Execute service setup against a delegated host using Ansible built-in modules

In order to reduce the packages required to pip install on to the hosts, we allow the service setup to be delegated to a specific host, defaulting to the deploy host. There are any other tasks in the role which need updating before we can eliminate the octavia_requires_pip_packages, but for the sake of keeping the patch smaller and easier to review they will be done in follow up patches. Change-Id: I10f6d82cbdfe19fea577f276f95691115a07e01c
2018-07-12 19:11:31 +01:00 · 2018-07-12 19:11:31 +01:00 · faf5d66876
commit faf5d66876
parent 3fc40ec770
3 changed files with 94 additions and 79 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -16,6 +16,11 @@
 ## Verbosity Options
 debug: False

+# Set the host which will execute the shade modules
+# for the service setup. The host must already have
+# clouds.yaml properly configured.
+octavia_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
+
 ## Octavia standalone (v2) experimental
 octavia_v2: True

--- a/releasenotes/notes/octavia-service-setup-host-d57533fdea394394.yaml
+++ b/releasenotes/notes/octavia-service-setup-host-d57533fdea394394.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    The service setup in keystone for octavia will now be executed
+    through delegation to the ``octavia_service_setup_host`` which,
+    by default, is ``localhost`` (the deploy host). Deployers can
+    opt to rather change this to the utility container by implementing
+    the following override in ``user_variables.yml``.
+
+    .. code-block:: yaml
+
+      octavia_service_setup_host: "{{ groups['utility_all'][0] }}"
--- a/tasks/octavia_service_add.yml
+++ b/tasks/octavia_service_add.yml
@ -13,85 +13,83 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-# Create a service
- name: Ensure octavia service
-  keystone:
-    command: "ensure_service"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    service_name: "{{ octavia_service_name }}"
-    service_type: "{{ octavia_service_type }}"
-    description: "{{ octavia_service_description }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Setup the service
+  delegate_to: "{{ octavia_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Add service to the keystone service catalog
+      os_keystone_service:
+        cloud: default
+        state: present
+        name: "{{ octavia_service_name }}"
+        service_type: "{{ octavia_service_type }}"
+        description: "{{ octavia_service_description }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      until: add_service is success
+      retries: 5
+      delay: 10

-# Create an admin user
- name: Ensure octavia user
-  keystone:
-    command: "ensure_user"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ octavia_service_user_name }}"
-    tenant_name: "{{ octavia_service_project_name }}"
-    password: "{{ octavia_service_password }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when: not octavia_service_in_ldap | bool
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
+    - name: Add service user
+      os_user:
+        cloud: default
+        state: present
+        name: "{{ octavia_service_user_name }}"
+        password: "{{ octavia_service_password }}"
+        domain: default
+        default_project: "{{ octavia_service_project_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not octavia_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+      no_log: True

-# Add a role to the user
- name: Ensure octavia user to admin role
-  keystone:
-    command: "ensure_user_role"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ octavia_service_user_name }}"
-    tenant_name: "{{ octavia_service_project_name }}"
-    role_name: "{{ octavia_service_role_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when: not octavia_service_in_ldap | bool
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
+    - name: Add service user to admin role
+      os_user_role:
+        cloud: default
+        state: present
+        user: "{{ octavia_service_user_name }}"
+        role: "{{ octavia_service_role_name }}"
+        project: "{{ octavia_service_project_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not octavia_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+
+    - name: Add endpoints to keystone endpoint catalog
+      os_keystone_endpoint:
+        cloud: default
+        state: present
+        service: "{{ octavia_service_name }}"
+        endpoint_interface: "{{ item.interface }}"
+        url: "{{ item.url }}"
+        region: "{{ octavia_service_region }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - interface: "public"
+          url: "{{ octavia_service_publicuri }}"
+        - interface: "internal"
+          url: "{{ octavia_service_internaluri }}"
+        - interface: "admin"
+          url: "{{ octavia_service_adminuri }}"
+      when: octavia_v2 | bool

-# Create an endpoint (v2 only)
-# V1 uses a direct URL in the neutron conf
- name: Ensure octavia endpoint
-  keystone:
-    command: "ensure_endpoint"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    region_name: "{{ octavia_service_region }}"
-    service_name: "{{ octavia_service_name }}"
-    service_type: "{{ octavia_service_type }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-    endpoint_list:
-      - url: "{{ octavia_service_publicuri }}"
-        interface: "public"
-      - url: "{{ octavia_service_internaluri }}"
-        interface: "internal"
-      - url: "{{ octavia_service_adminuri }}"
-        interface: "admin"
-  register: add_service_v2
-  until: add_service_v2 is success
-  retries: 5
-  delay: 10
-  no_log: True
-  when: octavia_v2 | bool