8cc05a3d00
When 'octavia_galera_use_ssl' is True, use an encrypted connection to the database using either a self-signed or user-provided CA certificate. A new non-voting test has been added to verify that the role remains functional when enabling SSL features. Change-Id: I7a43d313474e17d7e968a5a9510368e3abdf6682 Partial-Bug: 1667789
388 lines
13 KiB
Django/Jinja
388 lines
13 KiB
Django/Jinja
[DEFAULT]
|
|
# Print debugging output (set logging level to DEBUG instead of default WARNING level).
|
|
debug = {{ debug }}
|
|
|
|
{% if not octavia_v2|bool %}
|
|
bind_host = 0.0.0.0
|
|
bind_port = {{ octavia_service_port }}
|
|
# api_handler = queue_producer
|
|
#
|
|
# How should authentication be handled (keystone, noauth)
|
|
auth_strategy = {{ octavia_auth_strategy }}
|
|
#
|
|
{% endif %}
|
|
# Plugin options are hot_plug_plugin (Hot-pluggable controller plugin)
|
|
#
|
|
# octavia_plugins = hot_plug_plugin
|
|
|
|
# Hostname to be used by the host machine for services running on it.
|
|
# The default value is the hostname of the host machine.
|
|
# host =
|
|
|
|
# AMQP Transport URL
|
|
# For Single Host, specify one full transport URL:
|
|
# transport_url = rabbit://<user>:<pass>@127.0.0.1:5672/<vhost>
|
|
# For HA, specify queue nodes in cluster, comma delimited:
|
|
# transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>
|
|
|
|
transport_url = rabbit://{% for host in octavia_rabbitmq_servers.split(',') %}{{ octavia_rabbitmq_userid }}:{{ octavia_rabbitmq_password }}@{{ host }}:{{ octavia_rabbitmq_port }}{% if not loop.last %},{% else %}/{{ octavia_rabbitmq_vhost }}{% endif %}{% endfor %}
|
|
|
|
[api_settings]
|
|
bind_host = 0.0.0.0
|
|
bind_port = {{ octavia_service_port }}
|
|
# api_handler = queue_producer
|
|
#
|
|
# How should authentication be handled (keystone, noauth)
|
|
# Note: remove "noauth" once LP bug is fixed
|
|
auth_strategy = {{ octavia_auth_strategy }}
|
|
#
|
|
api_v1_enabled = {{ octavia_v1 }}
|
|
api_v2_enabled = {{ octavia_v2 }}
|
|
# Allow users to create TLS Terminated listeners?
|
|
allow_tls_terminated_listeners = {{ octavia_tls_listener_enabled }}
|
|
|
|
# pre Ocata
|
|
[oslo_messaging_rabbit]
|
|
ssl = {{ octavia_rabbitmq_use_ssl }}
|
|
rpc_conn_pool_size = {{ octavia_rpc_conn_pool_size }}
|
|
|
|
[database]
|
|
connection = mysql+pymysql://{{ octavia_galera_user }}:{{ octavia_container_mysql_password }}@{{ octavia_galera_address }}/{{ octavia_galera_database }}?charset=utf8{% if octavia_galera_use_ssl | bool %}&ssl_ca={{ octavia_galera_ssl_ca_cert }}{% endif %}
|
|
|
|
max_overflow = {{ octavia_db_max_overflow }}
|
|
max_pool_size = {{ octavia_db_pool_size }}
|
|
pool_timeout = {{ octavia_db_pool_timeout }}
|
|
|
|
[health_manager]
|
|
bind_ip = 0.0.0.0
|
|
bind_port = {{ octavia_health_manager_port }}
|
|
# controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
|
|
controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
|
|
|
# failover_threads = 10
|
|
# status_update_threads = 50
|
|
# heartbeat_interval = 10
|
|
heartbeat_key = {{ octavia_health_hmac_key }}
|
|
# heartbeat_timeout = 60
|
|
# health_check_interval = 3
|
|
# sock_rlimit = 0
|
|
|
|
# EventStreamer options are
|
|
# queue_event_streamer,
|
|
# noop_event_streamer
|
|
event_streamer_driver = {% if octavia_event_streamer|bool %}queue_event_streamer{% else %}noop_event_streamer{% endif %}
|
|
|
|
# Enable provisioning status sync with neutron db
|
|
sync_provisioning_status = {{ octavia_sync_provisioning_status }}
|
|
|
|
[keystone_authtoken]
|
|
