Cleanup octavia configuration

This drops unused or fully commented out sections out of octavia.conf.
Also we start using service_token_roles as current behavior has been
deprecated a while ago

Change-Id: I1b2fe1cc2c6330e68d1acfa1b50bf732f77e8255

templates/octavia.conf.j2

@@ -1,34 +1,15 @@
 [DEFAULT]
-# Print debugging output (set logging level to DEBUG instead of default WARNING level).
 debug = {{ debug }}
 use_journal = True
-
-# Plugin options are hot_plug_plugin (Hot-pluggable controller plugin)
-#
-# octavia_plugins = hot_plug_plugin
-
-# Hostname to be used by the host machine for services running on it.
-# The default value is the hostname of the host machine.
-# host =
-
-# AMQP Transport URL
-# For Single Host, specify one full transport URL:
-#   transport_url = rabbit://<user>:<pass>@127.0.0.1:5672/<vhost>
-# For HA, specify queue nodes in cluster, comma delimited:
-#   transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>
-
 transport_url = {{ octavia_oslomsg_rpc_transport }}://{% for host in octavia_oslomsg_rpc_servers.split(',') %}{{ octavia_oslomsg_rpc_userid }}:{{ octavia_oslomsg_rpc_password }}@{{ host }}:{{ octavia_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_rpc_vhost }}{% if octavia_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
 
 [oslo_messaging_notifications]
 transport_url = {{ octavia_oslomsg_notify_transport }}://{% for host in octavia_oslomsg_notify_servers.split(',') %}{{ octavia_oslomsg_notify_userid }}:{{ octavia_oslomsg_notify_password }}@{{ host }}:{{ octavia_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_notify_vhost }}{% if octavia_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
 
 [api_settings]
-bind_host = 0.0.0.0
+bind_host = {{ octavia_uwsgi_bind_address }}
 bind_port = {{ octavia_service_port }}
-# api_handler = queue_producer
-#
-# How should authentication be handled (keystone, noauth)
-# Note: remove "noauth" once LP bug is fixed
+
 auth_strategy = {{ octavia_auth_strategy }}
 
 # Allow users to create TLS Terminated listeners?
@@ -52,13 +33,7 @@ bind_port = {{ octavia_health_manager_port }}
 # controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
 controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
-# failover_threads = 10
-# status_update_threads = 50
-# heartbeat_interval = 10
 heartbeat_key = {{ octavia_health_hmac_key }}
-# heartbeat_timeout = 60
-# health_check_interval = 3
-# sock_rlimit = 0
 
 # EventStreamer options are
 #                            queue_event_streamer,
@@ -83,8 +58,9 @@ region_name = {{ keystone_service_region }}
 auth_type = password
 endpoint_type = {{ octavia_clients_endpoint }}
 memcached_servers = {{ octavia_memcached_servers }}
-
 token_cache_time = 300
+service_token_roles = "{{ octavia_service_role_name }}"
+service_token_roles_required = True
 
 # if your memcached server is shared, use these settings to avoid cache poisoning
 memcache_security_strategy = ENCRYPT
@@ -98,134 +74,42 @@ ca_certificate = /etc/octavia/certs/ca.pem
 ca_private_key = /etc/octavia/certs/ca_key.pem
 ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }}
 signing_digest = {{ octavia_signing_digest }}
-# storage_path = /var/lib/octavia/certificates/
-
-# For the TLS management
-# Certificate Manager options are local_cert_manager
-#                                 barbican_cert_manager
-# cert_manager = barbican_cert_manager
-# For Barbican authentication (if using any Barbican based cert class)
-# barbican_auth = barbican_acl_auth
-#
-# Region in Identity service catalog to use for communication with the Barbican service.
-# region_name =
-#
-# Endpoint type to use for communication with the Barbican service.
 endpoint_type = {{ octavia_clients_endpoint }}
 
