vmware-nsx/etc/neutron/plugins/bigswitch/restproxy.ini
Kevin Benton e915ad3a15 BigSwitch: Add SSL Certificate Validation
This patch adds the option to use SSL certificate
validation on the backend controller using SSH-style
sticky authentication, individual trusted
certificates, and/or certificate authorities.
Also adds caching of connections to deal with
increased overhead of TLS/SSL handshake.

Default is now sticky-style enforcement.

Partial-Bug: 1188189
Implements: blueprint bsn-certificate-enforcement
Change-Id: If0bab196495c4944a53e0e394c956cca36269883
2014-03-05 15:08:39 -05:00

105 lines
4.1 KiB
INI

# Config file for neutron-proxy-plugin.
[restproxy]
# All configuration for this plugin is in section '[restproxy]'
#
# The following parameters are supported:
# servers : <host:port>[,<host:port>]* (Error if not set)
# server_auth : <username:password> (default: no auth)
# server_ssl : True | False (default: True)
# ssl_cert_directory : <path> (default: /etc/neutron/plugins/bigswitch/ssl)
# no_ssl_validation : True | False (default: False)
# ssl_sticky : True | False (default: True)
# sync_data : True | False (default: False)
# auto_sync_on_failure : True | False (default: True)
# server_timeout : <integer> (default: 10 seconds)
# neutron_id : <string> (default: neutron-<hostname>)
# add_meta_server_route : True | False (default: True)
# thread_pool_size : <int> (default: 4)
# A comma separated list of BigSwitch or Floodlight servers and port numbers. The plugin proxies the requests to the BigSwitch/Floodlight server, which performs the networking configuration. Note that only one server is needed per deployment, but you may wish to deploy multiple servers to support failover.
servers=localhost:8080
# The username and password for authenticating against the BigSwitch or Floodlight controller.
# server_auth=username:password
# Use SSL when connecting to the BigSwitch or Floodlight controller.
# server_ssl=True
# Directory which contains the ca_certs and host_certs to be used to validate
# controller certificates.
# ssl_cert_directory=/etc/neutron/plugins/bigswitch/ssl/
# If a certificate does not exist for a controller, trust and store the first
# certificate received for that controller and use it to validate future
# connections to that controller.
# ssl_sticky=True
# Do not validate the controller certificates for SSL
# Warning: This will not provide protection against man-in-the-middle attacks
# no_ssl_validation=False
# Sync data on connect
# sync_data=False
# If neutron fails to create a resource because the backend controller
# doesn't know of a dependency, automatically trigger a full data
# synchronization to the controller.
# auto_sync_on_failure=True
# Maximum number of seconds to wait for proxy request to connect and complete.
# server_timeout=10
# User defined identifier for this Neutron deployment
# neutron_id =
# Flag to decide if a route to the metadata server should be injected into the VM
# add_meta_server_route = True
# Number of threads to use to handle large volumes of port creation requests
# thread_pool_size = 4
[nova]
# Specify the VIF_TYPE that will be controlled on the Nova compute instances
# options: ivs or ovs
# default: ovs
# vif_type = ovs
# Overrides for vif types based on nova compute node host IDs
# Comma separated list of host IDs to fix to a specific VIF type
# The VIF type is taken from the end of the configuration item
# node_override_vif_<vif_type>
# For example, the following would set the VIF type to IVS for
# host-id1 and host-id2
# node_overrride_vif_ivs=host-id1,host-id2
[router]
# Specify the default router rules installed in newly created tenant routers
# Specify multiple times for multiple rules
# Format is <tenant>:<source>:<destination>:<action>
# Optionally, a comma-separated list of nexthops may be included after <action>
# Use an * to specify default for all tenants
# Default is any any allow for all tenants
# tenant_default_router_rule=*:any:any:permit
# Maximum number of rules that a single router may have
# Default is 200
# max_router_rules=200
[restproxyagent]
# Specify the name of the bridge used on compute nodes
# for attachment.
# Default: br-int
# integration_bridge=br-int
# Change the frequency of polling by the restproxy agent.
# Value is seconds
# Default: 5
# polling_interval=5
# Virtual switch type on the compute node.
# Options: ovs or ivs
# Default: ovs
# virtual_switch_type = ovs