insecure = {{ keystone_service_internaluri_insecure | bool }}
|
|
auth_type = {{ octavia_keystone_auth_plugin }}
|
|
auth_url = {{ keystone_service_internaluri }}/v3
|
|
auth_uri = {{ keystone_service_internaluri }}/v3
|
|
auth_version = 3
|
|
project_domain_id = {{ octavia_service_project_domain_id }}
|
|
user_domain_id = {{ octavia_service_user_domain_id }}
|
|
project_name = {{ octavia_service_project_name }}
|
|
username = {{ octavia_service_user_name }}
|
|
password = {{ octavia_service_password }}
|
|
region_name = {{ keystone_service_region }}
|
|
auth_type = password
|
|
endpoint_type = {{ octavia_clients_endpoint }}
|
|
memcached_servers = {{ memcached_servers }}
|
|
|
|
token_cache_time = 300
|
|
|
|
# if your memcached server is shared, use these settings to avoid cache poisoning
|
|
memcache_security_strategy = ENCRYPT
|
|
memcache_secret_key = {{ memcached_encryption_key }}
|
|
|
|
[certificates]
|
|
# cert_generator = local_cert_generator
|
|
|
|
# For local certificate signing (development only):
|
|
ca_certificate = /etc/octavia/certs/ca.pem
|
|
ca_private_key = /etc/octavia/certs/ca_key.pem
|
|
ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }}
|
|
signing_digest = {{ octavia_signing_digest }}
|
|
# storage_path = /var/lib/octavia/certificates/
|
|
|
|
# For the TLS management
|
|
# Certificate Manager options are local_cert_manager
|
|
# barbican_cert_manager
|
|
# cert_manager = barbican_cert_manager
|
|
# For Barbican authentication (if using any Barbican based cert class)
|
|
# barbican_auth = barbican_acl_auth
|
|
#
|
|
# Region in Identity service catalog to use for communication with the Barbican service.
|
|
# region_name =
|
|
#
|
|
# Endpoint type to use for communication with the Barbican service.
|
|
# endpoint_type = publicURL
|
|
|
|
|
|
[anchor]
|
|
# Use OpenStack anchor to sign the amphora REST API certificates
|
|
# url = http://localhost:9999/v1/sign/default
|
|
# username =
|
|
# password =
|
|
|
|
[networking]
|
|
# The maximum attempts to retry an action with the networking service.
|
|
# max_retries = 15
|
|
# Seconds to wait before retrying an action with the networking service.
|
|
# retry_interval = 1
|
|
# The maximum time to wait, in seconds, for a port to detach from an amphora
|
|
# port_detach_timeout = 300
|
|
|
|
[haproxy_amphora]
|
|
# base_path = /var/lib/octavia
|
|
# base_cert_dir = /var/lib/octavia/certs
|
|
# Absolute path to a custom HAProxy template file
|
|
{% if octavia_haproxy_amphora_template is defined %}
|
|
haproxy_template = {{ octavia_haproxy_amphora_template }}
|
|
{% endif %}
|
|
# connection_max_retries = 300
|
|
# connection_retry_interval = 5
|
|
|
|
# Maximum number of entries that can fit in the stick table.
|
|
# The size supports "k", "m", "g" suffixes.
|
|
# haproxy_stick_size = 10k
|
|
|
|
# REST Driver specific
|
|
# bind_host = 0.0.0.0
|
|
bind_port = {{ octavia_agent_port }}
|
|
#
|
|
# This setting is only needed with IPv6 link-local addresses (fe80::/64) are
|
|
# used for communication between Octavia and its Amphora, if IPv4 or other IPv6
|
|
# addresses are used it can be ignored.
|
|
# lb_network_interface = o-hm0
|
|
#
|
|
# haproxy_cmd = /usr/sbin/haproxy
|
|
# respawn_count = 2
|
|
# respawn_interval = 2
|
|
client_cert = /etc/octavia/certs/client.pem
|
|
server_ca = /etc/octavia/certs/server_ca.pem
|
|
#
|
|
# This setting is deprecated. It is now automatically discovered.
|
|
# use_upstart = True
|
|
#
|
|
# rest_request_conn_timeout = 10
|
|
# rest_request_read_timeout = 60
|
|
|
|
[controller_worker]
