[Feature] Add skyline deployment capability

This change adds Skyline deployment options to OSA.

New files have been added / integrated into the normal deployment
process to support the use of skyline.

Co-Authored-By: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/912333
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/914439
Change-Id: Ia5c8c60fb152e3eb27e2719f6d7032ca62690601
This commit is contained in:
James Denton 2023-07-08 13:37:06 +00:00 committed by Dmitriy Rabotyagov
parent 3e2d7afa05
commit 2c06a65a75
17 changed files with 239 additions and 4 deletions

View File

@ -227,6 +227,12 @@
version: master version: master
trackbranch: master trackbranch: master
shallow_since: '2023-12-06' shallow_since: '2023-12-06'
- name: os_skyline
scm: git
src: https://opendev.org/openstack/openstack-ansible-os_skyline
version: master
trackbranch: master
shallow_since: '2023-12-06'
- name: os_tacker - name: os_tacker
scm: git scm: git
src: https://opendev.org/openstack/openstack-ansible-os_tacker src: https://opendev.org/openstack/openstack-ansible-os_tacker

View File

@ -135,3 +135,9 @@ Security Policy to allow access to your authorisation server by overriding the
child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}; child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
" "
It is also possible to set specific security headers for skyline.
.. code-block:: yaml
haproxy_skyline_csp: ...

View File

@ -0,0 +1,3 @@
skyline_dashboard_hosts:
aio1:
ip: 172.29.236.100

View File

@ -0,0 +1,7 @@
skyline_dashboard_hosts:
infra1:
ip: 172.20.236.111
infra2:
ip: 172.20.236.112
infra3:
ip: 172.20.236.113

View File

@ -186,6 +186,11 @@ senlin_galera_password:
senlin_oslomsg_rpc_password: senlin_oslomsg_rpc_password:
senlin_service_password: senlin_service_password:
## Skyline Options:
skyline_galera_password:
skyline_service_password:
skyline_prometheus_basic_auth_password:
skyline_secret_key:
## Swift Options: ## Swift Options:
swift_service_password: swift_service_password:

View File

@ -0,0 +1,21 @@
---
component_skel:
skyline:
belongs_to:
- skyline_all
container_skel:
skyline_container:
belongs_to:
- skyline_dashboard_containers
- os-infra_containers
contains:
- skyline
physical_skel:
skyline_dashboard_containers:
belongs_to:
- all_containers
skyline_dashboard_hosts:
belongs_to:
- hosts

View File

@ -82,7 +82,12 @@ haproxy_base_service:
haproxy_service_enabled: true haproxy_service_enabled: true
haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}" haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}" haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}" haproxy_frontend_raw: >-
{{
(haproxy_ssl | bool and haproxy_security_headers is defined) | ternary(
haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)] + [haproxy_skyline_csp | default('')],
[])
}}
haproxy_maps: haproxy_maps:
- 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]' - 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'
haproxy_map_entries: haproxy_map_entries:

View File

@ -23,6 +23,8 @@ openstack_haproxy_horizon_stick_table:
- "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
horizon_webroot: "{{ (groups['skyline_all'] | default([])) | ternary('/horizon', '/') }}"
haproxy_horizon_service: haproxy_horizon_service:
haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars
haproxy_service_name: horizon haproxy_service_name: horizon
@ -31,17 +33,17 @@ haproxy_horizon_service:
haproxy_balance_type: http haproxy_balance_type: http
haproxy_balance_alg: source haproxy_balance_alg: source
haproxy_backend_httpcheck_options: haproxy_backend_httpcheck_options:
- 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /auth/login/' - 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri {{ horizon_webroot }}/auth/login/'
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}" haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
haproxy_map_entries: haproxy_map_entries:
- name: base_regex - name: base_regex
order: 99 order: 98
#match any requests to the horizon backend #match any requests to the horizon backend
entries: entries:
- '.* horizon-back' - "{{ horizon_webroot }} horizon-back"
horizon_haproxy_services: horizon_haproxy_services:
- "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}" - "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"

View File

@ -0,0 +1,16 @@
---
# Copyright 2022, Cloudnull
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
skyline_service_port: 9999

View File

@ -0,0 +1,38 @@
---
# Copyright 2023, Rackspace Technology
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_skyline_service:
haproxy_service_name: skyline
haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars
haproxy_backend_nodes: "{{ groups['skyline_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_backend_port: "{{ skyline_service_port }}"
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['skyline_all'] is defined and groups['skyline_all'] | length > 0 }}"
haproxy_map_entries:
- name: base_regex
order: 99
# NOTE: match any requests to the skyline backend.
# Horizon will be served under /horizon.
# At the moment change of `skyline_webroot` is not fully implemented.
entries:
- "{{ skyline_webroot | default('/') }} skyline-back"
skyline_haproxy_services:
- "{{ haproxy_skyline_service | combine(haproxy_skyline_service_overrides | default({})) }}"

View File

@ -0,0 +1,25 @@
---
# Copyright 2023, Rackspace Technology
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
### HEAD as of 09.03.2024 ###
## Skyline service
skyline_git_repo: "{{ openstack_opendev_base_url }}/openstack/skyline-apiserver"
skyline_git_install_branch: 86c2fd5ce74edb6f06ca6309d0ecc69b195434cf
skyline_git_track_branch: master
skyline_console_git_repo: "{{ openstack_opendev_base_url }}/openstack/skyline-console"
skyline_console_git_install_branch: 4.0.0
skyline_console_git_track_branch: None

