-17 00:18:58 +03:00
Vadim Kuznetsov 6aa925e792 Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.

Change-Id: I7eb1cbe2c80ee889d2ae08dcfed6a19cc1bd3415
Depends-On: Ide70b5d8f67d8c8a87e3f16671f0f7fb72338b89
Depends-On: I8de48eb1fb4c8d321098ca54b9e21270edc7ac87
Depends-On: Ia5fda5d417b79189d048c8891b84d57331df1404
Implements: blueprint openstack-distribution-packages
2019-06-28 07:11:21 +00:00
Mohammed Naser 376ddeb48f Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.

In addition, it re-orders some tasks for consistency with other roles.

Change-Id: I124873a6ab96aa95f886ce146d28e7340c90d40d
2018-10-25 09:03:55 +00:00
German Eichberger bc1f010b2f Increase Amp Active timeout for tests
We have seen gate tests recently fail on the amp going active in
nova. This doubles the timeout.

Change-Id: Ibd805890645d8c3ba1afeab47104a393a9ab1da2
2018-08-19 19:33:53 +00:00
Zuul b5f369f91c Merge "Adds the issuer to the CAs" 2018-06-26 00:44:14 +00:00
German Eichberger fbda283da8 Adds the issuer to the CAs
Octavia is using certificate authorities to manage
the amp communication but the built-in ansible
certificate commands can't generate proper CA
certificates (they omit the necessary X509 extensions)
nor properly sign CSRs and reference the CA.

The changes here replace the parts where ansible's
certificate commands fall short with running the
openssl command directly. To do so it sets up
the necessary files, directories, and templates
an openssl config file.

Once ansible's certificate capabilities improve we
can retire those commands.

Also improve tests so we gate when this fails.

Change-Id: Iaae462844d783bd6086ce6a2816ea01cafc14e6d
2018-06-22 08:46:14 -07:00
Andrew Smith 1ee708ffb6 Update to use oslo.messaging services for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be transparent
to the octavia service.

This patch:
* Add oslo.messaging variable for RPC and Notify to defaults
* Update transport_url generation
* Add oslo.messaging to tests inventory
* Update tests
* Add release note

Change-Id: Ibfd9b5325bf89414439a1a516d1bbde0896904b5
2018-06-12 13:21:33 -04:00
melissaml 8db8f6c899 Update auth_uri option to www_authenticate_uri
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: I4c99449f591dc67f0f5aa906426ea34e944ab2c7
2018-04-17 05:05:06 +08:00
ZhongShengping 303318a1cb Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: Ifcc589a006e79d9256993377ec8ab2af9b1326df
Implements: blueprint deprecate-auth-uri-option
2018-04-03 14:16:53 +08:00
Michael Johnson b1d02c6ba9 Update systemd service for longer TimeoutStopSec
This patch updates the default systemd service definition for the Octavia
processes. It increases the TimeoutStopSec to 300 seconds to allow more time
for the in-flight flows (failover, etc.) to finish and gracefully shutdown.
If the cloud has performance issues, flows may run beyond their normal
sub-minute runtime.

Change-Id: I5708c05db2c9f13491f5af0cd0b8c5632c537608
2018-03-20 16:54:17 -07:00
Major Hayden e4d5cd0da7 Skip logging for haproxy health checks
The health check requests from haproxy cause uwsgi to write a
lot of useless log lines. This can make it more difficult to find
a problem with a particular service.

This patch adds a route to look for the `osa-haproxy-healthcheck`
user agent string, which haproxy uses when performing health checks.
Any requests with that user agent are not logged.

Closes-Bug: 1742718
Change-Id: I9b0239a9a24861734badbe874dc3e1139d7100c6
2018-02-23 08:44:38 -06:00
Jimmy McCrory 8cc05a3d00 Add MySQL connection SSL support
When 'octavia_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: I7a43d313474e17d7e968a5a9510368e3abdf6682
Partial-Bug: 1667789
2017-12-15 08:11:34 -08:00
German Eichberger 03767ae49c Create Octavia policy roles and legacy admin-owner rules
Octavia has introduced new roles for more granular access policies.
This will create those keystone roles and if the legacy parameter
is set create admin or user rules which are similar what Neutron
allowed before.

