Add config options for volume-based amphora.

By default launched amphora will use ephemeral storage as defined by
flavor used, this is suboptimal for environments where live-migration is
desired (and avoiding the transfer of the blockstorage is needed), but
also provides some resiliency in case of hypervisor failures.

This patch adds a new set of configuration option to enable amphora
instances booted from volume.

* enable-volume-based-amphora
* volume-size
* volume-type

More details about this feature can be found at
https://opendev.org/openstack/octavia/commit/93b509cfe5ccced92ab482fa789ed6cdb700f154

Func-Test-Pr: openstack-charmers/zaza-openstack-tests#1173
Closes-Bug: #1901732
Change-Id: I45a8385e3522f161e31daf786f293777363e57e0

src/config.yaml

@@ -219,3 +219,22 @@ options:
     type: int
     description: |
       Retry timeout between connection attempts in seconds for active amphora.
+  enable-volume-based-amphora:
+    default: False
+    type: boolean
+    description: |
+      Enable the use of cinder volumes for the amphora. When this option is
+      enabled, Octavia will create a volume and attach it to the amphora.
+  volume-size:
+    default: 16
+    type: int
+    description: |
+      Size of the volume, in GB, for amphora instance. Applies only when
+      enable-volume-based-amphora is True.
+  volume-type:
+    default:
+    type: string
+    description: |
+      Type of volume for amphora volume root disk. Applies only when
+      enable-volume-based-amphora is True.If this isn't specified,
+      the default_volume_type from cinder.conf will be used.

src/templates/bobcat/octavia.conf

@@ -70,6 +70,9 @@ network_driver = allowed_address_pairs_driver
 compute_driver = compute_nova_driver
 amphora_driver = amphora_haproxy_rest_driver
 loadbalancer_topology = {{ options.loadbalancer_topology }}
+{% if options.enable_volume_based_amphora -%}
+volume_driver = volume_cinder_driver
+{% endif -%}
 
 [certificates]
 # NOTE(fnordahl) certificates for authentication between Octavia controllers
@@ -168,6 +171,12 @@ region_name = {{ options.region }}
 {% if options.use_internal_endpoints -%}
 endpoint_type = internalURL
 {%- endif %}
+{% if options.enable_volume_based_amphora -%}
+volume_size = {{options.volume_size}}
+{% if options.volume_type -%}
+volume_type = {{options.volume_type}}
+{%- endif %}
+{%- endif %}
 
