diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 4b97a034505518a5f058713e38d7a271a7e53d22..6646acba569c2f51ac09638170a852d9646cae5d 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -1000,15 +1000,6 @@ enable_nova_horizon_policy_file: "{{ enable_nova }}"
horizon_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ horizon_tls_port if kolla_enable_tls_internal | bool else horizon_port }}"
-#################
-# Octavia options
-#################
-# Load balancer topology options are [ SINGLE, ACTIVE_STANDBY ]
-octavia_loadbalancer_topology: "SINGLE"
-octavia_amp_boot_network_list:
-octavia_amp_secgroup_list:
-octavia_amp_flavor_id:
-
#################
# Qinling options
#################
diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml
index f91e7d368565c80cf25cafa21fb1b9ecf55cc3c0..d2dcae63c32841b1922ae8f90f40a82d4d17554b 100644
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@@ -154,3 +154,87 @@ octavia_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
octavia_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
octavia_dev_mode: "{{ kolla_dev_mode }}"
octavia_source_version: "{{ kolla_source_version }}"
+
+#####################
+# Integration Options
+#####################
+octavia_amp_ssh_key_name: "octavia_ssh_key"
+octavia_amp_listen_port: "9443"
+octavia_amp_image_tag: "amphora"
+
+# Load balancer topology options are [ SINGLE, ACTIVE_STANDBY ]
+octavia_loadbalancer_topology: "SINGLE"
+
+# Whether to run Kolla-Ansible's automatic configuration for Octavia.
+# NOTE: if you upgrade from Ussuri, you must set `octavia_auto_configure` to `no`
+# and keep your other Octavia config like before.
+octavia_auto_configure: yes
+
+# OpenStack auth used when registering resources for Octavia.
+octavia_user_auth:
+ auth_url: "{{ keystone_admin_url }}"
+ username: "octavia"
+ password: "{{ octavia_keystone_password }}"
+ project_name: "{{ octavia_service_auth_project }}"
+ domain_name: "{{ default_project_domain_name }}"
+
+# Octavia amphora flavor.
+# See os_nova_flavor for details. Supported parameters:
+# - disk
+# - ephemeral (optional)
+# - extra_specs (optional)
+# - flavorid (optional)
+# - is_public (optional)
+# - name
+# - ram
+# - swap (optional)
+# - vcpus
+octavia_amp_flavor:
+ name: "amphora"
+ is_public: no
+ vcpus: 1
+ ram: 1024
+ disk: 5
+
+# Octavia security groups. lb-mgmt-sec-grp is for amphorae.
+octavia_amp_security_groups:
+ mgmt-sec-grp:
+ name: "lb-mgmt-sec-grp"
+ rules:
+ - protocol: icmp
+ - protocol: tcp
+ src_port: 22
+ dst_port: 22
+ - protocol: tcp
+ src_port: "{{ octavia_amp_listen_port }}"
+ dst_port: "{{ octavia_amp_listen_port }}"
+
+# Octavia management network.
+# See os_network and os_subnet for details. Supported parameters:
+# - external (optional)
+# - mtu (optional)
+# - name
+# - provider_network_type (optional)
+# - provider_physical_network (optional)
+# - provider_segmentation_id (optional)
+# - shared (optional)
+# - subnet
+# The subnet parameter has the following supported parameters:
+# - allocation_pool_start (optional)
+# - allocation_pool_start (optional)
+# - cidr
+# - enable_dhcp (optional)
+# - gateway_ip (optional)
+# - name
+# - no_gateway_ip (optional)
+octavia_amp_network:
+ name: lb-mgmt-net
+ shared: false
+ subnet:
+ name: lb-mgmt-subnet
+ cidr: "{{ octavia_amp_network_cidr }}"
+ no_gateway_ip: yes
+ enable_dhcp: yes
+
+# Octavia management network subnet CIDR.
