# Copyright 2017 The Openstack-Helm Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for heat. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value release_group: null labels: api: node_selector_key: openstack-control-plane node_selector_value: enabled cfn: node_selector_key: openstack-control-plane node_selector_value: enabled cloudwatch: node_selector_key: openstack-control-plane node_selector_value: enabled engine: node_selector_key: openstack-control-plane node_selector_value: enabled job: node_selector_key: openstack-control-plane node_selector_value: enabled images: tags: bootstrap: docker.io/openstackhelm/heat:newton db_init: docker.io/openstackhelm/heat:newton heat_db_sync: docker.io/openstackhelm/heat:newton db_drop: docker.io/openstackhelm/heat:newton rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton heat_api: docker.io/openstackhelm/heat:newton heat_cfn: docker.io/openstackhelm/heat:newton heat_cloudwatch: docker.io/openstackhelm/heat:newton heat_engine: docker.io/openstackhelm/heat:newton heat_engine_cleaner: docker.io/openstackhelm/heat:newton dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.0 pull_policy: "IfNotPresent" jobs: engine_cleaner: cron: "*/5 * * * *" history: success: 3 failed: 1 conf: paste: pipeline:heat-api: pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken context apiv1app pipeline:heat-api-standalone: pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app pipeline:heat-api-custombackend: pipeline: cors request_id faultwrap versionnegotiation context custombackendauth apiv1app pipeline:heat-api-cfn: pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app pipeline:heat-api-cfn-standalone: pipeline: cors http_proxy_to_wsgi cfnversionnegotiation ec2authtoken context apicfnv1app pipeline:heat-api-cloudwatch: pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp pipeline:heat-api-cloudwatch-standalone: pipeline: cors versionnegotiation ec2authtoken context apicwapp app:apiv1app: paste.app_factory: heat.common.wsgi:app_factory heat.app_factory: heat.api.openstack.v1:API app:apicfnv1app: paste.app_factory: heat.common.wsgi:app_factory heat.app_factory: heat.api.cfn.v1:API app:apicwapp: paste.app_factory: heat.common.wsgi:app_factory heat.app_factory: heat.api.cloudwatch:API filter:versionnegotiation: paste.filter_factory: heat.common.wsgi:filter_factory heat.filter_factory: heat.api.openstack:version_negotiation_filter filter:cors: paste.filter_factory: oslo_middleware.cors:filter_factory oslo_config_project: heat filter:faultwrap: paste.filter_factory: heat.common.wsgi:filter_factory heat.filter_factory: heat.api.openstack:faultwrap_filter filter:cfnversionnegotiation: paste.filter_factory: heat.common.wsgi:filter_factory heat.filter_factory: heat.api.cfn:version_negotiation_filter filter:cwversionnegotiation: paste.filter_factory: heat.common.wsgi:filter_factory heat.filter_factory: heat.api.cloudwatch:version_negotiation_filter filter:context: paste.filter_factory: heat.common.context:ContextMiddleware_filter_factory filter:ec2authtoken: paste.filter_factory: heat.api.aws.ec2token:EC2Token_filter_factory filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory filter:authurl: paste.filter_factory: heat.common.auth_url:filter_factory filter:authtoken: paste.filter_factory: keystonemiddleware.auth_token:filter_factory filter:authpassword: paste.filter_factory: heat.common.auth_password:filter_factory filter:custombackendauth: paste.filter_factory: heat.common.custom_backend_auth:filter_factory filter:request_id: paste.filter_factory: oslo_middleware.request_id:RequestId.factory filter:osprofiler: paste.filter_factory: osprofiler.web:WsgiMiddleware.factory policy: context_is_admin: role:admin and is_admin_project:True project_admin: role:admin deny_stack_user: not role:heat_stack_user deny_everybody: "!" cloudformation:ListStacks: rule:deny_stack_user cloudformation:CreateStack: rule:deny_stack_user cloudformation:DescribeStacks: rule:deny_stack_user cloudformation:DeleteStack: rule:deny_stack_user cloudformation:UpdateStack: rule:deny_stack_user cloudformation:CancelUpdateStack: rule:deny_stack_user cloudformation:DescribeStackEvents: rule:deny_stack_user cloudformation:ValidateTemplate: rule:deny_stack_user cloudformation:GetTemplate: rule:deny_stack_user cloudformation:EstimateTemplateCost: rule:deny_stack_user cloudformation:DescribeStackResource: '' cloudformation:DescribeStackResources: rule:deny_stack_user cloudformation:ListStackResources: rule:deny_stack_user cloudwatch:DeleteAlarms: rule:deny_stack_user cloudwatch:DescribeAlarmHistory: rule:deny_stack_user cloudwatch:DescribeAlarms: rule:deny_stack_user cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user cloudwatch:DisableAlarmActions: rule:deny_stack_user cloudwatch:EnableAlarmActions: rule:deny_stack_user cloudwatch:GetMetricStatistics: rule:deny_stack_user cloudwatch:ListMetrics: rule:deny_stack_user cloudwatch:PutMetricAlarm: rule:deny_stack_user cloudwatch:PutMetricData: '' cloudwatch:SetAlarmState: rule:deny_stack_user actions:action: rule:deny_stack_user build_info:build_info: rule:deny_stack_user events:index: rule:deny_stack_user events:show: