openstack/openstack-ansible-os_octavia
Code Issues Proposed changes

Adopt for usage openstack_resources role

Browse Source 
With efforts to create a resources in same, unified way,
we convert tempest role to use openstack_resources
for creating and managing openstack resources, like projects, flavors,
networks, images, etc. This should reduce maintenance costs
in case of futher collection updates and unify approach.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794
Change-Id: I762ded9b6099ea55e8a19bfb82473b950155eaa4
This commit is contained in:
Dmitriy Rabotyagov 2023-07-27 17:11:02 +02:00 committed by Dmitriy Rabotyagov
parent 34e0def6ec
commit 59606f0957
8 changed files with 158 additions and 501 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
defaults/main.yml
View File

@ -291,6 +291,19 @@ octavia_amp_image_path: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia"
octavia_amp_image_path_owner: "{{ lookup('env', 'USER') }}" octavia_amp_image_path_owner: "{{ lookup('env', 'USER') }}"
# enable uploading image to glance automatically # enable uploading image to glance automatically
octavia_amp_image_upload_enabled: "{{ octavia_download_artefact }}" octavia_amp_image_upload_enabled: "{{ octavia_download_artefact }}"
octavia_amp_image_resource:
- name: amphora-x64-haproxy
url: "{{ octavia_artefact_url }}"
# Image checksum is required for rotating old images
# checksum:
disk_format: qcow2
keep_copies: 1
tags:
- "{{ octavia_glance_image_tag }}"
owner: "{{ octavia_service_project_name }}"
owner_domain: "{{ octavia_service_project_domain_id }}"
image_download_path: "{{ octavia_amp_image_path }}"
# Name of the Octavia security group # Name of the Octavia security group
octavia_security_group_name: octavia_sec_grp octavia_security_group_name: octavia_sec_grp
@ -299,12 +312,6 @@ octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
# ssh enabled - switch to True if you need ssh access to the amphora # ssh enabled - switch to True if you need ssh access to the amphora
octavia_ssh_enabled: False octavia_ssh_enabled: False
octavia_ssh_key_name: octavia_key octavia_ssh_key_name: octavia_key
octavia_keypair_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
octavia_keypair_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default((octavia_keypair_setup_host == 'localhost') | ternary(
ansible_playbook_python, ansible_facts['python']['executable']))
}}
# port the agent listens on # port the agent listens on
octavia_agent_port: "9443" octavia_agent_port: "9443"
octavia_health_manager_port: 5555 octavia_health_manager_port: 5555

52
tasks/main.yml
View File

@ -226,50 +226,18 @@
tags: tags:
- always - always
- name: Including octavia_mgmt_network tasks - name: Including octavia_resources tasks
include_tasks: octavia_mgmt_network.yml include_tasks: octavia_resources.yml
args:
apply:
tags:
- octavia-install
- octavia-config
when:
- octavia_neutron_management_network_uuid is not defined
- octavia_neutron_management_network_name is defined
- _octavia_is_first_play_host
tags:
- always
- name: Importing octavia_security_group tasks
import_tasks: octavia_security_group.yml
when:
- _octavia_is_first_play_host
tags:
- octavia-install
- name: Including octavia_keypair tasks
include_tasks: octavia_keypair.yml
args: args:
apply: apply:
tags: tags:
- octavia-config - octavia-config
- octavia-resources
when: when:
- _octavia_is_first_play_host - _octavia_is_first_play_host
tags: tags:
- always
- name: Importing octavia_flavor_create tasks
include_tasks: octavia_flavor_create.yml
args:
apply:
tags:
- octavia-install
- octavia-config - octavia-config
when: - octavia-resources
- _octavia_is_first_play_host
- octavia_nova_flavor_uuid is not defined
tags:
- always
- name: Importing octavia_post_install tasks - name: Importing octavia_post_install tasks
import_tasks: octavia_post_install.yml import_tasks: octavia_post_install.yml
@ -291,17 +259,5 @@
- octavia-config - octavia-config
- octavia-policy-override - octavia-policy-override
- name: Including octavia_amp_image tasks
include_tasks: octavia_amp_image.yml
args:
apply:
tags:
- octavia-config
when:
- _octavia_is_first_play_host
- octavia_download_artefact | bool
tags:
- always
- name: Flush handlers - name: Flush handlers
meta: flush_handlers meta: flush_handlers

