761ea9a333
This change adds support for encryption of communication between OpenStack services and RabbitMQ. Server certificates are supported, but currently client certificates are not. The kolla-ansible certificates command has been updated to support generating certificates for RabbitMQ for development and testing. RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when the Zuul 'tls_enabled' variable is true. Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5 Implements: blueprint message-queue-ssl-support
{#
Jinja template for the Designate service configuration rendered by kolla-ansible.
The same template is rendered for each Designate service (see the
service_name check around [service:mdns]); all values in double braces come
from the role/group variables.

The rendered file contains plain-text secrets (the Keystone service password,
the database password and memcache_secret_key), so the generated file must
only be readable by the service user.

Comment style: '#' full-line comments are kept in the rendered file and are
ignored by oslo.config; Jinja comments like this one are not rendered at all.
#}
[DEFAULT]

# Enables debug-level logging for every Designate service.
debug = {{ designate_logging_debug }}

# Directory for the Designate service logs.
log_dir = /var/log/kolla/designate

# RPC message bus URL. When RabbitMQ TLS is enabled, the client-side TLS
# settings for this transport are in [oslo_messaging_rabbit] below.
transport_url = {{ rpc_transport_url }}

[service:central]
# Pool that newly created zones are assigned to.
default_pool_id = {{ designate_pool_id }}
workers = {{ openstack_service_workers }}

[service:api]
# Bind address:port of the API service.
listen = {{ api_interface_address | put_address_in_context('url') }}:{{ designate_api_listen_port }}
# Base URI used in links returned by the API.
api_base_uri = {{ designate_internal_endpoint }}
workers = {{ openstack_service_workers }}
# The admin API (extensions listed in enabled_extensions_admin) is exposed;
# NOTE(review): authorization for it is expected to come from the oslo.policy
# rules, so keep the policy file (see [oslo_policy]) in step with this setting.
enable_api_admin = True
# NOTE(review): presumably lets the API build URLs from the incoming Host
# header; that is only safe when the API is reached through a trusted proxy.
enable_host_header = True
# Comma-separated list of admin API extensions to enable.
enabled_extensions_admin = quotas, reports

[keystone_authtoken]
# URI advertised to clients in WWW-Authenticate challenges.
www_authenticate_uri = {{ keystone_internal_url }}
# URL keystonemiddleware itself uses to validate incoming tokens.
auth_url = {{ keystone_admin_url }}
# Service-account credentials used for token validation (password is
# rendered in plain text here).
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ designate_keystone_user }}
password = {{ designate_keystone_password }}
# Seconds to wait when connecting to Keystone.
http_connect_timeout = 60
# Reject requests carrying a service token whose user lacks the configured
# service roles (hardening; keystonemiddleware defaults this to False).
service_token_roles_required = True
# CA bundle used to verify Keystone's TLS certificate.
cafile = {{ openstack_cacert }}

# Validated tokens cached in memcached are encrypted and authenticated with
# memcache_secret_key (the other strategies are MAC and None).
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
# Comma-separated host:port list built from the 'memcached' inventory group.
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

[service:sink]
# Each handler named here is configured in its own [handler:<name>] section
# further down in this file.
enabled_notification_handlers = nova_fixed, neutron_floatingip
workers = {{ openstack_service_workers }}

{% if service_name == 'designate-mdns' %}
# Only rendered for the mdns service.
[service:mdns]
# Bind address:port on the DNS network for zone transfers to the backends.
listen = {{ 'dns' | kolla_address | put_address_in_context('url') }}:{{ designate_mdns_port }}
workers = {{ openstack_service_workers }}
{% endif %}

[service:worker]
workers = {{ openstack_service_workers }}

[service:producer]
workers = {{ openstack_service_workers }}
# Threads per producer worker.
threads = 1000
# NOTE(review): oslo.config parses this as the literal list item 'None', not
# as Python None; confirm this still selects the intended (all) tasks.
enabled_tasks = None
export_synchronous = True

[network_api:neutron]
# Use the internal Neutron endpoint from the service catalog.
endpoint_type = internalURL

[storage:sqlalchemy]
# Database DSN; the password is embedded in the URL.
connection = mysql+pymysql://{{ designate_database_user }}:{{ designate_database_password }}@{{ designate_database_address }}/{{ designate_database_name }}
max_retries = 10
# Seconds before an idle pooled connection is recycled.
idle_timeout = 3600

[handler:nova_fixed]
# NOTE: zone_id must be filled in manually with a zone ID taken from
# 'openstack zone list'; it is rendered empty here.
zone_id =
notification_topics = {{ designate_notifications_topic_name }}
control_exchange = nova
# formatv4/formatv6 are multi-valued options: every repeated key appends
# another record name format, it does not override the previous one. The
# %(...)s placeholders are expanded by the handler, not by the config parser.
formatv4 = '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(zone)s'
formatv4 = '%(hostname)s.%(project)s.%(zone)s'
formatv4 = '%(hostname)s.%(zone)s'
formatv6 = '%(hostname)s.%(zone)s'
formatv6 = '%(hostname)s.%(project)s.%(zone)s'

[handler:neutron_floatingip]
# NOTE: zone_id must be filled in manually with a zone ID taken from
# 'openstack zone list'; it is rendered empty here.
zone_id =
notification_topics = {{ designate_notifications_topic_name }}
control_exchange = neutron
formatv4 = '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(zone)s'

[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
{% if designate_enabled_notification_topics %}
driver = messagingv2
# Comma-separated topic names taken from the enabled topic definitions.
topics = {{ designate_enabled_notification_topics | map(attribute='name') | join(',') }}
{% else %}
# No topics enabled: notifications are discarded.
driver = noop
{% endif %}

{% if om_enable_rabbitmq_tls | bool %}
# Rendered only when RabbitMQ TLS is turned on. The CA file lets the client
# verify the broker's server certificate; no client certificate is configured.
[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}

[oslo_concurrency]
# Directory for oslo.concurrency lock files.
lock_path = /var/lib/designate/tmp

[oslo_middleware]
# Trusts X-Forwarded-* headers when building URLs. This is only safe while
# the API is reachable exclusively through a trusted proxy that sets them.
enable_proxy_headers_parsing = True

{% if designate_policy_file is defined %}
# Custom policy file, only rendered when the deployer provides one.
[oslo_policy]
policy_file = {{ designate_policy_file }}
{% endif %}

[coordination]
# Only the redis backend is wired up; with any other backend this section
# is rendered empty.
{% if designate_coordination_backend == 'redis' %}
backend_url = {{ redis_connection_string }}
{% endif %}
{#
NOTE(yoctozepto): etcd is not supported due to lack of group membership
support via tooz, see https://launchpad.net/bugs/1872205
#}