Merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
- Trusty Tahr (14.04)
- trunk
- Merge into trunk
Status: | Merged |
---|---|
Merged at revision: | 68 |
Proposed branch: | lp:~dmitriis/charms/trusty/contrail-configuration/trunk |
Merge into: | lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk |
Diff against target: |
655 lines (+202/-70) 4 files modified
config.yaml (+10/-0) hooks/contrail_configuration_hooks.py (+171/-67) hooks/contrail_configuration_utils.py (+11/-2) templates/contrail-api.conf (+10/-1) |
To merge this branch: | bzr merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robert Ayres (community) | Approve | ||
Ante Karamatić | Pending | ||
Review via email: mp+320826@code.launchpad.net |
This proposal supersedes a proposal from 2017-03-19.
Commit message
Description of the change
rbac support (rebased)
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
One more comment
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
I haven't investigated into detail, but with your patches contrail-analytics never populates 'api_server' in /etc/contrail/
Dmitrii Shcherbakov (dmitriis) wrote : Posted in a previous version of this proposal | # |
Ante,
Not sure about api_server - no modifications for that in my MP.
https:/
Have to investigate why.
Have you tried it without my patch or just with the patch?
If not, we can try it without a patch first to figure out if I introduced a regression or not.
Bernhard Koessler (bkoessler) wrote : Posted in a previous version of this proposal | # |
I would recommend not using multi_tenancy anymore going forward.
aaa_mode can be set to:
no-auth—No authentication is performed and full access is granted to all.
cloud-admin—
rbac—Authentication is performed and access is granted based on role.
cloud-admin would be the same behaviour as multi-tenancy=true
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
Right, but charms need to support older versions also.
Dmitrii Shcherbakov (dmitriis) wrote : | # |
Just noticed a piece of dead code for an action that we wanted to implement originally - uploaded an updated branch.
Robert Ayres (robert-ayres) wrote : | # |
For this to get merged, please remove all the unnecessary formatting changes.
This diff should only contain the *actual* code changes.
Dmitrii Shcherbakov (dmitriis) wrote : | # |
Robert,
They were separated into two revisions intentionally and it is possible to view the individual diffs.
https:/
https:/
Lint checks are a normal part of the charm dev process so I think it is worthwhile that they pass:
https:/
https:/
Robert Ayres (robert-ayres) wrote : | # |
I appreciate the lint comment, but it would be better if changes to pass lint tests were in a separate patch.
Robert Ayres (robert-ayres) wrote : | # |
To save effort, we can just look at merging r67 here.
Robert Ayres (robert-ayres) : | # |
Preview Diff
1 | === modified file 'config.yaml' | |||
2 | --- config.yaml 2017-03-10 12:49:07 +0000 | |||
3 | +++ config.yaml 2017-03-23 15:13:02 +0000 | |||
4 | @@ -59,3 +59,13 @@ | |||
5 | 59 | type: int | 59 | type: int |
6 | 60 | default: 1 | 60 | default: 1 |
7 | 61 | description: Minimum number of units required in cassandra relation | 61 | description: Minimum number of units required in cassandra relation |
8 | 62 | rbac: | ||
9 | 63 | type: boolean | ||
10 | 64 | default: true | ||
11 | 65 | description: enable/disable role-based authentication - only supported in Contrail 3.2 and newer | ||
12 | 66 | cloud-admin-role: | ||
13 | 67 | type: string | ||
14 | 68 | description: A user who is assigned the cloud_admin_role has full access to everything. | ||
15 | 69 | global-read-only-role: | ||
16 | 70 | type: string | ||
17 | 71 | description: This role allows read-only access to all Contrail resources. Must be configured in keystone. | ||
18 | 62 | 72 | ||
19 | === modified file 'hooks/contrail_configuration_hooks.py' | |||
20 | --- hooks/contrail_configuration_hooks.py 2017-03-10 12:49:07 +0000 | |||
21 | +++ hooks/contrail_configuration_hooks.py 2017-03-23 15:13:02 +0000 | |||
22 | @@ -1,6 +1,5 @@ | |||
23 | 1 | #!/usr/bin/env python | 1 | #!/usr/bin/env python |
24 | 2 | 2 | ||
25 | 3 | from socket import gethostbyname | ||
26 | 4 | import sys | 3 | import sys |
27 | 5 | 4 | ||
28 | 6 | from apt_pkg import version_compare | 5 | from apt_pkg import version_compare |
29 | @@ -24,7 +23,6 @@ | |||
30 | 24 | relation_ids, | 23 | relation_ids, |
31 | 25 | relation_set, | 24 | relation_set, |
32 | 26 | remote_unit, | 25 | remote_unit, |
33 | 27 | unit_get | ||
34 | 28 | ) | 26 | ) |
35 | 29 | 27 | ||
36 | 30 | from charmhelpers.core.host import ( | 28 | from charmhelpers.core.host import ( |
37 | @@ -68,17 +66,44 @@ | |||
38 | 68 | write_ifmap_config, | 66 | write_ifmap_config, |
39 | 69 | write_nodemgr_config, | 67 | write_nodemgr_config, |
40 | 70 | write_ssl_ca_certificate, | 68 | write_ssl_ca_certificate, |
42 | 71 | write_vnc_api_config | 69 | write_vnc_api_config, |
43 | 72 | ) | 70 | ) |
44 | 73 | 71 | ||
49 | 74 | PACKAGES = [ "ifmap-server", "contrail-config", "contrail-config-openstack", | 72 | PACKAGES = ["ifmap-server", "contrail-config", "contrail-config-openstack", |
