From 02d94949a8abbb0f05fa9b87a6a5e0aa29c5a3c6 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Thu, 2 Aug 2018 09:08:50 +0100
Subject: [PATCH] Execute network setup against octavia_service_setup_host

In order to reduce the packages required to pip install on to the hosts, we use service delegation to octavia_service_setup_host so that instead of installing software on the target host, and putting credentials on every target host, we isolate the software and credentials to a single host. In this patch we make the network tasks execute using clouds.yaml so that we do not need to expose the credentials in the task (it will leak the credentials in vebose mode or on failure). We also set the tasks to execute on octavia_service_setup_host so that we do not need as much software installed on the target host. There are any other tasks in the role which need updating before we can eliminate the octavia_requires_pip_packages, but for the sake of keeping the patch smaller and easier to review they will be done in follow up patches.

Change-Id: I07f0907a3841f81c0f76a25ce89de9f1145c35f9
---
 tasks/main.yml | 1 +
 tasks/octavia_mgmt_network.yml | 116 +++++++++++++++------------------
 2 files changed, 53 insertions(+), 64 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 2c42e745..c2900fa3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -60,6 +60,7 @@
     - octavia-install
 
 - include: octavia_mgmt_network.yml
+  run_once: true
   when:
     - octavia_neutron_management_network_uuid is not defined
     - octavia_neutron_management_network_name is defined
diff --git a/tasks/octavia_mgmt_network.yml b/tasks/octavia_mgmt_network.yml
index c2803d54..09cae20a 100644
--- a/tasks/octavia_mgmt_network.yml
+++ b/tasks/octavia_mgmt_network.yml
@@ -13,70 +13,58 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create mgmt network
-  os_network:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    region_name: "{{ octavia_service_region }}"
-    validate_certs: "{{ keystone_service_adminuri_insecure }}"
-    auth_type: "{{ octavia_keystone_auth_plugin }}"
-    state: present
-    name: "{{ octavia_neutron_management_network_name }}"
-    provider_network_type: "{{ octavia_provider_network_type }}"
-    provider_physical_network: "{{ octavia_provider_network_name }}"
-    provider_segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}"
-  run_once: True
-  when:
-    - octavia_service_net_setup
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Setup the network
+  delegate_to: "{{ octavia_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Create mgmt network
+      os_network:
+        cloud: default
+        state: present
+        region_name: "{{ octavia_service_region }}"
+        name: "{{ octavia_neutron_management_network_name }}"
+        provider_network_type: "{{ octavia_provider_network_type }}"
+        provider_physical_network: "{{ octavia_provider_network_name }}"
+        provider_segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      when:
+        - octavia_service_net_setup | bool
 
-- name: Ensure mgmt subnet exists
-  os_subnet:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    region_name: "{{ octavia_service_region }}"
-    validate_certs: "{{ keystone_service_adminuri_insecure }}"
-    auth_type: "{{ octavia_keystone_auth_plugin }}"
-    state: present
-    network_name: "{{ octavia_neutron_management_network_name }}"
-    name: "{{ octavia_neutron_management_network_name }}-subnet"
-    cidr: "{{ octavia_management_net_subnet_cidr }}"
-    enable_dhcp: "{{ octavia_management_net_dhcp }}"
-    allocation_pool_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}"
-    allocation_pool_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}"
-  run_once: True
-  when:
-    - octavia_service_net_setup
+    - name: Ensure mgmt subnet exists
+      os_subnet:
+        cloud: default
+        state: present
+        region_name: "{{ octavia_service_region }}"
+        network_name: "{{ octavia_neutron_management_network_name }}"
+        name: "{{ octavia_neutron_management_network_name }}-subnet"
+        cidr: "{{ octavia_management_net_subnet_cidr }}"
+        enable_dhcp: "{{ octavia_management_net_dhcp }}"
+        allocation_pool_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}"
+        allocation_pool_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      when:
+        - octavia_service_net_setup | bool
 
-- name: Get neutron network
-  os_networks_facts:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    region_name: "{{ octavia_service_region }}"
-    validate_certs: "{{ keystone_service_adminuri_insecure }}"
-    auth_type: "{{ octavia_keystone_auth_plugin }}"
-    name: "{{ octavia_neutron_management_network_name }}"
+    - name: Get neutron network
+      os_networks_facts:
+        cloud: default
+        region_name: "{{ octavia_service_region }}"
+        name: "{{ octavia_neutron_management_network_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
 
-- name: Set provisioning UUID fact
-  set_fact:
-    octavia_neutron_management_network_uuid: "{{ openstack_networks[0].id }}"
-  when:
-    - octavia_neutron_management_network_uuid is not defined
-    - octavia_neutron_management_network_name is defined
+    - name: Set provisioning UUID fact
+      set_fact:
+        octavia_neutron_management_network_uuid: "{{ openstack_networks[0].id }}"
+      when:
+        - octavia_neutron_management_network_uuid is not defined
+        - octavia_neutron_management_network_name is defined
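Review bot: The interpreter override on the `Setup the network` block takes `ansible_python['executable']` for the non-localhost case, and as far as I can tell that fact is templated from the inventory host the play is iterating rather than from `octavia_service_setup_host`, so when the two differ the delegate is driven with a python path discovered on a different machine, which the comment's "system python" wording does not make clear. If the delegate's own interpreter is intended, `hostvars[octavia_service_setup_host]['ansible_python']['executable']` (with facts gathered there) or leaving the interpreter unset for the remote case would express that; otherwise the comment should state that the path is taken from the target host's facts. Separately, `cloud: default` hard-codes the clouds.yaml profile consulted on the setup host and nothing in this hunk shows where that profile is written, so a role variable (constructed example: `octavia_service_cloud_name`) would let operators point these tasks at a dedicated, least-privilege entry instead of a shared generic one. Finally, `openstack_networks[0].id` in the `Set provisioning UUID fact` task still fails with an index error rather than a clear message when the lookup returns an empty list (for example when `octavia_service_net_setup` is false and the network does not exist); an `assert` that `openstack_networks | length > 0` before it, or a `failed_when` on the facts task, would give a clearer failure.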