openstack-ansible-os_trove/defaults/main.yml
Jimmy McCrory 8be124b8c7 Add MySQL connection SSL support
When 'trove_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: Ia453e842cabbb46e25f9918e88738340ff08f2ab
Partial-Bug: 1667789
2017-12-14 11:27:40 -08:00

230 lines
9.9 KiB
YAML

---
# Copyright 2016 Internet Solutions (Pty) Ltd
# Copyright 2017 IBM Corp
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# (c) 2016 Donovan Francesco <donovan.francesco@is.co.za>
# (c) 2016 Paul Stevens <paul.stevens@is.co.za>
trove_package_state: "latest"
trove_pip_package_state: "latest"
debug: false
trove_system_group_name: trove
trove_system_user_name: trove
trove_system_user_comment: Trove System User
trove_system_user_shell: /bin/false
trove_system_user_home: "/var/lib/{{ trove_system_user_name }}"
trove_log_directory: /var/log/trove
trove_etc_directory: /etc/trove
trove_api_program_name: trove-api
trove_conductor_program_name: trove-conductor
trove_taskmanager_program_name: trove-taskmanager
trove_admin_user_name: admin_trove_user
trove_service_name: trove
trove_service_user_name: "{{ trove_admin_user_name }}"
trove_service_tenant_name: trove_for_trove_usage
trove_service_type: database
trove_service_description: "OpenStack DBaaS (Trove)"
trove_service_project_name: "{{ trove_service_tenant_name }}"
trove_service_admin_role_names:
- admin
trove_service_region: RegionOne
trove_service_host: "0.0.0.0"
trove_service_port: 8779
trove_service_proto: http
trove_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(trove_service_proto) }}"
trove_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(trove_service_proto) }}"
trove_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(trove_service_proto) }}"
trove_service_publicurl: "{{ trove_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ trove_service_port }}/v1.0/%(tenant_id)s"
trove_service_internalurl: "{{ trove_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ trove_service_port }}/v1.0/%(tenant_id)s"
trove_service_adminurl: "{{ trove_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ trove_service_port }}/v1.0/%(tenant_id)s"
trove_auth_url: "{{ keystone_service_internalurl }}"
# By default assume the trove service network is an internal one
# It would be good to use the catalog service to lookup these URLs based on the endpoint type
# but currently the Trove code doesn't work properly when endpoint types are specified
trove_nova_compute_url: "{{ trove_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}/v2.1"
trove_cinder_url: "{{ trove_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ cinder_service_port }}/v1"
trove_swift_url: "{{ trove_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ swift_proxy_port }}/v1/AUTH_"
trove_neutron_url: "{{ trove_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ neutron_service_port }}/"
trove_profiler_enabled: false
## Cap the maximum number of threads / workers when a user value is unspecified.
trove_api_workers_max: 16
trove_api_workers: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, trove_api_workers_max] | min }}"
## Cap the maximum number of threads / workers when a user value is unspecified.
trove_conductor_workers_max: 16
trove_conductor_workers: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, trove_conductor_workers_max] | min }}"
# Name of the virtual env to deploy into
trove_venv_tag: untagged
trove_bin: "/openstack/venvs/trove-{{ trove_venv_tag }}/bin"
# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
trove_venv_download: "{{ not trove_developer_mode | bool }}"
trove_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/trove.tgz
trove_git_repo: "https://git.openstack.org/openstack/trove"
trove_git_install_branch: master
trove_developer_mode: false
trove_developer_constraints:
- "git+{{ trove_git_repo }}@{{ trove_git_install_branch }}#egg=trove"
#: Set this to false to disable API service through Apache + mod_wsgi
trove_use_mod_wsgi: false
## Apache setup
trove_apache_log_level: info
trove_apache_servertokens: "Prod"
trove_apache_serversignature: "Off"