50 | 75 | "neutron-common", "contrail-utils", "contrail-nodemgr" ] | 73 | "neutron-common", "contrail-utils", "contrail-nodemgr"] |
51 | 76 | 74 | ||
52 | 77 | PACKAGES_BARBICAN = [ "python-barbicanclient" ] | 75 | PACKAGES_BARBICAN = ["python-barbicanclient"] |
53 | 76 | |||
54 | 77 | CONFIG_ROLES = ['cloud-admin-role', 'global-read-only-role'] | ||
55 | 78 | 78 | ||
56 | 79 | hooks = Hooks() | 79 | hooks = Hooks() |
57 | 80 | config = config() | 80 | config = config() |
58 | 81 | 81 | ||
59 | 82 | |||
60 | 83 | def get_rbac_roles(): | ||
61 | 84 | rid = relation_ids("identity-admin")[0] | ||
62 | 85 | unit = related_units(rid)[0] | ||
63 | 86 | default_role = relation_get(attribute='service_tenant_name', | ||
64 | 87 | rid=rid, unit=unit) | ||
65 | 88 | rbac_roles = {} | ||
66 | 89 | for r in CONFIG_ROLES: | ||
67 | 90 | val = config.get(r) | ||
68 | 91 | rbac_roles[r] = val if val else default_role | ||
69 | 92 | return rbac_roles | ||
70 | 93 | |||
71 | 94 | |||
72 | 95 | def add_rbac_settings(d): | ||
73 | 96 | rbac = config.get('rbac') | ||
74 | 97 | # update the rbac settings unconditionally | ||
75 | 98 | # we do need to signal the change of relation data | ||
76 | 99 | if rbac: | ||
77 | 100 | d['rbac'] = rbac | ||
78 | 101 | d.update(get_rbac_roles()) | ||
79 | 102 | else: | ||
80 | 103 | d['rbac'] = None | ||
81 | 104 | d.update({k: None for k in CONFIG_ROLES}) | ||
82 | 105 | |||
83 | 106 | |||
84 | 82 | def add_contrail_api(): | 107 | def add_contrail_api(): |
85 | 83 | # check relation dependencies | 108 | # check relation dependencies |
86 | 84 | if not config_get("contrail-api-configured") \ | 109 | if not config_get("contrail-api-configured") \ |
87 | @@ -95,14 +120,18 @@ | |||
88 | 95 | config["contrail-api-configured"] = True | 120 | config["contrail-api-configured"] = True |
89 | 96 | 121 | ||
90 | 97 | # inform relations | 122 | # inform relations |
94 | 98 | settings = { "private-address": control_network_ip(), | 123 | settings = {"private-address": control_network_ip(), |
95 | 99 | "port": api_port(), | 124 | "port": api_port(), |
96 | 100 | "vip": config.get("vip") } | 125 | "vip": config.get("vip")} |
97 | 126 | |||
98 | 127 | add_rbac_settings(settings) | ||
99 | 128 | |||
100 | 101 | for rid in relation_ids("contrail-api"): | 129 | for rid in relation_ids("contrail-api"): |
101 | 102 | relation_set(relation_id=rid, relation_settings=settings) | 130 | relation_set(relation_id=rid, relation_settings=settings) |
102 | 103 | 131 | ||
103 | 104 | configure_floating_ip_pools() | 132 | configure_floating_ip_pools() |
104 | 105 | 133 | ||
105 | 134 | |||
106 | 106 | def add_metadata(): | 135 | def add_metadata(): |
107 | 107 | # check relation dependencies | 136 | # check relation dependencies |
108 | 108 | if is_leader() \ | 137 | if is_leader() \ |
109 | @@ -112,6 +141,7 @@ | |||
110 | 112 | provision_metadata() | 141 | provision_metadata() |
111 | 113 | leader_set({"metadata-provisioned": True}) | 142 | leader_set({"metadata-provisioned": True}) |
112 | 114 | 143 | ||
113 | 144 | |||
114 | 115 | @hooks.hook("amqp-relation-changed") | 145 | @hooks.hook("amqp-relation-changed") |
115 | 116 | def amqp_changed(): | 146 | def amqp_changed(): |
116 | 117 | if not relation_get("password"): | 147 | if not relation_get("password"): |
117 | @@ -122,6 +152,7 @@ | |||
118 | 122 | add_contrail_api() | 152 | add_contrail_api() |
119 | 123 | add_metadata() | 153 | add_metadata() |
120 | 124 | 154 | ||
121 | 155 | |||
122 | 125 | @hooks.hook("amqp-relation-departed") | 156 | @hooks.hook("amqp-relation-departed") |
123 | 126 | @hooks.hook("amqp-relation-broken") | 157 | @hooks.hook("amqp-relation-broken") |
124 | 127 | def amqp_departed(): | 158 | def amqp_departed(): |
125 | @@ -131,10 +162,13 @@ | |||
126 | 131 | config["amqp-ready"] = False | 162 | config["amqp-ready"] = False |
127 | 132 | amqp_relation() | 163 | amqp_relation() |
128 | 133 | 164 | ||
133 | 134 | @restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], | 165 | |
134 | 135 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], | 166 | @restart_on_change( |
135 | 136 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | 167 | { |
136 | 137 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) | 168 | "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
137 | 169 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], | ||
138 | 170 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | ||
139 | 171 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) | ||
140 | 138 | def amqp_relation(): | 172 | def amqp_relation(): |
141 | 139 | write_contrail_api_config() | 173 | write_contrail_api_config() |
142 | 140 | write_contrail_svc_monitor_config() | 174 | write_contrail_svc_monitor_config() |
143 | @@ -142,10 +176,12 @@ | |||
144 | 142 | if version_compare(CONTRAIL_VERSION, "3.0") >= 0: | 176 | if version_compare(CONTRAIL_VERSION, "3.0") >= 0: |
145 | 143 | write_contrail_schema_config() | 177 | write_contrail_schema_config() |
146 | 144 | 178 | ||
147 | 179 | |||
148 | 145 | @hooks.hook("amqp-relation-joined") | 180 | @hooks.hook("amqp-relation-joined") |
