5 files changed, 41 insertions, 24 deletions

diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index df00e5507..57b72c7f3 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -8,6 +8,7 @@ etc.). The result is an environment ready for openshift-ansible.
 ## Dependencies
 
 * [Ansible 2.3](https://pypi.python.org/pypi/ansible)
+* [jinja2](http://jinja.pocoo.org/docs/2.9/)
 * [shade](https://pypi.python.org/pypi/shade)
 * python-dns
 
@@ -67,6 +68,9 @@ The `openstack_num_masters`, `openstack_num_infra` and
 `openstack_num_nodes` values specify the number of Master, Infra and
 App nodes to create.
 
+The `openstack_nodes_to_remove` allows you to specify the numerical indexes
+of App nodes that should be removed; for example, ['0', '2'],
+
 The `openstack_flat_secgrp`, controls Neutron security groups creation for Heat
 stacks. Set it to true, if you experience issues with sec group rules
 quotas. It trades security for number of rules, by sharing the same set
diff --git a/playbooks/provisioning/openstack/provision-openstack.yml b/playbooks/provisioning/openstack/provision-openstack.yml
index a2cf7b110..feea15d5d 100644
--- a/playbooks/provisioning/openstack/provision-openstack.yml
+++ b/playbooks/provisioning/openstack/provision-openstack.yml
@@ -24,6 +24,7 @@
     num_nodes: "{{ openstack_num_nodes }}"
     num_infra: "{{ openstack_num_infra }}"
     num_dns: "{{ openstack_num_dns | default(1) }}"
+    nodes_to_remove: "{{ openstack_nodes_to_remove | default([]) |  to_yaml }}"
     master_volume_size: "{{ docker_volume_size }}"
     app_volume_size: "{{ docker_volume_size }}"
     infra_volume_size: "{{ docker_volume_size }}"
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 047923253..7c9033828 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -12,46 +12,49 @@ openstack_num_masters: 1
 openstack_num_infra: 1
 openstack_num_nodes: 2
 
+# # Numerical index of nodes to remove
+# openstack_nodes_to_remove: []
+
 docker_volume_size: "15"
 
 openstack_subnet_prefix: "192.168.99"
 
 # # Red Hat subscription
 # # Using Red Hat Satellite:
-# rhsm_register: True
-# rhsm_satellite: 'sat-6.example.com'
-# rhsm_org: 'OPENSHIFT_ORG'
-# rhsm_activationkey: '<activation-key>'
+#rhsm_register: True
+#rhsm_satellite: 'sat-6.example.com'
+#rhsm_org: 'OPENSHIFT_ORG'
+#rhsm_activationkey: '<activation-key>'
 
 # # Or using RHN username, password and optionally pool:
-# rhsm_register: True
-# rhsm_username: '<username>'
-# rhsm_password: '<password>'
-# rhsm_pool: '<pool id>'
+#rhsm_register: True
+#rhsm_username: '<username>'
+#rhsm_password: '<password>'
+#rhsm_pool: '<pool id>'
 
-# rhsm_repos:
-#  - "rhel-7-server-rpms"
-#  - "rhel-7-server-ose-3.5-rpms"
-#  - "rhel-7-server-extras-rpms"
-#  - "rhel-7-fast-datapath-rpms"
+#rhsm_repos:
+# - "rhel-7-server-rpms"
+# - "rhel-7-server-ose-3.5-rpms"
+# - "rhel-7-server-extras-rpms"
+# - "rhel-7-fast-datapath-rpms"
 
 
 # # Roll-your-own DNS
-# openstack_num_dns: 0
-# external_nsupdate_keys:
-#   public:
-#     key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg=='
-#     key_algorithm: 'hmac-md5'
-#     server: '192.168.1.1'
-#   private:
-#     key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw=='
-#     key_algorithm: 'hmac-md5'
-#     server: '192.168.1.2'
+#openstack_num_dns: 0
+#external_nsupdate_keys:
+#  public:
+#    key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg=='
+#    key_algorithm: 'hmac-md5'
+#    server: '192.168.1.1'
+#  private:
+#    key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw=='
+#    key_algorithm: 'hmac-md5'
+#    server: '192.168.1.2'
 
 
 # NOTE(shadower): Do not change this value. The Ansible user is currently
 # hardcoded to `openshift`.
 ansible_user: openshift
 
-# Use a single security group for a cluster
+# # Use a single security group for a cluster
 openstack_flat_secgrp: false
diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml
index 2a4ef3a45..4831d6bc4 100644
--- a/roles/openstack-stack/defaults/main.yml
+++ b/roles/openstack-stack/defaults/main.yml
@@ -9,4 +9,5 @@ num_masters: 1
 num_nodes: 1
 num_dns: 1
 num_infra: 1
+nodes_to_remove: []
 etcd_volume_size: 2
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index 7fd52e52d..00a46896c 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -592,6 +592,8 @@ resources:
     type: OS::Heat::ResourceGroup
     properties:
       count: {{ num_nodes }}
+      removal_policies:
+      - resource_list: {{ nodes_to_remove }}
       resource_def:
         type: server.yaml
         properties:
@@ -664,6 +666,12 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
+# TODO(bogdando) filter only required node rules into infra-secgrp
+{% if openstack_flat_secgrp|bool %}
+            - { get_resource: flat-secgrp }
+{% else %}
+            - { get_resource: node-secgrp }
+{% endif %}
             - { get_resource: infra-secgrp }
             - { get_resource: common-secgrp }
           floating_network: {{ external_network }}