99
tasks/octavia_amp_image.yml
View File

@ -1,99 +0,0 @@
---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# We set the python interpreter to the ansible runtime venv if
# the delegation is to localhost so that we get access to the
# appropriate python libraries in that venv. If the delegation
# is to another host, we assume that it is accessible by the
# system python instead.
- name: Setup the amphora image
delegate_to: "{{ octavia_service_setup_host }}"
vars:
ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
block:
- name: Create image download directory
file:
path: "{{ octavia_amp_image_path }}"
state: directory
mode: "0750"
owner: "{{ octavia_amp_image_path_owner }}"
- name: Download image from artefact server
get_url:
url: "{{ octavia_artefact_url }}"
dest: "{{ octavia_amp_image_path }}"
mode: "0644"
retries: 10
delay: 10
register: octavia_download_result
- name: Replace existing image with new one
when:
- octavia_download_result is changed
block:
- name: Get current image id
openstack.cloud.image_info:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
region_name: "{{ octavia_service_region }}"
image: amphora-x64-haproxy
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: get_image_info
until: get_image_info is success
retries: 5
delay: 10
# This uses command since os_image doesn't support tags.
# TODO(odyssey4me):
# Add tag capability to os_image module and replace this.
- name: Upload new image to glance
command: >-
openstack image create
--os-cloud default
--os-interface admin
--file {{ octavia_download_result.dest }}
--disk-format qcow2
--tag {{ octavia_glance_image_tag }}
--private
--project {{ octavia_service_project_name }}
amphora-x64-haproxy
changed_when: false
- name: Delete old image from glance
openstack.cloud.image:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: absent
region_name: "{{ octavia_service_region }}"
name: "{{ get_image_info.images[0].id }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: remove_old_image
until: remove_old_image is success
retries: 5
delay: 10
when:
- get_image_info.images | length > 0

47
tasks/octavia_flavor_create.yml
View File

@ -1,47 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# We set the python interpreter to the ansible runtime venv if
# the delegation is to localhost so that we get access to the
# appropriate python libraries in that venv. If the delegation
# is to another host, we assume that it is accessible by the
# system python instead.
- name: Setup the octavia flavor
delegate_to: "{{ octavia_service_setup_host }}"
vars:
ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
block:
- name: Create Octavia Flavor
openstack.cloud.compute_flavor:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
name: "{{ octavia_amp_flavor_name }}"
ram: "{{ octavia_amp_ram }}"
vcpus: "{{ octavia_amp_vcpu }}"
disk: "{{ octavia_amp_disk }}"
extra_specs: "{{ octavia_amp_extra_specs | default(omit) }}"
is_public: False
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_flavor
until: add_flavor is success
retries: 5
delay: 10

50
tasks/octavia_keypair.yml
View File

@ -1,50 +0,0 @@
---
# Copyright 2018, VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create keypair
register: _octavia_keypair
openstack.cloud.keypair:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
name: "{{ octavia_ssh_key_name }}"
delegate_to: "{{ octavia_keypair_setup_host }}"
vars:
ansible_python_interpreter: "{{ octavia_keypair_setup_host_python_interpreter }}"
- name: Write private key locally
copy:
content: "{{ _octavia_keypair['keypair']['private_key'] }}"
dest: "{{ lookup('env', 'HOME') }}/.ssh/{{ octavia_ssh_key_name }}"
mode: "0600"
delegate_to: localhost
when:
- _octavia_keypair is changed
- octavia_ssh_enabled
- name: Remove private key from deploy host after use
file:
path: "{{ lookup('env', 'HOME') }}/.ssh/{{ octavia_ssh_key_name }}"
state: absent
delegate_to: localhost
when:
- not octavia_ssh_enabled

