Add config options for volume-based amphora.

By default launched amphora will use ephemeral storage as defined by flavor used, this is suboptimal for environments where live-migration is desired (and avoiding the transfer of the blockstorage is needed), but also provides some resiliency in case of hypervisor failures. This patch adds a new set of configuration option to enable amphora instances booted from volume. * enable-volume-based-amphora * volume-size * volume-type More details about this feature can be found at https://opendev.org/openstack/octavia/commit/93b509cfe5ccced92ab482fa789ed6cdb700f154 Func-Test-Pr: openstack-charmers/zaza-openstack-tests#1280 Closes-Bug: #1901732 Change-Id: I45a8385e3522f161e31daf786f293777363e57e0 (cherry picked from commit a4711f5) (cherry picked from commit 75710ff)
openstack · Oct 22, 2024 · 6e124a1 · 6e124a1
1 parent a771e63
commit 6e124a1
Show file tree

Hide file tree

Showing 12 changed files with 678 additions and 12 deletions.
diff --git a/src/config.yaml b/src/config.yaml
@@ -221,3 +221,22 @@ options:
     type: int
     description: |
       Retry timeout between connection attempts in seconds for active amphora.
+  enable-volume-based-amphora:
+    default: False
+    type: boolean
+    description: |
+      Enable the use of cinder volumes for the amphora. When this option is
+      enabled, Octavia will create a volume and attach it to the amphora.
+  volume-size:
+    default: 16
+    type: int
+    description: |
+      Size of the volume, in GB, for amphora instance. Applies only when
+      enable-volume-based-amphora is True.
+  volume-type:
+    default:
+    type: string
+    description: |
+      Type of volume for amphora volume root disk. Applies only when
+      enable-volume-based-amphora is True.If this isn't specified,
+      the default_volume_type from cinder.conf will be used.
diff --git a/src/templates/antelope/octavia.conf b/src/templates/antelope/octavia.conf
@@ -0,0 +1,216 @@
+# bobcat
+[DEFAULT]
+debug = {{ options.debug }}
+
+{% include "parts/section-transport-url" %}
+
+{% if ovsdb_subordinate and ovsdb_subordinate.ovn_configured and ovsdb_cms -%}
+[api_settings]
+{% if options.enable_amphora -%}
+enabled_provider_drivers = amphora:The Octavia Amphora driver,ovn:Octavia OVN driver
+{% else -%}
+enabled_provider_drivers = ovn:Octavia OVN driver
+{% endif -%}
+
+[ovn]
+ovn_nb_connection={{ ','.join(ovsdb_cms.db_nb_connection_strs) }}
+ovn_nb_private_key=/etc/octavia/ovn_private_key.pem
+ovn_nb_certificate=/etc/octavia/ovn_certificate.pem
+ovn_nb_ca_cert=/etc/octavia/ovn_ca_cert.pem
+
+ovn_sb_connection={{ ','.join(ovsdb_cms.db_sb_connection_strs) }}
+ovn_sb_private_key=/etc/octavia/ovn_private_key.pem
+ovn_sb_certificate=/etc/octavia/ovn_certificate.pem
+ovn_sb_ca_cert=/etc/octavia/ovn_ca_cert.pem
+
+[driver_agent]
+enabled_provider_agents = ovn
+{% endif %}
+
+[health_manager]
+{% if options.health_manager_bind_ip -%}
+bind_ip = {{ options.health_manager_bind_ip }}
+{% endif -%}
+{% if options.controller_ip_port_list -%}
+controller_ip_port_list = {{ options.controller_ip_port_list }}
+{% endif -%}
+heartbeat_key = {{ options.heartbeat_key }}
+health_update_threads = {{ options.workers }}
+stats_update_threads = {{ options.workers }}
+
+[house_keeping]
+{% if options.spare_amphora_pool_size -%}
+spare_amphora_pool_size = {{ options.spare_amphora_pool_size }}
+{% endif %}
+
+[controller_worker]
+{% if options.amp_ssh_key_name %}
+amp_ssh_key_name = {{ options.amp_ssh_key_name }}
+{% endif -%}
+{% if options.amp_image_owner_id -%}
+amp_image_owner_id = {{ options.amp_image_owner_id }}
+{% endif -%}
+{% if options.amp_secgroup_list -%}
+amp_secgroup_list = {{ options.amp_secgroup_list }}
+{% endif -%}
+{% if options.amp_flavor_id -%}
+amp_flavor_id = {{ options.amp_flavor_id }}
+{% endif -%}
+{% if options.amp_boot_network_list -%}
+amp_boot_network_list = {{ options.amp_boot_network_list }}
+{% endif -%}
+{% if options.amp_image_tag -%}
+amp_image_tag = {{ options.amp_image_tag }}
+{% endif -%}
+amp_active_retries = 180
+# This certificate is installed on the ``Amphorae`` and used for validating
+# the authenticity of the ``Octavia`` controller.
