3bcb347a5b
Motivation: libvirt 127.0.0.1 listen is terrible for live migration. To resolve that, we can use 0.0.0.0 but it is not secure so tried to realize SSL. Once create secrets for cacert, client&server cert and keys then it will mounted on libvirt daemonset. It means all instances use the same key and cert. This is not ideal but can be considered as the first stage. Change-Id: Ic3407e484039afaf98495e0f6028254c4c2a0a78
206 lines
4.8 KiB
YAML
206 lines
4.8 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for libvirt.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
---
|
|
release_group: null
|
|
|
|
labels:
|
|
agent:
|
|
libvirt:
|
|
node_selector_key: openstack-compute-node
|
|
node_selector_value: enabled
|
|
|
|
images:
|
|
tags:
|
|
libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_bionic
|
|
ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200217'
|
|
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: "IfNotPresent"
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
network:
|
|
# provide what type of network wiring will be used
|
|
# possible options: openvswitch, linuxbridge, sriov
|
|
backend:
|
|
- openvswitch
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
|
|
network_policy:
|
|
libvirt:
|
|
ingress:
|
|
- {}
|
|
egress:
|
|
- {}
|
|
|
|
ceph_client:
|
|
configmap: ceph-etc
|
|
user_secret_name: pvc-ceph-client-key
|
|
|
|
conf:
|
|
ceph:
|
|
enabled: true
|
|
admin_keyring: null
|
|
cinder:
|
|
user: "cinder"
|
|
keyring: null
|
|
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
|
|
# Cinder Ceph backend that is not configured by the k8s cluter
|
|
external_ceph:
|
|
enabled: false
|
|
user: null
|
|
secret_uuid: null
|
|
user_secret_name: null
|
|
libvirt:
|
|
listen_tcp: "1"
|
|
listen_tls: "0"
|
|
auth_tcp: "none"
|
|
ca_file: "/etc/pki/CA/cacert.pem"
|
|
cert_file: "/etc/pki/libvirt/servercert.pem"
|
|
key_file: "/etc/pki/libvirt/private/serverkey.pem"
|
|
listen_addr: 127.0.0.1
|
|
log_level: "3"
|
|
log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
|
|
qemu:
|
|
stdio_handler: "file"
|
|
user: "nova"
|
|
group: "kvm"
|
|
kubernetes:
|
|
cgroup: "kubepods"
|
|
|
|
pod:
|
|
security_context:
|
|
libvirt:
|
|
pod:
|
|
runAsUser: 0
|
|
container:
|
|
ceph_admin_keyring_placement:
|
|
readOnlyRootFilesystem: false
|
|
ceph_keyring_placement:
|
|
readOnlyRootFilesystem: false
|
|
libvirt:
|
|
privileged: true
|
|
readOnlyRootFilesystem: false
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
weight:
|
|
default: 10
|
|
dns_policy: "ClusterFirstWithHostNet"
|
|
mounts:
|
|
libvirt:
|
|
init_container: null
|
|
libvirt:
|
|
lifecycle:
|
|
upgrades:
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
libvirt:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
resources:
|
|
enabled: false
|
|
libvirt:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- libvirt-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
targeted:
|
|
openvswitch:
|
|
libvirt:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-ovs-agent
|
|
linuxbridge:
|
|
libvirt:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-lb-agent
|
|
sriov:
|
|
libvirt:
|
|
pod:
|
|
- requireSameNode: true
|
|
labels:
|
|
application: neutron
|
|
component: neutron-sriov-agent
|
|
static:
|
|
libvirt:
|
|
services: null
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
daemonset_libvirt: true
|
|
job_image_repo_sync: true
|
|
network_policy: false
|
|
|
|
secrets:
|
|
tls:
|
|
server: libvirt-tls-server
|
|
client: libvirt-tls-client
|
|
...
|