78
tasks/octavia_mgmt_network.yml
View File

@ -1,78 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# We set the python interpreter to the ansible runtime venv if
# the delegation is to localhost so that we get access to the
# appropriate python libraries in that venv. If the delegation
# is to another host, we assume that it is accessible by the
# system python instead.
- name: Setup the network
delegate_to: "{{ octavia_service_setup_host }}"
vars:
ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
block:
- name: Create mgmt network
run_once: true
openstack.cloud.network:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
region_name: "{{ octavia_service_region }}"
name: "{{ octavia_neutron_management_network_name }}"
provider_network_type: "{{ octavia_provider_network_type }}"
provider_physical_network: "{{ octavia_provider_network_name }}"
provider_segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}"
mtu_size: "{{ octavia_provider_network_mtu | default('1500') }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_network
until: add_network is success
retries: 5
delay: 10
when:
- octavia_service_net_setup | bool
- name: Ensure mgmt subnet exists
run_once: true
openstack.cloud.subnet:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
region_name: "{{ octavia_service_region }}"
network_name: "{{ octavia_neutron_management_network_name }}"
name: "{{ octavia_neutron_management_network_name }}-subnet"
cidr: "{{ octavia_management_net_subnet_cidr }}"
enable_dhcp: "{{ octavia_management_net_dhcp }}"
allocation_pool_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}"
allocation_pool_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}"
gateway_ip: "{{ octavia_management_net_subnet_gateway | default(omit) }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_subnet
until: add_subnet is success
retries: 5
delay: 10
when:
- octavia_service_net_setup | bool

140
tasks/octavia_resources.yml Normal file
View File

@ -0,0 +1,140 @@
---
# Copyright 2023, Cleura AB.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create image download directory
delegate_to: "{{ octavia_service_setup_host }}"
file:
path: "{{ octavia_amp_image_path }}"
state: directory
mode: "0750"
owner: "{{ octavia_amp_image_path_owner }}"
when:
- octavia_download_artefact | bool
- name: Creating OpenStack resources
ansible.builtin.include_role:
name: openstack.osa.openstack_resources
vars:
openstack_resources_setup_host: "{{ octavia_service_setup_host }}"
openstack_resources_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
openstack_resources_image: "{{ (octavia_download_artefact | bool) | ternary({'images': octavia_amp_image_resource}, {}) }}"
openstack_resources_identity:
quotas:
- name: "{{ octavia_service_project_name }}"
cores: "{{ octavia_num_cores }}"
instances: "{{ octavia_num_instances }}"
ram: "{{ octavia_ram }}"
server_groups: "{{ octavia_num_server_groups }}"
server_group_members: "{{ octavia_num_server_group_members }}"
security_group: "{{ octavia_num_secgroups }}"
security_group_rule: "{{ octavia_num_security_group_rules }}"
port: "{{ octavia_num_ports }}"
# Network Resources
_octavia_networks:
networks:
- name: "{{ octavia_neutron_management_network_name }}"
network_type: "{{ octavia_provider_network_type }}"
physical_network: "{{ octavia_provider_network_name }}"
segmentation_id: "{{ octavia_provider_segmentation_id | default(omit) }}"
mtu: "{{ octavia_provider_network_mtu | default('1500') }}"
project: "{{ octavia_service_project_name }}"
subnets:
- name: "{{ octavia_neutron_management_network_name }}-subnet"
cidr: "{{ octavia_management_net_subnet_cidr }}"
dhcp: "{{ octavia_management_net_dhcp }}"
allocation_start: "{{ octavia_management_net_subnet_allocation_pools.split('-')[0] | default(omit) }}"
allocation_end: "{{ octavia_management_net_subnet_allocation_pools.split('-')[1] | default(omit) }}"
gateway: "{{ octavia_management_net_subnet_gateway | default(omit) }}"
_octavia_security_rule_agent:
protocol: "tcp"
port_range_min: "{{ octavia_agent_port }}"
port_range_max: "{{ octavia_agent_port }}"
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
_octavia_security_rule_healthmanager:
protocol: udp
port_range_min: "{{ octavia_health_manager_port }}"
port_range_max: "{{ octavia_health_manager_port }}"
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
direction: egress
_octavia_security_rule_ssh:
protocol: tcp
port_range_min: 22
port_range_max: 22
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
_octavia_security_rule_icmp:
protocol: icmp
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
_octavia_security_rule_dhcp:
protocol: udp
port_range_min: 67
port_range_max: 67
direction: egress
_octavia_security_groups:
security_groups:
- name: "{{ octavia_security_group_name }}"
description: "security group for octavia amphora"
project: "{{ octavia_service_project_name }}"
security_group_rules: |-
{% set rules = [_octavia_security_rule_agent, _octavia_security_rule_healthmanager] %}
{% if octavia_ssh_enabled %}
{% set _ = rules.append(_octavia_security_rule_ssh) %}
{% endif %}
{% if debug %}
{% set _ = rules.append(_octavia_security_rule_icmp) %}
{% endif %}
{% if octavia_management_net_dhcp %}
{% set _ = rules.append(_octavia_security_rule_dhcp) %}
{% endif %}
{{ rules }}
openstack_resources_network: |-
{% set network_resources = _octavia_security_groups %}
{% if octavia_service_net_setup and octavia_neutron_management_network_uuid is not defined %}
{% set _ = network_resources.update(_octavia_networks) %}
{% endif %}
{{ network_resources }}
# Compute resources
_octavia_flavors:
flavors:
- specs:
- name: "{{ octavia_amp_flavor_name }}"
ram: "{{ octavia_amp_ram }}"
vcpus: "{{ octavia_amp_vcpu }}"
disk: "{{ octavia_amp_disk }}"
extra_specs: "{{ octavia_amp_extra_specs | default({}) }}"
_octavia_keypairs:
keypairs:
# NOTE(noonedeadpunk): We define old/short keypair algorythms for backwards compatibiltiy with
# previous keypair generation which was handled by Nova:
# https://opendev.org/openstack/nova/src/commit/7e8e0dd1ab2e46c6f95746b47189e81b5a228c69/nova/crypto.py#L97
- name: "{{ octavia_ssh_key_name }}"
path: "{{ octavia_ssh_key_dir | default(lookup('env', 'HOME') ~ '/.ssh') }}/{{ octavia_ssh_key_name }}"
state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}"
private_key_format: ssh
size: 2048
comment: Generated-by-Nova
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
openstack_resources_compute: |-
{% set compute_resources = _octavia_keypairs %}
{% if octavia_nova_flavor_uuid is not defined %}
{% set _ = compute_resources.update(_octavia_flavors) %}
{% endif %}
{{ compute_resources }}

