Merge "Execute security group setup against octavia_service_setup_host"

2018-08-03 19:09:11 +00:00 · 2018-08-03 19:09:11 +00:00 · 56ebc6b36e
commit 56ebc6b36e
parent b75f880b37 0815778b13
2 changed files with 79 additions and 64 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -69,6 +69,7 @@
    - octavia-config

 - include: octavia_security_group.yml
+  run_once: true
  tags:
    - octavia-install

--- a/tasks/octavia_security_group.yml
+++ b/tasks/octavia_security_group.yml
@ -13,70 +13,84 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Create Octavia security group
-  os_security_group:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    state: present
-    name: "{{ octavia_security_group_name }}"
-    description: "security group for octavia amphora"
-  run_once: true
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Setup the security groups
+  delegate_to: "{{ octavia_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Create Octavia security group
+      os_security_group:
+        auth:
+          auth_url: "{{ keystone_service_adminurl }}"
+          username: "{{ octavia_service_user_name }}"
+          password: "{{ octavia_service_password }}"
+          project_name: "{{ octavia_service_project_name }}"
+          user_domain_name: "{{ octavia_service_user_domain_id }}"
+          project_domain_name: "{{ octavia_service_project_domain_id }}"
+        state: present
+        name: "{{ octavia_security_group_name }}"
+        description: "security group for octavia amphora"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"

- name: Create security group rule for agent
-  os_security_group_rule:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    protocol: "tcp"
-    port_range_min: "{{ octavia_agent_port }}"
-    port_range_max: "{{ octavia_agent_port }}"
-    remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
-    security_group: "{{ octavia_security_group_name }}"
-  run_once: true
+    - name: Create security group rule for agent
+      os_security_group_rule:
+        auth:
+          auth_url: "{{ keystone_service_adminurl }}"
+          username: "{{ octavia_service_user_name }}"
+          password: "{{ octavia_service_password }}"
+          project_name: "{{ octavia_service_project_name }}"
+          user_domain_name: "{{ octavia_service_user_domain_id }}"
+          project_domain_name: "{{ octavia_service_project_domain_id }}"
+        state: present
+        protocol: "tcp"
+        port_range_min: "{{ octavia_agent_port }}"
+        port_range_max: "{{ octavia_agent_port }}"
+        remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
+        security_group: "{{ octavia_security_group_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"

- name: Create security group rule for ssh
-  os_security_group_rule:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    security_group: "{{ octavia_security_group_name }}"
-    protocol: tcp
-    port_range_min: 22
-    port_range_max: 22
-    remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
-  run_once: true
-  when:
-    - octavia_ssh_enabled|bool == true
- name: Create security group rule for icmp
-  os_security_group_rule:
-    auth:
-      auth_url: "{{ keystone_service_adminurl }}"
-      username: "{{ octavia_service_user_name }}"
-      password: "{{ octavia_service_password }}"
-      project_name: "{{ octavia_service_project_name }}"
-      user_domain_name: "{{ octavia_service_user_domain_id }}"
-      project_domain_name: "{{ octavia_service_project_domain_id }}"
-    endpoint_type: "{{ octavia_ansible_endpoint_type }}"
-    security_group: "{{ octavia_security_group_name }}"
-    protocol: icmp
-    remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
-  run_once: true
-  when:
-    - debug|bool == true
+    - name: Create security group rule for ssh
+      os_security_group_rule:
+        auth:
+          auth_url: "{{ keystone_service_adminurl }}"
+          username: "{{ octavia_service_user_name }}"
+          password: "{{ octavia_service_password }}"
+          project_name: "{{ octavia_service_project_name }}"
+          user_domain_name: "{{ octavia_service_user_domain_id }}"
+          project_domain_name: "{{ octavia_service_project_domain_id }}"
+        state: present
+        security_group: "{{ octavia_security_group_name }}"
+        protocol: tcp
+        port_range_min: 22
+        port_range_max: 22
+        remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      when:
+        - octavia_ssh_enabled | bool

+    - name: Create security group rule for icmp
+      os_security_group_rule:
+        auth:
+          auth_url: "{{ keystone_service_adminurl }}"
+          username: "{{ octavia_service_user_name }}"
+          password: "{{ octavia_service_password }}"
+          project_name: "{{ octavia_service_project_name }}"
+          user_domain_name: "{{ octavia_service_user_domain_id }}"
+          project_domain_name: "{{ octavia_service_project_domain_id }}"
+        state: present
+        security_group: "{{ octavia_security_group_name }}"
+        protocol: icmp
+        remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      when:
+        - debug | bool