-
-[anchor]
-# Use OpenStack anchor to sign the amphora REST API certificates
-# url = http://localhost:9999/v1/sign/default
-# username =
-# password =
-
-[networking]
-# The maximum attempts to retry an action with the networking service.
-# max_retries = 15
-# Seconds to wait before retrying an action with the networking service.
-# retry_interval = 1
-# The maximum time to wait, in seconds, for a port to detach from an amphora
-# port_detach_timeout = 300
-
 [haproxy_amphora]
-# base_path = /var/lib/octavia
-# base_cert_dir = /var/lib/octavia/certs
-# Absolute path to a custom HAProxy template file
 {% if octavia_haproxy_amphora_template is defined %}
 haproxy_template = {{ octavia_haproxy_amphora_template }}
 {% endif %}
-# connection_max_retries = 300
-# connection_retry_interval = 5
 
-# Maximum number of entries that can fit in the stick table.
-# The size supports "k", "m", "g" suffixes.
-# haproxy_stick_size = 10k
-
-# REST Driver specific
-# bind_host = 0.0.0.0
 bind_port = {{ octavia_agent_port }}
-#
-# This setting is only needed with IPv6 link-local addresses (fe80::/64) are
-# used for communication between Octavia and its Amphora, if IPv4 or other IPv6
-# addresses are used it can be ignored.
-# lb_network_interface = o-hm0
-#
-# haproxy_cmd = /usr/sbin/haproxy
-# respawn_count = 2
-# respawn_interval = 2
+
 client_cert = /etc/octavia/certs/client.pem
 server_ca = /etc/octavia/certs/server_ca.pem
-#
-# This setting is deprecated.  It is now automatically discovered.
-# use_upstart = True
-#
-# rest_request_conn_timeout = 10
-# rest_request_read_timeout = 60
+
 
 [controller_worker]
 amp_active_retries = {{ octavia_amp_active_retries }}
-# amp_active_wait_sec = 10
-# Glance parameters to extract image ID to use for amphora. Only one of
-# parameters is needed. Using tags is the recommended way to refer to images.
 amp_image_id = {{ octavia_amp_image_id }}
 amp_image_tag = {{ octavia_glance_image_tag }}
-# Optional owner ID used to restrict glance images to one owner ID.
-# This is a recommended security setting.
 amp_image_owner_id = {{ octavia_amp_image_owner_id }}
-# octavia parameters to use when booting amphora
 amp_flavor_id = {{ octavia_nova_flavor_uuid }}
 amp_ssh_key_name = {{ octavia_ssh_key_name }}
 amp_ssh_access_allowed = {{ octavia_ssh_enabled }}
-
-
-# Networks to attach to the Amphorae examples:
-#  - One primary network
-#  - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666
-#  - Multiple networks
-#  - - amp_boot_network_list = 11111111-2222-33333-4444-555555555555, 22222222-3333-4444-5555-666666666666
-#  - All networks defined in the list will be attached to each amphora
 amp_boot_network_list = {{ octavia_neutron_management_network_uuid }}
-
-# Takes a single network id that is attached to amphorae on boot
-# Deprecated...
-# amp_network =
-
 amp_secgroup_list = {{ octavia_security_group_name }}
 client_ca = /etc/octavia/certs/client_ca.pem
-
-# Amphora driver options are amphora_noop_driver,
-#                            amphora_haproxy_rest_driver
-#
 amphora_driver = {{ octavia_amphora_driver }}
-#
-# Compute driver options are compute_noop_driver
-#                            compute_octavia_driver
-#
 compute_driver = {{ octavia_compute_driver }}
-#
-# Network driver options are network_noop_driver
-#                            allowed_address_pairs_driver
-#
 network_driver = {{ octavia_network_driver }}
-#
-# Cinder Volume driver options are volume_noop_driver
-#                                  volume_cinder_driver
-#
+
 {% if octavia_cinder_enabled %}
 volume_driver = volume_cinder_driver
 {% else %}
 volume_driver = volume_noop_driver
 {% endif %}
-#
-# Certificate Generator options are local_cert_generator
-#                                   barbican_cert_generator
-#                                   anchor_cert_generator
-# cert_generator = local_cert_generator
-#
-# Load balancer topology options are SINGLE, ACTIVE_STANDBY
+
 loadbalancer_topology = {{ octavia_loadbalancer_topology }}
-# user_data_config_drive = False
+
 
 [task_flow]
 # engine = serial
@@ -248,49 +132,10 @@ event_stream_transport_url = {{ neutron_oslomsg_rpc_transport }}://{% for host i
 
