diff --git a/templates/octavia.conf.j2 b/templates/octavia.conf.j2 index 30bd117d..76bcc781 100644 --- a/templates/octavia.conf.j2 +++ b/templates/octavia.conf.j2 @@ -1,34 +1,15 @@ [DEFAULT] -# Print debugging output (set logging level to DEBUG instead of default WARNING level). debug = {{ debug }} use_journal = True - -# Plugin options are hot_plug_plugin (Hot-pluggable controller plugin) -# -# octavia_plugins = hot_plug_plugin - -# Hostname to be used by the host machine for services running on it. -# The default value is the hostname of the host machine. -# host = - -# AMQP Transport URL -# For Single Host, specify one full transport URL: -# transport_url = rabbit://:@127.0.0.1:5672/ -# For HA, specify queue nodes in cluster, comma delimited: -# transport_url = rabbit://:@server01,:@server02/ - transport_url = {{ octavia_oslomsg_rpc_transport }}://{% for host in octavia_oslomsg_rpc_servers.split(',') %}{{ octavia_oslomsg_rpc_userid }}:{{ octavia_oslomsg_rpc_password }}@{{ host }}:{{ octavia_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_rpc_vhost }}{% if octavia_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %} [oslo_messaging_notifications] transport_url = {{ octavia_oslomsg_notify_transport }}://{% for host in octavia_oslomsg_notify_servers.split(',') %}{{ octavia_oslomsg_notify_userid }}:{{ octavia_oslomsg_notify_password }}@{{ host }}:{{ octavia_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_notify_vhost }}{% if octavia_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %} [api_settings] -bind_host = 0.0.0.0 +bind_host = {{ octavia_uwsgi_bind_address }} bind_port = {{ octavia_service_port }} -# api_handler = queue_producer -# -# How should authentication be handled (keystone, noauth) -# Note: remove "noauth" once LP bug is fixed + auth_strategy = {{ octavia_auth_strategy }} # Allow users to create TLS Terminated listeners? @@ -52,13 +33,7 @@ bind_port = {{ octavia_health_manager_port }} # controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555 controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %} -# failover_threads = 10 -# status_update_threads = 50 -# heartbeat_interval = 10 heartbeat_key = {{ octavia_health_hmac_key }} -# heartbeat_timeout = 60 -# health_check_interval = 3 -# sock_rlimit = 0 # EventStreamer options are # queue_event_streamer, @@ -83,8 +58,9 @@ region_name = {{ keystone_service_region }} auth_type = password endpoint_type = {{ octavia_clients_endpoint }} memcached_servers = {{ octavia_memcached_servers }} - token_cache_time = 300 +service_token_roles = "{{ octavia_service_role_name }}" +service_token_roles_required = True # if your memcached server is shared, use these settings to avoid cache poisoning memcache_security_strategy = ENCRYPT @@ -98,134 +74,42 @@ ca_certificate = /etc/octavia/certs/ca.pem ca_private_key = /etc/octavia/certs/ca_key.pem ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }} signing_digest = {{ octavia_signing_digest }} -# storage_path = /var/lib/octavia/certificates/ - -# For the TLS management -# Certificate Manager options are local_cert_manager -# barbican_cert_manager -# cert_manager = barbican_cert_manager -# For Barbican authentication (if using any Barbican based cert class) -# barbican_auth = barbican_acl_auth -# -# Region in Identity service catalog to use for communication with the Barbican service. -# region_name = -# -# Endpoint type to use for communication with the Barbican service. endpoint_type = {{ octavia_clients_endpoint }} - -[anchor] -# Use OpenStack anchor to sign the amphora REST API certificates -# url = http://localhost:9999/v1/sign/default -# username = -# password = - -[networking] -# The maximum attempts to retry an action with the networking service. -# max_retries = 15 -# Seconds to wait before retrying an action with the networking service. -# retry_interval = 1 -# The maximum time to wait, in seconds, for a port to detach from an amphora -# port_detach_timeout = 300 - [haproxy_amphora] -# base_path = /var/lib/octavia -# base_cert_dir = /var/lib/octavia/certs -# Absolute path to a custom HAProxy template file {% if octavia_haproxy_amphora_template is defined %} haproxy_template = {{ octavia_haproxy_amphora_template }} {% endif %} -# connection_max_retries = 300 -# connection_retry_interval = 5 -# Maximum number of entries that can fit in the stick table. -# The size supports "k", "m", "g" suffixes. -# haproxy_stick_size = 10k - -# REST Driver specific -# bind_host = 0.0.0.0 bind_port = {{ octavia_agent_port }} -# -# This setting is only needed with IPv6 link-local addresses (fe80::/64) are -# used for communication between Octavia and its Amphora, if IPv4 or other IPv6 -# addresses are used it can be ignored. -# lb_network_interface = o-hm0 -# -# haproxy_cmd = /usr/sbin/haproxy -# respawn_count = 2 -# respawn_interval = 2 + client_cert = /etc/octavia/certs/client.pem server_ca = /etc/octavia/certs/server_ca.pem -# -# This setting is deprecated. It is now automatically discovered. -# use_upstart = True -# -# rest_request_conn_timeout = 10 -# rest_request_read_timeout = 60 + [controller_worker] amp_active_retries = {{ octavia_amp_active_retries }} -# amp_active_wait_sec = 10 -# Glance parameters to extract image ID to use for amphora. Only one of -# parameters is needed. Using tags is the recommended way to refer to images. amp_image_id = {{ octavia_amp_image_id }} amp_image_tag = {{ octavia_glance_image_tag }} -# Optional owner ID used to restrict glance images to one owner ID. -# This is a recommended security setting. amp_image_owner_id = {{ octavia_amp_image_owner_id }} -# octavia parameters to use when booting amphora amp_flavor_id = {{ octavia_nova_flavor_uuid }} amp_ssh_key_name = {{ octavia_ssh_key_name }} amp_ssh_access_allowed = {{ octavia_ssh_enabled }} - - -# Networks to attach to the Amphorae examples: -# - One primary network -# - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666 -# - Multiple networks -# - - amp_boot_network_list = 11111111-2222-33333-4444-555555555555, 22222222-3333-4444-5555-666666666666 -# - All networks defined in the list will be attached to each amphora amp_boot_network_list = {{ octavia_neutron_management_network_uuid }} - -# Takes a single network id that is attached to amphorae on boot -# Deprecated... -# amp_network = - amp_secgroup_list = {{ octavia_security_group_name }} client_ca = /etc/octavia/certs/client_ca.pem - -# Amphora driver options are amphora_noop_driver, -# amphora_haproxy_rest_driver -# amphora_driver = {{ octavia_amphora_driver }} -# -# Compute driver options are compute_noop_driver -# compute_octavia_driver -# compute_driver = {{ octavia_compute_driver }} -# -# Network driver options are network_noop_driver -# allowed_address_pairs_driver -# network_driver = {{ octavia_network_driver }} -# -# Cinder Volume driver options are volume_noop_driver -# volume_cinder_driver -# + {% if octavia_cinder_enabled %} volume_driver = volume_cinder_driver {% else %} volume_driver = volume_noop_driver {% endif %} -# -# Certificate Generator options are local_cert_generator -# barbican_cert_generator -# anchor_cert_generator -# cert_generator = local_cert_generator -# -# Load balancer topology options are SINGLE, ACTIVE_STANDBY + loadbalancer_topology = {{ octavia_loadbalancer_topology }} -# user_data_config_drive = False + [task_flow] # engine = serial @@ -248,49 +132,10 @@ event_stream_transport_url = {{ neutron_oslomsg_rpc_transport }}://{% for host i [house_keeping] -# Interval in seconds to initiate spare amphora checks -# spare_check_interval = 30 spare_amphora_pool_size = {{ octavia_spare_amphora_pool_size }} -# Cleanup interval for Deleted amphora -# cleanup_interval = 30 -# Amphora expiry age in seconds. Default is 1 week -# amphora_expiry_age = 604800 - -# Load balancer expiry age in seconds. Default is 1 week -# load_balancer_expiry_age = 604800 - -[amphora_agent] -# agent_server_ca = /etc/octavia/certs/client_ca.pem -# agent_server_cert = /etc/octavia/certs/server.pem -# agent_server_network_dir = /etc/netns/amphora-haproxy/network/interfaces.d/ -# agent_server_network_file = -# agent_request_read_timeout = 120 - -[keepalived_vrrp] -# Amphora Role/Priority advertisement interval in seconds -# vrrp_advert_int = 1 - -# Service health check interval and success/fail count -# vrrp_check_interval = 5 -# vrpp_fail_count = 2 -# vrrp_success_count = 2 - -# Amphora MASTER gratuitous ARP refresh settings -# vrrp_garp_refresh_interval = 5 -# vrrp_garp_refresh_count = 2 [service_auth] -# memcached_servers = -# signing_dir = -# cafile = /opt/stack/data/ca-bundle.pem -# project_domain_name = Default -# project_name = admin -# user_domain_name = Default -# password = password -# username = admin -# auth_type = password -# auth_url = http://localhost:5555/ insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ octavia_keystone_auth_plugin }} auth_url = {{ keystone_service_internaluri }}/v3 @@ -313,41 +158,12 @@ memcache_secret_key = {{ memcached_encryption_key }} [octavia] -# The name of the octavia service in the keystone catalog -# service_name = -# Custom octavia endpoint if override is necessary -# endpoint = - -# Region in Identity service catalog to use for communication with the -# OpenStack services. region_name = {{ keystone_service_region }} - -# Endpoint type in Identity service catalog to use for communication with -# the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} -# CA certificates file to verify neutron connections when TLS is enabled -# insecure = False -# ca_certificates_file = - [nova] -# The name of the nova service in the keystone catalog -# service_name = -# Custom nova endpoint if override is necessary -# endpoint = - -# Region in Identity service catalog to use for communication with the -# OpenStack services. region_name = {{ keystone_service_region }} - -# Endpoint type in Identity service catalog to use for communication with -# the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} - -# CA certificates file to verify neutron connections when TLS is enabled -# insecure = False -# ca_certificates_file = - enable_anti_affinity = {{ octavia_enable_anti_affinity }} {% if octavia_amp_availability_zone is defined %}availability_zone={{ octavia_amp_availability_zone }}{%endif%} @@ -366,37 +182,9 @@ volume_create_max_retries = 2 {% endif %} [glance] -# The name of the glance service in the keystone catalog -# service_name = -# Custom glance endpoint if override is necessary -# endpoint = - -# Region in Identity service catalog to use for communication with the -# OpenStack services. region_name = {{ keystone_service_region }} - -# Endpoint type in Identity service catalog to use for communication with -# the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} -# CA certificates file to verify neutron connections when TLS is enabled -# insecure = False -# ca_certificates_file = - [neutron] -# The name of the neutron service in the keystone catalog -# service_name = -# Custom neutron endpoint if override is necessary -# endpoint = - -# Region in Identity service catalog to use for communication with the -# OpenStack services. region_name = {{ keystone_service_region }} - -# Endpoint type in Identity service catalog to use for communication with -# the OpenStack services. endpoint_type = {{ octavia_clients_endpoint }} - -# CA certificates file to verify neutron connections when TLS is enabled -# insecure = False -# ca_certificates_file =