rule:deny_stack_user resource:index: rule:deny_stack_user resource:metadata: '' resource:signal: '' resource:mark_unhealthy: rule:deny_stack_user resource:show: rule:deny_stack_user stacks:abandon: rule:deny_stack_user stacks:create: rule:deny_stack_user stacks:delete: rule:deny_stack_user stacks:detail: rule:deny_stack_user stacks:export: rule:deny_stack_user stacks:generate_template: rule:deny_stack_user stacks:global_index: rule:deny_everybody stacks:index: rule:deny_stack_user stacks:list_resource_types: rule:deny_stack_user stacks:list_template_versions: rule:deny_stack_user stacks:list_template_functions: rule:deny_stack_user stacks:lookup: '' stacks:preview: rule:deny_stack_user stacks:resource_schema: rule:deny_stack_user stacks:show: rule:deny_stack_user stacks:template: rule:deny_stack_user stacks:environment: rule:deny_stack_user stacks:files: rule:deny_stack_user stacks:update: rule:deny_stack_user stacks:update_patch: rule:deny_stack_user stacks:preview_update: rule:deny_stack_user stacks:preview_update_patch: rule:deny_stack_user stacks:validate_template: rule:deny_stack_user stacks:snapshot: rule:deny_stack_user stacks:show_snapshot: rule:deny_stack_user stacks:delete_snapshot: rule:deny_stack_user stacks:list_snapshots: rule:deny_stack_user stacks:restore_snapshot: rule:deny_stack_user stacks:list_outputs: rule:deny_stack_user stacks:show_output: rule:deny_stack_user software_configs:global_index: rule:deny_everybody software_configs:index: rule:deny_stack_user software_configs:create: rule:deny_stack_user software_configs:show: rule:deny_stack_user software_configs:delete: rule:deny_stack_user software_deployments:index: rule:deny_stack_user software_deployments:create: rule:deny_stack_user software_deployments:show: rule:deny_stack_user software_deployments:update: rule:deny_stack_user software_deployments:delete: rule:deny_stack_user software_deployments:metadata: '' service:index: rule:context_is_admin resource_types:OS::Nova::Flavor: rule:project_admin resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin resource_types:OS::Cinder::VolumeType: rule:project_admin resource_types:OS::Cinder::Quota: rule:project_admin resource_types:OS::Manila::ShareType: rule:project_admin resource_types:OS::Neutron::QoSPolicy: rule:project_admin resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin resource_types:OS::Nova::HostAggregate: rule:project_admin resource_types:OS::Cinder::QoSSpecs: rule:project_admin heat: DEFAULT: num_engine_workers: 1 trusts_delegated_roles: "" host: heat-engine keystone_authtoken: auth_type: password auth_version: v3 memcache_security_strategy: ENCRYPT database: max_retries: -1 trustee: auth_type: password auth_version: v3 heat_api: #NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. bind_port: null workers: 1 heat_api_cloudwatch: #NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. bind_port: null workers: 1 heat_api_cfn: #NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. bind_port: null workers: 1 paste_deploy: api_paste_config: /etc/heat/api-paste.ini clients: endpoint_type: internalURL clients_keystone: endpoint_type: internalURL oslo_messaging_notifications: driver: messagingv2 network: api: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / external_policy_local: false node_port: enabled: false port: 30004 cfn: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / node_port: enabled: false port: 30800 cloudwatch: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / node_port: enabled: false port: 30003 bootstrap: enabled: true ks_user: admin script: | #NOTE(portdirect): required for all users who operate heat stacks openstack role create --or-show heat_stack_owner #NOTE(portdirect): The Orchestration service automatically assigns the # 'heat_stack_user' role to users that it creates during stack deployment. # By default, this role restricts API operations. To avoid conflicts, do # not add this role to users with the heat_stack_owner role. openstack role create --or-show heat_stack_user dependencies: static: api: jobs: - heat-db-sync - heat-ks-user - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: - endpoint: internal service: oslo_db - endpoint: internal service: identity cfn: jobs: - heat-db-sync - heat-ks-user - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: - endpoint: internal service: oslo_db - endpoint: internal service: identity cloudwatch: jobs: - heat-db-sync - heat-ks-user - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: - endpoint: internal service: oslo_db - endpoint: internal service: identity db_drop: services: - endpoint: internal service: oslo_db db_init: services: - endpoint: internal service: oslo_db db_sync: jobs: - heat-db-init services: - endpoint: internal service: oslo_db engine: jobs: - heat-db-sync - heat-ks-user - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: - endpoint: internal service: oslo_db - endpoint: internal service: identity engine_cleaner: jobs: - heat-db-sync - heat-ks-user - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: - endpoint: internal service: oslo_db - endpoint: internal service: identity ks_endpoints: jobs: - heat-ks-service