|
|
# amp_active_retries = 10
|
|
# amp_active_wait_sec = 10
|
|
# Glance parameters to extract image ID to use for amphora. Only one of
|
|
# parameters is needed. Using tags is the recommended way to refer to images.
|
|
amp_image_id = {{ octavia_amp_image_id }}
|
|
amp_image_tag = {{ octavia_glance_image_tag }}
|
|
# Optional owner ID used to restrict glance images to one owner ID.
|
|
# This is a recommended security setting.
|
|
amp_image_owner_id = {{ octavia_amp_image_owner_id }}
|
|
# octavia parameters to use when booting amphora
|
|
amp_flavor_id = {{ octavia_nova_flavor_uuid }}
|
|
amp_ssh_key_name = {{ octavia_ssh_key_name }}
|
|
amp_ssh_access_allowed = {{ octavia_ssh_enabled }}
|
|
|
|
|
|
# Networks to attach to the Amphorae examples:
|
|
# - One primary network
|
|
# - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666
|
|
# - Multiple networks
|
|
# - - amp_boot_network_list = 11111111-2222-33333-4444-555555555555, 22222222-3333-4444-5555-666666666666
|
|
# - All networks defined in the list will be attached to each amphora
|
|
amp_boot_network_list = {{ octavia_neutron_management_network_uuid }}
|
|
|
|
# Takes a single network id that is attached to amphorae on boot
|
|
# Deprecated...
|
|
# amp_network =
|
|
|
|
amp_secgroup_list = {{ octavia_security_group_name }}
|
|
client_ca = /etc/octavia/certs/client_ca.pem
|
|
|
|
# Amphora driver options are amphora_noop_driver,
|
|
# amphora_haproxy_rest_driver
|
|
#
|
|
amphora_driver = {{ octavia_amphora_driver }}
|
|
#
|
|
# Compute driver options are compute_noop_driver
|
|
# compute_octavia_driver
|
|
#
|
|
compute_driver = {{ octavia_compute_driver }}
|
|
#
|
|
# Network driver options are network_noop_driver
|
|
# allowed_address_pairs_driver
|
|
#
|
|
network_driver = {{ octavia_network_driver }}
|
|
#
|
|
# Certificate Generator options are local_cert_generator
|
|
# barbican_cert_generator
|
|
# anchor_cert_generator
|
|
# cert_generator = local_cert_generator
|
|
#
|
|
# Load balancer topology options are SINGLE, ACTIVE_STANDBY
|
|
loadbalancer_topology = {{ octavia_loadbalancer_topology }}
|
|
# user_data_config_drive = False
|
|
|
|
[task_flow]
|
|
# engine = serial
|
|
max_workers = {{ octavia_task_flow_max_workers }}
|
|
|
|
[oslo_messaging]
|
|
# Queue Consumer Thread Pool Size
|
|
rpc_thread_pool_size = {{ octavia_rpc_thread_pool_size }}
|
|
|
|
# Topic (i.e. Queue) Name
|
|
topic = octavia_prov
|
|
|
|
# Topic for octavia's events sent to a queue
|
|
event_stream_topic = neutron_lbaas_event
|
|
|
|
# Put it into the Neutron queue
|
|
{% if octavia_event_streamer|bool %}
|
|
event_stream_transport_url = rabbit://{% for host in neutron_rabbitmq_servers.split(',') %}{{ octavia_neutron_rabbitmq_userid }}:{{ octavia_neutron_rabbitmq_password }}@{{ host }}:{{ neutron_rabbitmq_port }}{% if not loop.last %},{% else %}/{{ neutron_rabbitmq_vhost }}{% endif %}{% endfor %}
|
|
{% endif %}
|
|
|
|
|
|
[house_keeping]
|
|
# Interval in seconds to initiate spare amphora checks
|
|
# spare_check_interval = 30
|
|
spare_amphora_pool_size = {{ octavia_spare_amphora_pool_size }}
|
|
|
|
# Cleanup interval for Deleted amphora
|
|
# cleanup_interval = 30
|
|
# Amphora expiry age in seconds. Default is 1 week
|
|
# amphora_expiry_age = 604800
|
|
|
|
# Load balancer expiry age in seconds. Default is 1 week
|
|
# load_balancer_expiry_age = 604800
|
|
|
|
[amphora_agent]
|
|
# agent_server_ca = /etc/octavia/certs/client_ca.pem
|
|
# agent_server_cert = /etc/octavia/certs/server.pem
|
|
# agent_server_network_dir = /etc/netns/amphora-haproxy/network/interfaces.d/
|
|
# agent_server_network_file =
|
|
# agent_request_read_timeout = 120
|
|
|
|
[keepalived_vrrp]
|
|
# Amphora Role/Priority advertisement interval in seconds
|
|
# vrrp_advert_int = 1
|
|
|
|
# Service health check interval and success/fail count
|
|
# vrrp_check_interval = 5
|
|
# vrpp_fail_count = 2
|
|
# vrrp_success_count = 2
|
|
|
|
# Amphora MASTER gratuitous ARP refresh settings
|