+octavia_amp_network_cidr: 10.0.0.0/24
diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml
index 7e579b0c96e19bc226e0e8a9af72c685707a2646..3b35613dc6f0ce96b91468cfacc099b430f621e7 100644
--- a/ansible/roles/octavia/tasks/config.yml
+++ b/ansible/roles/octavia/tasks/config.yml
@@ -82,6 +82,16 @@
notify:
- "Restart {{ item.key }} container"
+- name: Copying over Octavia SSH key
+ copy:
+ content: "{{ octavia_amp_ssh_key.private_key }}"
+ dest: "{{ node_config_directory }}/octavia-worker/{{ octavia_amp_ssh_key_name }}"
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0400"
+ become: True
+ when: inventory_hostname in groups[octavia_services['octavia-worker']['group']]
+
- name: Copying certificate files for octavia-worker
vars:
service: "{{ octavia_services['octavia-worker'] }}"
diff --git a/ansible/roles/octavia/tasks/deploy.yml b/ansible/roles/octavia/tasks/deploy.yml
index 6882dd82bc5eaa178d48a4fe03b7b89cb49c6581..da8bbcc18d0ca43494bb1f36a48540d707edd6a3 100644
--- a/ansible/roles/octavia/tasks/deploy.yml
+++ b/ansible/roles/octavia/tasks/deploy.yml
@@ -1,6 +1,9 @@
---
- import_tasks: register.yml
+- include_tasks: prepare.yml
+ when: octavia_auto_configure | bool
+
- import_tasks: config.yml
- include_tasks: clone.yml
diff --git a/ansible/roles/octavia/tasks/prepare.yml b/ansible/roles/octavia/tasks/prepare.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3bc0be4ea4e9ef768070a182507ae19928a57481
--- /dev/null
+++ b/ansible/roles/octavia/tasks/prepare.yml
@@ -0,0 +1,131 @@
+---
+- name: Create amphora flavor
+ become: true
+ kolla_toolbox:
+ module_name: os_nova_flavor
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ is_public: "{{ octavia_amp_flavor.is_public | bool }}"
+ name: "{{ octavia_amp_flavor.name }}"
+ flavorid: "{{ octavia_amp_flavor.flavorid | default(omit, true) }}"
+ vcpus: "{{ octavia_amp_flavor.vcpus }}"
+ ram: "{{ octavia_amp_flavor.ram }}"
+ disk: "{{ octavia_amp_flavor.disk }}"
+ ephemeral: "{{ octavia_amp_flavor.ephemeral | default(omit, true) }}"
+ swap: "{{ octavia_amp_flavor.swap | default(omit, true) }}"
+ extra_specs: "{{ octavia_amp_flavor.extra_specs | default(omit, true) }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+ register: amphora_flavor_info
+
+- name: Create nova keypair for amphora
+ become: True
+ kolla_toolbox:
+ module_name: os_keypair
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ name: "{{ octavia_amp_ssh_key_name }}"
+ public_key: "{{ octavia_amp_ssh_key.public_key }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Get {{ octavia_service_auth_project }} project id
+ become: True
+ kolla_toolbox:
+ module_name: os_project_info
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ name: "{{ octavia_service_auth_project }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+ register: project_info
+
+- name: Create security groups for octavia
+ become: true
+ kolla_toolbox:
+ module_name: os_security_group
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ name: "{{ item.name }}"
+ loop: "{{ octavia_amp_security_groups.values() | list }}"
+ loop_control:
+ label: "{{ item.name }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+ register: sec_grp_info
+
+- name: Add rules for security groups
+ become: true
+ kolla_toolbox:
+ module_name: os_security_group_rule
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ security_group: "{{ item.0.name }}"
+ protocol: "{{ item.1.protocol }}"
+ port_range_min: "{{ item.1.src_port | default(omit) }}"
+ port_range_max: "{{ item.1.dst_port | default(omit) }}"
+ with_subelements:
+ - "{{ octavia_amp_security_groups }}"
+ - rules
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Create loadbalancer management network
+ become: true
+ kolla_toolbox:
+ module_name: os_network
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ name: "{{ octavia_amp_network['name'] }}"