149 | 146 | def amqp_joined(): | 181 | def amqp_joined(): |
150 | 147 | relation_set(username="contrail", vhost="contrail") | 182 | relation_set(username="contrail", vhost="contrail") |
151 | 148 | 183 | ||
152 | 184 | |||
153 | 149 | @hooks.hook("cassandra-relation-changed") | 185 | @hooks.hook("cassandra-relation-changed") |
154 | 150 | def cassandra_changed(): | 186 | def cassandra_changed(): |
155 | 151 | # 'port' is used in legacy precise charm | 187 | # 'port' is used in legacy precise charm |
156 | @@ -156,13 +192,15 @@ | |||
157 | 156 | units = len(cassandra_units()) | 192 | units = len(cassandra_units()) |
158 | 157 | required = config["cassandra-units"] | 193 | required = config["cassandra-units"] |
159 | 158 | if units < required: | 194 | if units < required: |
161 | 159 | log("{} cassandra unit(s) ready, require {} more".format(units, required - units)) | 195 | log("{} cassandra unit(s) ready, require {} more".format( |
162 | 196 | units, required - units)) | ||
163 | 160 | return | 197 | return |
164 | 161 | config["cassandra-ready"] = True | 198 | config["cassandra-ready"] = True |
165 | 162 | cassandra_relation() | 199 | cassandra_relation() |
166 | 163 | add_contrail_api() | 200 | add_contrail_api() |
167 | 164 | add_metadata() | 201 | add_metadata() |
168 | 165 | 202 | ||
169 | 203 | |||
170 | 166 | @hooks.hook("cassandra-relation-departed") | 204 | @hooks.hook("cassandra-relation-departed") |
171 | 167 | @hooks.hook("cassandra-relation-broken") | 205 | @hooks.hook("cassandra-relation-broken") |
172 | 168 | def cassandra_departed(): | 206 | def cassandra_departed(): |
173 | @@ -172,12 +210,15 @@ | |||
174 | 172 | config["cassandra-ready"] = False | 210 | config["cassandra-ready"] = False |
175 | 173 | cassandra_relation() | 211 | cassandra_relation() |
176 | 174 | 212 | ||
183 | 175 | @restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], | 213 | |
184 | 176 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], | 214 | @restart_on_change( |
185 | 177 | "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], | 215 | { |
186 | 178 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | 216 | "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
187 | 179 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], | 217 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
188 | 180 | "/etc/contrail/discovery.conf": ["supervisor-config"]}) | 218 | "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], |
189 | 219 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | ||
190 | 220 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], | ||
191 | 221 | "/etc/contrail/discovery.conf": ["supervisor-config"]}) | ||
192 | 181 | def cassandra_relation(): | 222 | def cassandra_relation(): |
193 | 182 | write_contrail_api_config() | 223 | write_contrail_api_config() |
194 | 183 | write_contrail_schema_config() | 224 | write_contrail_schema_config() |
195 | @@ -185,6 +226,7 @@ | |||
196 | 185 | write_contrail_svc_monitor_config() | 226 | write_contrail_svc_monitor_config() |
197 | 186 | write_device_manager_config() | 227 | write_device_manager_config() |
198 | 187 | 228 | ||
199 | 229 | |||
200 | 188 | @hooks.hook("config-changed") | 230 | @hooks.hook("config-changed") |
201 | 189 | def config_changed(): | 231 | def config_changed(): |
202 | 190 | write_config() | 232 | write_config() |
203 | @@ -197,8 +239,14 @@ | |||
204 | 197 | 239 | ||
205 | 198 | ip = control_network_ip() | 240 | ip = control_network_ip() |
206 | 199 | vip = config.get("vip") | 241 | vip = config.get("vip") |
209 | 200 | settings = { "private-address": ip, | 242 | settings = {"private-address": ip, |
210 | 201 | "vip": vip } | 243 | "vip": vip} |
211 | 244 | |||
212 | 245 | # a role fetched from keystone is used as a fallback | ||
213 | 246 | # hence we have to check if this relation is established | ||
214 | 247 | if config_get("identity-admin-ready"): | ||
215 | 248 | add_rbac_settings(settings) | ||
216 | 249 | |||
217 | 202 | for rid in relation_ids("contrail-api"): | 250 | for rid in relation_ids("contrail-api"): |
218 | 203 | relation_set(relation_id=rid, relation_settings=settings) | 251 | relation_set(relation_id=rid, relation_settings=settings) |
219 | 204 | for rid in relation_ids("contrail-discovery"): | 252 | for rid in relation_ids("contrail-discovery"): |
220 | @@ -217,12 +265,14 @@ | |||
221 | 217 | for rid in relation_ids("http-services"): | 265 | for rid in relation_ids("http-services"): |
222 | 218 | relation_set(relation_id=rid, services=services) | 266 | relation_set(relation_id=rid, services=services) |
223 | 219 | 267 | ||
224 | 268 | |||
225 | 220 | def config_get(key): | 269 | def config_get(key): |
226 | 221 | try: | 270 | try: |
227 | 222 | return config[key] | 271 | return config[key] |
228 | 223 | except KeyError: | 272 | except KeyError: |
229 | 224 | return None | 273 | return None |
230 | 225 | 274 | ||
231 | 275 | |||
232 | 226 | def configure_control_network(): | 276 | def configure_control_network(): |
233 | 227 | # unprovision/provision configuration on 3.0.2.0+ | 277 | # unprovision/provision configuration on 3.0.2.0+ |