 [glance]
 {% if options.region -%}

src/templates/ussuri/octavia.conf

@@ -0,0 +1,158 @@
+# victoria
+[DEFAULT]
+debug = {{ options.debug }}
+
+{% include "parts/section-transport-url" %}
+
+[health_manager]
+{% if options.health_manager_bind_ip -%}
+bind_ip = {{ options.health_manager_bind_ip }}
+{% endif -%}
+{% if options.controller_ip_port_list -%}
+controller_ip_port_list = {{ options.controller_ip_port_list }}
+{% endif -%}
+heartbeat_key = {{ options.heartbeat_key }}
+health_update_threads = {{ options.workers }}
+stats_update_threads = {{ options.workers }}
+
+[house_keeping]
+{% if options.spare_amphora_pool_size -%}
+spare_amphora_pool_size = {{ options.spare_amphora_pool_size }}
+{% endif %}
+
+[controller_worker]
+{% if options.amp_ssh_key_name %}
+amp_ssh_key_name = {{ options.amp_ssh_key_name }}
+{% endif -%}
+{% if options.amp_image_owner_id -%}
+amp_image_owner_id = {{ options.amp_image_owner_id }}
+{% endif -%}
+{% if options.amp_secgroup_list -%}
+amp_secgroup_list = {{ options.amp_secgroup_list }}
+{% endif -%}
+{% if options.amp_flavor_id -%}
+amp_flavor_id = {{ options.amp_flavor_id }}
+{% endif -%}
+{% if options.amp_boot_network_list -%}
+amp_boot_network_list = {{ options.amp_boot_network_list }}
+{% endif -%}
+{% if options.amp_image_tag -%}
+amp_image_tag = {{ options.amp_image_tag }}
+{% endif -%}
+amp_active_retries = 180
+# This certificate is installed on the ``Amphorae`` and used for validating
+# the authenticity of the ``Octavia`` controller.
+client_ca = {{ options.controller_cacert }}
+network_driver = allowed_address_pairs_driver
+compute_driver = compute_nova_driver
+amphora_driver = amphora_haproxy_rest_driver
+loadbalancer_topology = {{ options.loadbalancer_topology }}
+{% if options.enable_volume_based_amphora -%}
+volume_driver = volume_cinder_driver
+{% endif -%}
+
+[certificates]
+# NOTE(fnordahl) certificates for authentication between Octavia controllers
+# and its Amphorae instances are issued locally on the Octavia controller.
+#
+# At the time of this writing this is the only supported alternative upstream
+# after the retirement of the Anchor project [0].
+#
+# Note that these certificates are not used for any load balancer payload data
+#
+# 0: https://review.opendev.org/#/c/597022/
+cert_generator = local_cert_generator
+# This certificate is used to issue individual certificates for each
+# ``Amphora`` and to validate their authenticity when they connect to the
+# ``Octavia`` controller.
+ca_certificate = {{ options.issuing_cacert }}
+ca_private_key = {{ options.issuing_ca_private_key }}
+ca_private_key_passphrase = {{ options.issuing_ca_private_key_passphrase }}
+
+cert_manager = barbican_cert_manager
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+
+[haproxy_amphora]
+# This certificate is used by the ``Octavia`` controller to validate the
+# authenticity of the ``Amphorae`` connecting to it.
+server_ca = {{ options.issuing_cacert }}
+# This certificate is used by the ``Octavia`` controller when it takes on the
+# role as a "client" connecting to the ``Amphorae``.
+client_cert = {{ options.controller_cert }}
+connection_max_retries = {{ options.connection_max_retries }}
+connection_retry_interval = {{ options.connection_retry_interval }}
+active_connection_max_retries = {{ options.active_connection_max_retries }}
+active_connection_retry_interval = {{ options.active_connection_retry_interval }}
+
+
+{% include "parts/section-database" %}
+
+[service_auth]
+auth_section = keystone_authtoken
+
+{% include "parts/section-keystone-authtoken" %}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+[oslo_messaging]
+topic = octavia
+
+[nova]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{%- if options.loadbalancer_topology == "SINGLE" or options.anti_affinity_policy == "disable" %}
+enable_anti_affinity = False
+{%- elif options.loadbalancer_topology == "ACTIVE_STANDBY" %}
+{%- if options.anti_affinity_policy == "auto" %}
+enable_anti_affinity = True
+anti_affinity_policy = "soft-anti-affinity"
+{%- elif options.anti_affinity_policy in ["anti-affinity", "soft-anti-affinity"] %}
+enable_anti_affinity = True
+anti_affinity_policy = {{ options.anti_affinity_policy }}
+{%- endif %}
+{%- endif %}
+
+[cinder]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+{% if options.enable_volume_based_amphora -%}
+volume_size = {{options.volume_size}}
+{% if options.volume_type -%}
+volume_type = {{options.volume_type}}
+{%- endif %}
+{%- endif %}
+
+[glance]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+[neutron]
+{% if options.region -%}
+region_name = {{ options.region }}
+{% endif -%}
+{% if options.use_internal_endpoints -%}
+endpoint_type = internalURL
+{%- endif %}
+
+{% include "parts/section-oslo-messaging-rabbit" %}
+
+{% include "parts/section-oslo-middleware" %}

src/templates/victoria/octavia.conf

@@ -65,6 +65,9 @@ network_driver = allowed_address_pairs_driver
 compute_driver = compute_nova_driver
 amphora_driver = amphora_haproxy_rest_driver
 loadbalancer_topology = {{ options.loadbalancer_topology }}
+{% if options.enable_volume_based_amphora -%}
+volume_driver = volume_cinder_driver
+{% endif -%}
 
 [certificates]
 # NOTE(fnordahl) certificates for authentication between Octavia controllers
@@ -145,6 +148,12 @@ region_name = {{ options.region }}
 {% if options.use_internal_endpoints -%}
 endpoint_type = internalURL
 {%- endif %}
+{% if options.enable_volume_based_amphora -%}
+volume_size = {{options.volume_size}}
+{% if options.volume_type -%}
+volume_type = {{options.volume_type}}
+{%- endif %}
+{%- endif %}
 
