56 Commits

Author SHA1 Message Date
Jim Rollenhagen
d0fc1ec278 Allow heat services to use independent hostnames
This allows heat service endpoints to use custom hostnames, and adds the
following variables:

* heat_internal_fqdn
* heat_external_fqdn
* heat_cfn_internal_fqdn
* heat_cfn_external_fqdn

These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.

This also adds heat_api_listen_port and heat_api_cfn_listen_port
options, which default to heat_api_port and heat_api_cfn_port for
backward compatibility.

These options allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: Ifb8bb55799703883d81be6a55641be7b2474fd4e
Implements: blueprint service-hostnames
2019-03-06 15:08:28 -05:00
Jim Rollenhagen
2e4e60503a Use keystone_*_url var in all configs
We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.

Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
2019-03-06 15:08:26 -05:00
Mark Goddard
54203843dd Configure region_name_for_services in heat.conf
backport: rocky

Not including this means that SoftwareDeployments do not have a
configured region (it's set to 'null'), and can therefore not
communicate back to the heat API. In particular, this breaks Magnum with
the following error in the journal on the deployed servers:

publicURL endpoint for orchestration service in null region not found

Change-Id: Ia2c18ef10727391812368c958262a92385374ace
Co-Authored-By: John Garbutt <john@stackhpc.com>
Closes-Bug: #1817051
2019-02-21 11:34:01 +00:00
ZhongShengping
ae246945a6 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ifd8527d404f1df807ae8196eac2b3849911ddc26
Closes-Bug: #1761907
2018-08-07 11:58:23 +05:30
Kien Nguyen
c4b8bedd01 Remove trusts_delegated_roles
This option's default value has changed since Newton.[1]

[1] aab01c00ff

Change-Id: I981a59be716072aab40862b3e23bbb1fbd1d63fc
2018-07-03 17:04:49 +07:00
Zhangfei Gao
ce809aea23 osprofiler support redis
Currently osprofiler only chooses elasticsearch,
which is only supported on x86.
On other platforms like aarch64 osprofiler can
not be used since there is no elasticsearch package.

Enable osprofiler by enable_osprofiler: "yes",
which choose elasticsearch by default.
Choose redis by enable_redis: "yes" & osprofiler_backend: "redis"
On platform without elasticsearch support like aarch64
set enable_elasticsearch: "no"

Change-Id: I68fe7a33e11d28684962fc5d0b3d326e90784d78
2018-06-01 09:34:04 +08:00
Bharat Kunwar
c20c69ee5e kolla-ansible fix to correct magnum k8s deployment
Magnum was unable to fire up k8s cluster because heat-container-agent
inside kube-master was pointing to internal keystone endpoint instead of
public endpoint. This fix tells kolla ansible to set clients_keystone
auth_uri to public endpoint so that heat-container-agent communication
with heat is successfully authenticated by keystone.

Change-Id: Ida49528f88685710b5e6b8f3c4d4622506af5ae1
Closes-Bug: #1762754
2018-05-04 17:23:37 +01:00
Kevin TIBI
a81a5d5d5d Fix SSL api for multiple services
If SSL is enabled, api of multiple services returns
wrong external URL without https prefix.

Removal of condition for deletion of http header.

Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4
Closes-Bug: #1749155
Closes-Bug: #1717491
2018-04-18 17:20:27 +02:00
Zuul
08b4930e29 Merge "Homogenize the topics conf variable on templates" 2018-03-13 07:35:49 +00:00
Dai Dang Van
35b165c5f1 Support policy.yaml file [part 3]
- Heat
- Ironic
- Magnum
- Manila
- Mistral

This will copy only yaml or json policy file if they exist.

Change-Id: I1ab71e2758dc99dd6654d433ece79600f0c44ce8
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
2018-01-22 08:50:54 +07:00
Pierre Blanc
b84bee79c3 Homogenize the topics conf variable on templates
In several templates the variable topics is configured
between simple quotes.
It is better to remove them to use the openstack default value.

