Define and bind a public virtual IP
author    James Polley <jp@jamezpolley.com>
          Fri, 20 Jun 2014 07:28:57 +0000 (17:28 +1000)
committer James Polley <jp@jamezpolley.com>
          Tue, 22 Jul 2014 14:06:48 +0000 (16:06 +0200)
Prior to this change our heat templates define one virtual IP, which all
the services are bound to.

We wish to be able to segregate these endpoints: some need to be
accessible to "the public"; some are only intended to be accessed within
the cloud; some are only for admin use.

This change adds a second VIP which we can use for binding only the
endpoints that are intended to be publicly accessible, leaving the older
VIP to be used for internal end points.

Haproxy is told to also listen on that new VIP so that we can expose selected
services via the new VIP, and keepalived is in charge of assigning the VIP to
control plane nodes.

This change has a proposed split of services between control-only and
control+public interfaces. Assuming our yaml parsers (in merge.py and
Heat) understand YAML anchors/aliases, and assuming I've got the syntax
right, this should get expanded so that all the control+public services
get their config defined from the same block without needing to repeat
it for each service. (AFAICT both merge.py and heat use pyyaml, which
does support aliases/anchors)

The default is left at binding to only the controlplane interface, so
that new services added to this map will default to being internal-only.

This patchset partially completes a spec which will one day live at
https://blueprints.launchpad.net/tripleo/+specs/tripleo-juno-virtual-public-ips
but for now can be seen in Id9addc65f0d2ed519ce4b3edbd561ed660a2786e

Implements: blueprint tripleo-juno-virtual-public-ips
Change-Id: I9649ee74ebaf62b6b929b28243a07c789a08867c
Co-Authored-By: Robert Collins <rbtcollins@hp.com>
Partial-Bug #1325114
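The commit message asks whether the `&public_binds` / `*public_binds` pattern survives the YAML parsers in merge.py and Heat. The script below is an added example (not part of this change, of merge.py, or of Heat) that loads a constructed subset of the haproxy `services` map with PyYAML, shows that the alias expands as intended, and audits which services end up bound to the public VIP so that admin- or internal-only endpoints are caught before the template is deployed. PyYAML being installed, the `INTERNAL_ONLY` name list, the `CONTROL_VIP`/`PUBLIC_VIP` placeholder addresses and the control-only default are all assumptions made for the example.

```python
"""Audit which haproxy services a TripleO-style Heat template binds to the
public VIP.  Added example; not code from the change, merge.py or Heat.
Assumes PyYAML is available.  The YAML below is a constructed subset of the
haproxy 'services' map using the same anchor/alias pattern as the change."""
import yaml

# Constructed sample: placeholder addresses stand in for the Fn::Select
# expressions that resolve the ControlVirtualIP / PublicVirtualIP ports.
SAMPLE_SERVICES_YAML = """
haproxy:
  services:
    - name: keystone_admin
      port: 35357
      net_binds: &public_binds
        - ip: CONTROL_VIP
        - ip: PUBLIC_VIP
    - name: keystone_public
      port: 5000
      net_binds: *public_binds
    - name: nova_ec2
      port: 8773
    - name: nova_metadata
      port: 8775
      net_binds: *public_binds
"""

# Services that are normally reached only by admins or from inside the
# cloud.  This list is an assumption for the audit, not taken from the page.
INTERNAL_ONLY = {"keystone_admin", "nova_metadata", "glance_registry"}

# What a service with no net_binds gets: the control-only default described
# in the commit message (address is a placeholder, assumption).
DEFAULT_BINDS = [{"ip": "CONTROL_VIP"}]


def load_services(text):
    """Parse the template fragment; PyYAML resolves anchors/aliases here."""
    return yaml.safe_load(text)["haproxy"]["services"]


def binds_for(service):
    """Effective bind list after alias expansion (absent -> control-only)."""
    return service.get("net_binds", DEFAULT_BINDS)


def public_services(services, public_ip="PUBLIC_VIP"):
    """Names of services whose bind list includes the public VIP."""
    return [s["name"] for s in services
            if any(b["ip"] == public_ip for b in binds_for(s))]


def suspicious_public(services):
    """Public-bound services that the policy says should stay internal."""
    return sorted(set(public_services(services)) & INTERNAL_ONLY)


def aliases_share_object(services):
    """PyYAML hands every *public_binds the SAME list object as the anchor,
    so an in-place edit of one service's net_binds would alter all of them."""
    anchored = [s for s in services if "net_binds" in s]
    return all(s["net_binds"] is anchored[0]["net_binds"] for s in anchored)


if __name__ == "__main__":
    svcs = load_services(SAMPLE_SERVICES_YAML)
    print("bound to public VIP:", public_services(svcs))
    print("should not be public:", suspicious_public(svcs))
    print("aliases share one object:", aliases_share_object(svcs))
```

Run against the real template, the audit turns the question "which endpoints did we just expose?" into a list that can be reviewed, and the identity check is the caveat to remember when any merge step mutates a service entry in place.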

overcloud-source.yaml

index 33355c9..068c853 100644
@@ -252,6 +252,23 @@ Parameters:
     Default: []
     Description: Should be used for arbitrary ips.
     Type: Json
+  PublicVirtualFixedIPs:
+    Default: []
+    Description: |
+        Control the IP allocation for the PublicVirtualInterface port. E.g.
+        [{'ip_address':'1.2.3.4'}]
+    Type: Json
+  PublicVirtualInterface:
+    Default: 'br-ex'
+    Description: >
+        Specifies the interface where the public-facing virtual ip will be assigned.
+        This should be int_public when a VLAN is being used.
+    Type: String
+  PublicVirtualNetwork:
+    Default: 'ctlplane'
+    Type: String
+    Description: >
+        Neutron network to allocate public virtual IP port on.
   KeystoneCACertificate:
     Default: ''
     Description: Keystone self-signed certificate authority certificate.
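Review bot: PublicVirtualNetwork defaults to 'ctlplane' while PublicVirtualInterface defaults to 'br-ex', so with the defaults the "public" port is allocated from the control plane network and then assigned on the external bridge; an operator who overrides only one of the two ends up with a public-facing address carved out of the internal network. Either make the two defaults agree, or drop the network default so the parameter must be set deliberately, and say in the PublicVirtualInterface description that PublicVirtualNetwork must be changed alongside it. Style: PublicVirtualNetwork lists Type before Description, the reverse of every other parameter in this block.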
@@ -277,6 +294,13 @@ Resources:
     Type: OS::Heat::RandomString
     Properties:
       length: 10
+  PublicVirtualIP:
+    Type: OS::Neutron::Port
+    Properties:
+      name: public_virtual_ip
+      network: {Ref: PublicVirtualNetwork}
+      fixed_ips:
+        Ref: PublicVirtualFixedIPs
   RabbitCookie:
     Type: OS::Heat::RandomString
     Properties:
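Review bot: The PublicVirtualIP port sets only name, network and fixed_ips; nothing in this change shows how the controller nodes are permitted to carry that address once keepalived moves it between them, so confirm the new port gets whatever treatment ControlVirtualIP already receives for that (allowed address pairs or equivalent), otherwise traffic to the public VIP is dropped by port filtering. Style: fixed_ips uses a block-style `Ref:` while network two lines above uses the inline `{Ref: PublicVirtualNetwork}` form; pick one.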
@@ -482,15 +506,44 @@ Resources:
         ntp:
           servers:
               - {server: {Ref: NtpServer}, fudge: "stratum 0"}
+        virtual_interfaces:
+          instances:
+            - vrrp_instance_name: VI_CONTROL
+              virtual_router_id: 51
+              keepalive_interface:
+                Ref: ControlVirtualInterface
+              priority: 101
+              virtual_ips:
+              - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
+                interface:
+                  Ref: ControlVirtualInterface
+            - vrrp_instance_name: VI_PUBLIC
+              virtual_router_id: 52
+              keepalive_interface:
+                Ref: PublicVirtualInterface
+              priority: 101
+              virtual_ips:
+              - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
+                interface:
+                  Ref: PublicVirtualInterface
+          vrrp_sync_groups:
+            - name: VG1
+              members:
+                - VI_CONTROL
+                - VI_PUBLIC
         keepalived:
           keepalive_interface:
-            Ref: ControlVirtualInterface
+            Ref: PublicVirtualInterface
           priority: 101
         virtual_ips:
             -
               ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
               interface:
                 Ref: ControlVirtualInterface
+            -
+              ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
+              interface:
+                Ref: PublicVirtualInterface
         haproxy:
           nodes:
             Merge::Map:
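Review bot: The one-line change under `keepalived:` (ControlVirtualInterface -> PublicVirtualInterface) moves the existing VRRP instance, and with it the control VIP listed first under `virtual_ips`, onto the public interface, while the new `virtual_interfaces` block defines VI_CONTROL and VI_PUBLIC for the same two addresses. If both blocks are consumed, each VIP is claimed by two VRRP instances and the control VIP is advertised on the public-facing interface. Either remove the old `keepalived`/`virtual_ips` block now that `virtual_interfaces` with sync group VG1 covers both VIPs, or revert that line so the old block stays control-only. VI_PUBLIC also sends VRRP advertisements on the public-facing interface; confirm that interface is not reachable from tenant or external networks without filtering.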
@@ -502,34 +555,50 @@ Resources:
           services:
             - name: keystone_admin
               port: 35357
+              net_binds: &public_binds
+                - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
+                - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
             - name: keystone_public
               port: 5000
+              net_binds: *public_binds
             - name: horizon
               port: 80
+              net_binds: *public_binds
             - name: neutron
               port: 9696
+              net_binds: *public_binds
             - name: cinder
               port: 8776
+              net_binds: *public_binds
             - name: glance_api
               port: 9292
+              net_binds: *public_binds
             - name: glance_registry
               port: 9191
+              net_binds: *public_binds
             - name: heat_api
               port: 8004
+              net_binds: *public_binds
             - name: heat_cloudwatch
               port: 8003
+              net_binds: *public_binds
             - name: heat_cfn
               port: 8000
+              net_binds: *public_binds
             - name: nova_ec2
               port: 8773
             - name: nova_osapi
               port: 8774
+              net_binds: *public_binds
             - name: nova_metadata
               port: 8775
+              net_binds: *public_binds
             - name: ceilometer
               port: 8777
+              net_binds: *public_binds
             - name: swift_proxy_server
               port: 8080
+              net_binds: *public_binds
   controllerPassthrough:
     Type: OS::Heat::StructuredConfig
     Properties:
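Review bot: The `&public_binds` anchor is defined on keystone_admin (port 35357), so the admin API is bound to the public VIP, which contradicts the commit message's aim of keeping admin-only endpoints off the public interface; define the anchor on a genuinely public service such as keystone_public and leave keystone_admin on the control-only default. nova_metadata (8775) and glance_registry (9191) are likewise normally reached only from inside the cloud, so check whether they need `*public_binds` at all; nova_ec2 being the one service left on the default looks deliberate and deserves a comment. On the YAML question in the commit message: anchors and aliases are resolved by the loader, so merge.py and Heat both see the expanded list, but PyYAML gives every `*public_binds` the same list object as the anchor, so an in-place edit of one service's net_binds during merging would change all of them.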