234 | 228 | if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0: | 278 | if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0: |
235 | @@ -230,6 +280,7 @@ | |||
236 | 230 | unprovision_configuration() | 280 | unprovision_configuration() |
237 | 231 | provision_configuration() | 281 | provision_configuration() |
238 | 232 | 282 | ||
239 | 283 | |||
240 | 233 | def configure_floating_ip_pools(): | 284 | def configure_floating_ip_pools(): |
241 | 234 | if is_leader(): | 285 | if is_leader(): |
242 | 235 | floating_pools = config.get("floating-ip-pools") | 286 | floating_pools = config.get("floating-ip-pools") |
243 | @@ -237,16 +288,19 @@ | |||
244 | 237 | if floating_pools != previous_floating_pools: | 288 | if floating_pools != previous_floating_pools: |
245 | 238 | # create/destroy pools, activate/deactivate projects | 289 | # create/destroy pools, activate/deactivate projects |
246 | 239 | # according to new value | 290 | # according to new value |
252 | 240 | pools = { (pool["project"], | 291 | pools = {(pool["project"], |
253 | 241 | pool["network"], | 292 | pool["network"], |
254 | 242 | pool["pool-name"]): set(pool["target-projects"]) | 293 | pool["pool-name"]): set(pool["target-projects"]) |
255 | 243 | for pool in yaml.safe_load(floating_pools) } \ | 294 | for pool in yaml.safe_load(floating_pools)} \ |
256 | 244 | if floating_pools else {} | 295 | if floating_pools else {} |
257 | 245 | previous_pools = {} | 296 | previous_pools = {} |
258 | 246 | if previous_floating_pools: | 297 | if previous_floating_pools: |
259 | 247 | for pool in yaml.safe_load(previous_floating_pools): | 298 | for pool in yaml.safe_load(previous_floating_pools): |
260 | 248 | projects = pool["target-projects"] | 299 | projects = pool["target-projects"] |
262 | 249 | name = (pool["project"], pool["network"], pool["pool-name"]) | 300 | name = ( |
263 | 301 | pool["project"], | ||
264 | 302 | pool["network"], | ||
265 | 303 | pool["pool-name"]) | ||
266 | 250 | if name in pools: | 304 | if name in pools: |
267 | 251 | previous_pools[name] = set(projects) | 305 | previous_pools[name] = set(projects) |
268 | 252 | else: | 306 | else: |
269 | @@ -255,10 +309,12 @@ | |||
270 | 255 | if name not in previous_pools: | 309 | if name not in previous_pools: |
271 | 256 | floating_ip_pool_create(name, projects) | 310 | floating_ip_pool_create(name, projects) |
272 | 257 | else: | 311 | else: |
274 | 258 | floating_ip_pool_update(name, projects, previous_pools[name]) | 312 | floating_ip_pool_update( |
275 | 313 | name, projects, previous_pools[name]) | ||
276 | 259 | 314 | ||
277 | 260 | leader_set({"floating-ip-pools": floating_pools}) | 315 | leader_set({"floating-ip-pools": floating_pools}) |
278 | 261 | 316 | ||
279 | 317 | |||
280 | 262 | def configure_ssl(): | 318 | def configure_ssl(): |
281 | 263 | cert = config.get("ssl-ca") | 319 | cert = config.get("ssl-ca") |
282 | 264 | if cert: | 320 | if cert: |
283 | @@ -268,6 +324,7 @@ | |||
284 | 268 | if remove_ssl_ca_certificate(): | 324 | if remove_ssl_ca_certificate(): |
285 | 269 | service_restart("supervisor-config") | 325 | service_restart("supervisor-config") |
286 | 270 | 326 | ||
287 | 327 | |||
288 | 271 | @hooks.hook("contrail-analytics-api-relation-changed") | 328 | @hooks.hook("contrail-analytics-api-relation-changed") |
289 | 272 | def contrail_analytics_api_changed(): | 329 | def contrail_analytics_api_changed(): |
290 | 273 | if not relation_get("port"): | 330 | if not relation_get("port"): |
291 | @@ -275,27 +332,33 @@ | |||
292 | 275 | return | 332 | return |
293 | 276 | contrail_analytics_api_relation() | 333 | contrail_analytics_api_relation() |
294 | 277 | 334 | ||
295 | 335 | |||
296 | 278 | @hooks.hook("contrail-analytics-api-relation-departed") | 336 | @hooks.hook("contrail-analytics-api-relation-departed") |
297 | 279 | @hooks.hook("contrail-analytics-api-relation-broken") | 337 | @hooks.hook("contrail-analytics-api-relation-broken") |
299 | 280 | @restart_on_change({"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) | 338 | @restart_on_change( |
300 | 339 | {"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) | ||
301 | 281 | def contrail_analytics_api_relation(): | 340 | def contrail_analytics_api_relation(): |
302 | 282 | write_contrail_svc_monitor_config() | 341 | write_contrail_svc_monitor_config() |
303 | 283 | 342 | ||
304 | 343 | |||
305 | 284 | @hooks.hook("contrail-api-relation-joined") | 344 | @hooks.hook("contrail-api-relation-joined") |
306 | 285 | def contrail_api_joined(): | 345 | def contrail_api_joined(): |
307 | 286 | if config_get("contrail-api-configured"): | 346 | if config_get("contrail-api-configured"): |
311 | 287 | settings = { "private-address": control_network_ip(), | 347 | settings = {"private-address": control_network_ip(), |
312 | 288 | "port": api_port(), | 348 | "port": api_port(), |
313 | 289 | "vip": config.get("vip") } | 349 | "vip": config.get("vip")} |
314 | 350 | add_rbac_settings(settings) | ||
315 | 290 | relation_set(relation_settings=settings) | 351 | relation_set(relation_settings=settings) |
316 | 291 | 352 | ||
317 | 353 | |||