Change-Id: I418c714240b38b2853a5c746203eac31588e841a
2018-01-12 16:39:47 -05:00
Andrew Smith
fd1d3af0df Add support for hybrid messaging backends
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends

This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note

Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
2017-11-22 14:09:40 -05:00
Jeffrey Zhang
cacf08f0a6 Remove all kolla-kubernetes configurations
kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logic.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
2017-07-18 22:00:58 +08:00
Bertrand Lallau
372e991bec Standardize Keystone domain variables
As described here:
https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841
https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21

* default project domain name MUST be named 'Default'
* default project domain id MUST be named 'default'
* default project user name MUST be named 'Default'
* default project user id MUST be named 'default'

Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74
2017-07-06 14:34:11 +00:00
Jenkins
dd11b3f5a4 Merge "Support OSprofile usage" 2017-06-05 08:54:43 +00:00
Jenkins
2065e4d059 Merge "Fix heat ec2 keystone auth" 2017-06-04 15:03:12 +00:00
Eduardo Gonzalez
ab4b1ff785 Support OSprofile usage
OSprofile allows users/devs to trace OpenStack requests.

Implements: blueprint enable-osprofiler
Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com>
Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053
2017-06-02 22:41:33 +02:00
Eduardo Gonzalez
de31cdc77b Fix heat ec2 keystone auth
Heat-api-cfn needs to point to keystone v3 version.
Otherwise heat fails while authenticating for scaling policies.

``AWS authentication failure.``

Change-Id: I1950cd7359d8ad589feced870de76f02ef2c8a76
Closes-Bug: #1672431
2017-05-05 08:05:33 +00:00
Mark Goddard
033308c475 Advertise public heat endpoint for wait conditions
Wait conditions are commonly used by instances to signal various events
back to heat. These instances are unlikely to have access to the
internal API endpoints. OpenStack-Ansible had a similar issue[1] back in
juno and changed to use the public endpoint[2]. The code has now moved
but the default is still in place[3].

This change configures heat to advertise the public API as the endpoint
for wait conditions.

[1] https://bugs.launchpad.net/openstack-ansible/+bug/1459414
[2] https://review.openstack.org/#/c/186221/
[3] b1721a7460/defaults/main.yml (L48)

Change-Id: Id1d66aaa298efa8407db579a899a5aacebe1e6c7
Closes-Bug: #1688331
2017-05-04 18:54:34 +01:00
Jenkins
b46144573d Merge "Heat: add oslo_messaging_notifications config" 2017-03-29 01:56:40 +00:00
Bertrand Lallau
916a69c9fa Heat: add oslo_messaging_notifications config
Heat can send RPC notifications to Ceilometer as defined here:
https://github.com/openstack/ceilometer/blob/master/ceilometer/pipeline/data/event_definitions.yaml#L139

oslo_messaging_notifications section MUST be managed in heat.conf file.

Closes-Bug: #1674935
Change-Id: I314e34a7a7b6caab72b916331f5f20c29afde438
2017-03-22 11:03:22 +01:00
Jenkins
ac2e9425b6 Merge "Enable heat-api proxy header parsing" 2017-03-20 16:38:34 +00:00
Bertrand Lallau
cb1d214d3e Fix heat-engine and heat-api-cfn workers configuration
Change-Id: I5c04712b1ae9ebe36b5c57eed05c34fec09f1fd8
Closes-Bug: #1671784
2017-03-10 15:49:28 +01:00
pomac
63e5c444dd Enable heat-api proxy header parsing
heat-api kept redirecting clients to use http:// instead of https://
when communicating with our https:// only loadbalancer

Please examine the logic for enabling it carefully, it's hard to know
if it should be enabled or not, potentially it could be a security
risk.

Based on openstack-ansible-os_heat:
commit 4033a0f854cba6719c61812ef5b553e932a6c6c2
Author: Kyle L. Henderson <kyleh@us.ibm.com>

    Enable oslo_middleware proxy header parsing

"Heat has moved to using oslo_middleware for the http proxy header
parsing, however the default is to not parse the headers.  When
the external protocol differs from the internal protocol this
parsing is required in order for heat to work properly since it
will return 302 redirects to the client during some operations
(such as delete stack).

An example of this is when using haproxy with https configured
for the external protocol and http for the internal protocol.
If the oslo_middleware does not parse the headers, then any
302 redirects would specify a url with http rather than
correctly specifying https and the heat client would fail to
connect on the redirect url."