+ mtu: "{{ octavia_amp_network['mtu'] | default(omit, true) }}"
+ provider_network_type: "{{ octavia_amp_network['provider_network_type'] | default(omit, true) }}"
+ provider_physical_network: "{{ octavia_amp_network['provider_physical_network'] | default(omit, true) }}"
+ provider_segmentation_id: "{{ octavia_amp_network['provider_segmentation_id'] | default(omit, true) }}"
+ external: "{{ octavia_amp_network['external'] | default(omit) }}"
+ shared: "{{ octavia_amp_network['shared'] | default(omit) }}"
+ register: network_info
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Create loadbalancer management subnet
+ become: true
+ kolla_toolbox:
+ module_name: os_subnet
+ module_args:
+ auth: "{{ octavia_user_auth }}"
+ cacert: "{{ openstack_cacert }}"
+ endpoint_type: "{{ openstack_interface }}"
+ region_name: "{{ openstack_region_name }}"
+ state: present
+ network_name: "{{ octavia_amp_network['name'] }}"
+ name: "{{ octavia_amp_network['subnet']['name'] }}"
+ cidr: "{{ octavia_amp_network['subnet']['cidr'] }}"
+ allocation_pool_start: "{{ octavia_amp_network['subnet']['allocation_pool_start'] | default(omit, true) }}"
+ allocation_pool_end: "{{ octavia_amp_network['subnet']['allocation_pool_end'] | default(omit, true) }}"
+ enable_dhcp: "{{ octavia_amp_network['subnet']['enable_dhcp'] | default(omit) }}"
+ no_gateway_ip: "{{ octavia_amp_network['subnet']['no_gateway_ip'] | default(omit) }}"
+ gateway_ip: "{{ octavia_amp_network['gateway_ip'] | default(omit, true) }}"
+ run_once: True
+ delegate_to: "{{ groups['octavia-api'][0] }}"
diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index 3d42d7aa77f8268ad6da497d9c0bbcf9c4655f65..9292a245ed60db1520a434de3ff1527b59371bbb 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -22,6 +22,7 @@ ca_certificates_file = {{ openstack_cacert }}
[haproxy_amphora]
server_ca = /etc/octavia/certs/server_ca.cert.pem
client_cert = /etc/octavia/certs/client.cert-and-key.pem
+bind_port = {{ octavia_amp_listen_port }}
[database]
connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }}
@@ -68,11 +69,29 @@ stats_update_threads = {{ openstack_service_workers }}
health_update_threads = {{ openstack_service_workers }}
[controller_worker]
+amp_ssh_key_name = {{ octavia_amp_ssh_key_name }}
+amp_image_tag = {{ octavia_amp_image_tag }}
+
+{% if not octavia_auto_configure | bool %}
+{% if octavia_amp_image_owner_id is defined %}
+amp_image_owner_id = {{ octavia_amp_image_owner_id }}
+{% endif %}
+{% if octavia_amp_boot_network_list is defined %}
amp_boot_network_list = {{ octavia_amp_boot_network_list }}
-amp_image_tag = amphora
+{% endif %}
+{% if octavia_amp_secgroup_list is defined %}
amp_secgroup_list = {{ octavia_amp_secgroup_list }}
+{% endif %}
+{% if octavia_amp_flavor_id is defined %}
amp_flavor_id = {{ octavia_amp_flavor_id }}
-amp_ssh_key_name = octavia_ssh_key
+{% endif %}
+{% else %}
+amp_image_owner_id = {{ project_info.openstack_projects.0.id }}
+amp_boot_network_list = {{ network_info.id }}
+amp_secgroup_list = {{ (sec_grp_info.results | selectattr('secgroup.name', 'equalto', octavia_amp_security_groups['mgmt-sec-grp'].name) | list).0.secgroup.id }}
+amp_flavor_id = {{ amphora_flavor_info.flavor.id }}
+{% endif %}
+
client_ca = /etc/octavia/certs/client_ca.cert.pem
network_driver = allowed_address_pairs_driver
compute_driver = compute_nova_driver
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index f1b5336b3e0db50a6c3f234aa37210e269e0af8d..d1cb1ff22be29d916707544b946a6e9683163910 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -666,3 +666,83 @@
# Configure telegraf to use the docker daemon itself as an input for
# telemetry data.
#telegraf_enable_docker_input: "no"
+
+##########################################
+# Octavia - openstack loadbalancer Options
+##########################################
+# Whether to run Kolla-Ansible's automatic configuration for Octavia.