+client_ca = {{ options.controller_cacert }}
+network_driver = allowed_address_pairs_driver
+compute_driver = compute_nova_driver
+amphora_driver = amphora_haproxy_rest_driver
+loadbalancer_topology = {{ options.loadbalancer_topology }}
+{% if options.enable_volume_based_amphora -%}
+volume_driver = volume_cinder_driver
+{% endif -%}
+
+[certificates]
+# NOTE(fnordahl) certificates for authentication between Octavia controllers
+# and its Amphorae instances are issued locally on the Octavia controller.
+#
+# At the time of this writing this is the only supported alternative upstream
+# after the retirement of the Anchor project [0].
+#
+# Note that these certificates are not used for any load balancer payload data
+#
+# 0: https://review.opendev.org/#/c/597022/
+cert_generator = local_cert_generator
+# This certificate is used to issue individual certificates for each
+# ``Amphora`` and to validate their authenticity when they connect to the
+# ``Octavia`` controller.
+ca_certificate = {{ options.issuing_cacert }}
+ca_private_key = {{ options.issuing_ca_private_key }}
+ca_private_key_passphrase = {{ options.issuing_ca_private_key_passphrase }}
+
+cert_manager = barbican_cert_manager
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+
+[haproxy_amphora]
+# This certificate is used by the ``Octavia`` controller to validate the
+# authenticity of the ``Amphorae`` connecting to it.
+server_ca = {{ options.issuing_cacert }}
+# This certificate is used by the ``Octavia`` controller when it takes on the
+# role as a "client" connecting to the ``Amphorae``.
+client_cert = {{ options.controller_cert }}
+connection_max_retries = {{ options.connection_max_retries }}
+connection_retry_interval = {{ options.connection_retry_interval }}
+active_connection_max_retries = {{ options.active_connection_max_retries }}
+active_connection_retry_interval = {{ options.active_connection_retry_interval }}
+
+{% include "parts/section-database" %}
+
+{% if identity_service.auth_host -%}
+[service_auth]
+auth_url = {{ identity_service.auth_protocol }}://{{ identity_service.auth_host }}:{{ identity_service.auth_port }}
+auth_type = password
+{% if identity_service.service_domain -%}
+project_domain_name = {{ identity_service.service_domain }}
+user_domain_name = {{ identity_service.service_domain }}
+{% else %}
+project_domain_name = default
+user_domain_name = default
+{% endif -%}
+project_name = {{ identity_service.service_tenant }}
+username = {{ identity_service.service_username }}
+password = {{ identity_service.service_password }}
+{% if options.use_memcache == true -%}
+memcached_servers = {{ options.memcache_url }}
+{% endif -%}
+{% endif %}
+
+{% include "parts/section-keystone-authtoken" %}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{% if identity_service.auth_host -%}
+auth_section = service_auth
+{%- endif %}
+
+[oslo_messaging]
+topic = octavia
+
+[nova]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{%- if options.loadbalancer_topology == "SINGLE" or options.anti_affinity_policy == "disable" %}
+enable_anti_affinity = False
+{%- elif options.loadbalancer_topology == "ACTIVE_STANDBY" %}
+{%- if options.anti_affinity_policy == "auto" %}
+enable_anti_affinity = True
+anti_affinity_policy = "soft-anti-affinity"
+{%- elif options.anti_affinity_policy in ["anti-affinity", "soft-anti-affinity"] %}
+enable_anti_affinity = True
+anti_affinity_policy = {{ options.anti_affinity_policy }}
+{%- endif %}
+{%- endif %}
+
+[cinder]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{% if options.enable_volume_based_amphora -%}
+volume_size = {{options.volume_size}}
+{% if options.volume_type -%}
+volume_type = {{options.volume_type}}
+{%- endif %}
+{%- endif %}
+
+[glance]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+[neutron]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{% if identity_service.auth_host -%}
+auth_url = {{ identity_service.auth_protocol }}://{{ identity_service.auth_host }}:{{ identity_service.auth_port }}
+auth_type = password
+{% if identity_service.service_domain -%}
+project_domain_name = {{ identity_service.service_domain }}
+user_domain_name = {{ identity_service.service_domain }}
+{% else %}
+project_domain_name = default
+user_domain_name = default
+{% endif -%}
+project_name = {{ identity_service.service_tenant }}
+username = {{ identity_service.service_username }}
+password = {{ identity_service.service_password }}
+{% if options.use_memcache == true -%}
+memcached_servers = {{ options.memcache_url }}
+{% endif -%}
+{% endif %}
+
+{% include "parts/section-oslo-messaging-rabbit" %}
+
+{% include "parts/section-oslo-middleware" %}