trove_wsgi_threads: 1
## Cap the maximum number of processes when a user value is unspecified.
trove_wsgi_processes_max: 32
trove_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, trove_wsgi_processes_max] | min }}"
# set trove_ssl to true to enable SSL configuration on the trove containers
trove_ssl: false
trove_ssl_cert: /etc/ssl/certs/trove.pem
trove_ssl_key: /etc/ssl/private/trove.key
trove_ssl_ca_cert: /etc/ssl/certs/trove-ca.pem
trove_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
trove_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
trove_ssl_self_signed_regen: false
trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Database vars
trove_galera_database_name: trove
trove_galera_user: trove
trove_galera_address: "{{ internal_lb_vip_address }}"
trove_db_sync_options:
trove_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
trove_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
trove_galera_connection_string: "mysql+pymysql://{{ trove_galera_user}}:{{ trove_galera_password }}@{{ trove_galera_address }}/{{ trove_galera_database_name }}?charset=utf8{% if trove_galera_use_ssl | bool %}&ssl_ca={{ trove_galera_ssl_ca_cert }}{% endif %}"
# Rabbit vars
trove_control_exchange: trove
trove_rabbit_notification_topic: notification
trove_rabbitmq_userid: trove
trove_rabbitmq_vhost: /trove
trove_rabbitmq_use_ssl: False
trove_rabbitmq_port: 5672
trove_rabbitmq_servers: "{{ rabbitmq_servers }}"
# The trove guest agent in the deployed DB VMs need access to OpenStack services (keystone, swift, etc)
# and also to rabbitmq. The way it gets access (networking) these services may differ.
# By default assume:
# OpenStack services are accesses through public interfaces
# Infrastructure services (rabbitmq) are accessed through the defined provider network.
#
# The value of 'net_name' field of the provider network network to use for infrastructure services
trove_provider_net_name: dbaas-mgmt
trove_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', trove_provider_net_name)|list|first }}"
# The value of 'ip_from_q' field
trove_provider_ip_from_q: "{{ trove_provider_network['ip_from_q'] }}"
# The name of the network address pool
trove_container_net_name: "{{ trove_provider_ip_from_q }}_address"
trove_guest_rabbitmq_servers: "{% for host in groups[rabbitmq_host_group] %}{{ hostvars[host]['container_networks'][trove_container_net_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}"
trove_guest_rabbitmq_use_ssl: "{{ trove_rabbitmq_use_ssl }}"
# For OpenStack services that have public, admin, and internal access, use the public ones for the guest VMs.
trove_guest_auth_url: "{{ keystone_service_publicurl }}"
trove_guest_swift_url: "{{ trove_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ swift_proxy_port }}/v1/AUTH_"
# Trove service network settings.
# These values are used when creating an OpenStack network to be used by Trove. By default the network will
# not be created.
trove_service_net_setup: False
trove_service_net_validate_certs: "False"
trove_service_net_phys_net: dbaas-mgmt
trove_service_net_type: flat
trove_service_net_name: dbaas_service_net
trove_service_subnet_name: dbaas_service_subnet
trove_service_net_subnet_cidr: "192.168.20.0/24"
trove_service_net_dhcp: "True"
trove_service_net_allocation_pool_start: "192.168.20.100"
trove_service_net_allocation_pool_end: "192.168.20.120"
trove_service_net_endpoint_type: internal
# RPC encryption keys
# See the Trove documentation as to the significance of the rpc encryption keys
# Trove supplies default values but we enforce they not be left to their default values
trove_enable_secure_rpc_messaging: "True"
trove_required_secrets:
- trove_galera_password
- trove_rabbitmq_password
- trove_service_password
- trove_admin_user_password
- trove_taskmanager_rpc_encr_key
- trove_inst_rpc_key_encr_key
# Keystone AuthToken/Middleware
trove_keystone_auth_plugin: "{{ trove_keystone_auth_type }}"
trove_keystone_auth_type: password
trove_service_project_domain_name: Default
trove_service_user_domain_name: default
trove_service_project_domain_id: default
trove_service_user_domain_id: default
trove_conductor_service_name: "{{ trove_conductor_program_name }}"
trove_taskmanager_service_name: "{{ trove_taskmanager_program_name }}"
#Glance images
trove_glance_images: []
trove_requires_pip_packages:
- httplib2
- python-glanceclient
- python-keystoneclient
- virtualenv
- virtualenv-tools
- shade
- futures
trove_pip_packages:
- cryptography
- MySQL-python
- os-client-config
- pexpect
- PyMySQL
- python-troveclient
- python-memcached
- trove
# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
trove_role_project_group: trove_all
## Tunable overrides
trove_config_overrides: {}
trove_api_paste_ini_overrides: {}
trove_conductor_config_overrides: {}
trove_taskmanager_config_overrides: {}
trove_guestagent_config_overrides: {}
trove_policy_overrides: {}
trove_api_init_config_overrides: {}
trove_conductor_init_config_overrides: {}
trove_taskmanager_init_config_overrides: {}