From 59606f0957b7d5ff8b789dcbccb4572f16f52092 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Thu, 27 Jul 2023 17:11:02 +0200 Subject: [PATCH] Adopt for usage openstack_resources role With efforts to create a resources in same, unified way, we convert tempest role to use openstack_resources for creating and managing openstack resources, like projects, flavors, networks, images, etc. This should reduce maintenance costs in case of futher collection updates and unify approach. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 Change-Id: I762ded9b6099ea55e8a19bfb82473b950155eaa4 --- defaults/main.yml | 19 ++-- tasks/main.yml | 54 +--------- tasks/octavia_amp_image.yml | 99 ------------------ tasks/octavia_flavor_create.yml | 47 --------- tasks/octavia_keypair.yml | 50 --------- tasks/octavia_mgmt_network.yml | 78 -------------- tasks/octavia_resources.yml | 140 +++++++++++++++++++++++++ tasks/octavia_security_group.yml | 172 ------------------------------- 8 files changed, 158 insertions(+), 501 deletions(-) delete mode 100644 tasks/octavia_amp_image.yml delete mode 100644 tasks/octavia_flavor_create.yml delete mode 100644 tasks/octavia_keypair.yml delete mode 100644 tasks/octavia_mgmt_network.yml create mode 100644 tasks/octavia_resources.yml delete mode 100644 tasks/octavia_security_group.yml diff --git a/defaults/main.yml b/defaults/main.yml index 0abe9628..91715668 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -291,6 +291,19 @@ octavia_amp_image_path: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia" octavia_amp_image_path_owner: "{{ lookup('env', 'USER') }}" # enable uploading image to glance automatically octavia_amp_image_upload_enabled: "{{ octavia_download_artefact }}" +octavia_amp_image_resource: + - name: amphora-x64-haproxy + url: "{{ octavia_artefact_url }}" + # Image checksum is required for rotating old images + # checksum: + disk_format: qcow2 + keep_copies: 1 + tags: + - "{{ octavia_glance_image_tag }}" + owner: "{{ octavia_service_project_name }}" + owner_domain: "{{ octavia_service_project_domain_id }}" + image_download_path: "{{ octavia_amp_image_path }}" + # Name of the Octavia security group octavia_security_group_name: octavia_sec_grp @@ -299,12 +312,6 @@ octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}" # ssh enabled - switch to True if you need ssh access to the amphora octavia_ssh_enabled: False octavia_ssh_key_name: octavia_key -octavia_keypair_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -octavia_keypair_setup_host_python_interpreter: >- - {{ - openstack_service_setup_host_python_interpreter | default((octavia_keypair_setup_host == 'localhost') | ternary( - ansible_playbook_python, ansible_facts['python']['executable'])) - }} # port the agent listens on octavia_agent_port: "9443" octavia_health_manager_port: 5555 diff --git a/tasks/main.yml b/tasks/main.yml index 6aaf89bd..4cd003f7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
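Review bot: The new `octavia_amp_image_resource` entry leaves `checksum` commented out, so the amphora image fetched from `octavia_artefact_url` is handed to Glance without any integrity check, and the comment itself says rotation of old copies (`keep_copies: 1`) needs it; the removed `get_url` task had no checksum either, so this is not a regression, but the resource definition is now the natural place to carry one. Consider wiring it to an overridable variable, e.g. `checksum: "{{ octavia_amp_image_checksum | default(omit) }}"` together with a documented default, or at least extend the comment to `# checksum: <sha256 of the artefact> - without it the download is not verified and old images are not rotated`. How an omitted or empty `checksum` is treated by the openstack_resources role is not visible here, so the `default(omit)` form should be confirmed against that role before relying on it.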
@@ -226,50 +226,18 @@ tags: - always -- name: Including octavia_mgmt_network tasks - include_tasks: octavia_mgmt_network.yml - args: - apply: - tags: - - octavia-install - - octavia-config - when: - - octavia_neutron_management_network_uuid is not defined - - octavia_neutron_management_network_name is defined - - _octavia_is_first_play_host - tags: - - always - -- name: Importing octavia_security_group tasks - import_tasks: octavia_security_group.yml - when: - - _octavia_is_first_play_host - tags: - - octavia-install - -- name: Including octavia_keypair tasks - include_tasks: octavia_keypair.yml +- name: Including octavia_resources tasks + include_tasks: octavia_resources.yml args: apply: tags: - octavia-config + - octavia-resources when: - _octavia_is_first_play_host tags: - - always - -- name: Importing octavia_flavor_create tasks - include_tasks: octavia_flavor_create.yml - args: - apply: - tags: - - octavia-install - - octavia-config - when: - - _octavia_is_first_play_host - - octavia_nova_flavor_uuid is not defined - tags: - - always + - octavia-config + - octavia-resources - name: Importing octavia_post_install tasks import_tasks: octavia_post_install.yml @@ -291,17 +259,5 @@ - octavia-config - octavia-policy-override -- name: Including octavia_amp_image tasks - include_tasks: octavia_amp_image.yml - args: - apply: - tags: - - octavia-config - when: - - _octavia_is_first_play_host - - octavia_download_artefact | bool - tags: - - always - - name: Flush handlers meta: flush_handlers diff --git a/tasks/octavia_amp_image.yml b/tasks/octavia_amp_image.yml deleted file mode 100644 index 90b2b80e..00000000 --- a/tasks/octavia_amp_image.yml +++ /dev/null 
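Review bot: The replacement include at `- name: Including octavia_resources tasks` is tagged only `octavia-config` and `octavia-resources`, whereas the removed network, security-group and flavor tasks were also reachable through `octavia-install` (`import_tasks: octavia_security_group.yml` carried `octavia-install` directly, and the network and flavor includes applied it). A run limited to `--tags octavia-install` will therefore no longer create the security group, management network or flavor that the remaining install steps presumably expect. If that narrowing is intended it deserves a release note; otherwise add `- octavia-install` to both the `apply.tags` list and the task's own `tags` list of the new include.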
@@ -1,99 +0,0 @@ ---- -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# We set the python interpreter to the ansible runtime venv if -# the delegation is to localhost so that we get access to the -# appropriate python libraries in that venv. If the delegation -# is to another host, we assume that it is accessible by the -# system python instead. -- name: Setup the amphora image - delegate_to: "{{ octavia_service_setup_host }}" - vars: - ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}" - block: - - name: Create image download directory - file: - path: "{{ octavia_amp_image_path }}" - state: directory - mode: "0750" - owner: "{{ octavia_amp_image_path_owner }}" - - - name: Download image from artefact server - get_url: - url: "{{ octavia_artefact_url }}" - dest: "{{ octavia_amp_image_path }}" - mode: "0644" - retries: 10 - delay: 10 - register: octavia_download_result - - - name: Replace existing image with new one - when: - - octavia_download_result is changed - block: - - name: Get current image id - openstack.cloud.image_info: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - region_name: "{{ octavia_service_region }}" - 
image: amphora-x64-haproxy - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: get_image_info - until: get_image_info is success - retries: 5 - delay: 10 - - # This uses command since os_image doesn't support tags. - # TODO(odyssey4me): - # Add tag capability to os_image module and replace this. - - name: Upload new image to glance - command: >- - openstack image create - --os-cloud default - --os-interface admin - --file {{ octavia_download_result.dest }} - --disk-format qcow2 - --tag {{ octavia_glance_image_tag }} - --private - --project {{ octavia_service_project_name }} - amphora-x64-haproxy - changed_when: false - - - name: Delete old image from glance - openstack.cloud.image: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: absent - region_name: "{{ octavia_service_region }}" - name: "{{ get_image_info.images[0].id }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: remove_old_image - until: remove_old_image is success - retries: 5 - delay: 10 - when: - - get_image_info.images | length > 0 diff --git a/tasks/octavia_flavor_create.yml b/tasks/octavia_flavor_create.yml deleted file mode 100644 index 16b94841..00000000 --- a/tasks/octavia_flavor_create.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# We set the python interpreter to the ansible runtime venv if -# the delegation is to localhost so that we get access to the -# appropriate python libraries in that venv. If the delegation -# is to another host, we assume that it is accessible by the -# system python instead. -- name: Setup the octavia flavor - delegate_to: "{{ octavia_service_setup_host }}" - vars: - ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}" - block: - - name: Create Octavia Flavor - openstack.cloud.compute_flavor: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - name: "{{ octavia_amp_flavor_name }}" - ram: "{{ octavia_amp_ram }}" - vcpus: "{{ octavia_amp_vcpu }}" - disk: "{{ octavia_amp_disk }}" - extra_specs: "{{ octavia_amp_extra_specs | default(omit) }}" - is_public: False - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_flavor - until: add_flavor is success - retries: 5 - delay: 10 diff --git a/tasks/octavia_keypair.yml b/tasks/octavia_keypair.yml deleted file mode 100644 index 85fe5664..00000000 
--- a/tasks/octavia_keypair.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -# Copyright 2018, VEXXHOST, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Create keypair - register: _octavia_keypair - openstack.cloud.keypair: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - name: "{{ octavia_ssh_key_name }}" - delegate_to: "{{ octavia_keypair_setup_host }}" - vars: - ansible_python_interpreter: "{{ octavia_keypair_setup_host_python_interpreter }}" - -- name: Write private key locally - copy: - content: "{{ _octavia_keypair['keypair']['private_key'] }}" - dest: "{{ lookup('env', 'HOME') }}/.ssh/{{ octavia_ssh_key_name }}" - mode: "0600" - delegate_to: localhost - when: - - _octavia_keypair is changed - - octavia_ssh_enabled - -- name: Remove private key from deploy host after use - file: - path: "{{ lookup('env', 'HOME') }}/.ssh/{{ octavia_ssh_key_name }}" - state: absent - delegate_to: localhost - when: - - not octavia_ssh_enabled 
diff --git a/tasks/octavia_mgmt_network.yml b/tasks/octavia_mgmt_network.yml deleted file mode 100644 index 303f8a3d..00000000 --- a/tasks/octavia_mgmt_network.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# We set the python interpreter to the ansible runtime venv if -# the delegation is to localhost so that we get access to the -# appropriate python libraries in that venv. If the delegation -# is to another host, we assume that it is accessible by the -# system python instead. -- name: Setup the network - delegate_to: "{{ octavia_service_setup_host }}" - vars: - ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}" - block: - - name: Create mgmt network - run_once: true - openstack.cloud.network: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - region_name: "{{ octavia_service_region }}" - name: "{{ octavia_neutron_management_network_name }}" - provider_network_type: "{{ octavia_provider_network_type }}" - provider_physical_network: "{{ octavia_provider_network_name }}" - provider_segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}" - mtu_size: "{{ octavia_provider_network_mtu | default('1500') }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_network - until: add_network is 
success - retries: 5 - delay: 10 - when: - - octavia_service_net_setup | bool - - - name: Ensure mgmt subnet exists - run_once: true - openstack.cloud.subnet: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - region_name: "{{ octavia_service_region }}" - network_name: "{{ octavia_neutron_management_network_name }}" - name: "{{ octavia_neutron_management_network_name }}-subnet" - cidr: "{{ octavia_management_net_subnet_cidr }}" - enable_dhcp: "{{ octavia_management_net_dhcp }}" - allocation_pool_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}" - allocation_pool_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}" - gateway_ip: "{{ octavia_management_net_subnet_gateway | default(omit) }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_subnet - until: add_subnet is success - retries: 5 - delay: 10 - when: - - octavia_service_net_setup | bool diff --git a/tasks/octavia_resources.yml b/tasks/octavia_resources.yml new file mode 100644 index 00000000..45936e75 --- /dev/null +++ b/tasks/octavia_resources.yml 
@@ -0,0 +1,140 @@ +--- +# Copyright 2023, Cleura AB. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Create image download directory + delegate_to: "{{ octavia_service_setup_host }}" + file: + path: "{{ octavia_amp_image_path }}" + state: directory + mode: "0750" + owner: "{{ octavia_amp_image_path_owner }}" + when: + - octavia_download_artefact | bool + +- name: Creating OpenStack resources + ansible.builtin.include_role: + name: openstack.osa.openstack_resources + vars: + openstack_resources_setup_host: "{{ octavia_service_setup_host }}" + openstack_resources_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}" + openstack_resources_image: "{{ (octavia_download_artefact | bool) | ternary({'images': octavia_amp_image_resource}, {}) }}" + openstack_resources_identity: + quotas: + - name: "{{ octavia_service_project_name }}" + cores: "{{ octavia_num_cores }}" + instances: "{{ octavia_num_instances }}" + ram: "{{ octavia_ram }}" + server_groups: "{{ octavia_num_server_groups }}" + server_group_members: "{{ octavia_num_server_group_members }}" + security_group: "{{ octavia_num_secgroups }}" + security_group_rule: "{{ octavia_num_security_group_rules }}" + port: "{{ octavia_num_ports }}" + # Network Resources + _octavia_networks: + networks: + - name: "{{ octavia_neutron_management_network_name }}" + network_type: "{{ octavia_provider_network_type }}" + physical_network: "{{ octavia_provider_network_name }}" + segmentation_id: "{{ 
octavia_provider_segmentation_id | default(omit) }}" + mtu: "{{ octavia_provider_network_mtu | default('1500') }}" + project: "{{ octavia_service_project_name }}" + subnets: + - name: "{{ octavia_neutron_management_network_name }}-subnet" + cidr: "{{ octavia_management_net_subnet_cidr }}" + dhcp: "{{ octavia_management_net_dhcp }}" + allocation_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}" + allocation_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}" + gateway: "{{ octavia_management_net_subnet_gateway | default(omit) }}" + _octavia_security_rule_agent: + protocol: "tcp" + port_range_min: "{{ octavia_agent_port }}" + port_range_max: "{{ octavia_agent_port }}" + remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" + _octavia_security_rule_healthmanager: + protocol: udp + port_range_min: "{{ octavia_health_manager_port }}" + port_range_max: "{{ octavia_health_manager_port }}" + remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" + direction: egress + _octavia_security_rule_ssh: + protocol: tcp + port_range_min: 22 + port_range_max: 22 + remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" + _octavia_security_rule_icmp: + protocol: icmp + remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" + _octavia_security_rule_dhcp: + protocol: udp + port_range_min: 67 + port_range_max: 67 + direction: egress + _octavia_security_groups: + security_groups: + - name: "{{ octavia_security_group_name }}" + description: "security group for octavia amphora" + project: "{{ octavia_service_project_name }}" + security_group_rules: |- + {% set rules = [_octavia_security_rule_agent, _octavia_security_rule_healthmanager] %} + {% if octavia_ssh_enabled %} + {% set _ = rules.append(_octavia_security_rule_ssh) %} + {% endif %} + {% if debug %} + {% set _ = rules.append(_octavia_security_rule_icmp) %} + {% endif %} + {% if octavia_management_net_dhcp %} + {% set _ = 
rules.append(_octavia_security_rule_dhcp) %} + {% endif %} + {{ rules }} + openstack_resources_network: |- + {% set network_resources = _octavia_security_groups %} + {% if octavia_service_net_setup and octavia_neutron_management_network_uuid is not defined %} + {% set _ = network_resources.update(_octavia_networks) %} + {% endif %} + {{ network_resources }} + # Compute resources + _octavia_flavors: + flavors: + - specs: + - name: "{{ octavia_amp_flavor_name }}" + ram: "{{ octavia_amp_ram }}" + vcpus: "{{ octavia_amp_vcpu }}" + disk: "{{ octavia_amp_disk }}" + extra_specs: "{{ octavia_amp_extra_specs | default({}) }}" + _octavia_keypairs: + keypairs: + # NOTE(noonedeadpunk): We define old/short keypair algorythms for backwards compatibiltiy with + # previous keypair generation which was handled by Nova: + # https://opendev.org/openstack/nova/src/commit/7e8e0dd1ab2e46c6f95746b47189e81b5a228c69/nova/crypto.py#L97 + - name: "{{ octavia_ssh_key_name }}" + path: "{{ octavia_ssh_key_dir | default(lookup('env', 'HOME') ~ '/.ssh') }}/{{ octavia_ssh_key_name }}" + state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}" + private_key_format: ssh + size: 2048 + comment: Generated-by-Nova + auth: + auth_url: "{{ keystone_service_adminurl }}" + username: "{{ octavia_service_user_name }}" + password: "{{ octavia_service_password }}" + project_name: "{{ octavia_service_project_name }}" + user_domain_name: "{{ octavia_service_user_domain_id }}" + project_domain_name: "{{ octavia_service_project_domain_id }}" + + openstack_resources_compute: |- + {% set compute_resources = _octavia_keypairs %} + {% if octavia_nova_flavor_uuid is not defined %} + {% set _ = compute_resources.update(_octavia_flavors) %} + {% endif %} + {{ compute_resources }} diff --git a/tasks/octavia_security_group.yml b/tasks/octavia_security_group.yml deleted file mode 100644 index a3134847..00000000 --- a/tasks/octavia_security_group.yml +++ /dev/null 
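Review bot: The Jinja block building `security_group_rules` tests `{% if octavia_ssh_enabled %}`, `{% if debug %}` and `{% if octavia_management_net_dhcp %}` as bare truthiness, while the removed tasks in octavia_security_group.yml gated the same rules with `| bool`; a value supplied as the string `"False"` (for example via `-e` on the command line) is truthy in Jinja and would add the TCP/22 and ICMP ingress rules from `octavia_security_group_rule_cidr` even though the operator disabled them. Use `{% if octavia_ssh_enabled | bool %}`, `{% if debug | bool %}` and `{% if octavia_management_net_dhcp | bool %}`, and apply the same cast to `octavia_service_net_setup` in the `openstack_resources_network` block. Separately, the keypair entry passes only `path` and `state`, whereas the removed octavia_keypair.yml wrote the private key with `mode: "0600"` and deleted it when ssh was disabled; whether openstack_resources applies an equivalent mode and removes the file on `state: absent` is not visible here and should be confirmed. The `NOTE(noonedeadpunk)` comment also has two typos (`algorythms`, `compatibiltiy`).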
@@ -1,172 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# We set the python interpreter to the ansible runtime venv if -# the delegation is to localhost so that we get access to the -# appropriate python libraries in that venv. If the delegation -# is to another host, we assume that it is accessible by the -# system python instead. -- name: Setup the security groups - delegate_to: "{{ octavia_service_setup_host }}" - vars: - ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}" - block: - - name: Setup the service project quota - openstack.cloud.quota: - cloud: default - interface: admin - name: "{{ octavia_service_project_name }}" - cores: "{{ octavia_num_cores }}" - instances: "{{ octavia_num_instances }}" - ram: "{{ octavia_ram }}" - server_groups: "{{ octavia_num_server_groups }}" - server_group_members: "{{ octavia_num_server_group_members }}" - security_group: "{{ octavia_num_secgroups }}" - security_group_rule: "{{ octavia_num_security_group_rules }}" - port: "{{ octavia_num_ports }}" - - - name: Create Octavia security group - openstack.cloud.security_group: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - 
state: present - name: "{{ octavia_security_group_name }}" - description: "security group for octavia amphora" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_security_group - until: add_security_group is success - retries: 5 - delay: 10 - - - name: Create security group rule for agent - openstack.cloud.security_group_rule: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - protocol: "tcp" - port_range_min: "{{ octavia_agent_port }}" - port_range_max: "{{ octavia_agent_port }}" - remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" - security_group: "{{ octavia_security_group_name }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_security_group_rule - until: add_security_group_rule is success - retries: 5 - delay: 10 - - - name: Create security group rule for healthmanager - openstack.cloud.security_group_rule: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - security_group: "{{ octavia_security_group_name }}" - protocol: udp - port_range_min: "{{ octavia_health_manager_port }}" - port_range_max: "{{ octavia_health_manager_port }}" - remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" - direction: egress - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_security_group_rule - until: add_security_group_rule is success - retries: 5 - delay: 10 - - - name: 
Create security group rule for ssh - openstack.cloud.security_group_rule: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - security_group: "{{ octavia_security_group_name }}" - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_security_group_rule - until: add_security_group_rule is success - retries: 5 - delay: 10 - when: - - octavia_ssh_enabled | bool - - - name: Create security group rule for icmp - openstack.cloud.security_group_rule: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - security_group: "{{ octavia_security_group_name }}" - protocol: icmp - remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}" - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_security_group_rule - until: add_security_group_rule is success - retries: 5 - delay: 10 - when: - - debug | bool - - - name: Create security group rule for dhcp - openstack.cloud.security_group_rule: - auth: - auth_url: "{{ keystone_service_adminurl }}" - username: "{{ octavia_service_user_name }}" - password: "{{ octavia_service_password }}" - project_name: "{{ octavia_service_project_name }}" - user_domain_name: "{{ octavia_service_user_domain_id }}" - project_domain_name: "{{ octavia_service_project_domain_id }}" - state: present - 
security_group: "{{ octavia_security_group_name }}" - protocol: udp - port_range_min: 67 - port_range_max: 67 - direction: egress - interface: admin - verify: "{{ not keystone_service_adminuri_insecure }}" - register: add_security_group_rule - until: add_security_group_rule is success - retries: 5 - delay: 10 - when: - - octavia_management_net_dhcp | bool