Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / ec976556f03260ba7334a8a1a356082d2249d5a0 / . / roles / octavia / tasks / main.yml
blob: 22b21ee701d443fdedb1ba33f016c42c08863b56 [file] [log] [blame]
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]1# Copyright (c) 2022 VEXXHOST, Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
guilhermesteinmuller9b173d22023-01-24 19:15:17 +0000[diff] [blame]15- name: Uninstall the legacy HelmRelease
16 run_once: true
17 block:
18 - name: Suspend the existing HelmRelease
19 kubernetes.core.k8s:
20 state: patched
21 api_version: helm.toolkit.fluxcd.io/v2beta1
22 kind: HelmRelease
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]23 name: "{{ octavia_helm_release_name }}"
24 namespace: "{{ octavia_helm_release_namespace }}"
guilhermesteinmuller9b173d22023-01-24 19:15:17 +0000[diff] [blame]25 definition:
26 spec:
27 suspend: true
28
29 - name: Remove the existing HelmRelease
30 kubernetes.core.k8s:
31 state: absent
32 api_version: helm.toolkit.fluxcd.io/v2beta1
33 kind: HelmRelease
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]34 name: "{{ octavia_helm_release_name }}"
35 namespace: "{{ octavia_helm_release_namespace }}"
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]36
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]37- name: Generate resources
38 ansible.builtin.import_tasks:
39 file: generate_resources.yml
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]40
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]41- name: Create CAs & Issuers
42 kubernetes.core.k8s:
43 state: present
44 definition:
45 - apiVersion: cert-manager.io/v1
46 kind: Certificate
47 metadata:
48 name: "{{ item }}-ca"
49 namespace: openstack
50 spec:
51 isCA: true
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]52 commonName: "{{ octavia_tls_server_common_name if item == 'octavia-server' else octavia_tls_client_common_name }}"
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]53 secretName: "{{ item }}-ca"
54 duration: 87600h
55 renewBefore: 720h
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]56 privateKey: "{{ private_key | from_yaml }}"
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]57 issuerRef:
58 name: self-signed
Mohammed Naserbb89a842022-11-14 19:49:36 +0000[diff] [blame]59 kind: ClusterIssuer
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]60 group: cert-manager.io
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]61
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]62 - apiVersion: cert-manager.io/v1
63 kind: Issuer
64 metadata:
65 name: "{{ item }}"
66 namespace: openstack
67 spec:
68 ca:
69 secretName: "{{ item }}-ca"
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]70 vars:
71 # NOTE(mnaser): Unfortuantely, Ansible renders all variables as strings so
72 # we do this workaround to make sure the size is an integer.
73 private_key: |
74 algorithm: "{{ octavia_tls_server_private_key_algorithm if item == 'octavia-server' else octavia_tls_client_private_key_algorithm }}"
75 size: {{ octavia_tls_server_private_key_size if item == 'octavia-server' else octavia_tls_client_private_key_size }}
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]76 loop:
77 - octavia-client
78 - octavia-server
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]79
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]80- name: Create certificate for Octavia clients
81 kubernetes.core.k8s:
82 state: present
83 definition:
84 apiVersion: cert-manager.io/v1
85 kind: Certificate
86 metadata:
87 name: octavia-client-certs
88 namespace: openstack
89 spec:
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]90 commonName: "{{ octavia_tls_client_common_name }}"
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]91 secretName: octavia-client-certs
92 additionalOutputFormats:
93 - type: CombinedPEM
94 duration: 87600h
95 renewBefore: 720h
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]96 privateKey: "{{ private_key | from_yaml }}"
Mohammed Naserc5824202022-11-12 17:17:02 +0000[diff] [blame]97 issuerRef:
98 name: octavia-client
99 kind: Issuer
100 group: cert-manager.io
Mohammed Naser0a13cee2023-03-02 11:28:29 +0100[diff] [blame]101 vars:
102 # NOTE(mnaser): Unfortuantely, Ansible renders all variables as strings so
103 # we do this workaround to make sure the size is an integer.
104 private_key: |
105 algorithm: "{{ octavia_tls_client_private_key_algorithm }}"
106 size: {{ octavia_tls_client_private_key_size }}
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]107
108- name: Create admin compute quotaset
109 openstack.cloud.quota:
110 cloud: atmosphere
111 # NOTE(okozachenko): It uses project name instead of id.
112 name: admin
113 instances: -1
114 cores: -1
115 ram: -1
Mohammed Naser9c8115d2023-02-07 22:06:48 +0000[diff] [blame]116 volumes: -1
117 gigabytes: -1
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]118
119- name: Deploy Helm chart
guilhermesteinmuller9b173d22023-01-24 19:15:17 +0000[diff] [blame]120 run_once: true
121 kubernetes.core.helm:
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]122 name: "{{ octavia_helm_release_name }}"
123 chart_ref: "{{ octavia_helm_chart_ref }}"
124 release_namespace: "{{ octavia_helm_release_namespace }}"
guilhermesteinmuller9b173d22023-01-24 19:15:17 +0000[diff] [blame]125 create_namespace: true
126 kubeconfig: /etc/kubernetes/admin.conf
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]127 values: "{{ _octavia_helm_values | combine(octavia_helm_values, recursive=True) }}"
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]128
Mohammed Naserf641f862023-02-16 19:04:57 +0000[diff] [blame]129- name: Add implied roles
Mohammed Naser24abccb2023-01-29 22:50:42 +0000[diff] [blame]130 run_once: true
131 ansible.builtin.shell: |
132 openstack implied role create \
Mohammed Naserf641f862023-02-16 19:04:57 +0000[diff] [blame]133 --implied-role {{ item.implies }} \
134 {{ item.role }}
135 loop:
136 - role: member
137 implies: load-balancer_member
138 - role: reader
139 implies: load-balancer_observer
Mohammed Naser24abccb2023-01-29 22:50:42 +0000[diff] [blame]140 environment:
141 OS_CLOUD: atmosphere
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]142 register: _octavia_implied_role_create
143 changed_when: _octavia_implied_role_create.rc == 0
144 failed_when: _octavia_implied_role_create.rc != 0 and 'Duplicate entry.' not in _octavia_implied_role_create.stderr
Mohammed Naser24abccb2023-01-29 22:50:42 +0000[diff] [blame]145
okozachenko1203d8d2aa12022-10-22 00:55:14 +1100[diff] [blame]146- name: Create Ingress
147 ansible.builtin.include_role:
148 name: openstack_helm_ingress
149 vars:
150 openstack_helm_ingress_endpoint: load_balancer
151 openstack_helm_ingress_service_name: octavia-api
152 openstack_helm_ingress_service_port: 9876
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]153 openstack_helm_ingress_annotations: "{{ octavia_ingress_annotations }}"