services: - endpoint: internal service: identity ks_service: services: - endpoint: internal service: identity ks_user: services: - endpoint: internal service: identity rabbit_init: services: - service: oslo_messaging endpoint: internal trusts: jobs: - heat-ks-user - heat-trustee-ks-user - heat-domain-ks-user services: - endpoint: internal service: identity # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: heat-keystone-admin heat: heat-keystone-user heat_trustee: heat-keystone-trustee heat_stack_user: heat-keystone-stack-user oslo_db: admin: heat-db-admin heat: heat-db-user oslo_messaging: admin: heat-rabbitmq-admin heat: heat-rabbitmq-user # typically overridden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local identity: name: keystone auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default heat: role: - admin - heat_stack_owner region_name: RegionOne username: heat password: password project_name: service user_domain_name: default project_domain_name: default heat_trustee: role: admin region_name: RegionOne username: heat-trust password: password project_name: service user_domain_name: default project_domain_name: default heat_stack_user: role: admin region_name: RegionOne username: heat-domain password: password domain_name: heat hosts: default: keystone-api public: keystone host_fqdn_override: default: null path: default: /v3 scheme: default: 'http' port: admin: default: 35357 api: default: 80 orchestration: name: heat hosts: default: heat-api public: heat host_fqdn_override: default: null path: default: '/v1/%(project_id)s' scheme: default: 'http' port: api: default: 8004 public: 80 cloudformation: name: heat-cfn hosts: default: heat-cfn public: cloudformation host_fqdn_override: default: null path: default: /v1 scheme: default: 'http' port: api: default: 8000 public: 80 # Cloudwatch does not get an entry in the keystone service catalog cloudwatch: name: heat-cloudwatch hosts: default: heat-cloudwatch public: cloudwatch host_fqdn_override: default: null path: default: null type: null scheme: default: 'http' port: api: default: 8003 public: 80 oslo_db: auth: admin: username: root password: password heat: username: heat password: password hosts: default: mariadb host_fqdn_override: default: null path: /heat scheme: mysql+pymysql port: mysql: default: 3306 oslo_cache: auth: # NOTE(portdirect): this is used to define the value for keystone # authtoken cache encryption key, if not set it will be populated # automatically with a random value, but to take advantage of # this feature all services should be set to use the same key, # and memcache service. memcache_secret_key: null hosts: default: memcached host_fqdn_override: default: null port: memcache: default: 11211 oslo_messaging: auth: admin: username: rabbitmq password: password heat: username: heat password: password hosts: default: rabbitmq host_fqdn_override: default: null path: / scheme: rabbit port: amqp: default: 5672 http: default: 15672 pod: user: heat: uid: 42424 affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname mounts: heat_api: init_container: null heat_api: heat_cfn: init_container: null heat_cfn: heat_cloudwatch: init_container: null heat_cloudwatch: heat_engine: init_container: null heat_engine: heat_bootstrap: init_container: null heat_bootstrap: heat_trusts: init_container: null heat_trusts: heat_engine_cleaner: init_container: null heat_engine_cleaner: replicas: api: 1 cfn: 1 cloudwatch: 1 engine: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: api: min_available: 0 cfn: min_available: 0 cloudwatch: min_available: 0 termination_grace_period: api: timeout: 30 cfn: timeout: 30 cloudwatch: timeout: 30 engine: timeout: 30 resources: enabled: false api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" cfn: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" cloudwatch: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" engine: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_drop: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_endpoints: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_service: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_user: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" rabbit_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" trusts: requests: memory: "124Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" engine_cleaner: requests: memory: "124Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" manifests: configmap_bin: true configmap_etc: true cron_job_engine_cleaner: true deployment_api: true deployment_cfn: true deployment_cloudwatch: true deployment_engine: true ingress_api: true ingress_cfn: true ingress_cloudwatch: true job_bootstrap: true job_db_init: true job_db_sync: true job_db_drop: false job_ks_endpoints: true job_ks_service: true job_ks_user_domain: true job_ks_user_trustee: true job_ks_user: true job_rabbit_init: true pdb_api: true pdb_cfn: true pdb_cloudwatch: true secret_db: true secret_keystone: true secret_rabbitmq: true service_api: true service_cfn: true service_cloudwatch: true service_ingress_api: true service_ingress_cfn: true service_ingress_cloudwatch: true statefulset_engine: false