Change-Id: I38661a0bc2163a7f72febd98b7ae6f51c5d45ad5
2017-03-01 09:57:21 +01:00
Farid Da Encarnacao
03a288ad4b Fix typo heat.conf
Change-Id: Icf34357d222cf5eb41e504c3b5e6830c1c6509c5
Closes-Bug: 1659343
2017-01-25 11:26:03 -05:00
Surya Prakash Singh
c7f5a388d7 Heat configuration param change for heat-api section
Making variable name "works" to "workers" for correct configuration
as followed in other services

Closes-Bug: #1655081

Change-Id: I333b7a7a98770e640db49e8103900957c629bad5
2017-01-10 04:27:04 +00:00
Christian Berendt
1b519cc300 Use option auth_type in group trustee in heat configuration
This will solve the following issue:

WARNING oslo_config.cfg [-] Option "auth_plugin" from group "trustee"
is deprecated. Use option "auth_type" from group "trustee".

Change-Id: I7343a4a28555495d22a7960bf4d585152505a79c
Closes-bug: #1632064
2016-10-10 21:02:34 +02:00
Martin Matyáš
57ba2cd22f Fix wrong heat trustee configuration
"project_domain_id" and "project_name"
cannot be specified in the [trustee] section or keystone will throw a
"cannot be scoped to multiple targets" error when we attempt to get
a token scoped to a trust.

Change-Id: I167c0e31835d05b8069fd931ef76fb337dd99207
Closes-Bug: #1628353
2016-09-27 21:04:32 -07:00
Christian Berendt
bcff0f8a9a Create the heat_stack_user/owner role in the heat role
Change-Id: I78ce0071474fc693aa2a05397b2a9b5974266cd9
Partial-bug: #1609814
2016-09-19 10:17:14 +02:00
Serguei Bezverkhi
134089d6cd Adding required check for Orchestration Kubernetes
This PS adds a missing check for Kubernetes orchestration engine,
without these changes, running kolla-ansible genconfig fails
for Kubernetes environment.

TrivialFix

Change-Id: I25eeb7ae3ddba7c924f6d48aa24afdbe74227170
2016-09-12 15:32:42 -04:00
Jeffrey Zhang
d255743601 Move to transport_url for rabbitmq configuration
rabbit_hosts, rabbit_userid and rabbit_password are deprecated for
removal.[0]

rpc_backend is deprecated for removal.[1]

rabbit_ha_queues is deprecated. it is useless when using RabbitMQ >= 3.0
[2]

[0] https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/_drivers/impl_rabbit.py#L112,#L134
[1] https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/transport.py#L46
[2] https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/_drivers/impl_rabbit.py#L163,L174

Closes-Bug: #1614082
Change-Id: I05d318ba6c11c5dbfa9fbf67d088a43ab465be30
2016-08-25 16:07:42 +08:00
Jeffrey Zhang
3c3b0288b4 Use a lower number of the workers
Use a lower number of workers rather than the default value, which is
equal to the number of the cpu. Otherwise, in a multi cpu environment,
the number of the processes will be very high.

In this PS, we use min(5, << number of cpu >>) as the default worker
count.

Closes-Bug: #1582254
Change-Id: I1c32cf0db794b43b8fb8be18f39190422ca5846f
2016-07-27 16:36:25 +08:00
Ryan Hallisey
67333e4dd1 Set db connection retry to infinity
Make sure that all the services will attempt to
connect to the database an infinite amount of times.
If the database ever disappears for some reason we
want the services to try and reconnect more than just
10 times.

Closes-bug: #1505636
Change-Id: I77abbf72ce5bfd68faa451bb9a72bd2544963f4b
2016-04-11 07:22:09 -04:00
Sam Yaple
1c177f3827 Revert "Make heat work"
This reverts commit 7524b3770fedd730bf2c49d26a94135c5357781b.

Liberty uses heat_user_domain and works and this should too. The
bootstrap process itself must have changed or another part of the
config. Either way that needs to be fixed so we can do proper upgrades.
Basically, don't change the heat domain out from under the user.

Change-Id: I32ae3ef90d340a83b09c09860af8f3635c1a07a5
2016-03-24 12:54:05 +00:00
Steven Dake
7524b3770f Make heat work
Fix the domain user to point at heat instead of some nonsensical
value.  Now stack-create works properly.

Change-Id: If2bc57c2516ffe724999515bb6aa3eeb31a0c980
Co-Authored-By: Angus Salkeld <asalkeld@mirantis.com>
Closes-Bug: #1553565
2016-03-23 23:43:59 -04:00
SamYaple
56fd071bcb Change deprecated options throughout Kolla
These options have all been deprecated/removed. This switches all
options to their proper mitaka values.