+# NOTE: if you upgrade from Ussuri, you must set `octavia_auto_configure` to `no`
+# and keep your other Octavia config like before.
+#octavia_auto_configure: yes
+
+# Octavia amphora flavor.
+# See os_nova_flavor for details. Supported parameters:
+# - flavorid (optional)
+# - is_public (optional)
+# - name
+# - vcpus
+# - ram
+# - disk
+# - ephemeral (optional)
+# - swap (optional)
+# - extra_specs (optional)
+#octavia_amp_flavor:
+# name: "amphora"
+# is_public: no
+# vcpus: 1
+# ram: 1024
+# disk: 5
+
+# Octavia security groups. lb-mgmt-sec-grp is for amphorae.
+#octavia_amp_security_groups:
+# mgmt-sec-grp:
+# name: "lb-mgmt-sec-grp"
+# rules:
+# - protocol: icmp
+# - protocol: tcp
+# src_port: 22
+# dst_port: 22
+# - protocol: tcp
+# src_port: "{{ octavia_amp_listen_port }}"
+# dst_port: "{{ octavia_amp_listen_port }}"
+
+# Octavia management network.
+# See os_network and os_subnet for details. Supported parameters:
+# - external (optional)
+# - mtu (optional)
+# - name
+# - provider_network_type (optional)
+# - provider_physical_network (optional)
+# - provider_segmentation_id (optional)
+# - shared (optional)
+# - subnet
+# The subnet parameter has the following supported parameters:
+# - allocation_pool_start (optional)
+# - allocation_pool_start (optional)
+# - cidr
+# - enable_dhcp (optional)
+# - gateway_ip (optional)
+# - name
+# - no_gateway_ip (optional)
+#octavia_amp_network:
+# name: lb-mgmt-net
+# shared: false
+# subnet:
+# name: lb-mgmt-subnet
+# cidr: "{{ octavia_amp_network_cidr }}"
+# no_gateway_ip: yes
+# enable_dhcp: yes
+
+# Octavia management network subnet CIDR.
+#octavia_amp_network_cidr: 10.0.0.0/24
+
+#octavia_amp_image_tag: "amphora"
+
+# Load balancer topology options are [ SINGLE, ACTIVE_STANDBY ]
+#octavia_loadbalancer_topology: "SINGLE"
+
+# The following variables are ignored as along as `octavia_auto_configure` is set to `yes`.
+#octavia_amp_image_owner_id:
+#octavia_amp_boot_network_list:
+#octavia_amp_secgroup_list:
+#octavia_amp_flavor_id:
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index c2007b07a3a76e9b22afd91bb484f2c4cd98057e..902d8d1d62efcb22b607dca5e2748945a542cd02 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -209,6 +209,10 @@ bifrost_ssh_key:
private_key:
public_key:
+octavia_amp_ssh_key:
+ private_key:
+ public_key:
+
####################
# Gnocchi options
####################
diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
index 6927bd5e91344466f910d85d052a5d0efc525376..40fcf8ae5a743c58b6b427de5a4c1bad3ddd1274 100755
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
@@ -117,7 +117,7 @@ def main():
# SSH key pair
ssh_keys = ['kolla_ssh_key', 'nova_ssh_key',
- 'keystone_ssh_key', 'bifrost_ssh_key']
+ 'keystone_ssh_key', 'bifrost_ssh_key', 'octavia_amp_ssh_key']
# If these keys are None, leave them as None
blank_keys = ['docker_registry_password']