roles/octavia/tasks/main.yml

# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Uninstall the legacy HelmRelease
  run_once: true
  block:
    - name: Suspend the existing HelmRelease
      kubernetes.core.k8s:
        state: patched
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ octavia_helm_release_name }}"
        namespace: "{{ octavia_helm_release_namespace }}"
        definition:
          spec:
            suspend: true

    - name: Remove the existing HelmRelease
      kubernetes.core.k8s:
        state: absent
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ octavia_helm_release_name }}"
        namespace: "{{ octavia_helm_release_namespace }}"

- name: Create management network
  openstack.cloud.network:
    cloud: atmosphere
    # Network settings
    name: lb-mgmt-net
  register: _octavia_management_network

- name: Create management subnet
  openstack.cloud.subnet:
    cloud: atmosphere
    # Subnet settings
    network_name: lb-mgmt-net
    name: lb-mgmt-subnet
    cidr: "{{ octavia_management_subnet_cidr }}"

- name: Create health manager security group
  openstack.cloud.security_group:
    cloud: atmosphere
    name: lb-health-mgr-sec-grp
  register: _octavia_health_manager_sg

- name: Create health manager security group rules
  openstack.cloud.security_group_rule:
    cloud: atmosphere
    security_group: "{{ _octavia_health_manager_sg.id }}"
    direction: ingress
    ethertype: IPv4
    protocol: tcp
    port_range_min: "{{ item }}"
    port_range_max: "{{ item }}"
  loop:
    - 5555
    - 10514
    - 20514

- name: Create health manager networking ports
  openstack.cloud.port:
    cloud: atmosphere
    name: "octavia-health-manager-port-{{ hostvars[item]['inventory_hostname_short'] }}"
    device_owner: octavia:health-mgr
    network: "{{ _octavia_management_network.id }}"
    security_groups:
      - "{{ _octavia_health_manager_sg.id }}"
  loop: "{{ groups['controllers'] }}"

- name: Set binding for ports
  changed_when: false
  ansible.builtin.shell: |
    openstack port set \
      --host {{ hostvars[item]['ansible_fqdn'] }} \
      octavia-health-manager-port-{{ hostvars[item]['inventory_hostname_short'] }}
  environment:
    OS_CLOUD: atmosphere
  loop: "{{ groups['controllers'] }}"

- name: Get health manager networking ports
  openstack.cloud.port_info:
    cloud: atmosphere
    port: "octavia-health-manager-port-{{ hostvars[item]['ansible_fqdn'] | split('.') | first }}"
  loop: "{{ groups['controllers'] }}"
  register: _octavia_health_manager_ports

- name: Set controller_ip_port_list
  ansible.builtin.set_fact:
    _octavia_controller_ip_port_list: "{{ (_octavia_controller_ip_port_list | d([]) + [item.openstack_ports[0].fixed_ips[0].ip_address + ':5555']) | unique }}"
  loop: "{{ _octavia_health_manager_ports.results }}"
  loop_control:
    label: "{{ item.openstack_ports[0].name }}"

- name: Create amphora security group
  openstack.cloud.security_group:
    cloud: atmosphere
    name: lb-mgmt-sec-grp
  register: _octavia_amphora_sg

- name: Create amphora security group rules
  openstack.cloud.security_group_rule:
    cloud: atmosphere
    security_group: "{{ _octavia_amphora_sg.id }}"
    direction: ingress
    ethertype: IPv4
    protocol: tcp
    port_range_min: "{{ item.0 }}"
    port_range_max: "{{ item.0 }}"
    remote_ip_prefix: "{{ item.1.openstack_ports[0].fixed_ips[0].ip_address }}/32"
  with_nested:
    - [22, 9443]
    - "{{ _octavia_health_manager_ports.results }}"

- name: Create amphora flavor
  openstack.cloud.compute_flavor:
    cloud: atmosphere
    name: "{{ octavia_amphora_flavor_name }}"
    vcpus: "{{ octavia_amphora_flavor_vcpus }}"
    ram: "{{ octavia_amphora_flavor_ram }}"
    disk: "{{ octavia_amphora_flavor_disk }}"
    is_public: false
  register: _octavia_amphora_flavor

- name: Upload Amphora image
  ansible.builtin.include_role:
    name: glance_image
  vars:
    glance_image_name: "{{ octavia_amphora_image_name }}"
    glance_image_url: "{{ octavia_amphora_image_url }}"
    glance_image_container_format: "{{ octavia_amphora_image_container_format }}"
    glance_image_disk_format: "{{ octavia_amphora_image_disk_format }}"
    glance_image_tags: "{{ octavia_amphora_image_tags }}"

- name: Get Amphora image information
  openstack.cloud.image_info:
    cloud: atmosphere
    image: "{{ octavia_amphora_image_name }}"
  register: _octavia_amphora_image

- name: Create CAs & Issuers
  kubernetes.core.k8s:
    state: present
    definition:
      - apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: "{{ item }}-ca"
          namespace: openstack
        spec:
          isCA: true
          commonName: "{{ item }}"
          secretName: "{{ item }}-ca"
          duration: 87600h
          renewBefore: 720h
          privateKey:
            algorithm: ECDSA
            size: 256
          issuerRef:
            name: self-signed
            kind: ClusterIssuer
            group: cert-manager.io

      - apiVersion: cert-manager.io/v1
        kind: Issuer
        metadata:
          name: "{{ item }}"
          namespace: openstack
        spec:
          ca:
            secretName: "{{ item }}-ca"
  loop:
    - octavia-client
    - octavia-server

- name: Create certificate for Octavia clients
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: octavia-client-certs
        namespace: openstack
      spec:
        commonName: octavia-client
        secretName: octavia-client-certs
        additionalOutputFormats:
          - type: CombinedPEM
        duration: 87600h
        renewBefore: 720h
        issuerRef:
          name: octavia-client
          kind: Issuer
          group: cert-manager.io

- name: Create admin compute quotaset
  openstack.cloud.quota:
    cloud: atmosphere
    # NOTE(okozachenko): It uses project name instead of id.
    name: admin
    instances: -1
    cores: -1
    ram: -1
    volumes: -1
    gigabytes: -1

- name: Deploy Helm chart
  run_once: true
  kubernetes.core.helm:
    name: "{{ octavia_helm_release_name }}"
    chart_ref: "{{ octavia_helm_chart_ref }}"
    release_namespace: "{{ octavia_helm_release_namespace }}"
    create_namespace: true
    kubeconfig: /etc/kubernetes/admin.conf
    values: "{{ _octavia_helm_values | combine(octavia_helm_values, recursive=True) }}"

- name: Add implied role of load-balancer_member to member
  run_once: true
  ansible.builtin.shell: |
    openstack implied role create \
      --implied-role load-balancer_member \
      member
  environment:
    OS_CLOUD: atmosphere
  register: _octavia_implied_role_create
  changed_when: _octavia_implied_role_create.rc == 0
  failed_when: _octavia_implied_role_create.rc != 0 and 'Duplicate entry.' not in _octavia_implied_role_create.stderr

- name: Create Ingress
  ansible.builtin.include_role:
    name: openstack_helm_ingress
  vars:
    openstack_helm_ingress_endpoint: load_balancer
    openstack_helm_ingress_service_name: octavia-api
    openstack_helm_ingress_service_port: 9876
    openstack_helm_ingress_annotations: "{{ octavia_ingress_annotations }}"