# Copyright (c) 2023 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Every host in the octavia-health-manager group publishes its lbaas_address
# under container_networks; the i-th address is stored as the fact
# octavia_health_manager_ip on the i-th host of groups['controllers'].
# Presumably this keeps the addresses existing amphorae already know about —
# confirm against how main.yml consumes octavia_health_manager_ip.
# The lookup is positional, so it fails with an index error when the
# health-manager group is larger than the controllers group.
- name: Map existing health manager IP addresses to existing controllers
  ansible.builtin.set_fact:
    octavia_health_manager_ip: "{{ item }}"
  loop: >-
    {{ groups['octavia-health-manager']
    | map('extract', hostvars, ['container_networks', 'lbaas_address', 'address'])
    | list }}
  loop_control:
    index_var: _octavia_health_manager_ip
  run_once: true
  delegate_to: "{{ groups['controllers'][_octavia_health_manager_ip] }}"
  delegate_facts: true
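# octavia.conf carries credentials (the CA private key passphrase is read
# from it further down), so the slurped content must not be echoed into the
# play output or callback logs: no_log hides the registered result.
- name: Slurp configuration file for Octavia
  run_once: true
  delegate_to: "{{ groups['octavia_all'][0] }}"
  no_log: true
  ansible.builtin.slurp:
    src: /etc/octavia/octavia.conf
  register: _octavia_conf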
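# Decode the slurped file into a section -> option -> value mapping with the
# collection's from_ini filter (it is later read as
# _octavia_conf.certificates.ca_private_key_passphrase). set_fact returns the
# new facts in its result, passphrase included, hence no_log.
- name: Generate fact with Octavia configuration file
  run_once: true
  no_log: true
  ansible.builtin.set_fact:
    _octavia_conf: "{{ _octavia_conf['content'] | b64decode | vexxhost.atmosphere.from_ini }}"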
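# Re-publish the PKI that openstack-ansible generated as Kubernetes TLS
# secrets. All lookups run on the Ansible controller, so _octavia_cert_dir
# (built from the controller's $HOME) must exist there. The cert-manager.io
# annotations label each secret as if it had been issued by the named
# issuer — presumably so cert-manager adopts it instead of re-issuing;
# confirm against the chart's Certificate resources.
# no_log: the k8s module returns the created objects, key material included.
- name: Create secrets for server CA, client CA and client certificates
  run_once: true
  no_log: true
  kubernetes.core.k8s:
    state: present
    definition:
      - apiVersion: v1
        kind: Secret
        metadata:
          name: octavia-server-ca
          namespace: "{{ octavia_helm_release_namespace }}"
          annotations:
            cert-manager.io/alt-names: ""
            cert-manager.io/certificate-name: octavia-server-ca
            cert-manager.io/common-name: octavia-server
            cert-manager.io/ip-sans: ""
            cert-manager.io/issuer-group: cert-manager.io
            cert-manager.io/issuer-kind: ClusterIssuer
            cert-manager.io/issuer-name: self-signed
            cert-manager.io/uri-sans: ""
        # Was "kuberenetes.io/tls" (typo), which Kubernetes stores as an
        # opaque custom type that no TLS-aware consumer recognises. A secret's
        # type cannot be changed in place, so a secret already created with
        # the misspelled type has to be deleted before this task is re-run.
        type: kubernetes.io/tls
        stringData:
          ca.crt: "{{ lookup('file', _octavia_cert_dir ~ '/ca_server_01.pem') }}"
          tls.crt: "{{ lookup('file', _octavia_cert_dir ~ '/ca_server_01.pem') }}"
          # The server CA key is passphrase-protected; openssl strips the
          # encryption on the controller. The passphrase is shell-quoted
          # because the pipe lookup goes through a shell, so quotes, spaces or
          # metacharacters in it can neither break nor alter the command.
          # It is still visible in the controller's process list while
          # openssl runs.
          tls.key: "{{ lookup('pipe', 'openssl rsa -in ' ~ _octavia_cert_dir ~ '/private/cakey.pem -passin pass:' ~ (_octavia_cert_passphrase | quote)) }}"

      - apiVersion: v1
        kind: Secret
        metadata:
          name: octavia-client-ca
          namespace: "{{ octavia_helm_release_namespace }}"
          annotations:
            cert-manager.io/alt-names: ""
            cert-manager.io/certificate-name: octavia-client-ca
            cert-manager.io/common-name: octavia-client
            cert-manager.io/ip-sans: ""
            cert-manager.io/issuer-group: cert-manager.io
            cert-manager.io/issuer-kind: ClusterIssuer
            cert-manager.io/issuer-name: self-signed
            cert-manager.io/uri-sans: ""
        # Same typo fix and re-run caveat as for octavia-server-ca.
        type: kubernetes.io/tls
        stringData:
          ca.crt: "{{ lookup('file', _octavia_cert_dir ~ '/ca_01.pem') }}"
          tls.crt: "{{ lookup('file', _octavia_cert_dir ~ '/ca_01.pem') }}"
          # Same decryption via openssl as above, same quoting rationale.
          tls.key: "{{ lookup('pipe', 'openssl rsa -in ' ~ _octavia_cert_dir ~ '/ca_01.key -passin pass:' ~ (_octavia_cert_passphrase | quote)) }}"

      - apiVersion: v1
        kind: Secret
        metadata:
          name: octavia-client-certs
          namespace: "{{ octavia_helm_release_namespace }}"
          annotations:
            cert-manager.io/alt-names: ""
            cert-manager.io/certificate-name: octavia-client-certs
            cert-manager.io/common-name: octavia-client
            cert-manager.io/ip-sans: ""
            cert-manager.io/issuer-group: cert-manager.io
            cert-manager.io/issuer-kind: Issuer
            cert-manager.io/issuer-name: octavia-client
            cert-manager.io/uri-sans: ""
        # Same typo fix and re-run caveat as for octavia-server-ca.
        type: kubernetes.io/tls
        stringData:
          ca.crt: "{{ lookup('file', _octavia_cert_dir ~ '/ca_01.pem') }}"
          tls-combined.pem: "{{ lookup('file', _octavia_cert_dir ~ '/client.pem') }}"
          # NOTE(review): 'client-.pem' does not follow the client.pem /
          # client.key naming of its siblings — confirm this is the cert-only
          # file openstack-ansible writes and not a typo.
          tls.crt: "{{ lookup('file', _octavia_cert_dir ~ '/client-.pem') }}"
          # The client key is stored unencrypted, so it is read as-is.
          tls.key: "{{ lookup('file', _octavia_cert_dir ~ '/client.key') }}"
  vars:
    # Where openstack-ansible left the Octavia PKI on the deploy host.
    _octavia_cert_dir: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia"
    # From the [certificates] section of the slurped octavia.conf.
    _octavia_cert_passphrase: "{{ _octavia_conf.certificates.ca_private_key_passphrase }}"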
# Static import of the sibling task file; the short form is equivalent to
# the file: keyword.
- name: Generate resources
  ansible.builtin.import_tasks: generate_resources.yml
# Hand the OSA container group, the chart and the merged release values to
# the osa_config_diff role — presumably to report how the chart-rendered
# octavia.conf differs from the existing /etc/octavia/octavia.conf before
# anything is migrated. Chart values are user-supplied octavia_helm_values
# layered over the role's _octavia_helm_values.
- name: Generate configuration difference
  ansible.builtin.include_role:
    name: osa_config_diff
  vars:
    osa_config_diff_containers_group: octavia_all
    osa_config_diff_chart_ref: "{{ octavia_helm_chart_ref }}"
    osa_config_diff_release_namespace: "{{ octavia_helm_release_namespace }}"
    osa_config_diff_release_values: >-
      {{ _octavia_helm_values | combine(octavia_helm_values, recursive=True) }}
    osa_config_diff_config_files:
      octavia.conf: /etc/octavia/octavia.conf
# Copy the octavia database out of the OSA containers into the Percona
# cluster living in the release namespace; the mapping is
# source database name -> destination database name.
- name: Migrate the database
  ansible.builtin.include_role:
    name: migrate_db_from_osa
  vars:
    migrate_db_from_osa_containers_group: octavia_all
    migrate_db_from_osa_pxc_namespace: "{{ octavia_helm_release_namespace }}"
    migrate_db_from_osa_databases:
      octavia: octavia
# Run the role's regular deployment entry point now that the facts, secrets
# and database are in place.
- name: Run deployment flow
  ansible.builtin.import_tasks: main.yml
# Repoint the OSA HAProxy "octavia" backend at the octavia-api Service in the
# release namespace so traffic moves to the new deployment.
- name: Migrate HAproxy
  ansible.builtin.include_role:
    name: migrate_haproxy_from_osa
  vars:
    migrate_haproxy_from_osa_group: octavia_all
    migrate_haproxy_from_osa_haproxy_backend: octavia
    migrate_haproxy_from_osa_service_name: octavia-api
    migrate_haproxy_from_osa_service_namespace: "{{ octavia_helm_release_namespace }}"