93ad57f47e
Add TLS support for backend Neutron API Server communication using HAProxy to perform TLS termination. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Neutron service. Change-Id: Ib333a1f1bd12491df72a9e52d961161210e2d330 Partially-Implements: blueprint add-ssl-internal-network
185 lines
6.3 KiB
YAML
185 lines
6.3 KiB
YAML
---
|
|
project_name: "common"
|
|
|
|
common_services:
|
|
fluentd:
|
|
container_name: fluentd
|
|
group: fluentd
|
|
enabled: "{{ enable_fluentd | bool }}"
|
|
image: "{{ fluentd_image_full }}"
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
|
|
volumes: "{{ fluentd_default_volumes + fluentd_extra_volumes }}"
|
|
dimensions: "{{ fluentd_dimensions }}"
|
|
kolla-toolbox:
|
|
container_name: kolla_toolbox
|
|
group: kolla-toolbox
|
|
enabled: True
|
|
image: "{{ kolla_toolbox_image_full }}"
|
|
environment:
|
|
ANSIBLE_NOCOLOR: "1"
|
|
ANSIBLE_LIBRARY: "/usr/share/ansible"
|
|
privileged: True
|
|
volumes: "{{ kolla_toolbox_default_volumes + kolla_toolbox_extra_volumes }}"
|
|
dimensions: "{{ kolla_toolbox_dimensions }}"
|
|
# DUMMY_ENVIRONMENT is needed because empty environment is not supported
|
|
cron:
|
|
container_name: cron
|
|
group: cron
|
|
enabled: True
|
|
image: "{{ cron_image_full }}"
|
|
environment:
|
|
DUMMY_ENVIRONMENT: kolla_useless_env
|
|
volumes: "{{ cron_default_volumes + cron_extra_volumes }}"
|
|
dimensions: "{{ cron_dimensions }}"
|
|
|
|
#######################
|
|
# TLS and authenication
|
|
#######################
|
|
|
|
fluentd_elasticsearch_path: ""
|
|
fluentd_elasticsearch_scheme: "{{ internal_protocol }}"
|
|
fluentd_elasticsearch_user: ""
|
|
fluentd_elasticsearch_password: ""
|
|
fluentd_elasticsearch_ssl_version: "TLSv1_2"
|
|
fluentd_elasticsearch_ssl_verify: "true"
|
|
fluentd_elasticsearch_cacert: "{{ openstack_cacert }}"
|
|
|
|
####################
|
|
# Docker
|
|
####################
|
|
common_install_type: "{{ kolla_install_type }}"
|
|
common_tag: "{{ openstack_tag }}"
|
|
|
|
cron_dimensions: "{{ default_container_dimensions }}"
|
|
kolla_toolbox_dimensions: "{{ default_container_dimensions }}"
|
|
fluentd_dimensions: "{{ default_container_dimensions }}"
|
|
|
|
kolla_toolbox_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ common_install_type }}-kolla-toolbox"
|
|
kolla_toolbox_tag: "{{ common_tag }}"
|
|
kolla_toolbox_image_full: "{{ kolla_toolbox_image }}:{{ kolla_toolbox_tag }}"
|
|
|
|
cron_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ common_install_type }}-cron"
|
|
cron_tag: "{{ common_tag }}"
|
|
cron_image_full: "{{ cron_image }}:{{ cron_tag }}"
|
|
|
|
fluentd_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ common_install_type }}-fluentd"
|
|
fluentd_tag: "{{ common_tag }}"
|
|
fluentd_image_full: "{{ fluentd_image }}:{{ fluentd_tag }}"
|
|
|
|
syslog_swift_facility: "local0"
|
|
syslog_haproxy_facility: "local1"
|
|
syslog_glance_tls_proxy_facility: "local2"
|
|
syslog_neutron_tls_proxy_facility: "local4"
|
|
|
|
kolla_toolbox_default_volumes:
|
|
- "{{ node_config_directory }}/kolla-toolbox/:{{ container_config_directory }}/:ro"
|
|
- "/etc/localtime:/etc/localtime:ro"
|
|
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_os_family == 'Debian' else '' }}"
|
|
- "/dev/:/dev/"
|
|
- "/run/:/run/:shared"
|
|
- "kolla_logs:/var/log/kolla/"
|
|
cron_default_volumes:
|
|
- "{{ node_config_directory }}/cron/:{{ container_config_directory }}/:ro"
|
|
- "/etc/localtime:/etc/localtime:ro"