TrivialFix
Change-Id: Ica8d5ea0d48da01ee11672a32890431acd6a306d
2016-03-19 23:55:05 +00:00
SamYaple
d4535b6dc3 Add memcached_servers to keystone_auth section
The in-process cache for keystone tokens has been deprecated due to
"inconsistent results and high memory usage" with the expectation we
switch to memcached_servers if we want to stay performant.

Add memcache_servers [cache] section to the appropriate servers as the
[DEFAULT]\memcache_servers options was deprecated.

TrivialFix
Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a

Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440
2016-03-19 21:53:03 +00:00
Martin André
cb43cbcc93 Use variables for auth_uri and auth_url protocols
Change-Id: Icf5de0684b10c32cc6e29b62d183705d423b4333
Closes-Bug: #1555989
2016-03-11 18:09:39 +09:00
Dave McCowan
1c31951b85 Use internalURL for internal communication
When using separate networks for external APIs and internal
APIs, services need to be configured to use the internal APIs.
The default is typically publicURL.

TrivialFix

Change-Id: I24da63220a65e210c37d9f24b6d76a0031d66f3d
2016-03-07 09:28:48 -05:00
Jenkins
0c7cf6fdc4 Merge "Modify a hard-code keystone username in neutron and heat." 2016-02-28 18:52:49 +00:00
SamYaple
d3cfb2052a Change kolla_internal_address variable
Due to poor planning on our variable names we have a situation where
we have "internal_address" which must be a VIP, but "external_address"
which should be a DNS name. Now with two vips "external_vip_address"
is a new variable.

This corrects that issue by deprecating kolla_internal_address and
replacing it with 4 nicely named variables.

kolla_internal_vip_address
kolla_internal_fqdn
kolla_external_vip_address
kolla_external_fqdn

The default behaviour will remain the same, and the way the variable
inheritance is set up the kolla_internal_address variable can still be
set in globals.yml and propagate out to these 4 new variables like it
normally would, but all reference to kolla_internal_address has been
completely removed.

Change-Id: I4556dcdbf4d91a8d2751981ef9c64bad44a719e5
Partially-Implements: blueprint ssl-kolla
2016-02-26 20:00:09 +00:00
wangtianfa
11572e1c4b Modify a hard-code keystone username in neutron and heat.
Changed hard-code keystone username for neutron and heat in the
neutron.conf template and heat.conf template.

TrivialFix

Change-Id: Ibdd1422bd4cae5011f9fc5f4de7dfc58601dca1d
2016-02-26 04:42:26 -05:00
Éric Lemoine
82264ab7d6 Make Heka collect Heat logs
Partially implements: blueprint heka
Change-Id: Ie22c4326c6ec2a3426b0c3b8fda4554b1b2541b0
2016-02-19 21:56:10 +00:00
Jenkins
c6da765b49 Merge "Use variables to specify http or https when constructing URLs" 2016-02-16 22:37:27 +00:00
Dave McCowan
1cedf77f19 Use variables to specify http or https when constructing URLs
To allow for TLS to protect the service endpoints, the protocol
in the URLs for the endpoints will be either http or https.

This patch removes the hardcoded values of http and replaces them
with variables that can be adjusted accordingly in future patches.

Change-Id: Ibca6f8aac09c65115d1ac9957410e7f81ac7671e
Partially-implements: blueprint ssl-kolla
2016-02-15 09:48:58 -05:00
Michal Rostecki
64b767f9f6 Use trusts in heat.conf
Change-Id: Ie91b3498e9f9d0d74a502ba6945db531ef967516
Closes-Bug: #1492736
2016-01-28 11:15:27 +01:00
Ice Yao
83df0f8612 Add debug option in config file
Config file uses *_logging_debug as debug default value

Change-Id: I41102fff9056a82f7307694252adff0aedcf2658
2016-01-20 15:44:27 +08:00
Wanlong Gao
66f5802daa Use driver instead of deprecated notification_driver in config
TrivialFix
https://review.openstack.org/#/c/249508/

Change-Id: Ie2732ee116b6b4b3e0210eb1f62fc72878d8c277
2016-01-19 17:09:19 +08:00
Wanlong Gao
181b4947dd Use auth_type instead of deprecated auth_plugin
TrivialFix

Change-Id: I33924d6de43126ff8523883eebce703c976f9a1a
2016-01-16 07:44:14 +08:00
Jenkins
4a2e728688 Merge "Convert to pymysql" 2015-12-22 15:47:02 +00:00