86172dca82
This patch is the second of two required to implement the octavia-ovn-provider driver for Octavia. A new var, octavia_ovn_enabled, can be used to install the driver and configure Octavia accordingly. This patch has also restructured the driver/plugin mechanism for the os_octavia role to better mirror that of os_neutron and to make future additions easier to implement. It also uses neutron's method of certificate delivery for the ovn certs. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/919599 Change-Id: Ic5963070f4f2504860ddf0829819ca2f301546b1 Signed-off-by: Matthew Thode <mthode@mthode.org>
[DEFAULT]
# Debug logging is verbose; review what reaches the journal before enabling
# it on production controllers.
debug = {{ debug }}
use_journal = True
executor_thread_pool_size = {{ octavia_rpc_thread_pool_size }}
rpc_conn_pool_size = {{ octavia_rpc_conn_pool_size }}
# One user:password@host:port entry is emitted per RPC server; the vhost and
# the ssl query string are appended after the last host only.
# The RPC user id and password are rendered in clear text, so the generated
# file should be readable only by the Octavia service account.
# NOTE(review): the credentials are inserted without URL-encoding; confirm
# the password cannot contain URL-reserved characters such as @ : / or ?.
# When octavia_oslomsg_rpc_use_ssl is false the URL ends in ?ssl=0 and the
# broker login is not protected by TLS.
transport_url = {{ octavia_oslomsg_rpc_transport }}://{% for host in octavia_oslomsg_rpc_servers.split(',') %}{{ octavia_oslomsg_rpc_userid }}:{{ octavia_oslomsg_rpc_password }}@{{ host }}:{{ octavia_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ _octavia_oslomsg_rpc_vhost_conf }}{% if octavia_oslomsg_rpc_use_ssl | bool %}?ssl=1&ssl_version={{ octavia_oslomsg_rpc_ssl_version }}&ssl_ca_file={{ octavia_oslomsg_rpc_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

[api_settings]
# Address and port the Octavia API listens on.
bind_host = {{ octavia_uwsgi_bind_address }}
bind_port = {{ octavia_service_port }}
# NOTE(review): confirm the health check endpoint is reachable only from the
# load balancer or monitoring hosts that need it.
healthcheck_enabled = True

# Octavia accepts keystone, noauth or testing here. Any value other than
# keystone leaves the API without token validation and should not be used
# in production.
auth_strategy = {{ octavia_auth_strategy }}

# Allow users to create TLS Terminated listeners?
allow_tls_terminated_listeners = {{ octavia_tls_listener_enabled }}

default_provider_driver = {{ octavia_default_provider_driver }}
# select() drops empty entries from the list before it is comma-joined.
enabled_provider_drivers = {{ octavia_enabled_provider_drivers | select() | join(',') }}

[oslo_messaging]
# Fixed RPC topic name; not templated.
topic = octavia_prov

[oslo_messaging_rabbit]
# Driven by the same variable that selects ?ssl=1 or ?ssl=0 in the [DEFAULT]
# transport_url, so the two stay in step. There is no bool filter here; the
# variable is rendered as given.
ssl = {{ octavia_oslomsg_rpc_use_ssl }}
# Queue type and queue-manager tuning, all taken from role variables.
rabbit_quorum_queue = {{ octavia_oslomsg_rabbit_quorum_queues }}
rabbit_transient_quorum_queue = {{ octavia_oslomsg_rabbit_transient_quorum_queues }}
rabbit_qos_prefetch_count = {{ octavia_oslomsg_rabbit_qos_prefetch_count }}
use_queue_manager = {{ octavia_oslomsg_rabbit_queue_manager }}
rabbit_stream_fanout = {{ octavia_oslomsg_rabbit_stream_fanout }}
rabbit_quorum_delivery_limit = {{ octavia_oslomsg_rabbit_quorum_delivery_limit }}
rabbit_quorum_max_memory_bytes = {{ octavia_oslomsg_rabbit_quorum_max_memory_bytes }}

[oslo_messaging_notifications]
# messagingv2 when octavia_oslomsg_notify_configure is true, otherwise noop.
driver = {{ (octavia_oslomsg_notify_configure | bool) | ternary('messagingv2', 'noop') }}
# Built the same way as the RPC transport_url: one user:password@host:port
# entry per server, with the vhost and ssl query string after the last one.
# The notification credentials are rendered in clear text and without
# URL-encoding. This URL is written even when the driver above is noop.
transport_url = {{ octavia_oslomsg_notify_transport }}://{% for host in octavia_oslomsg_notify_servers.split(',') %}{{ octavia_oslomsg_notify_userid }}:{{ octavia_oslomsg_notify_password }}@{{ host }}:{{ octavia_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ _octavia_oslomsg_notify_vhost_conf }}{% if octavia_oslomsg_notify_use_ssl | bool %}?ssl=1&ssl_version={{ octavia_oslomsg_notify_ssl_version }}&ssl_ca_file={{ octavia_oslomsg_notify_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

[database]
# The database user and password are rendered in clear text into this URL.
# TLS parameters are appended only when octavia_galera_use_ssl is true; in
# that case server certificate verification is requested, and ssl_ca is added
# only if a CA path is configured. With octavia_galera_use_ssl false the
# URL carries no TLS parameters at all.
# The plus sign in the closing endif tag keeps the newline after this line.
connection = mysql+pymysql://{{ octavia_galera_user }}:{{ octavia_container_mysql_password }}@{{ octavia_galera_address }}:{{ octavia_galera_port }}/{{ octavia_galera_database }}?charset=utf8{% if octavia_galera_use_ssl | bool %}&ssl_verify_cert=true{% if octavia_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ octavia_galera_ssl_ca_cert }}{% endif %}{% endif +%}
# Connection pool sizing and recycling.
max_overflow = {{ octavia_db_max_overflow }}
max_pool_size = {{ octavia_db_max_pool_size }}
pool_timeout = {{ octavia_db_pool_timeout }}
connection_recycle_time = {{ octavia_db_connection_recycle_time }}

[health_manager]
# 0.0.0.0 makes the health manager listen on every interface of the host.
# NOTE(review): consider binding to the load-balancer management network
# address only, or make sure the port is firewalled on other interfaces.
bind_ip = 0.0.0.0
bind_port = {{ octavia_health_manager_port }}
# controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
# One host:port entry per health manager host, comma separated.
controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %}

# HMAC key used to authenticate heartbeat messages. It is a shared secret
# rendered in clear text, so keep this file readable only by the Octavia
# service account.
heartbeat_key = {{ octavia_health_hmac_key }}

# Enable provisioning status sync with neutron db
sync_provisioning_status = {{ octavia_sync_provisioning_status }}

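[keystone_authtoken]
# True turns off TLS certificate verification for calls to Keystone; keep it
# False outside test environments.
insecure = {{ keystone_service_internaluri_insecure | bool }}
# auth_type used to be set twice in this section: a second, hard-coded
# "auth_type = password" followed region_name. Duplicate keys are handled
# differently by different parsers, and a last-wins parser ignored this
# templated value, so the duplicate has been dropped.
# NOTE(review): confirm octavia_keystone_auth_plugin renders to password,
# which the username and password keys below assume.
auth_type = {{ octavia_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}/v3
www_authenticate_uri = {{ keystone_service_internaluri }}/v3
auth_version = 3
project_domain_id = {{ octavia_service_project_domain_id }}
user_domain_id = {{ octavia_service_user_domain_id }}
project_name = {{ octavia_service_project_name }}
username = {{ octavia_service_user_name }}
# Service account password, rendered in clear text.
password = {{ octavia_service_password }}
region_name = {{ keystone_service_region }}
endpoint_type = {{ octavia_clients_endpoint }}
memcached_servers = {{ octavia_memcached_servers }}
# Seconds a validated token stays cached; a revoked token can still be
# accepted from the cache for up to this long.
token_cache_time = 300
# The quotes are kept from the original template.
service_token_roles = "{{ octavia_service_token_roles | join(',') }}"
# When this is false, a valid service token is accepted even if it carries
# none of the roles listed above.
service_token_roles_required = {{ octavia_service_token_roles_required | bool }}
service_type = {{ octavia_service_type }}

# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
# Secret used to protect cached token data; rendered in clear text.
memcache_secret_key = {{ memcached_encryption_key }}
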
[certificates]
# CA certificate and private key used for certificate signing. The passphrase
# that unlocks the key is rendered in clear text next to the key path, so
# both this file and the key file should be readable only by the Octavia
# service account.
ca_certificate = /etc/octavia/certs/server_ca.pem
ca_private_key = /etc/octavia/certs/ca_key.pem
ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }}
signing_digest = sha256
{% if octavia_barbican_enabled %}
# Written only when Barbican is enabled.
cert_manager = barbican_cert_manager
endpoint_type = {{ octavia_clients_endpoint }}
region_name = {{ keystone_service_region }}
{% endif %}

[haproxy_amphora]
{% if octavia_haproxy_amphora_template is defined %}
# Custom haproxy template, set only when the variable is defined.
haproxy_template = {{ octavia_haproxy_amphora_template }}
{% endif %}

# Port of the agent running on the amphora.
bind_port = {{ octavia_agent_port }}

# client_cert is what the controller presents to the amphora agent and
# server_ca is used to verify the certificate the agent presents. The
# client.pem file should not be readable by other local users.
client_cert = /etc/octavia/certs/client.pem
server_ca = /etc/octavia/certs/server_ca.pem


[controller_worker]
amp_active_retries = {{ octavia_amp_active_retries }}
amp_image_tag = {{ octavia_glance_image_tag }}
# Restricts amphora image lookup to images owned by this project, so an
# image that merely carries the tag above is not booted.
# NOTE(review): confirm deployments set this to a non-empty owner id.
amp_image_owner_id = {{ octavia_amp_image_owner_id }}
amp_flavor_id = {{ octavia_nova_flavor_uuid }}
{% if octavia_ssh_enabled %}
# Injects an SSH key into amphora instances; written only when
# octavia_ssh_enabled is true.
amp_ssh_key_name = {{ octavia_ssh_key_name }}
{% endif %}
# Management network and security group attached to amphorae.
amp_boot_network_list = {{ octavia_neutron_management_network_uuid }}
amp_secgroup_list = {{ octavia_security_group_name }}
client_ca = /etc/octavia/certs/client_ca.pem
amphora_driver = {{ octavia_amphora_driver }}
compute_driver = {{ octavia_compute_driver }}
network_driver = {{ octavia_network_driver }}

{% if octavia_cinder_enabled %}
volume_driver = volume_cinder_driver
{% else %}
volume_driver = volume_noop_driver
{% endif %}

loadbalancer_topology = {{ octavia_loadbalancer_topology }}


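[task_flow]
max_workers = {{ octavia_task_flow_max_workers }}

{% if octavia_coordination_enable %}
# Same credentials and TLS parameters as the [database] connection, pointed
# at the persistence database. The port is included so that a non-default
# octavia_galera_port applies here as it does in [database]; the URL
# previously omitted it. The password is rendered in clear text.
persistence_connection = mysql+pymysql://{{ octavia_galera_user }}:{{ octavia_container_mysql_password }}@{{ octavia_galera_address }}:{{ octavia_galera_port }}/{{ octavia_galera_persistence_database }}?charset=utf8{% if octavia_galera_use_ssl | bool %}&ssl_verify_cert=true{% if octavia_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ octavia_galera_ssl_ca_cert }}{% endif %}{% endif +%}
jobboard_enabled = True
jobboard_backend_driver = {{ _octavia_jobboard_driver_map[octavia_coordination_driver] }}
# ansible_host of every member of the coordination group, comma separated.
jobboard_backend_hosts = {{ groups[octavia_coordination_group] | map('extract', hostvars, 'ansible_host') | list | join(',') }}
jobboard_backend_port = {{ octavia_coordination_port }}
jobboard_backend_namespace = {{ octavia_coordination_namespace }}

{% if octavia_coordination_driver == 'zookeeper' %}
# TLS and certificate verification towards ZooKeeper.
jobboard_zookeeper_ssl_options = use_ssl:{{ octavia_coordination_client_ssl | bool }},verify_certs:{{ octavia_coordination_verify_cert | bool }}
{% endif %}
{% if octavia_coordination_driver == 'redis' %}
# The bool filter is applied before ternary so that a string value such as
# "False" is read the same way as on the zookeeper line. ssl_cert_reqs is
# None (no certificate verification) only when verification is switched off.
jobboard_redis_backend_ssl_options = ssl:{{ octavia_coordination_client_ssl | bool }},ssl_cert_reqs:{{ octavia_coordination_verify_cert | bool | ternary('required', 'None') }}
{% endif %}
{% endif %}
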
[service_auth]
# True turns off TLS certificate verification for calls to Keystone; keep it
# False outside test environments.
insecure = {{ keystone_service_internaluri_insecure | bool }}
# NOTE(review): auth_plugin here and auth_type further down look like two
# names for the same setting; confirm which one the consumer reads.
auth_plugin = {{ octavia_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}/v3
www_authenticate_uri = {{ keystone_service_internaluri }}/v3
auth_version = 3
# NOTE(review): the *_domain_name keys are filled from the *_domain_id
# variables, while [keystone_authtoken] uses the *_domain_id keys. Confirm
# that the id values are also valid domain names in this deployment.
project_domain_name = {{ octavia_service_project_domain_id }}
user_domain_name = {{ octavia_service_user_domain_id }}
project_name = {{ octavia_service_project_name }}
username = {{ octavia_service_user_name }}
# Service account password, rendered in clear text.
password = {{ octavia_service_password }}
region_name = {{ keystone_service_region }}
auth_type = password
memcached_servers = {{ octavia_memcached_servers }}
endpoint_type = {{ octavia_clients_endpoint }}
token_cache_time = 300

# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
# Secret used to protect cached token data; rendered in clear text.
memcache_secret_key = {{ memcached_encryption_key }}


[octavia]
# Region and endpoint type for the Octavia client.
region_name = {{ keystone_service_region }}
endpoint_type = {{ octavia_clients_endpoint }}

[nova]
# Region and endpoint type for the Nova client.
region_name = {{ keystone_service_region }}
endpoint_type = {{ octavia_clients_endpoint }}
enable_anti_affinity = {{ octavia_enable_anti_affinity }}

# Written only when octavia_amp_availability_zone is set; otherwise this
# line renders empty.
{% if octavia_amp_availability_zone %}availability_zone={{ octavia_amp_availability_zone }}{% endif %}

{% if octavia_cinder_enabled %}
[cinder]
# The whole section is written only when octavia_cinder_enabled is true.
# service_name falls back to cinderv3 when cinder_service_v3_name is unset.
service_name = {{ cinder_service_v3_name | default('cinderv3') }}
region_name = {{ keystone_service_region }}
endpoint_type = {{ octavia_clients_endpoint }}
availability_zone = {{ cinder_default_availability_zone }}
volume_size = {{ octavia_cinder_volume_size }}
volume_type = {{ octavia_cinder_volume_type }}
# Fixed retry settings; not templated.
volume_create_retry_interval = 5
volume_create_timeout = 50
volume_create_max_retries = 2
{% endif %}

[glance]
# Region and endpoint type for the Glance client.
region_name = {{ keystone_service_region }}
endpoint_type = {{ octavia_clients_endpoint }}

[neutron]
# Region and endpoint type for the Neutron client.
region_name = {{ keystone_service_region }}
endpoint_type = {{ octavia_clients_endpoint }}

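{% if octavia_enabled_provider_agents | length > 0 %}
[driver_agent]
# Comma-separated provider agents; the section is written only when the
# list is non-empty. The value previously began with an opening double quote
# that was never closed, which would leave a literal quote character at the
# front of the first agent name. It is now written unquoted.
enabled_provider_agents = {{ octavia_enabled_provider_agents | join(',') }}
{% endif %}
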
{% if octavia_ovn_enabled %}
[ovn]
# Connection strings for the OVN northbound and southbound databases.
ovn_nb_connection = {{ octavia_ovn_nb_connection }}
ovn_sb_connection = {{ octavia_ovn_sb_connection }}
{% if octavia_ovn_ssl %}
# Certificate material is configured only when octavia_ovn_ssl is true; the
# same CA, certificate and key files are used for both databases.
# NOTE(review): with octavia_ovn_ssl false no certificates are set here, so
# confirm the connection strings above are then meant to be unencrypted.
# The private key file should be readable only by the Octavia service
# account. The octavia_ovn_ssl_* values are joined onto /etc/octavia/certs
# and are presumably bare file names.
ovn_sb_ca_cert={{ ["/etc/octavia/certs", octavia_ovn_ssl_ca_cert] | join('/') }}
ovn_sb_certificate={{ ["/etc/octavia/certs", octavia_ovn_ssl_cert] | join('/') }}
ovn_sb_private_key={{ ["/etc/octavia/certs", octavia_ovn_ssl_key] | join('/') }}
ovn_nb_ca_cert={{ ["/etc/octavia/certs", octavia_ovn_ssl_ca_cert] | join('/') }}
ovn_nb_certificate={{ ["/etc/octavia/certs", octavia_ovn_ssl_cert] | join('/') }}
ovn_nb_private_key={{ ["/etc/octavia/certs", octavia_ovn_ssl_key] | join('/') }}
{% endif %}
{% endif %}