172
tasks/octavia_security_group.yml
View File

@ -1,172 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# We set the python interpreter to the ansible runtime venv if
# the delegation is to localhost so that we get access to the
# appropriate python libraries in that venv. If the delegation
# is to another host, we assume that it is accessible by the
# system python instead.
- name: Setup the security groups
delegate_to: "{{ octavia_service_setup_host }}"
vars:
ansible_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
block:
- name: Setup the service project quota
openstack.cloud.quota:
cloud: default
interface: admin
name: "{{ octavia_service_project_name }}"
cores: "{{ octavia_num_cores }}"
instances: "{{ octavia_num_instances }}"
ram: "{{ octavia_ram }}"
server_groups: "{{ octavia_num_server_groups }}"
server_group_members: "{{ octavia_num_server_group_members }}"
security_group: "{{ octavia_num_secgroups }}"
security_group_rule: "{{ octavia_num_security_group_rules }}"
port: "{{ octavia_num_ports }}"
- name: Create Octavia security group
openstack.cloud.security_group:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
name: "{{ octavia_security_group_name }}"
description: "security group for octavia amphora"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group
until: add_security_group is success
retries: 5
delay: 10
- name: Create security group rule for agent
openstack.cloud.security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
protocol: "tcp"
port_range_min: "{{ octavia_agent_port }}"
port_range_max: "{{ octavia_agent_port }}"
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
security_group: "{{ octavia_security_group_name }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
- name: Create security group rule for healthmanager
openstack.cloud.security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
security_group: "{{ octavia_security_group_name }}"
protocol: udp
port_range_min: "{{ octavia_health_manager_port }}"
port_range_max: "{{ octavia_health_manager_port }}"
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
direction: egress
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
- name: Create security group rule for ssh
openstack.cloud.security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
security_group: "{{ octavia_security_group_name }}"
protocol: tcp
port_range_min: 22
port_range_max: 22
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
when:
- octavia_ssh_enabled | bool
- name: Create security group rule for icmp
openstack.cloud.security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
security_group: "{{ octavia_security_group_name }}"
protocol: icmp
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
when:
- debug | bool
- name: Create security group rule for dhcp
openstack.cloud.security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
security_group: "{{ octavia_security_group_name }}"
protocol: udp
port_range_min: 67
port_range_max: 67
direction: egress
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
when:
- octavia_management_net_dhcp | bool