918a307427
This patch set enables TLS for the following OpenStack services: keystone, horizon, glance, cinder, heat, nova, placement and neutron for s- (stein) and t- (train) release. This serves as a consolidation and clean up patch for the following patches: [0] https://review.opendev.org/#/c/733291 [1] https://review.opendev.org/#/c/735202 [2] https://review.opendev.org/#/c/733962 [3] https://review.opendev.org/#/c/733404 [4] https://review.opendev.org/#/c/734896 This also addresses comments mentioned in previous patches. Co-authored-by: Gage Hugo <gagehugo@gmail.com> Co-authored-by: sgupta <sg774j@att.com> Depends-on: https://review.opendev.org/#/c/737194/ Change-Id: Id34ace54298660b4b151522916e929a29f5731be Signed-off-by: Tin Lam <tin@irrational.io>
496 lines
13 KiB
YAML
496 lines
13 KiB
YAML
# Copyright 2019 Intel Corporation.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for openstack-placement.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
---
|
|
release_group: null
|
|
|
|
labels:
|
|
api:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
images:
|
|
pull_policy: IfNotPresent
|
|
tags:
|
|
placement: docker.io/openstackhelm/placement:master-ubuntu_bionic
|
|
ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
|
db_migrate: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic
|
|
placement_db_sync: docker.io/openstackhelm/placement:master-ubuntu_bionic
|
|
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
network:
|
|
api:
|
|
port: 8778
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30778
|
|
|
|
conf:
|
|
software:
|
|
apache2:
|
|
binary: apache2
|
|
start_parameters: -DFOREGROUND
|
|
# Enable/Disable modules
|
|
# a2enmod:
|
|
# - headers
|
|
# - rewrite
|
|
# a2dismod:
|
|
# - status
|
|
a2enmod: null
|
|
a2dismod: null
|
|
policy:
|
|
"context_is_admin": "role:admin"
|
|
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
|
|
"default": "rule:admin_or_owner"
|
|
"admin_api": "role:admin"
|
|
"placement:resource_providers:list": "rule:admin_api"
|
|
"placement:resource_providers:create": "rule:admin_api"
|
|
"placement:resource_providers:show": "rule:admin_api"
|
|
"placement:resource_providers:update": "rule:admin_api"
|
|
"placement:resource_providers:delete": "rule:admin_api"
|
|
"placement:resource_classes:list": "rule:admin_api"
|
|
"placement:resource_classes:create": "rule:admin_api"
|
|
"placement:resource_classes:show": "rule:admin_api"
|
|
"placement:resource_classes:update": "rule:admin_api"
|
|
"placement:resource_classes:delete": "rule:admin_api"
|
|
"placement:resource_providers:inventories:list": "rule:admin_api"
|
|
"placement:resource_providers:inventories:create": "rule:admin_api"
|
|
"placement:resource_providers:inventories:show": "rule:admin_api"
|
|
"placement:resource_providers:inventories:update": "rule:admin_api"
|
|
"placement:resource_providers:inventories:delete": "rule:admin_api"
|
|
"placement:resource_providers:aggregates:list": "rule:admin_api"
|
|
"placement:resource_providers:aggregates:update": "rule:admin_api"
|
|
"placement:resource_providers:usages": "rule:admin_api"
|
|
"placement:usages": "rule:admin_api"
|
|
"placement:traits:list": "rule:admin_api"
|
|
"placement:traits:show": "rule:admin_api"
|
|
"placement:traits:update": "rule:admin_api"
|
|
"placement:traits:delete": "rule:admin_api"
|
|
"placement:resource_providers:traits:list": "rule:admin_api"
|
|
"placement:resource_providers:traits:update": "rule:admin_api"
|
|
"placement:resource_providers:traits:delete": "rule:admin_api"
|
|
"placement:allocations:manage": "rule:admin_api"
|
|
"placement:allocations:list": "rule:admin_api"
|
|
"placement:allocations:update": "rule:admin_api"
|
|
"placement:allocations:delete": "rule:admin_api"
|
|
"placement:resource_providers:allocations:list": "rule:admin_api"
|
|
"placement:allocation_candidates:list": "rule:admin_api"
|
|
"placement:reshaper:reshape": "rule:admin_api"
|
|
placement:
|
|
DEFAULT:
|
|
debug: false
|
|
use_syslog: false
|
|
log_config_append: /etc/placement/logging.conf
|
|
placement_database:
|
|
connection: null
|
|
keystone_authtoken:
|
|
auth_version: v3
|
|
auth_type: password
|
|
memcache_security_strategy: ENCRYPT
|
|
logging:
|
|
loggers:
|
|
keys:
|
|
- root
|
|
- placement
|
|
handlers:
|
|
keys:
|
|
- stdout
|
|
- stderr
|
|
- "null"
|
|
formatters:
|
|
keys:
|
|
- context
|
|
- default
|
|
logger_root:
|
|
level: WARNING
|
|
handlers: stdout
|
|
logger_placement:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: placement
|
|
logger_amqp:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqp
|
|
logger_amqplib:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqplib
|
|
logger_eventletwsgi:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: eventlet.wsgi.server