 [glance]
 {% if options.region -%}

src/templates/xena/octavia.conf

@@ -70,6 +70,9 @@ network_driver = allowed_address_pairs_driver
 compute_driver = compute_nova_driver
 amphora_driver = amphora_haproxy_rest_driver
 loadbalancer_topology = {{ options.loadbalancer_topology }}
+{% if options.enable_volume_based_amphora -%}
+volume_driver = volume_cinder_driver
+{% endif -%}
 
 [certificates]
 # NOTE(fnordahl) certificates for authentication between Octavia controllers
@@ -149,6 +152,12 @@ region_name = {{ options.region }}
 {% if options.use_internal_endpoints -%}
 endpoint_type = internalURL
 {%- endif %}
+{% if options.enable_volume_based_amphora -%}
+volume_size = {{options.volume_size}}
+{% if options.volume_type -%}
+volume_type = {{options.volume_type}}
+{%- endif %}
+{%- endif %}
 
 [glance]
 {% if options.region -%}

src/tests/bundles/noble-caracal-ha-ovn.yaml

@@ -1,5 +1,5 @@
 variables:
-  openstack-origin: &openstack-origin cloud:noble-caracal
+  openstack-origin: &openstack-origin distro
 
 local_overlay_enabled: True
 
@@ -90,6 +90,8 @@ relations:
   - octavia:certificates
 - - vault:certificates
   - glance-simplestreams-sync:certificates
+- - vault:certificates
+  - cinder:certificates
 - - hacluster-octavia:ha
   - octavia:ha
 - ["octavia-mysql-router:db-router", "mysql-innodb-cluster:db-router"]
@@ -99,6 +101,15 @@ relations:
 - ["neutron-mysql-router:db-router", "mysql-innodb-cluster:db-router"]
 - ["placement-mysql-router:db-router", "mysql-innodb-cluster:db-router"]
 - ["vault-mysql-router:db-router", "mysql-innodb-cluster:db-router"]
+- ["cinder-ceph:storage-backend", "cinder:storage-backend"]
+- ["nova-compute:ceph-access", "cinder-ceph:ceph-access"]
+- ["ceph-mon:client", "cinder-ceph:ceph"]
+- ["ceph-mon:osd", "ceph-osd:mon"]
+- ["cinder:shared-db", "cinder-mysql-router:shared-db"]
+- ["cinder-mysql-router:db-router", "mysql-innodb-cluster:db-router"]
+- ["cinder:identity-service", "keystone:identity-service"]
+- ["cinder:amqp", "rabbitmq-server:amqp"]
+- ["cinder:image-service", "glance:image-service"]
 applications:
   glance:
     charm: ch:glance
@@ -112,6 +123,9 @@ applications:
     options:
       openstack-origin: *openstack-origin
     channel: latest/edge
+  cinder-mysql-router:
+    charm: ch:mysql-router
+    channel: latest/edge
   octavia-mysql-router:
     charm: ch:mysql-router
     channel: latest/edge
@@ -138,6 +152,35 @@ applications:
     charm: ch:mysql-innodb-cluster
     num_units: 3
     channel: latest/edge
+  ceph-osd:
+    charm: ch:ceph-osd
+    num_units: 3
+    storage:
+      osd-devices: '40G'
+    options:
+      source: *openstack-origin
+    channel: squid/candidate
+  ceph-mon:
+    charm: ch:ceph-mon
+    num_units: 1
+    options:
+      source: *openstack-origin
+      monitor-count: '1'
+    channel: squid/candidate
+  cinder:
+    charm: ch:cinder
+    num_units: 1
+    storage:
+      block-devices: '40G'
+    options:
+      openstack-origin: *openstack-origin
+      glance-api-version: 2
+      block-device: None
+      overwrite: "true"
+    channel: latest/edge
+  cinder-ceph:
+    charm: ch:cinder-ceph
+    channel: latest/edge
   neutron-api:
     constraints: cores=4
     charm: ch:neutron-api
@@ -196,7 +239,7 @@ applications:
                       name_prefix: 'ubuntu:released',
                       path: 'streams/v1/index.sjson', max: 1,
                       item_filters: [
-                        'release~(jammy)',
+                        'release~(jammy|noble)',
                         'arch~(x86_64|amd64)',
                         'ftype~(disk1.img|disk.img)']}]"
     channel: latest/edge
@@ -205,7 +248,7 @@ applications:
     options:
       amp-image-tag: 'octavia-amphora'
       retrofit-series: *series
-      retrofit-uca-pocket: bobcat
+      retrofit-uca-pocket: caracal
     channel: latest/edge
   placement:
     charm: ch:placement