diff --git a/src/templates/ussuri/octavia.conf b/src/templates/ussuri/octavia.conf
@@ -0,0 +1,158 @@
+# victoria
+[DEFAULT]
+debug = {{ options.debug }}
+
+{% include "parts/section-transport-url" %}
+
+[health_manager]
+{% if options.health_manager_bind_ip -%}
+bind_ip = {{ options.health_manager_bind_ip }}
+{% endif -%}
+{% if options.controller_ip_port_list -%}
+controller_ip_port_list = {{ options.controller_ip_port_list }}
+{% endif -%}
+heartbeat_key = {{ options.heartbeat_key }}
+health_update_threads = {{ options.workers }}
+stats_update_threads = {{ options.workers }}
+
+[house_keeping]
+{% if options.spare_amphora_pool_size -%}
+spare_amphora_pool_size = {{ options.spare_amphora_pool_size }}
+{% endif %}
+
+[controller_worker]
+{% if options.amp_ssh_key_name %}
+amp_ssh_key_name = {{ options.amp_ssh_key_name }}
+{% endif -%}
+{% if options.amp_image_owner_id -%}
+amp_image_owner_id = {{ options.amp_image_owner_id }}
+{% endif -%}
+{% if options.amp_secgroup_list -%}
+amp_secgroup_list = {{ options.amp_secgroup_list }}
+{% endif -%}
+{% if options.amp_flavor_id -%}
+amp_flavor_id = {{ options.amp_flavor_id }}
+{% endif -%}
+{% if options.amp_boot_network_list -%}
+amp_boot_network_list = {{ options.amp_boot_network_list }}
+{% endif -%}
+{% if options.amp_image_tag -%}
+amp_image_tag = {{ options.amp_image_tag }}
+{% endif -%}
+amp_active_retries = 180
+# This certificate is installed on the ``Amphorae`` and used for validating
+# the authenticity of the ``Octavia`` controller.
+client_ca = {{ options.controller_cacert }}
+network_driver = allowed_address_pairs_driver
+compute_driver = compute_nova_driver
+amphora_driver = amphora_haproxy_rest_driver
+loadbalancer_topology = {{ options.loadbalancer_topology }}
+{% if options.enable_volume_based_amphora -%}
+volume_driver = volume_cinder_driver
+{% endif -%}
+
+[certificates]
+# NOTE(fnordahl) certificates for authentication between Octavia controllers
+# and its Amphorae instances are issued locally on the Octavia controller.
+#
+# At the time of this writing this is the only supported alternative upstream
+# after the retirement of the Anchor project [0].
+#
+# Note that these certificates are not used for any load balancer payload data
+#
+# 0: https://review.opendev.org/#/c/597022/
+cert_generator = local_cert_generator
+# This certificate is used to issue individual certificates for each
+# ``Amphora`` and to validate their authenticity when they connect to the
+# ``Octavia`` controller.
+ca_certificate = {{ options.issuing_cacert }}
+ca_private_key = {{ options.issuing_ca_private_key }}
+ca_private_key_passphrase = {{ options.issuing_ca_private_key_passphrase }}
+
+cert_manager = barbican_cert_manager
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+
+[haproxy_amphora]
+# This certificate is used by the ``Octavia`` controller to validate the
+# authenticity of the ``Amphorae`` connecting to it.
+server_ca = {{ options.issuing_cacert }}
+# This certificate is used by the ``Octavia`` controller when it takes on the
+# role as a "client" connecting to the ``Amphorae``.
+client_cert = {{ options.controller_cert }}
+connection_max_retries = {{ options.connection_max_retries }}
+connection_retry_interval = {{ options.connection_retry_interval }}
+active_connection_max_retries = {{ options.active_connection_max_retries }}
+active_connection_retry_interval = {{ options.active_connection_retry_interval }}
+
+
+{% include "parts/section-database" %}
+
+[service_auth]
+auth_section = keystone_authtoken
+
+{% include "parts/section-keystone-authtoken" %}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+[oslo_messaging]
+topic = octavia
+
+[nova]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{%- if options.loadbalancer_topology == "SINGLE" or options.anti_affinity_policy == "disable" %}
+enable_anti_affinity = False
+{%- elif options.loadbalancer_topology == "ACTIVE_STANDBY" %}
+{%- if options.anti_affinity_policy == "auto" %}
+enable_anti_affinity = True
+anti_affinity_policy = "soft-anti-affinity"
+{%- elif options.anti_affinity_policy in ["anti-affinity", "soft-anti-affinity"] %}
+enable_anti_affinity = True
+anti_affinity_policy = {{ options.anti_affinity_policy }}
+{%- endif %}
+{%- endif %}
+
+[cinder]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{% if options.enable_volume_based_amphora -%}
+volume_size = {{options.volume_size}}
+{% if options.volume_type -%}
+volume_type = {{options.volume_type}}
+{%- endif %}
+{%- endif %}
+
+[glance]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+[neutron]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+{% include "parts/section-oslo-messaging-rabbit" %}
+
+{% include "parts/section-oslo-middleware" %}