From df8f5f0e251a014ab30dabd62c17e151b7fe36e8 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya <bdobreli@redhat.com> Date: Wed, 12 Jul 2017 13:09:45 +0200 Subject: Options for bastion, SSH config, static inventory autogeneration * At the provisioning stage, allow users to auto-generate SSH config, when using a static inventory. * Run playbooks to provsion and post-provision as a separate, when using a bastion. This re-applies the SSH config, which ansible can't do on the fly. * Support a pre-installed bastion node, colocated with the 1st infra node. * With a bastion enabled, reduce floating IP footprint to infra and dns nodes only, effectively isolating a cluster in a private network. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> --- roles/openstack-stack/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'roles/openstack-stack/defaults') diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml index 4831d6bc4..803a96389 100644 --- a/roles/openstack-stack/defaults/main.yml +++ b/roles/openstack-stack/defaults/main.yml @@ -4,6 +4,7 @@ ssh_ingress_cidr: 0.0.0.0/0 node_ingress_cidr: 0.0.0.0/0 master_ingress_cidr: 0.0.0.0/0 lb_ingress_cidr: 0.0.0.0/0 +bastion_ingress_cidr: 0.0.0.0/0 num_etcd: 0 num_masters: 1 num_nodes: 1 @@ -11,3 +12,4 @@ num_dns: 1 num_infra: 1 nodes_to_remove: [] etcd_volume_size: 2 +use_bastion: False -- cgit v1.2.3 From 6ebad037254b0c254638f6e6dfbd48e451a1ceeb Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya <bdobreli@redhat.com> Date: Wed, 16 Aug 2017 09:14:06 +0200 Subject: Access UI via a bastion node (#596) When using a bastion and a single master, use the lb-secgrp to access UI port allowed from the ingress bastion node cidr. For HA (masters>1), UI still should be accessed via the LB node's ingress cidr, omitting the bastion. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> --- roles/openstack-stack/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) (limited to 'roles/openstack-stack/defaults') diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml index 803a96389..c8529612e 100644 --- a/roles/openstack-stack/defaults/main.yml +++ b/roles/openstack-stack/defaults/main.yml @@ -13,3 +13,4 @@ num_infra: 1 nodes_to_remove: [] etcd_volume_size: 2 use_bastion: False +ui_ssh_tunnel: False -- cgit v1.2.3 From 6a528d5803619f93c734c23be44a2021f1d35ee9 Mon Sep 17 00:00:00 2001 From: Tlacenka <tlacencin@gmail.com> Date: Thu, 17 Aug 2017 13:48:20 +0200 Subject: Configure different Docker volume sizes for different roles (#644) * README, all.yml, stack_params.yaml, openstack-stack: added docker volume size customisation - app_volume_size changed to node_volume_size (it is node everywhere else) * all.yml, stack_params.yaml,openstack-stack: added customisation for lb, etcd, dns * README: updated * README: updated info about ephemeral volumes --- roles/openstack-stack/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'roles/openstack-stack/defaults') diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml index c8529612e..fbca0bdf6 100644 --- a/roles/openstack-stack/defaults/main.yml +++ b/roles/openstack-stack/defaults/main.yml @@ -1,5 +1,4 @@ --- -dns_volume_size: 1 ssh_ingress_cidr: 0.0.0.0/0 node_ingress_cidr: 0.0.0.0/0 master_ingress_cidr: 0.0.0.0/0 @@ -12,5 +11,7 @@ num_dns: 1 num_infra: 1 nodes_to_remove: [] etcd_volume_size: 2 +dns_volume_size: 1 +lb_volume_size: 5 use_bastion: False ui_ssh_tunnel: False -- cgit v1.2.3 From daa0b91119d2c16860a19b4ead2d0d128f8bc5ce Mon Sep 17 00:00:00 2001 From: Tomas Sedovic <tomas@sedovic.cz> Date: Wed, 6 Sep 2017 10:24:16 +0200 Subject: Allow using a provider network (#701) * Allow using a provider network This adds a new option `openstack_provider_network_name` which will take a name of an existing network and put the servers there. It will also prevent creating floating IP addresses as the provider network's IPs should already be accessible without any additional routing required. Fixes #622 * Requested changes Don't fail on external/private networks and use role defaults for the provider network. * Add missing endif --- roles/openstack-stack/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) (limited to 'roles/openstack-stack/defaults') diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml index fbca0bdf6..c16b5dc00 100644 --- a/roles/openstack-stack/defaults/main.yml +++ b/roles/openstack-stack/defaults/main.yml @@ -15,3 +15,4 @@ dns_volume_size: 1 lb_volume_size: 5 use_bastion: False ui_ssh_tunnel: False +provider_network: None -- cgit v1.2.3