|
# vrrp_garp_refresh_interval = 5
|
|
# vrrp_garp_refresh_count = 2
|
|
|
|
[service_auth]
|
|
# memcached_servers =
|
|
# signing_dir =
|
|
# cafile = /opt/stack/data/ca-bundle.pem
|
|
# project_domain_name = Default
|
|
# project_name = admin
|
|
# user_domain_name = Default
|
|
# password = password
|
|
# username = admin
|
|
# auth_type = password
|
|
# auth_url = http://localhost:5555/
|
|
insecure = {{ keystone_service_internaluri_insecure | bool }}
|
|
auth_plugin = {{ octavia_keystone_auth_plugin }}
|
|
auth_url = {{ keystone_service_internaluri }}/v3
|
|
auth_uri = {{ keystone_service_internaluri }}/v3
|
|
auth_version = 3
|
|
project_domain_name = {{ octavia_service_project_domain_id }}
|
|
user_domain_name = {{ octavia_service_user_domain_id }}
|
|
project_name = {{ octavia_service_project_name }}
|
|
username = {{ octavia_service_user_name }}
|
|
password = {{ octavia_service_password }}
|
|
region_name = {{ keystone_service_region }}
|
|
auth_type = password
|
|
memcached_servers = {{ memcached_servers }}
|
|
endpoint_type = {{ octavia_clients_endpoint }}
|
|
token_cache_time = 300
|
|
|
|
# if your memcached server is shared, use these settings to avoid cache poisoning
|
|
memcache_security_strategy = ENCRYPT
|
|
memcache_secret_key = {{ memcached_encryption_key }}
|
|
|
|
|
|
[octavia]
|
|
# The name of the octavia service in the keystone catalog
|
|
# service_name =
|
|
# Custom octavia endpoint if override is necessary
|
|
# endpoint =
|
|
|
|
# Region in Identity service catalog to use for communication with the
|
|
# OpenStack services.
|
|
region_name = {{ keystone_service_region }}
|
|
|
|
# Endpoint type in Identity service catalog to use for communication with
|
|
# the OpenStack services.
|
|
endpoint_type = {{ octavia_clients_endpoint }}
|
|
|
|
# CA certificates file to verify neutron connections when TLS is enabled
|
|
# insecure = False
|
|
# ca_certificates_file =
|
|
|
|
[nova]
|
|
# The name of the nova service in the keystone catalog
|
|
# service_name =
|
|
# Custom nova endpoint if override is necessary
|
|
# endpoint =
|
|
|
|
# Region in Identity service catalog to use for communication with the
|
|
# OpenStack services.
|
|
region_name = {{ keystone_service_region }}
|
|
|
|
# Endpoint type in Identity service catalog to use for communication with
|
|
# the OpenStack services.
|
|
endpoint_type = {{ octavia_clients_endpoint }}
|
|
|
|
# CA certificates file to verify neutron connections when TLS is enabled
|
|
# insecure = False
|
|
# ca_certificates_file =
|
|
|
|
enable_anti_affinity = {{ octavia_enable_anti_affinity }}
|
|
|
|
{% if octavia_amp_availability_zone is defined %}availability_zone={{ octavia_amp_availability_zone }}{%endif%}
|
|
|
|
[glance]
|
|
# The name of the glance service in the keystone catalog
|
|
# service_name =
|
|
# Custom glance endpoint if override is necessary
|
|
# endpoint =
|
|
|
|
# Region in Identity service catalog to use for communication with the
|
|
# OpenStack services.
|
|
region_name = {{ keystone_service_region }}
|
|
|
|
# Endpoint type in Identity service catalog to use for communication with
|
|
# the OpenStack services.
|
|
endpoint_type = {{ octavia_clients_endpoint }}
|
|
|
|
# CA certificates file to verify neutron connections when TLS is enabled
|
|
# insecure = False
|
|
# ca_certificates_file =
|
|
|
|
[neutron]
|
|
# The name of the neutron service in the keystone catalog
|
|
# service_name =
|
|
# Custom neutron endpoint if override is necessary
|
|
# endpoint =
|
|
|
|
# Region in Identity service catalog to use for communication with the
|
|
# OpenStack services.
|
|
region_name = {{ keystone_service_region }}
|
|
|
|
# Endpoint type in Identity service catalog to use for communication with
|
|
# the OpenStack services.
|
|
endpoint_type = {{ octavia_clients_endpoint }}
|
|
|
|
# CA certificates file to verify neutron connections when TLS is enabled
|
|
# insecure = False
|
|
# ca_certificates_file =
|