318 | 292 | @hooks.hook("contrail-discovery-relation-joined") | 354 | @hooks.hook("contrail-discovery-relation-joined") |
319 | 293 | def contrail_discovery_joined(): | 355 | def contrail_discovery_joined(): |
323 | 294 | settings = { "private-address": control_network_ip(), | 356 | settings = {"private-address": control_network_ip(), |
324 | 295 | "port": discovery_port(), | 357 | "port": discovery_port(), |
325 | 296 | "vip": config.get("vip") } | 358 | "vip": config.get("vip")} |
326 | 297 | relation_set(relation_settings=settings) | 359 | relation_set(relation_settings=settings) |
327 | 298 | 360 | ||
328 | 361 | |||
329 | 299 | @hooks.hook("contrail-ifmap-relation-joined") | 362 | @hooks.hook("contrail-ifmap-relation-joined") |
330 | 300 | def contrail_ifmap_joined(): | 363 | def contrail_ifmap_joined(): |
331 | 301 | if is_leader(): | 364 | if is_leader(): |
332 | @@ -303,12 +366,12 @@ | |||
333 | 303 | creds = json.loads(creds) if creds else {} | 366 | creds = json.loads(creds) if creds else {} |
334 | 304 | 367 | ||
335 | 305 | # prune credentials because we can't remove them directly lp #1469731 | 368 | # prune credentials because we can't remove them directly lp #1469731 |
342 | 306 | creds = { rid: { unit: units[unit] | 369 | creds = {rid: {unit: units[unit] |
343 | 307 | for unit, units in | 370 | for unit, units in |
344 | 308 | ((unit, creds[rid]) for unit in related_units(rid)) | 371 | ((unit, creds[rid]) for unit in related_units(rid)) |
345 | 309 | if unit in units } | 372 | if unit in units} |
346 | 310 | for rid in relation_ids("contrail-ifmap") | 373 | for rid in relation_ids("contrail-ifmap") |
347 | 311 | if rid in creds } | 374 | if rid in creds} |
348 | 312 | 375 | ||
349 | 313 | rid = relation_id() | 376 | rid = relation_id() |
350 | 314 | if rid not in creds: | 377 | if rid not in creds: |
351 | @@ -318,12 +381,13 @@ | |||
352 | 318 | if unit in cs: | 381 | if unit in cs: |
353 | 319 | return | 382 | return |
354 | 320 | # generate new credentials for unit | 383 | # generate new credentials for unit |
356 | 321 | cs[unit] = { "username": unit, "password": pwgen(32) } | 384 | cs[unit] = {"username": unit, "password": pwgen(32)} |
357 | 322 | leader_set({"ifmap-creds": json.dumps(creds)}) | 385 | leader_set({"ifmap-creds": json.dumps(creds)}) |
358 | 323 | write_ifmap_config() | 386 | write_ifmap_config() |
359 | 324 | service_restart("supervisor-config") | 387 | service_restart("supervisor-config") |
360 | 325 | relation_set(creds=json.dumps(cs)) | 388 | relation_set(creds=json.dumps(cs)) |
361 | 326 | 389 | ||
362 | 390 | |||
363 | 327 | def floating_ip_pool_create(name, projects): | 391 | def floating_ip_pool_create(name, projects): |
364 | 328 | # create pool | 392 | # create pool |
365 | 329 | fq_network = "default-domain:" + ":".join(name[:2]) | 393 | fq_network = "default-domain:" + ":".join(name[:2]) |
366 | @@ -335,6 +399,7 @@ | |||
367 | 335 | fq_project = "default-domain:" + project | 399 | fq_project = "default-domain:" + project |
368 | 336 | contrail_floating_ip_use(fq_project, fq_pool_name) | 400 | contrail_floating_ip_use(fq_project, fq_pool_name) |
369 | 337 | 401 | ||
370 | 402 | |||
371 | 338 | def floating_ip_pool_delete(name, projects): | 403 | def floating_ip_pool_delete(name, projects): |
372 | 339 | # deactivate pool for projects | 404 | # deactivate pool for projects |
373 | 340 | fq_pool_name = "default-domain:" + ":".join(name) | 405 | fq_pool_name = "default-domain:" + ":".join(name) |
374 | @@ -346,6 +411,7 @@ | |||
375 | 346 | fq_network = "default-domain:" + ":".join(name[:2]) | 411 | fq_network = "default-domain:" + ":".join(name[:2]) |
376 | 347 | contrail_floating_ip_delete(fq_network, name[2]) | 412 | contrail_floating_ip_delete(fq_network, name[2]) |
377 | 348 | 413 | ||
378 | 414 | |||
379 | 349 | def floating_ip_pool_update(name, projects, previous_projects): | 415 | def floating_ip_pool_update(name, projects, previous_projects): |
380 | 350 | fq_pool_name = "default-domain:" + ":".join(name) | 416 | fq_pool_name = "default-domain:" + ":".join(name) |
381 | 351 | 417 | ||
382 | @@ -359,24 +425,39 @@ | |||
383 | 359 | fq_project = "default-domain:" + project | 425 | fq_project = "default-domain:" + project |
384 | 360 | contrail_floating_ip_use(fq_project, fq_pool_name) | 426 | contrail_floating_ip_use(fq_project, fq_pool_name) |
385 | 361 | 427 | ||
386 | 428 | |||
387 | 362 | def http_services(): | 429 | def http_services(): |
388 | 363 | name = local_unit().replace("/", "-") | 430 | name = local_unit().replace("/", "-") |
389 | 364 | addr = control_network_ip() | 431 | addr = control_network_ip() |
400 | 365 | return [ { "service_name": "contrail-api", | 432 | return [{"service_name": "contrail-api", |
401 | 366 | "service_host": "0.0.0.0", | 433 | "service_host": "0.0.0.0", |
402 | 367 | "service_port": 8082, | 434 | "service_port": 8082, |
403 | 368 | "service_options": [ "mode http", "balance leastconn", "option httpchk GET /Snh_SandeshUVECacheReq?x=NodeStatus HTTP/1.0" ], | 435 | "service_options": ["mode http", |
404 | 369 | "servers": [ [ name, addr, api_port(), "check port 8084" ] ] }, | 436 | "balance leastconn", |
