e915ad3a15
This patch adds the option to use SSL certificate validation on the backend controller using SSH-style sticky authentication, individual trusted certificates, and/or certificate authorities. Also adds caching of connections to deal with increased overhead of TLS/SSL handshake. Default is now sticky-style enforcement. Partial-Bug: 1188189 Implements: blueprint bsn-certificate-enforcement Change-Id: If0bab196495c4944a53e0e394c956cca36269883
105 lines
4.1 KiB
INI
105 lines
4.1 KiB
INI
# Config file for neutron-proxy-plugin.
|
|
|
|
[restproxy]
|
|
# All configuration for this plugin is in section '[restproxy]'
|
|
#
|
|
# The following parameters are supported:
|
|
# servers : <host:port>[,<host:port>]* (Error if not set)
|
|
# server_auth : <username:password> (default: no auth)
|
|
# server_ssl : True | False (default: True)
|
|
# ssl_cert_directory : <path> (default: /etc/neutron/plugins/bigswitch/ssl)
|
|
# no_ssl_validation : True | False (default: False)
|
|
# ssl_sticky : True | False (default: True)
|
|
# sync_data : True | False (default: False)
|
|
# auto_sync_on_failure : True | False (default: True)
|
|
# server_timeout : <integer> (default: 10 seconds)
|
|
# neutron_id : <string> (default: neutron-<hostname>)
|
|
# add_meta_server_route : True | False (default: True)
|
|
# thread_pool_size : <int> (default: 4)
|
|
|
|
# A comma separated list of BigSwitch or Floodlight servers and port numbers. The plugin proxies the requests to the BigSwitch/Floodlight server, which performs the networking configuration. Note that only one server is needed per deployment, but you may wish to deploy multiple servers to support failover.
|
|
servers=localhost:8080
|
|
|
|
# The username and password for authenticating against the BigSwitch or Floodlight controller.
|
|
# server_auth=username:password
|
|
|
|
# Use SSL when connecting to the BigSwitch or Floodlight controller.
|
|
# server_ssl=True
|
|
|
|
# Directory which contains the ca_certs and host_certs to be used to validate
|
|
# controller certificates.
|
|
# ssl_cert_directory=/etc/neutron/plugins/bigswitch/ssl/
|
|
|
|
# If a certificate does not exist for a controller, trust and store the first
|
|
# certificate received for that controller and use it to validate future
|
|
# connections to that controller.
|
|
# ssl_sticky=True
|
|
|
|
# Do not validate the controller certificates for SSL
|
|
# Warning: This will not provide protection against man-in-the-middle attacks
|
|
# no_ssl_validation=False
|
|
|
|
# Sync data on connect
|
|
# sync_data=False
|
|
|
|
# If neutron fails to create a resource because the backend controller
|
|
# doesn't know of a dependency, automatically trigger a full data
|
|
# synchronization to the controller.
|
|
# auto_sync_on_failure=True
|
|
|
|
# Maximum number of seconds to wait for proxy request to connect and complete.
|
|
# server_timeout=10
|
|
|
|
# User defined identifier for this Neutron deployment
|
|
# neutron_id =
|
|
|
|
# Flag to decide if a route to the metadata server should be injected into the VM
|
|
# add_meta_server_route = True
|
|
|
|
# Number of threads to use to handle large volumes of port creation requests
|
|
# thread_pool_size = 4
|
|
|
|
[nova]
|
|
# Specify the VIF_TYPE that will be controlled on the Nova compute instances
|
|
# options: ivs or ovs
|
|
# default: ovs
|
|
# vif_type = ovs
|
|
|
|
# Overrides for vif types based on nova compute node host IDs
|
|
# Comma separated list of host IDs to fix to a specific VIF type
|
|
# The VIF type is taken from the end of the configuration item
|
|
# node_override_vif_<vif_type>
|
|
# For example, the following would set the VIF type to IVS for
|
|
# host-id1 and host-id2
|
|
# node_overrride_vif_ivs=host-id1,host-id2
|
|
|
|
[router]
|
|
# Specify the default router rules installed in newly created tenant routers
|
|
# Specify multiple times for multiple rules
|
|
# Format is <tenant>:<source>:<destination>:<action>
|
|
# Optionally, a comma-separated list of nexthops may be included after <action>
|
|
# Use an * to specify default for all tenants
|
|
# Default is any any allow for all tenants
|
|
# tenant_default_router_rule=*:any:any:permit
|
|
|
|
# Maximum number of rules that a single router may have
|
|
# Default is 200
|
|
# max_router_rules=200
|
|
|
|
[restproxyagent]
|
|
|
|
# Specify the name of the bridge used on compute nodes
|
|
# for attachment.
|
|
# Default: br-int
|
|
# integration_bridge=br-int
|
|
|
|
# Change the frequency of polling by the restproxy agent.
|
|
# Value is seconds
|
|
# Default: 5
|
|
# polling_interval=5
|
|
|
|
# Virtual switch type on the compute node.
|
|
# Options: ovs or ivs
|
|
# Default: ovs
|
|
# virtual_switch_type = ovs
|