|
|
logger_sqlalchemy:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: sqlalchemy
|
|
logger_boto:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: boto
|
|
handler_null:
|
|
class: logging.NullHandler
|
|
formatter: default
|
|
args: ()
|
|
handler_stdout:
|
|
class: StreamHandler
|
|
args: (sys.stdout,)
|
|
formatter: context
|
|
handler_stderr:
|
|
class: StreamHandler
|
|
args: (sys.stderr,)
|
|
formatter: context
|
|
formatter_context:
|
|
class: oslo_log.formatters.ContextFormatter
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
formatter_default:
|
|
format: "%(message)s"
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
wsgi_placement: |
|
|
Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
<VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
|
|
WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
|
|
WSGIProcessGroup placement-api
|
|
WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
WSGIPassAuthorization On
|
|
<IfVersion >= 2.4>
|
|
ErrorLogFormat "%{cu}t %M"
|
|
</IfVersion>
|
|
ErrorLog /dev/stdout
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
</VirtualHost>
|
|
Alias /placement /var/www/cgi-bin/placement/placement-api
|
|
<Location /placement>
|
|
SetHandler wsgi-script
|
|
Options +ExecCGI
|
|
WSGIProcessGroup placement-api
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
WSGIPassAuthorization On
|
|
</Location>
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
placement:
|
|
username: placement
|
|
password: password
|
|
# NOTE: This should be the username/password used to access the nova_api
|
|
# database. This is required only if database migration from nova to
|
|
# placement is desired.
|
|
nova_api:
|
|
username: nova
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /placement
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_cache:
|
|
auth:
|
|
# NOTE(portdirect): this is used to define the value for keystone
|
|
# authtoken cache encryption key, if not set it will be populated
|
|
# automatically with a random value, but to take advantage of
|
|
# this feature all services should be set to use the same key,
|
|
# and memcache service.
|
|
memcache_secret_key: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
identity:
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
placement:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: placement
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
internal: 5000
|
|
placement:
|
|
name: placement
|
|
hosts:
|
|
default: placement-api
|
|
public: placement
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: 'http'
|
|
port:
|
|
api:
|
|
default: 8778
|
|
public: 80
|
|
|
|
pod:
|
|
user:
|
|
placement:
|
|
uid: 42424
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
placement:
|
|
init_container: null
|
|
placement:
|
|
volumeMounts:
|
|
volumes:
|
|
replicas:
|
|
api: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
api:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
api:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_migrate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_endpoints:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_service:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_user:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
secrets:
|
|
identity:
|
|
admin: placement-keystone-admin
|
|
placement: placement-keystone-user
|
|
oslo_db:
|
|
admin: placement-db-admin
|
|
placement: placement-db-user
|
|
tls:
|
|
placement:
|
|
api:
|
|
public: placement-tls-public
|
|
internal: placement-tls-api
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
api:
|
|
jobs:
|
|
- placement-db-sync
|
|
- placement-ks-service
|
|
- placement-ks-user
|
|
- placement-ks-endpoints
|
|
ks_endpoints:
|
|
jobs:
|
|
- placement-ks-user
|
|
- placement-ks-service
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_service:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_user:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_migrate:
|
|
jobs:
|
|
- placement-db-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- placement-db-init
|
|
# NOTE: This needs to be enabled if placement migration is required.
|
|
# - placement-db-migrate
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
|
|
manifests:
|
|
certificates: false
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
deployment: true
|
|
job_image_repo_sync: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_db_migrate: false
|
|
job_ks_endpoints: true
|
|
job_ks_service: true
|
|
job_ks_user: true
|
|
network_policy: false
|
|
secret_db: true
|
|
secret_ingress_tls: true
|
|
pdb: true
|
|
ingress: true
|
|
secret_keystone: true
|
|
service_ingress: true
|
|
service: true
|
|
...
|