405 | 370 | { "service_name": "contrail-discovery", | 437 | "option httpchk GET " |
406 | 371 | "service_host": "0.0.0.0", | 438 | "/Snh_SandeshUVECacheReq?x=NodeStatus " |
407 | 372 | "service_port": 5998, | 439 | "HTTP/1.0"], |
408 | 373 | "service_options": [ "mode http", "balance leastconn", "option httpchk GET /services HTTP/1.0" ], | 440 | "servers": [[name, |
409 | 374 | "servers": [ [ name, addr, discovery_port(), "check" ] ] } ] | 441 | addr, |
410 | 442 | api_port(), | ||
411 | 443 | "check port 8084"]]}, | ||
412 | 444 | {"service_name": "contrail-discovery", | ||
413 | 445 | "service_host": "0.0.0.0", | ||
414 | 446 | "service_port": 5998, | ||
415 | 447 | "service_options": ["mode http", | ||
416 | 448 | "balance leastconn", | ||
417 | 449 | "option httpchk GET /services HTTP/1.0"], | ||
418 | 450 | "servers": [[name, | ||
419 | 451 | addr, | ||
420 | 452 | discovery_port(), | ||
421 | 453 | "check"]]}] | ||
422 | 454 | |||
423 | 375 | 455 | ||
424 | 376 | @hooks.hook("http-services-relation-joined") | 456 | @hooks.hook("http-services-relation-joined") |
425 | 377 | def http_services_joined(): | 457 | def http_services_joined(): |
426 | 378 | relation_set(services=yaml.dump(http_services())) | 458 | relation_set(services=yaml.dump(http_services())) |
427 | 379 | 459 | ||
428 | 460 | |||
429 | 380 | @hooks.hook("identity-admin-relation-changed") | 461 | @hooks.hook("identity-admin-relation-changed") |
430 | 381 | def identity_admin_changed(): | 462 | def identity_admin_changed(): |
431 | 382 | if not relation_get("service_hostname"): | 463 | if not relation_get("service_hostname"): |
432 | @@ -387,6 +468,7 @@ | |||
433 | 387 | add_contrail_api() | 468 | add_contrail_api() |
434 | 388 | add_metadata() | 469 | add_metadata() |
435 | 389 | 470 | ||
436 | 471 | |||
437 | 390 | @hooks.hook("identity-admin-relation-departed") | 472 | @hooks.hook("identity-admin-relation-departed") |
438 | 391 | @hooks.hook("identity-admin-relation-broken") | 473 | @hooks.hook("identity-admin-relation-broken") |
439 | 392 | def identity_admin_departed(): | 474 | def identity_admin_departed(): |
440 | @@ -396,10 +478,13 @@ | |||
441 | 396 | config["identity-admin-ready"] = False | 478 | config["identity-admin-ready"] = False |
442 | 397 | identity_admin_relation() | 479 | identity_admin_relation() |
443 | 398 | 480 | ||
448 | 399 | @restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], | 481 | |
449 | 400 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], | 482 | @restart_on_change( |
450 | 401 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | 483 | { |
451 | 402 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) | 484 | "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
452 | 485 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], | ||
453 | 486 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | ||
454 | 487 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) | ||
455 | 403 | def identity_admin_relation(): | 488 | def identity_admin_relation(): |
456 | 404 | write_contrail_api_config() | 489 | write_contrail_api_config() |
457 | 405 | write_contrail_schema_config() | 490 | write_contrail_schema_config() |
458 | @@ -409,6 +494,7 @@ | |||
459 | 409 | if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0: | 494 | if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0: |
460 | 410 | write_barbican_auth_config() | 495 | write_barbican_auth_config() |
461 | 411 | 496 | ||
462 | 497 | |||
463 | 412 | @hooks.hook("identity-service-relation-joined") | 498 | @hooks.hook("identity-service-relation-joined") |
464 | 413 | def identity_service_joined(): | 499 | def identity_service_joined(): |
465 | 414 | vip = config.get("vip") | 500 | vip = config.get("vip") |
466 | @@ -419,6 +505,7 @@ | |||
467 | 419 | internal_url=url, | 505 | internal_url=url, |
468 | 420 | admin_url=url) | 506 | admin_url=url) |
469 | 421 | 507 | ||
470 | 508 | |||
471 | 422 | @hooks.hook() | 509 | @hooks.hook() |
472 | 423 | def install(): | 510 | def install(): |
473 | 424 | configure_installation_source(config["openstack-origin"]) | 511 | configure_installation_source(config["openstack-origin"]) |
474 | @@ -437,8 +524,10 @@ | |||
475 | 437 | write_nodemgr_config() | 524 | write_nodemgr_config() |
476 | 438 | service_restart("contrail-config-nodemgr") | 525 | service_restart("contrail-config-nodemgr") |
477 | 439 | 526 | ||
478 | 527 | |||
479 | 440 | @hooks.hook("leader-settings-changed") | 528 | @hooks.hook("leader-settings-changed") |
481 | 441 | @restart_on_change({"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]}) | 529 | @restart_on_change( |
482 | 530 | {"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]}) | ||
483 | 442 | def leader_changed(): | 531 | def leader_changed(): |
484 | 443 | write_ifmap_config() | 532 | write_ifmap_config() |
485 | 444 | creds = leader_get("ifmap-creds") | 533 | creds = leader_get("ifmap-creds") |
486 | @@ -448,12 +537,14 @@ | |||
487 | 448 | if rid in creds: | 537 | if rid in creds: |
488 | 449 | relation_set(relation_id=rid, creds=json.dumps(creds[rid])) | 538 | relation_set(relation_id=rid, creds=json.dumps(creds[rid])) |
489 | 450 | 539 | ||
