Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`
Change-Id: I3106f13014a3f99cefcd07ccf31a0c79f2977805
In order to reduce divergence with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: I0dbc21f8bb838f1cdcdcfa3ccaff550a595b2fe3
At the moment cinder[1] and designate[2] do have coordination_client_ssl
default set to False, so it makes sense to align defaults in order
to get same behaviour across services.
[1] eb70c981dd/defaults/main.yml (L145)
[2] 8b68114626/defaults/main.yml (L72)
Change-Id: I0cd6e541b864e7e36d6954449f147808f053c273
At the moment role does not increase volumes quota for the project
when BFV is enabled for Octavia. This might lead to Amphora
failures to spawn-up once default quota (of 10 volumes) is reached.
With that we also calculate amount of diskspace required based on the
instance limit.
It also changes flavor to contain 0 disk if BFV is enabled to ensure
that ephemeral is not gonna be used.
Change-Id: Ia35948cd2381b13d3792fc0029d93a9e176c884c
config_drive is always enabled for amphora VMs [1], so DHCP is not
required for cloud-init to configure octavia network interface.
To avoid confusion, this patch disables DHCP for octavia network by default.
[1] eff69261f4/octavia/compute/drivers/nova_driver.py (L146)
Change-Id: Iabb1afac5dcea64251813404d924da9a648ca2e9
As Magnum does rely on `amphora` provider as a default and we got
a notice from Octavia devs that `amphora` provider is gonna stay
while potentially `amphorav2` might be sunsetted in the future,
it makes sense to partially revert the [1] and return `amphora` back.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/885519
Change-Id: Ia34be7a05593b034003bd40c866fbf6561a154e5
At the moment we do generate SSH keypairs for octavia with pre-defined
options for backwards compatibility.
In the meanwhile it might not make much sense for new deployments,
though there's no clear way to override these options.
With that we implement a bunch of new variables that allows to tune
properties for the SSH key to be used.
Change-Id: I5c4c20e7375b2471cc47ac628e007d6297bdeb7e
When customizing Amphora, like syslog forwarding support, we need to add
some rules to octavia_sec_grp. This change allows us to specify
additional rules using variables.
Change-Id: Ia0388171b784615924f5a5dafb5e160e942123db
Defining OVN provider agent is required for the OVN driver as it is
responsible for connection to NB DB and listens to the events in it.
Without any provider being enabled octavia-driver-agent service is
not doing anything. Moreover, assigned FIP to the LB VIP will not be
working properly, as that needs update to the LB inside of OVN, which
is performed only when agent detects changes to the VIP port.
Change-Id: I82b4cd6749f42220be799c3a3e0d6bc14255125f
At the moment we do have an extra quote for enabled_provider_agents
definition which prevents variable from properly rendering.
Change-Id: I67f934d0543311d5977c997d8324374fc2b604cf
With ansible-core 2.16 breaking changes landed [1] to some filters
making their result returned in arbitrary order. With that, we were
relying on them to always return exactly same ordered lists.
With that we need to ensure that we still have deterministic behaviour
where this is important.
[1] https://github.com/ansible/ansible/issues/82554
Change-Id: I6c14dc2d153995b4045e34318e5e857ddad42019
Due to the shortcoming of QManager implementation [1], in case of uWSGI
usage on metal hosts, the flow ends up with having the same
hostname/processname set, making services to fight over same file
under SHM.
In order to avoid this, we prepend the hostname with a service_name.
We can not change processname instead, since it will lead to the fight
between different processes of the same service.
[1] https://bugs.launchpad.net/oslo.messaging/+bug/2065922
Change-Id: I6ecffcaa8abea6c5fcf1822c4b3ac58c1e7a80dc
This patch is the second of two required to implement the
octavia-ovn-provider driver for Octavia. A new var, octavia_ovn_enabled,
can be used to install the driver and configure Octavia accordingly.
This patch has also restructured the driver/plugin mechanism for the
os_octavia role to better mirror that of os_neutron and to make
future additions easier to implement.
It also uses neutron's method of certificate delivery for the ovn certs.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/919599
Change-Id: Ic5963070f4f2504860ddf0829819ca2f301546b1
Signed-off-by: Matthew Thode <mthode@mthode.org>
<service>-config tags are quite broad and have a long execution
time. Where you only need to modify a service's '.conf' file and
similar it is useful to have a quicker method to do so.
Change-Id: I6c84cf958a1d7268ccec14c3cf1b98ff6a8115e3
During last release cycle oslo.messaging has landed [1] series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues being re-created,
it makes total sense to align these with migration to quorum queues by default.
[1] https://review.opendev.org/q/topic:%22bug-2031497%22
Change-Id: I88e1fd869fa0e1e13184d17d5fa16364f87d14bd
In order to be able to globally enable notification reporting for all services,
without a need to have ceilometer deployed or bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential usecase are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Change-Id: Id9bc7f2ba4a2e813657d65f2bb6be5089c1a5461
In order to allow definition of policies per service, we need to add variables
to service roles, that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in case of metal deployments.
Change-Id: I594514580ca7180089699914805a595c2feb965b
With efforts to create resources in same, unified way,
we convert tempest role to use openstack_resources
for creating and managing openstack resources, like projects, flavors,
networks, images, etc. This should reduce maintenance costs
in case of further collection updates and unify approach.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794
Change-Id: I762ded9b6099ea55e8a19bfb82473b950155eaa4
We're checking if octavia_amp_availability_zone is defined, while the
variable is defined in defaults, so there is no clean way to undefine
the availability_zone except to use config overrides and define to
none.
So we change condition in a way to allow empty value to be treated as
False which would result in availability_zone being undefined in the
config.
Change-Id: I86ffd71d6791dec700c381b695ab5a4bca8051a3
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Change-Id: I4781a0c23274b145970b3269e517c2a62497acc4
Amphora does report back its status to Octavia healthmanager through
octavia_health_manager_port. This outgoing traffic from Amphora must be
allowed to show LB stats and operational_status.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: Ib6b8547b69949f7af0ba0f7f436b4286d3baccb7
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.
Change-Id: I94cc61d88b0ec54bde01477e8fba35e341afffa2
Right now we are not using any constraints for docs and releasenotes builds.
This has resulted in docs job failures once Sphinx 7.2.0 has been released.
The patch will ensure that constraints are used and we should not face
similar issue again.
TOX_CONSTRAINTS_FILE is updated by Release bot once new branch is created,
so it should always track relevant constraints.
Some extra syntax-related changes can apply, since patch is being passed
through ConfigParser, that does not preserve comments and align indenting.
Change-Id: Ia704b63838c8730039e135eb38e170204d5a30e2
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: Id8215882ee528d4c3055479e770c7432616649ba
By overriding the variable `octavia_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the octavia backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id6c187cad4e444fb83ca1f938bd13bb9b73652b3
Amphorav1 has been deprecated and is removed early at the
beginning of the 2023.2 cycle. With that Antelope is perfect time for
switching the default.
[1] 6c0515c988
Change-Id: I133f20a6d971832138708101e6a8380d23e75cf2
At the moment security group allows to access Amphora SSH/API
from any network which is insecure. We're changing default for
security groups to allow access only from Octavia Management
network.
Change-Id: I6ea6ab4ec1c28a3b354d40f6744434eefb05fcfe
In case it's needed to limit access to DHCP servers, rules must be
way more complex than this one, since DHCP uses broadcast.
To avoid complexity, let's just avoid defining remote_ip_prefix
that allows egress traffic for DHCP.
Change-Id: I280c064b4d93bcd78092f02a928d5d6dfb4fda68