|
|
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_os_family == 'Debian' else '' }}"
|
|
- "kolla_logs:/var/log/kolla/"
|
|
fluentd_default_volumes:
|
|
- "{{ node_config_directory }}/fluentd/:{{ container_config_directory }}/:ro"
|
|
- "/etc/localtime:/etc/localtime:ro"
|
|
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_os_family == 'Debian' else '' }}"
|
|
- "kolla_logs:/var/log/kolla/"
|
|
- "fluentd_data:/var/lib/fluentd/data/"
|
|
kolla_toolbox_extra_volumes: "{{ default_extra_volumes }}"
|
|
cron_extra_volumes: "{{ default_extra_volumes }}"
|
|
fluentd_extra_volumes: "{{ default_extra_volumes }}"
|
|
|
|
cron_logrotate_rotation_interval: "weekly"
|
|
cron_logrotate_rotation_count: 6
|
|
|
|
####################
|
|
# Fluentd
|
|
####################
|
|
|
|
fluentd_input_openstack_services:
|
|
- name: aodh
|
|
enabled: "{{ enable_aodh | bool }}"
|
|
- name: barbican
|
|
enabled: "{{ enable_barbican | bool }}"
|
|
- name: blazar
|
|
enabled: "{{ enable_blazar | bool }}"
|
|
- name: ceilometer
|
|
enabled: "{{ enable_ceilometer | bool }}"
|
|
- name: cinder
|
|
enabled: "{{ enable_cinder | bool }}"
|
|
- name: cloudkitty
|
|
enabled: "{{ enable_cloudkitty | bool }}"
|
|
- name: cyborg
|
|
enabled: "{{ enable_cyborg | bool }}"
|
|
- name: designate
|
|
enabled: "{{ enable_designate | bool }}"
|
|
- name: freezer
|
|
enabled: "{{ enable_freezer | bool }}"
|
|
- name: glance
|
|
enabled: "{{ enable_glance | bool }}"
|
|
- name: glance-tls-proxy
|
|
enabled: "{{ enable_glance | bool }}"
|
|
- name: gnocchi
|
|
enabled: "{{ enable_gnocchi | bool }}"
|
|
- name: heat
|
|
enabled: "{{ enable_heat | bool }}"
|
|
- name: horizon
|
|
enabled: "{{ enable_horizon | bool }}"
|
|
- name: ironic
|
|
enabled: "{{ enable_ironic | bool }}"
|
|
- name: ironic-inspector
|
|
enabled: "{{ enable_ironic | bool }}"
|
|
- name: karbor
|
|
enabled: "{{ enable_karbor | bool }}"
|
|
- name: keystone
|
|
enabled: "{{ enable_keystone | bool }}"
|
|
- name: kuryr
|
|
enabled: "{{ enable_kuryr | bool }}"
|
|
- name: magnum
|
|
enabled: "{{ enable_magnum | bool }}"
|
|
- name: manila
|
|
enabled: "{{ enable_manila | bool }}"
|
|
- name: masakari
|
|
enabled: "{{ enable_masakari | bool }}"
|
|
- name: mistral
|
|
enabled: "{{ enable_mistral | bool }}"
|
|
- name: monasca
|
|
enabled: "{{ enable_monasca | bool }}"
|
|
- name: murano
|
|
enabled: "{{ enable_murano | bool }}"
|
|
- name: neutron
|
|
enabled: "{{ enable_neutron | bool }}"
|
|
- name: neutron-tls-proxy
|
|
enabled: "{{ neutron_enable_tls_backend | bool }}"
|
|
- name: nova
|
|
enabled: "{{ enable_nova | bool }}"
|
|
- name: octavia
|
|
enabled: "{{ enable_octavia | bool }}"
|
|
- name: panko
|
|
enabled: "{{ enable_panko | bool }}"
|
|
- name: qinling
|
|
enabled: "{{ enable_qinling | bool }}"
|
|
- name: rally
|
|
enabled: "{{ enable_rally | bool }}"
|
|
- name: sahara
|
|
enabled: "{{ enable_sahara | bool }}"
|
|
- name: searchlight
|
|
enabled: "{{ enable_searchlight | bool }}"
|
|
- name: senlin
|
|
enabled: "{{ enable_senlin | bool }}"
|
|
- name: solum
|
|
enabled: "{{ enable_solum | bool }}"
|
|
- name: tacker
|
|
enabled: "{{ enable_tacker | bool }}"
|
|
- name: trove
|
|
enabled: "{{ enable_trove | bool }}"
|
|
- name: watcher
|
|
enabled: "{{ enable_watcher | bool }}"
|
|
|
|
fluentd_enabled_input_openstack_services: "{{ fluentd_input_openstack_services | selectattr('enabled', 'equalto', true) | map(attribute='name') | list }}"
|