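---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Role defaults for the Octavia deployment. Every value here can be
# overridden by the deployer; secret values are expected to come from the
# deployer's secrets file, not from this file (see octavia_required_secrets).

## Verbosity Options
debug: false

## Octavia standalone (v2) API, experimental
octavia_v2: false

## Activate Octavia V1 API
octavia_v1: true

## Allow TLS listener
octavia_tls_listener_enabled: true

# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
octavia_package_state: "latest"
octavia_pip_package_state: "latest"

octavia_git_repo: https://git.openstack.org/openstack/octavia
octavia_git_install_branch: master
octavia_developer_mode: false
octavia_developer_constraints:
  - "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"

# Name of the virtual env to deploy into
octavia_venv_tag: untagged
octavia_bin: "/openstack/venvs/octavia-{{ octavia_venv_tag }}/bin"
octavia_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/octavia.tgz

octavia_fatal_deprecations: false

octavia_clients_endpoint: internalURL
octavia_auth_strategy: keystone

## DB
octavia_galera_user: octavia
octavia_galera_database: octavia
octavia_db_max_overflow: 20
octavia_db_pool_size: 120
octavia_db_pool_timeout: 30

## RabbitMQ info

## Configuration for RPC communications
octavia_rabbitmq_userid: octavia
octavia_rabbitmq_vhost: /octavia
octavia_rabbitmq_servers: 127.0.0.1
octavia_rabbitmq_use_ssl: false
octavia_rabbitmq_port: 5672

## Configuration for notifications communication, i.e. [oslo_messaging_notifications]
# These default to the RPC settings above; override them to send
# notifications over a separate queue/user.
octavia_rabbitmq_telemetry_userid: "{{ octavia_rabbitmq_userid }}"
octavia_rabbitmq_telemetry_password: "{{ octavia_rabbitmq_password }}"
octavia_rabbitmq_telemetry_vhost: "{{ octavia_rabbitmq_vhost }}"
octavia_rabbitmq_telemetry_port: "{{ octavia_rabbitmq_port }}"
octavia_rabbitmq_telemetry_servers: "{{ octavia_rabbitmq_servers }}"
octavia_rabbitmq_telemetry_use_ssl: "{{ octavia_rabbitmq_use_ssl }}"

## octavia User / Group
octavia_system_user_name: octavia
octavia_system_group_name: octavia
octavia_system_shell: /bin/false
octavia_system_comment: octavia system user
octavia_system_home_folder: "/var/lib/{{ octavia_system_user_name }}"

## Default domain
octavia_project_domain_name: Default
octavia_project_name: admin
octavia_user_domain_name: Default

## Stack
octavia_stack_domain_admin: stack_domain_admin
octavia_stack_owner_name: octavia_stack_owner
octavia_stack_domain_description: Owns users and projects created by octavia
octavia_stack_user_domain_name: octavia
octavia_max_nested_stack_depth: 5
octavia_deferred_auth_method: trusts
octavia_trusts_delegated_roles: []

## Cinder backups
octavia_cinder_backups_enabled: false

## Auth
octavia_service_region: RegionOne
octavia_service_project_name: "service"
octavia_service_user_name: "octavia"
octavia_service_role_name: admin
octavia_service_project_domain_id: default
octavia_service_user_domain_id: default
octavia_keystone_auth_plugin: "{{ octavia_keystone_auth_type }}"
octavia_keystone_auth_type: password
octavia_ansible_endpoint_type: "internal"  # endpoint for ansible

## Trustee Auth
octavia_service_trustee_project_name: "service"
octavia_service_trustee_user_name: "octavia"
octavia_service_trustee_password: "{{ octavia_service_password }}"
octavia_service_trustee_project_domain_id: "default"
octavia_service_trustee_user_domain_id: "default"
octavia_keystone_trustee_auth_plugin: "{{ octavia_keystone_trustee_auth_type }}"
octavia_keystone_trustee_auth_type: password

## octavia api service type and data
octavia_service_name: octavia
octavia_service_description: "Octavia Load Balancing Service"
octavia_service_port: 9876
octavia_service_proto: http
octavia_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(octavia_service_proto) }}"
octavia_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(octavia_service_proto) }}"
octavia_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(octavia_service_proto) }}"
octavia_service_type: load-balancer
octavia_service_publicuri: "{{ octavia_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ octavia_service_port }}"
# NOTE(review): only the public v2 URL carries a trailing slash; the admin
# and internal v2 URLs below do not. Presumably intentional - verify before
# aligning them, since this is what gets registered in the catalog.
octavia_service_publicurl_v2: "{{ octavia_service_publicuri }}/"
octavia_service_adminuri: "{{ octavia_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_adminurl_v2: "{{ octavia_service_adminuri }}"
octavia_service_internaluri: "{{ octavia_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_internalurl_v2: "{{ octavia_service_internaluri }}"
octavia_service_in_ldap: false

## RPC
octavia_rpc_thread_pool_size: 64
octavia_rpc_conn_pool_size: 30
octavia_rpc_response_timeout: 60
octavia_rpc_workers: 2

## Plugin dirs
octavia_plugin_dirs:
  - /usr/lib/octavia
  - /usr/local/lib/octavia

# octavia packages that must be installed before anything else
octavia_requires_pip_packages:
  - httplib2
  - python-keystoneclient  # Keystoneclient needed to OSA keystone lib
  - shade
  - virtualenv
  - virtualenv-tools
  - python-openstackclient

# Common pip packages
octavia_pip_packages:
  - cryptography
  - keystonemiddleware
  - PyMySQL
  - python-glanceclient
  - python-keystoneclient
  - python-memcached
  - python-neutronclient
  - python-novaclient
  - python-openstackclient
  - python-octaviaclient
  - octavia
  - uwsgi

octavia_api_init_overrides: {}
octavia_worker_init_overrides: {}
octavia_housekeeping_init_overrides: {}
octavia_health_manager_init_overrides: {}

## Service Name-Group Mapping
octavia_services:
  octavia-api:
    group: octavia_api
    service_name: octavia-api
    init_config_overrides: "{{ octavia_api_init_overrides }}"
    wsgi_overrides: "{{ octavia_api_uwsgi_ini_overrides }}"
    wsgi_app: true
    log_string: "--logto "
    wsgi_name: octavia-wsgi
    uwsgi_port: "{{ octavia_service_port }}"
    uwsgi_bind_address: "{{ octavia_uwsgi_bind_address }}"
    program_override: "{{ octavia_bin }}/uwsgi --ini /etc/uwsgi/octavia-api.ini"
  octavia-worker:
    group: octavia_worker
    service_name: octavia-worker
    init_config_overrides: "{{ octavia_worker_init_overrides }}"
  octavia-housekeeping:
    group: octavia_housekeeping
    service_name: octavia-housekeeping
    init_config_overrides: "{{ octavia_housekeeping_init_overrides }}"
  octavia-health-manager:
    group: octavia_health_manager
    service_name: octavia-health-manager
    init_config_overrides: "{{ octavia_health_manager_init_overrides }}"

# Required secrets for the role
octavia_required_secrets:
  - keystone_auth_admin_password
  - octavia_stack_domain_admin_password
  - octavia_auth_encryption_key
  - octavia_container_mysql_password
  - octavia_rabbitmq_password
  - octavia_service_password
  - memcached_encryption_key

# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
octavia_role_project_group: octavia_all

## Octavia configs

# Load balancer topology options are SINGLE, ACTIVE_STANDBY
# ACTIVE_STANDBY is recommended for production settings
octavia_loadbalancer_topology: SINGLE

# Image tag for the amphora image in glance
octavia_glance_image_tag: octavia-amphora-image
# Add here the id of the image owner so that only images owned by that
# project are used as amphorae (prevents a forged image with the same tag
# from being picked up)
octavia_amp_image_owner_id:
# Add here the glance image id if tagging is not used (not recommended for prod)
octavia_amp_image_id:
# Add here the file name of the image if it should be uploaded automatically
# Note: This does not support image tags so don't use for prod
octavia_amp_image_file_name:
# Enable uploading the image to glance automatically
# Note: This does not support image tags so don't use for prod
octavia_amp_image_upload_enabled: false

# Name of the Octavia security group
octavia_security_group_name: octavia_sec_grp
# Restrict access to only authorized hosts: set this to a CIDR to limit the
# sources allowed by the security group rules. Left empty by default;
# NOTE(review): check the security group task for what an empty value means.
octavia_security_group_rule_cidr:

# ssh enabled - switch to true if you need ssh access to the amphora
# and make sure to upload a key with the name below
octavia_ssh_enabled: false
octavia_ssh_key_name: octavia_key

# Port the agent listens on
octavia_agent_port: "9443"
octavia_health_manager_port: 5555

# Octavia Nova flavor
octavia_amp_flavor_name: "m1.amphora"
octavia_amp_ram: 1024
octavia_amp_vcpu: 1
octavia_amp_disk: 2

# Client certs
octavia_client_ca: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
octavia_client_cert: "{{ octavia_system_home_folder }}/certs/client.pem"
# Server
octavia_server_ca: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
# CA certs
octavia_ca_private_key: "{{ octavia_system_home_folder }}/certs/private/cakey.pem"
octavia_ca_certificate: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
# Passphrase protecting the CA private key above. "foobar" is a placeholder
# only: set a real value in your secrets file. Note that this variable is not
# listed in octavia_required_secrets, so that check does not cover it.
octavia_ca_private_key_passphrase: foobar
octavia_signing_digest: sha256

# Spare pool - increase to speed up load balancer creation and fail over
octavia_spare_amphora_pool_size: 1

# Only increase when it's a really busy system since this is per deployed host,
# e.g. 3 hosts, 5 workers (this param) per host, results in 15 workers total
octavia_task_flow_max_workers: 5

# event_streamer - set to false if you don't need up to date lb information and/or
# your queue is crashing (Octavia will stream events to the neutron DB)
octavia_event_streamer: true

# Enable provisioning status sync with neutron db
octavia_sync_provisioning_status: true

# OSA is architected to use vHosts for queues so we need to post events
# into the Neutron queue for them to be picked up
neutron_rabbitmq_userid: neutron
neutron_rabbitmq_vhost: /neutron
neutron_rabbitmq_port: 5672
neutron_rabbitmq_servers: 127.0.0.1
neutron_rabbitmq_use_ssl: false
# Placeholder only: override with the real Neutron queue password from the
# secrets file. It is not listed in octavia_required_secrets.
neutron_rabbitmq_password: changeme

# For additional security use a different user on the Neutron queue
# for Octavia with restricted access to only the event streamer
# queues
octavia_neutron_rabbitmq_userid: "{{ neutron_rabbitmq_userid }}"
octavia_neutron_rabbitmq_password: "{{ neutron_rabbitmq_password }}"

# This controls if Octavia should add an anti-affinity hint to make sure
# two amphorae are not placed on the same host (the most common setup of
# anti-affinity features in Nova).
# Since AIO only has one compute host this is set to false
octavia_enable_anti_affinity: false

# Some installations put hardware more suited for load balancing in special
# availability zones. This allows targeting a specific availability zone
# for amphora creation
#octavia_amp_availability_zone:

# List of haproxy template files to copy from deployment host to octavia hosts
# octavia_user_haproxy_templates:
#   - src: "/etc/openstack_deploy/octavia/haproxy_templates/base.cfg.j2"
#     dest: "/etc/octavia/templates/base.cfg.j2"
#   - src: "/etc/openstack_deploy/octavia/haproxy_templates/haproxy.cfg.j2"
#     dest: "/etc/octavia/templates/haproxy.cfg.j2"
#   - src: "/etc/openstack_deploy/octavia/haproxy_templates/macros.cfg.j2"
#     dest: "/etc/octavia/templates/macros.cfg.j2"
octavia_user_haproxy_templates: {}

# Path of custom haproxy template file
#octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2

# Name of the Octavia management network in Neutron
octavia_neutron_management_network_name: lbaas-mgmt
# Name of the provider net in the system
octavia_provider_network_name: lbaas
# Network type
octavia_provider_network_type: flat
# Network segmentation ID if vlan, gre...
#octavia_provider_segmentation_id:
# Network CIDR
octavia_management_net_subnet_cidr: 172.29.232.0/22
# Example allocation range:
# octavia_management_net_subnet_allocation_pools: "172.29.232.10-172.29.235.200"
octavia_management_net_subnet_allocation_pools: ""
# Do we require the Neutron DHCP server
octavia_management_net_dhcp: "True"
# Should Octavia set up the network and subnet?
octavia_service_net_setup: true

# This sets it to the container management network based on how you set up
# the provider net
octavia_container_network_name: "{{ octavia_provider_network_name }}_address"
octavia_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', octavia_provider_network_name)|list|first }}"
octavia_hm_group: "octavia-health-manager"

# Note: We use some heuristics here but if you do anything special make sure to use the
# ip addresses on the right network. This will use the container networking to figure out the ip
octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}"

# Set this to the right container port aka the eth you connect to the octavia
# management network
octavia_container_interface: "{{ octavia_provider_network.container_interface }}"

# Set this to true to apply the iptables rules below on the octavia hosts
octavia_ip_tables_fw: true

# The iptables rules. Only ICMP echo, established/related traffic and the
# health-manager heartbeat port are accepted on the management interface;
# everything else on that interface is rejected (INPUT and FORWARD), for
# both IPv4 and IPv6.
octavia_iptables_rules:
  - # Allow icmp
    chain: INPUT
    protocol: icmp
    ctstate: NEW
    icmp_type: 8
    jump: ACCEPT
  - # Allow existing connections:
    chain: INPUT
    in_interface: "{{ octavia_container_interface }}"
    ctstate: RELATED,ESTABLISHED
    jump: ACCEPT
  - # Allow heartbeat:
    chain: INPUT
    in_interface: "{{ octavia_container_interface }}"
    protocol: udp
    destination_port: "{{ octavia_health_manager_port }}"
    jump: ACCEPT
  - # Reject INPUT:
    chain: INPUT
    in_interface: "{{ octavia_container_interface }}"
    reject_with: icmp-port-unreachable
  - # Reject FORWARD:
    chain: FORWARD
    in_interface: "{{ octavia_container_interface }}"
    reject_with: icmp-port-unreachable
  - # Allow icmp6
    chain: INPUT
    protocol: icmpv6
    jump: ACCEPT
    ip_version: ipv6
  - # Allow existing connections
    chain: INPUT
    in_interface: "{{ octavia_container_interface }}"
    ctstate: RELATED,ESTABLISHED
    jump: ACCEPT
    ip_version: ipv6
  - # Allow heartbeat
    chain: INPUT
    in_interface: "{{ octavia_container_interface }}"
    protocol: udp
    destination_port: "{{ octavia_health_manager_port }}"
    jump: ACCEPT
    ip_version: ipv6
  - # Reject INPUT
    chain: INPUT
    in_interface: "{{ octavia_container_interface }}"
    reject_with: icmp6-port-unreachable
    ip_version: ipv6
  - # Reject FORWARD
    chain: FORWARD
    in_interface: "{{ octavia_container_interface }}"
    reject_with: icmp6-port-unreachable
    ip_version: ipv6

# uWSGI Settings
octavia_wsgi_processes_max: 16
# Twice the vCPU count, capped at octavia_wsgi_processes_max
octavia_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}"
octavia_wsgi_threads: 1
octavia_wsgi_buffer_size: 65535
# Binds the API on all interfaces by default; narrow this to the management
# address if the API should not be reachable on every interface of the host
octavia_uwsgi_bind_address: "0.0.0.0"
octavia_api_uwsgi_ini_overrides: {}

# Set up the drivers
octavia_amphora_driver: amphora_haproxy_rest_driver
octavia_compute_driver: compute_nova_driver
octavia_network_driver: allowed_address_pairs_driver

## Tunable overrides
octavia_octavia_conf_overrides: {}
octavia_api_paste_ini_overrides: {}
octavia_policy_overrides: {}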