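heat_template_version: wallaby

description: >
  Configures the OVN BGP Agent on the host. The agent runs as a privileged,
  host-networked container next to FRR and advertises OVN-managed IPs via BGP.

parameters:
  ContainerOvnBgpAgentImage:
    description: The container image for the BGP Agent
    type: string
    tags:
      - role_specific
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
    description: >
      When true, an IPA-issued certificate is requested for the agent at
      deploy step 1 and the certificate, key and CA file are bind-mounted
      into the container.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  OvnBgpAgentCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service. Empty means use
                 CertificateKeySize.
  FrrOvnBgpAgentExposeTenantNetworks:
    description: >
      Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast.
      Tenant addresses become reachable from the BGP fabric; keep this
      disabled unless that exposure is intended.
    type: boolean
    default: false
    tags:
      - role_specific
  FrrOvnBgpAgentAsn:
    # 64999 falls in the 16-bit private ASN range (64512-65534), so the
    # default never collides with a globally assigned AS.
    default: 64999
    description: >
      Autonomous System Number to be used by the agent when running in BGP
      mode.
    type: number
    tags:
      - role_specific
  FrrOvnBgpAgentOvsdbConnection:
    # Plain tcp: to loopback. The container shares the host network
    # namespace (net: host below), so this endpoint is only reachable from
    # the host itself, but any process on the host can talk to it
    # unauthenticated. Do not point this at a non-loopback address
    # without protecting the OVSDB listener.
    default: 'tcp:127.0.0.1:6640'
    description: >
      The connection string for the native OVSDB backend. Use tcp:IP:PORT
      for TCP connection.
    type: string
    tags:
      - role_specific
  FrrOvnBgpAgentReconcileInterval:
    default: 300
    description: >
      Defines how frequently to reconcile the status, to ensure only the
      right IPs are exposed on the right locations.
    type: number
    tags:
      - role_specific

conditions:
  # True when a per-service key size override was supplied.
  key_size_override_set:
    not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']}

resources:
  # Resolves role-specific overrides: a value set under RoleParameters for
  # this role wins over the global parameter of the same name.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
              - ContainerOvnBgpAgentImage: ContainerOvnBgpAgentImage
                ovn_bgp_agent_expose_tenant_networks: FrrOvnBgpAgentExposeTenantNetworks
                ovn_bgp_agent_bgp_as: FrrOvnBgpAgentAsn
                ovn_bgp_agent_ovsdb_connection: FrrOvnBgpAgentOvsdbConnection
                ovn_bgp_agent_reconcile_interval: FrrOvnBgpAgentReconcileInterval
              - values: {get_param: [RoleParameters]}
          - values:
              ContainerOvnBgpAgentImage: {get_param: ContainerOvnBgpAgentImage}
              FrrOvnBgpAgentExposeTenantNetworks: {get_param: FrrOvnBgpAgentExposeTenantNetworks}
              FrrOvnBgpAgentAsn: {get_param: FrrOvnBgpAgentAsn}
              FrrOvnBgpAgentOvsdbConnection: {get_param: FrrOvnBgpAgentOvsdbConnection}
              FrrOvnBgpAgentReconcileInterval: {get_param: FrrOvnBgpAgentReconcileInterval}

outputs:
  role_data:
    description: Role data for the OVN BGP Agent service
    value:
      service_name: ovn_bgp_agent
      kolla_config:
        /var/lib/kolla/config_files/ovn_bgp_agent.json:
          command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
          # Ownership/mode fixes applied by kolla at container start. The
          # private key is kept group-readable only (0640); the cert/key
          # entries are optional because they only exist with internal TLS.
          permissions:
            - path: /etc/ovn-bgp-agent
              owner: ovn-bgp:ovn-bgp
              recurse: true
            - path: /var/log/ovn-bgp-agent
              owner: ovn-bgp:ovn-bgp
              recurse: true
            - path: /etc/pki/tls/certs/ovn_bgp_agent.crt
              owner: ovn-bgp:ovn-bgp
              optional: true
              perm: '0644'
            - path: /etc/pki/tls/private/ovn_bgp_agent.key
              owner: ovn-bgp:ovn-bgp
              optional: true
              perm: '0640'
      # Registers the service principal on the OvnDbsNetwork so IPA can
      # issue it a certificate; only needed when internal TLS is on.
      metadata_settings:
        if:
          - {get_param: EnableInternalTLS}
          - - service: ovn_bgp_agent
              network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
              type: node
      docker_config:
        step_5:
          ovn_bgp_agent:
            start_order: 0
            image: {get_attr: [RoleParametersValue, value, ContainerOvnBgpAgentImage]}
            # The agent programs routing state in the host network namespace
            # and shares /etc/iproute2, /run/frr and /run/openvswitch with
            # the host, hence host net/pid/cgroup namespaces and privileged
            # mode. Treat a compromise of this container as a compromise
            # of the host's network stack; keep the image and its inputs
            # tightly controlled.
            net: host
            pid: host
            cgroupns: host
            restart: always
            privileged: true
            healthcheck:
              test: /openstack/healthcheck
            # NOTE(review): the original comment here stated that
            # InternalTLSCAFile cannot be bind-mounted because FreeIPA may be
            # unreachable until FRR is up, yet the TLS branch below does mount
            # it read-only. Treat that remark as stale and confirm the intent.
            volumes:
              list_concat:
                - - /etc/hosts:/etc/hosts:ro
                  - /etc/localtime:/etc/localtime:ro
                  - /dev/log:/dev/log
                  - /etc/iproute2:/etc/iproute2
                  # OpenSSL trusted CAs
                  - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
                  - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
                  - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
                  - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
                  - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
                  - /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro
                  - /run/frr:/run/frr:shared,z
                  - /run/openvswitch:/run/openvswitch:shared,z
                  # Persist agent logs on the host. host_prep_tasks creates
                  # this directory (container_file_t, 0750) and the kolla
                  # permissions entry above chowns /var/log/ovn-bgp-agent,
                  # but the directory was never mounted, so logs stayed
                  # inside the container and vanished on restart.
                  - /var/log/containers/ovn-bgp-agent:/var/log/ovn-bgp-agent:z
                - if:
                    - {get_param: EnableInternalTLS}
                    - - list_join:
                          - ':'
                          - - {get_param: InternalTLSCAFile}
                            - {get_param: InternalTLSCAFile}
                            - 'ro'
                      # Cert and key are mounted writable, presumably so the
                      # kolla permissions step can chown/chmod them at start;
                      # confirm before tightening to :ro.
                      - /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt
                      - /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key
                    - null
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      deploy_steps_tasks:
        # Request the service certificate from IPA before the container
        # starts (step 1 vs. step 5 above).
        - name: Certificate generation
          when:
            - step|int == 1
            - enable_internal_tls
          block:
            - include_role:
                name: linux-system-roles.certificate
              vars:
                certificate_requests:
                  - name: ovn_bgp_agent
                    dns:
                      str_replace:
                        template: "{{fqdn_$NETWORK}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                    principal:
                      str_replace:
                        template: "ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}"
                        params:
                          $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
                    key_size:
                      if:
                        - key_size_override_set
                        - {get_param: OvnBgpAgentCertificateKeySize}
                        - {get_param: CertificateKeySize}
                    ca: ipa
      host_prep_tasks:
        # Host-side directories for the container's logs and generated
        # config; 0750 keeps them unreadable by unprivileged host users.
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode }}"
          with_items:
            - { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
      pre_deploy_step_tasks:
        # Renders the agent configuration via the tripleo_frr role from the
        # role-resolved values above.
        - name: Configure Ovn Bgp Agent
          import_role:
            name: tripleo_frr
            tasks_from: ovn_bgp_agent
          vars:
            tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS}
            tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_expose_tenant_networks]}
            tripleo_frr_ovn_bgp_agent_bgp_as: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_bgp_as]}
            tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_ovsdb_connection]}
            tripleo_frr_ovn_bgp_agent_reconcile_interval: {get_attr: [RoleParametersValue, value, ovn_bgp_agent_reconcile_interval]}
            tripleo_frr_ovn_bgp_agent_ca_cert: {get_param: InternalTLSCAFile}
            tripleo_frr_ovn_bgp_agent_enable: true
      update_tasks: []
      upgrade_tasks: []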