490 | 540 | |||
491 | 451 | def main(): | 541 | def main(): |
492 | 452 | try: | 542 | try: |
493 | 453 | hooks.execute(sys.argv) | 543 | hooks.execute(sys.argv) |
494 | 454 | except UnregisteredHookError as e: | 544 | except UnregisteredHookError as e: |
495 | 455 | log("Unknown hook {} - skipping.".format(e)) | 545 | log("Unknown hook {} - skipping.".format(e)) |
496 | 456 | 546 | ||
497 | 547 | |||
498 | 457 | @hooks.hook("neutron-metadata-relation-changed") | 548 | @hooks.hook("neutron-metadata-relation-changed") |
499 | 458 | def neutron_metadata_changed(): | 549 | def neutron_metadata_changed(): |
500 | 459 | if not relation_get("shared-secret"): | 550 | if not relation_get("shared-secret"): |
501 | @@ -462,6 +553,7 @@ | |||
502 | 462 | config["neutron-metadata-ready"] = True | 553 | config["neutron-metadata-ready"] = True |
503 | 463 | add_metadata() | 554 | add_metadata() |
504 | 464 | 555 | ||
505 | 556 | |||
506 | 465 | @hooks.hook("neutron-metadata-relation-departed") | 557 | @hooks.hook("neutron-metadata-relation-departed") |
507 | 466 | @hooks.hook("neutron-metadata-relation-broken") | 558 | @hooks.hook("neutron-metadata-relation-broken") |
508 | 467 | def neutron_metadata_departed(): | 559 | def neutron_metadata_departed(): |
509 | @@ -469,6 +561,7 @@ | |||
510 | 469 | remove_metadata() | 561 | remove_metadata() |
511 | 470 | config["neutron-metadata-ready"] = False | 562 | config["neutron-metadata-ready"] = False |
512 | 471 | 563 | ||
513 | 564 | |||
514 | 472 | def remove_contrail_api(): | 565 | def remove_contrail_api(): |
515 | 473 | if config_get("contrail-api-configured"): | 566 | if config_get("contrail-api-configured"): |
516 | 474 | # unprovision configuration on 3.0.2.0+ | 567 | # unprovision configuration on 3.0.2.0+ |
517 | @@ -476,6 +569,7 @@ | |||
518 | 476 | unprovision_configuration() | 569 | unprovision_configuration() |
519 | 477 | config["contrail-api-configured"] = False | 570 | config["contrail-api-configured"] = False |
520 | 478 | 571 | ||
521 | 572 | |||
522 | 479 | def remove_metadata(): | 573 | def remove_metadata(): |
523 | 480 | if is_leader() and leader_get("metadata-provisioned"): | 574 | if is_leader() and leader_get("metadata-provisioned"): |
524 | 481 | # impossible to know if current hook is firing because | 575 | # impossible to know if current hook is firing because |
525 | @@ -484,6 +578,7 @@ | |||
526 | 484 | unprovision_metadata() | 578 | unprovision_metadata() |
527 | 485 | leader_set({"metadata-provisioned": ""}) | 579 | leader_set({"metadata-provisioned": ""}) |
528 | 486 | 580 | ||
529 | 581 | |||
530 | 487 | @hooks.hook("upgrade-charm") | 582 | @hooks.hook("upgrade-charm") |
531 | 488 | def upgrade_charm(): | 583 | def upgrade_charm(): |
532 | 489 | write_ifmap_config() | 584 | write_ifmap_config() |
533 | @@ -496,12 +591,16 @@ | |||
534 | 496 | write_nodemgr_config() | 591 | write_nodemgr_config() |
535 | 497 | service_restart("supervisor-config") | 592 | service_restart("supervisor-config") |
536 | 498 | 593 | ||
539 | 499 | @restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], | 594 | |
540 | 500 | "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]}) | 595 | @restart_on_change( |
541 | 596 | { | ||
542 | 597 | "/etc/contrail/contrail-api.conf": ["supervisor-config"], | ||
543 | 598 | "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]}) | ||
544 | 501 | def write_config(): | 599 | def write_config(): |
545 | 502 | write_contrail_api_config() | 600 | write_contrail_api_config() |
546 | 503 | write_nodemgr_config() | 601 | write_nodemgr_config() |
547 | 504 | 602 | ||
548 | 603 | |||
549 | 505 | @hooks.hook("zookeeper-relation-changed") | 604 | @hooks.hook("zookeeper-relation-changed") |
550 | 506 | def zookeeper_changed(): | 605 | def zookeeper_changed(): |
551 | 507 | if not relation_get("port"): | 606 | if not relation_get("port"): |
552 | @@ -512,6 +611,7 @@ | |||
553 | 512 | add_contrail_api() | 611 | add_contrail_api() |
554 | 513 | add_metadata() | 612 | add_metadata() |
555 | 514 | 613 | ||
556 | 614 | |||
557 | 515 | @hooks.hook("zookeeper-relation-departed") | 615 | @hooks.hook("zookeeper-relation-departed") |
558 | 516 | @hooks.hook("zookeeper-relation-broken") | 616 | @hooks.hook("zookeeper-relation-broken") |
559 | 517 | def zookeeper_departed(): | 617 | def zookeeper_departed(): |
560 | @@ -521,12 +621,15 @@ | |||
561 | 521 | config["zookeeper-ready"] = False | 621 | config["zookeeper-ready"] = False |
562 | 522 | zookeeper_relation() | 622 | zookeeper_relation() |
563 | 523 | 623 | ||
570 | 524 | @restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], | 624 | |
571 | 525 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], | 625 | @restart_on_change( |
572 | 526 | "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], | 626 | { |
573 | 527 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | 627 | "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
574 | 528 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], | 628 | "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
575 | 529 | "/etc/contrail/discovery.conf": ["supervisor-config"]}) | 629 | "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], |