 
 [house_keeping]
-# Interval in seconds to initiate spare amphora checks
-# spare_check_interval = 30
 spare_amphora_pool_size = {{ octavia_spare_amphora_pool_size }}
 
-# Cleanup interval for Deleted amphora
-# cleanup_interval = 30
-# Amphora expiry age in seconds. Default is 1 week
-# amphora_expiry_age = 604800
-
-# Load balancer expiry age in seconds. Default is 1 week
-# load_balancer_expiry_age = 604800
-
-[amphora_agent]
-# agent_server_ca = /etc/octavia/certs/client_ca.pem
-# agent_server_cert = /etc/octavia/certs/server.pem
-# agent_server_network_dir = /etc/netns/amphora-haproxy/network/interfaces.d/
-# agent_server_network_file =
-# agent_request_read_timeout = 120
-
-[keepalived_vrrp]
-# Amphora Role/Priority advertisement interval in seconds
-# vrrp_advert_int = 1
-
-# Service health check interval and success/fail count
-# vrrp_check_interval = 5
-# vrpp_fail_count = 2
-# vrrp_success_count = 2
-
-# Amphora MASTER gratuitous ARP refresh settings
-# vrrp_garp_refresh_interval = 5
-# vrrp_garp_refresh_count = 2
 
 [service_auth]
-# memcached_servers =
-# signing_dir =
-# cafile = /opt/stack/data/ca-bundle.pem
-# project_domain_name = Default
-# project_name = admin
-# user_domain_name = Default
-# password = password
-# username = admin
-# auth_type = password
-# auth_url = http://localhost:5555/
 insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ octavia_keystone_auth_plugin }}
 auth_url = {{ keystone_service_internaluri }}/v3
@@ -313,41 +158,12 @@ memcache_secret_key = {{ memcached_encryption_key }}
 
 
 [octavia]
-# The name of the octavia service in the keystone catalog
-# service_name =
-# Custom octavia endpoint if override is necessary
-# endpoint =
-
-# Region in Identity service catalog to use for communication with the
-# OpenStack services.
 region_name = {{ keystone_service_region }}
-
-# Endpoint type in Identity service catalog to use for communication with
-# the OpenStack services.
 endpoint_type = {{ octavia_clients_endpoint }}
 
-# CA certificates file to verify neutron connections when TLS is enabled
-# insecure = False
-# ca_certificates_file =
-
 [nova]
-# The name of the nova service in the keystone catalog
-# service_name =
-# Custom nova endpoint if override is necessary
-# endpoint =
-
-# Region in Identity service catalog to use for communication with the
-# OpenStack services.
 region_name = {{ keystone_service_region }}
-
-# Endpoint type in Identity service catalog to use for communication with
-# the OpenStack services.
 endpoint_type = {{ octavia_clients_endpoint }}
-
-# CA certificates file to verify neutron connections when TLS is enabled
-# insecure = False
-# ca_certificates_file =
-
 enable_anti_affinity = {{ octavia_enable_anti_affinity }}
 
 {% if octavia_amp_availability_zone is defined %}availability_zone={{ octavia_amp_availability_zone }}{%endif%}
@@ -366,37 +182,9 @@ volume_create_max_retries = 2
 {% endif %}
 
 [glance]
-# The name of the glance service in the keystone catalog
-# service_name =
-# Custom glance endpoint if override is necessary
-# endpoint =
-
-# Region in Identity service catalog to use for communication with the
-# OpenStack services.
 region_name = {{ keystone_service_region }}
-
-# Endpoint type in Identity service catalog to use for communication with
-# the OpenStack services.
 endpoint_type = {{ octavia_clients_endpoint }}
 
-# CA certificates file to verify neutron connections when TLS is enabled
-# insecure = False
-# ca_certificates_file =
-
 [neutron]
-# The name of the neutron service in the keystone catalog
-# service_name =
-# Custom neutron endpoint if override is necessary
-# endpoint =
-
-# Region in Identity service catalog to use for communication with the
-# OpenStack services.
 region_name = {{ keystone_service_region }}
-
-# Endpoint type in Identity service catalog to use for communication with
-# the OpenStack services.
 endpoint_type = {{ octavia_clients_endpoint }}
-
-# CA certificates file to verify neutron connections when TLS is enabled
-# insecure = False
-# ca_certificates_file =