View File

@ -0,0 +1,60 @@
---
# Copyright 2022, BBC R&D
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Gather skyline facts
hosts: skyline_all
gather_facts: "{{ osa_gather_facts | default(True) }}"
tasks:
- name: Gather additional facts
include_tasks: "common-tasks/gather-hardware-facts.yml"
when: osa_gather_facts | default(True)
tags:
- always
- name: Configure haproxy services
import_playbook: openstack.osa.haproxy_service_config
vars:
service_group: skyline_all
service_variable: "skyline_haproxy_services"
when: groups[service_group]
tags:
- haproxy-service-config
- name: Install skyline components
hosts: skyline_all
gather_facts: false
serial: "{{ skyline_api_serial | default(['1','100%']) }}"
environment: "{{ deployment_environment_variables | default({}) }}"
user: root
vars_files:
- "defaults/{{ install_method }}_install.yml"
tags:
- skyline
pre_tasks:
- name: Including container-setup tasks
include_role:
name: "openstack.osa.{{ container_tech | default('lxc') }}_container_setup"
when: not is_metal
- name: Including unbound-clients tasks
include_tasks: common-tasks/unbound-clients.yml
when:
- hostvars['localhost']['resolvconf_enabled'] | bool
roles:
- role: "os_skyline"
- role: "openstack.osa.system_crontab_coordination"
tags:
- crontab

View File

@ -108,6 +108,9 @@
- name: Importing ceph-rgw-install playbook - name: Importing ceph-rgw-install playbook
import_playbook: ceph-rgw-install.yml import_playbook: ceph-rgw-install.yml
- name: Importing os-skyline-install playbook
import_playbook: os-skyline-install.yml
- name: Importing os-tempest-install playbook - name: Importing os-tempest-install playbook
import_playbook: os-tempest-install.yml import_playbook: os-tempest-install.yml

View File

@ -0,0 +1,20 @@
---
prelude: >
Added support to deploy Skyline dashboard.
features:
- |
OpenStack-Ansible can now be used to deploy Skyline, an alternantive
dashboard. New example files have been added to `env.d` and `conf.d`
to support the Skyline infrastructure, and a playbook named
`os-skyline-install.yml` has been added to deploy the API and console
service.
other:
- |
When Skyline is deployed with the built-in HAProxy server it will, by
default, listen on port 80 when ssl is disabled and port 443 when ssl
is enabled. Skyline backend in it's term will listen on port 9999.
When Skyline is attempted to be deployed with Horizon, Skyline will
take precedence by serving on port 80/443. In the meanwhile Horizon
will be available in "subdirectory" ``/horizon``.

View File

@ -172,6 +172,14 @@ heat_wsgi_buffer_size: 16384
horizon_wsgi_processes: 1 horizon_wsgi_processes: 1
horizon_wsgi_threads: 1 horizon_wsgi_threads: 1
## Skyline
skyline_api_workers: 2
{% if 'skyline' in bootstrap_host_scenarios_expanded and 'yarn' in bootstrap_host_scenarios_expanded %}
{% raw %}
skyline_console_git_install_branch: "{{ skyline_git_track_branch }}"
{% endraw %}
{% endif %}
## Ceilometer ## Ceilometer
ceilometer_notification_workers: 1 ceilometer_notification_workers: 1

View File

@ -455,6 +455,12 @@ class TestAnsibleInventoryFormatConstraints(unittest.TestCase):
'senlin_engine', 'senlin_engine',
'senlin_conductor', 'senlin_conductor',
'senlin_health_manager', 'senlin_health_manager',
'skyline',
'skyline_all',
'skyline_container',
'skyline_dashboard_containers',
'skyline_dashboard_hosts',
'skyline_dashboard_all',
'shared-infra_all', 'shared-infra_all',
'shared-infra_containers', 'shared-infra_containers',
'shared-infra_hosts', 'shared-infra_hosts',

View File

@ -87,6 +87,7 @@
- name: openstack/openstack-ansible-os_rally - name: openstack/openstack-ansible-os_rally
- name: openstack/openstack-ansible-os_sahara - name: openstack/openstack-ansible-os_sahara
- name: openstack/openstack-ansible-os_senlin - name: openstack/openstack-ansible-os_senlin
- name: openstack/openstack-ansible-os_skyline
- name: openstack/openstack-ansible-os_swift - name: openstack/openstack-ansible-os_swift
- name: openstack/openstack-ansible-os_tacker - name: openstack/openstack-ansible-os_tacker
- name: openstack/openstack-ansible-os_tempest - name: openstack/openstack-ansible-os_tempest
@ -208,6 +209,7 @@
- name: openstack/openstack-ansible-os_rally - name: openstack/openstack-ansible-os_rally
- name: openstack/openstack-ansible-os_sahara - name: openstack/openstack-ansible-os_sahara
- name: openstack/openstack-ansible-os_senlin - name: openstack/openstack-ansible-os_senlin
- name: openstack/openstack-ansible-os_skyline
- name: openstack/openstack-ansible-os_swift - name: openstack/openstack-ansible-os_swift
- name: openstack/openstack-ansible-os_tacker - name: openstack/openstack-ansible-os_tacker
- name: openstack/openstack-ansible-os_tempest - name: openstack/openstack-ansible-os_tempest
@ -259,6 +261,8 @@
- name: openstack/ovn-octavia-provider - name: openstack/ovn-octavia-provider
- name: openstack/sahara - name: openstack/sahara
- name: openstack/senlin - name: openstack/senlin
- name: openstack/skyline-apiserver
- name: openstack/skyline-console
- name: openstack/swift - name: openstack/swift
- name: openstack/ironic - name: openstack/ironic
- name: openstack/ironic-inspector - name: openstack/ironic-inspector