openstack-helm/placement/values.yaml
Tin Lam 918a307427 feat(tls): add tls support to openstack services
This patch set enables TLS for the following OpenStack services: keystone,
horizon, glance, cinder, heat, nova, placement and neutron for s- (stein)
and t- (train) release. This serves as a consolidation and clean up patch
for the following patches:

[0] https://review.opendev.org/#/c/733291
[1] https://review.opendev.org/#/c/735202
[2] https://review.opendev.org/#/c/733962
[3] https://review.opendev.org/#/c/733404
[4] https://review.opendev.org/#/c/734896

This also addresses comments mentioned in previous patches.

Co-authored-by: Gage Hugo <gagehugo@gmail.com>
Co-authored-by: sgupta <sg774j@att.com>

Depends-on: https://review.opendev.org/#/c/737194/

Change-Id: Id34ace54298660b4b151522916e929a29f5731be
Signed-off-by: Tin Lam <tin@irrational.io>
2020-07-10 09:36:31 -05:00

496 lines
13 KiB
YAML

# Copyright 2019 Intel Corporation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for openstack-placement.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
---
release_group: null
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
pull_policy: IfNotPresent
tags:
placement: docker.io/openstackhelm/placement:master-ubuntu_bionic
ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
db_migrate: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic
placement_db_sync: docker.io/openstackhelm/placement:master-ubuntu_bionic
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
network:
api:
port: 8778
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30778
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
# Enable/Disable modules
# a2enmod:
# - headers
# - rewrite
# a2dismod:
# - status
a2enmod: null
a2dismod: null
policy:
"context_is_admin": "role:admin"
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
"default": "rule:admin_or_owner"
"admin_api": "role:admin"
"placement:resource_providers:list": "rule:admin_api"
"placement:resource_providers:create": "rule:admin_api"
"placement:resource_providers:show": "rule:admin_api"
"placement:resource_providers:update": "rule:admin_api"
"placement:resource_providers:delete": "rule:admin_api"
"placement:resource_classes:list": "rule:admin_api"
"placement:resource_classes:create": "rule:admin_api"
"placement:resource_classes:show": "rule:admin_api"
"placement:resource_classes:update": "rule:admin_api"
"placement:resource_classes:delete": "rule:admin_api"
"placement:resource_providers:inventories:list": "rule:admin_api"
"placement:resource_providers:inventories:create": "rule:admin_api"
"placement:resource_providers:inventories:show": "rule:admin_api"
"placement:resource_providers:inventories:update": "rule:admin_api"
"placement:resource_providers:inventories:delete": "rule:admin_api"
"placement:resource_providers:aggregates:list": "rule:admin_api"
"placement:resource_providers:aggregates:update": "rule:admin_api"
"placement:resource_providers:usages": "rule:admin_api"
"placement:usages": "rule:admin_api"
"placement:traits:list": "rule:admin_api"
"placement:traits:show": "rule:admin_api"
"placement:traits:update": "rule:admin_api"
"placement:traits:delete": "rule:admin_api"
"placement:resource_providers:traits:list": "rule:admin_api"
"placement:resource_providers:traits:update": "rule:admin_api"
"placement:resource_providers:traits:delete": "rule:admin_api"
"placement:allocations:manage": "rule:admin_api"
"placement:allocations:list": "rule:admin_api"
"placement:allocations:update": "rule:admin_api"
"placement:allocations:delete": "rule:admin_api"
"placement:resource_providers:allocations:list": "rule:admin_api"
"placement:allocation_candidates:list": "rule:admin_api"
"placement:reshaper:reshape": "rule:admin_api"
placement:
DEFAULT:
debug: false
use_syslog: false
log_config_append: /etc/placement/logging.conf
placement_database:
connection: null
keystone_authtoken:
auth_version: v3
auth_type: password
memcache_security_strategy: ENCRYPT
logging:
loggers:
keys:
- root
- placement
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: stdout
logger_placement:
level: INFO
handlers:
- stdout
qualname: placement
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
datefmt: "%Y-%m-%d %H:%M:%S"
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
wsgi_placement: |
Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
WSGIProcessGroup placement-api
WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</VirtualHost>
Alias /placement /var/www/cgi-bin/placement/placement-api
<Location /placement>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup placement-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oslo_db:
auth:
admin:
username: root
password: password
placement:
username: placement
password: password
# NOTE: This should be the username/password used to access the nova_api
# database. This is required only if database migration from nova to
# placement is desired.
nova_api:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /placement
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
placement:
role: admin
region_name: RegionOne
username: placement
password: password
project_name: service
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
placement:
name: placement
hosts:
default: placement-api
public: placement
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
api:
default: 8778
public: 80
pod:
user:
placement:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
placement:
init_container: null
placement:
volumeMounts:
volumes:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_migrate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
secrets:
identity:
admin: placement-keystone-admin
placement: placement-keystone-user
oslo_db:
admin: placement-db-admin
placement: placement-db-user
tls:
placement:
api:
public: placement-tls-public
internal: placement-tls-api
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
api:
jobs:
- placement-db-sync
- placement-ks-service
- placement-ks-user
- placement-ks-endpoints
ks_endpoints:
jobs:
- placement-ks-user
- placement-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_migrate:
jobs:
- placement-db-init
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- placement-db-init
# NOTE: This needs to be enabled if placement migration is required.
# - placement-db-migrate
services:
- endpoint: internal
service: oslo_db
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
deployment: true
job_image_repo_sync: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_db_migrate: false
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
network_policy: false
secret_db: true
secret_ingress_tls: true
pdb: true
ingress: true
secret_keystone: true
service_ingress: true
service: true
...