Change-Id: I2d6b7278d7d4af2669cba7ac760dae0bc8e6f183
2017-11-28 23:15:51 +00:00
German Eichberger 6f7128bb44 Improve event streaming with a better Octavia version
In a newer Octavia version we can specify the transport_url for
the event streamer which listens on the neutron rabbit vhost.
This configures that and also enables provisional status streaming by
default.

Depends-On: I00422b93d3ecfb672e967c2019424b64bc44ba66

Change-Id: I8bee145d5517c66c95bb24ba62cf6f7ed497df2d
2017-10-30 17:31:46 +00:00
Jason Niesz 13fab6ef91 Remove lb_network_name from config (it was bogus)
As a followup to I147abdd8d3d95164168ec606f5b92401cb24d1fe,
remove this bogus config option, it was deprecated since Newton.

Change-Id: I9f3c39b4a16b7f0d45ec1c212c68499aeeb90e27
2017-09-07 09:01:01 +08:00
Jacky Hu 5648b37321 Add blank line to avoid malformed jinja2 template
Without a blank line between jinja2 interpolation and comment, it would
generate wrong config file which results the following warning:

2017-08-28 07:13:30.321 6880 WARNING stevedore.named [-] Could not load
queue_event_streamer# Enable provisioning status sync with neutron db

Change-Id: I0d16b0a23ed6ebf1f90e3a2f8b6ad4730087915a
2017-09-04 13:28:43 +00:00
Jenkins cbee9e6486 Merge "Option to enable provisioning status to be sync with neutron db" 2017-08-15 21:45:21 +00:00
German Eichberger 072bf2c64d Enable V2 Octavia API (Experimental)
For Pike Octavia gains a way to run independent of Neutron with the
new V2 API. This adds an (experimental) switch to enable this which
defaults to False.

Change-Id: I009ea4feb7aecda861701af277122001c9bf4500
2017-08-10 21:08:37 +00:00
Santhosh Fernandes 954ba63a31 Option to enable provisioning status to be sync with neutron db
Change-Id: Ie6df85deea079f3303f0d72989f05e14b037ed7f
2017-08-10 23:44:57 +05:30
Andy McCrae b1fe866f42 Implement uWSGI for octavia-api
As part of the Pike goals we are moving api services to run as WSGI
apps. octavia-api service is set up as a wsgi app, and this patch
moves it over to uWSGI.

Since this is just a drop in replacement for the existing eventlet
service, operators and deployers should notice no difference.

Additionally, fix bug whereby git_install_branch was set to
"stable/ocata" for testing.

Change-Id: I0c473977e015015bd252a486c7191a95781b38a4
Implements: blueprint goal-deploy-api-in-wsgi
2017-08-04 13:20:54 +01:00
German Eichberger 8cfa0e02ca Octavia will create the network + upload image upon request itself
This is needed to simplify an integrated AIO deploy

Change-Id: I7b8a2314a23281a4369d431aba280e0c0dc66f22
2017-07-21 21:53:38 +00:00
Jimmy McCrory 29a4e44b1b Allow deployers to provide haproxy template files
Add new variables, 'octavia_user_haproxy_templates' and
'octavia_haproxy_amphora_template' to allow deployers to provide and use
custom haproxy template files with Octavia.

Change-Id: I9527081d6ba6aac8f5bddc3796f8c2513625bf70
2017-05-27 21:48:56 +00:00
ZhongShengping d9f3aa4522 Deprecate rabbit_use_ssl option
Option "rabbit_use_ssl" from group "oslo_messaging_rabbit" is deprecated.
Use option "ssl" from group "oslo_messaging_rabbit".

Change-Id: I4e35cfdcb2a13bcb2aa30d601eaf237a81e72473
Implements: blueprint deprecate-rabbit-use-ssl
2017-05-23 10:34:12 +08:00