576 | 630 | "/etc/contrail/contrail-schema.conf": ["supervisor-config"], | ||
577 | 631 | "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], | ||
578 | 632 | "/etc/contrail/discovery.conf": ["supervisor-config"]}) | ||
579 | 530 | def zookeeper_relation(): | 633 | def zookeeper_relation(): |
580 | 531 | write_contrail_api_config() | 634 | write_contrail_api_config() |
581 | 532 | write_contrail_schema_config() | 635 | write_contrail_schema_config() |
582 | @@ -534,5 +637,6 @@ | |||
583 | 534 | write_contrail_svc_monitor_config() | 637 | write_contrail_svc_monitor_config() |
584 | 535 | write_device_manager_config() | 638 | write_device_manager_config() |
585 | 536 | 639 | ||
586 | 640 | |||
587 | 537 | if __name__ == "__main__": | 641 | if __name__ == "__main__": |
588 | 538 | main() | 642 | main() |
589 | 539 | 643 | ||
590 | === modified file 'hooks/contrail_configuration_utils.py' | |||
591 | --- hooks/contrail_configuration_utils.py 2017-03-10 12:49:07 +0000 | |||
592 | +++ hooks/contrail_configuration_utils.py 2017-03-23 15:13:02 +0000 | |||
593 | @@ -40,6 +40,7 @@ | |||
594 | 40 | 40 | ||
595 | 41 | apt_pkg.init() | 41 | apt_pkg.init() |
596 | 42 | 42 | ||
597 | 43 | |||
598 | 43 | def dpkg_version(pkg): | 44 | def dpkg_version(pkg): |
599 | 44 | try: | 45 | try: |
600 | 45 | return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip() | 46 | return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip() |
601 | @@ -155,10 +156,16 @@ | |||
602 | 155 | 156 | ||
603 | 156 | def contrail_ctx(): | 157 | def contrail_ctx(): |
604 | 157 | addr = control_network_ip() | 158 | addr = control_network_ip() |
605 | 159 | rbac = config.get("rbac") | ||
606 | 160 | cloud_admin_role = config.get("cloud-admin-role") | ||
607 | 161 | global_read_only_role = config.get("global-read-only-role") | ||
608 | 158 | return { "api_port": api_port(), | 162 | return { "api_port": api_port(), |
609 | 159 | "ifmap_server": addr, | 163 | "ifmap_server": addr, |
610 | 160 | "disc_server": addr, | 164 | "disc_server": addr, |
612 | 161 | "disc_port": discovery_port() } | 165 | "disc_port": discovery_port(), |
613 | 166 | "rbac": rbac, | ||
614 | 167 | "cloud_admin_role": cloud_admin_role, | ||
615 | 168 | "global_read_only_role": global_read_only_role } | ||
616 | 162 | 169 | ||
617 | 163 | def contrail_floating_ip_create(network, name): | 170 | def contrail_floating_ip_create(network, name): |
618 | 164 | user, password, tenant = [ (relation_get("service_username", unit, rid), | 171 | user, password, tenant = [ (relation_get("service_username", unit, rid), |
619 | @@ -344,7 +351,9 @@ | |||
620 | 344 | "admin_user": relation_get("service_username", unit, rid), | 351 | "admin_user": relation_get("service_username", unit, rid), |
621 | 345 | "admin_password": relation_get("service_password", unit, rid), | 352 | "admin_password": relation_get("service_password", unit, rid), |
622 | 346 | "admin_tenant_name": relation_get("service_tenant_name", unit, rid), | 353 | "admin_tenant_name": relation_get("service_tenant_name", unit, rid), |
624 | 347 | "auth_region": relation_get("service_region", unit, rid) } | 354 | "auth_region": relation_get("service_region", unit, rid), |
625 | 355 | "service_protocol": relation_get("service_protocol", unit, rid), | ||
626 | 356 | "api_version": relation_get("api_version", unit, rid)} | ||
627 | 348 | for rid in relation_ids("identity-admin") | 357 | for rid in relation_ids("identity-admin") |
628 | 349 | for unit, hostname in | 358 | for unit, hostname in |
629 | 350 | ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid)) | 359 | ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid)) |
630 | 351 | 360 | ||
631 | === added symlink 'hooks/identity-credentials-relation-changed' | |||
632 | === target is u'contrail_configuration_hooks.py' | |||
633 | === added symlink 'hooks/identity-credentials-relation-joined' | |||
634 | === target is u'contrail_configuration_hooks.py' | |||
635 | === modified file 'templates/contrail-api.conf' | |||
636 | --- templates/contrail-api.conf 2017-01-31 12:51:09 +0000 | |||
637 | +++ templates/contrail-api.conf 2017-03-23 15:13:02 +0000 | |||
638 | @@ -10,7 +10,16 @@ | |||
639 | 10 | ifmap_password = api-server | 10 | ifmap_password = api-server |
640 | 11 | cassandra_server_list = {{ cassandra_servers|join(" ") }} | 11 | cassandra_server_list = {{ cassandra_servers|join(" ") }} |
641 | 12 | auth = keystone | 12 | auth = keystone |
643 | 13 | multi_tenancy = True | 13 | |
644 | 14 | {% if rbac -%} | ||
645 | 15 | aaa_mode = rbac | ||
646 | 16 | {% else -%} | ||
647 | 17 | multi_tenancy = true | ||
648 | 18 | {% endif -%} | ||
649 | 19 | |||
650 | 20 | cloud_admin_role = {{ cloud_admin_role }} | ||
651 | 21 | global_read_only_role = {{ global_read_only_role }} | ||
652 | 22 | |||
653 | 14 | disc_server_ip = {{ disc_server }} | 23 | disc_server_ip = {{ disc_server }} |
654 | 15 | disc_server_port = {{ disc_port }} | 24 | disc_server_port = {{ disc_port }} |
655 | 16 | zk_server_ip = {{ zk_servers|join(",") }} | 25 | zk_server_ip = {{ zk_servers|join(",") }} |
See my comment