Pierre Riteau ce212cc23c Prevent openrc files from using wrong OS_CACERT value
Kolla Ansible sets kolla_{external,internal}_fqdn_cacert variables with
default values compatible with the use of `kolla-ansible certificates`.

However, when these variables are left unset in Kayobe, which is
generally the case when using trusted certificates, we end up with
openrc files setting OS_CACERT to a file that does not exist:

    ${KOLLA_CONFIG_PATH}/certificates/haproxy-ca.crt

Instead we allow null cacert variables to be passed to kolla-ansible,
which results in openrc files without the bogus OS_CACERT entry.

Change-Id: Ifa615888b6d8d54c9e6314fd90f3fc4872fc6e5a
Story: 2007516
Task: 39299
2020-04-03 17:17:24 +02:00

565 lines
21 KiB
Django/Jinja

---
# {{ ansible_managed }}
# You can use this file to override _any_ variable throughout Kolla.
# Additional options can be found in the
# 'kolla-ansible/ansible/group_vars/all.yml' file. Default value of all the
# commented parameters are shown here, To override the default value uncomment
# the parameter and change its value.
###############
# Kolla options
###############
# Valid options are [ COPY_ONCE, COPY_ALWAYS ]
config_strategy: "COPY_ALWAYS"
# Valid options are ['centos', 'debian', 'oraclelinux', 'rhel', 'ubuntu']
kolla_base_distro: "{{ kolla_base_distro }}"
# Valid options are [ binary, source ]
kolla_install_type: "{{ kolla_install_type }}"
# Valid option is Docker repository tag
openstack_release: "{{ kolla_openstack_release }}"
# Location of configuration overrides
node_custom_config: "{{ kolla_node_custom_config_path }}"
# This should be a VIP, an unused IP on your network that will float between
# the hosts running keepalived for high-availability. If you want to run an
# All-In-One without haproxy and keepalived, you can set enable_haproxy to no
# in "OpenStack options" section, and set this value to the IP of your
# 'network_interface' as set in the Networking section below.
kolla_internal_vip_address: "{{ kolla_internal_vip_address }}"
# This is the DNS name that maps to the kolla_internal_vip_address VIP. By
# default it is the same as kolla_internal_vip_address.
kolla_internal_fqdn: "{{ kolla_internal_fqdn }}"
# This should be a VIP, an unused IP on your network that will float between
# the hosts running keepalived for high-availability. It defaults to the
# kolla_internal_vip_address, allowing internal and external communication to
# share the same address. Specify a kolla_external_vip_address to separate
# internal and external requests between two VIPs.
kolla_external_vip_address: "{{ kolla_external_vip_address }}"
# The Public address used to communicate with OpenStack as set in the public_url
# for the endpoints that will be created. This DNS name should map to
# kolla_external_vip_address.
kolla_external_fqdn: "{{ kolla_external_fqdn }}"
# User account to use for Kolla SSH access.
kolla_user: "{{ kolla_ansible_user }}"
# Primary group of Kolla SSH user.
kolla_group: "{{ kolla_ansible_group }}"
################
# Docker options
################
### Example: Private repository with authentication
#docker_registry: "172.16.0.10:4000"
{% if kolla_docker_registry %}
docker_registry: "{{ kolla_docker_registry }}"
{% endif %}
docker_namespace: "{{ kolla_docker_namespace }}"
{% if kolla_docker_registry_username and kolla_docker_registry_password %}
docker_registry_username: "{{ kolla_docker_registry_username }}"
docker_registry_password: "{{ kolla_docker_registry_password }}"
{% endif %}
docker_storage_driver: "{{ docker_storage_driver }}"
docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }}
#docker_configure_for_zun: "no"
###################
# Messaging options
###################
# Below is an example of an separate backend that provides brokerless
# messaging for oslo.messaging RPC communications
#om_rpc_transport: "amqp"
#om_rpc_user: "{% raw %}{{ qdrouterd_user }}{% endraw %}"
#om_rpc_password: "{% raw %}{{ qdrouterd_password }}{% endraw %}"
#om_rpc_port: "{% raw %}{{ qdrouterd_port }}{% endraw %}"
#om_rpc_group: "qdrouterd"
##############################
# Neutron - Networking Options
##############################
# This interface is what all your api services will be bound to by default.
# Additionally, all vxlan/tunnel and storage network traffic will go over this
# interface by default. This interface must contain an IPv4 address.
# It is possible for hosts to have non-matching names of interfaces - these can
# be set in an inventory file per host or per group or stored separately, see
# http://docs.ansible.com/ansible/intro_inventory.html
# Yet another way to workaround the naming problem is to create a bond for the
# interface on all hosts and give the bond name here. Similar strategy can be
# followed for other types of interfaces.
#
# NOTE: Most network interfaces are configured via the inventory and are
# therefore not set here.
# Configure the address family (AF) per network.
# Valid options are [ ipv4, ipv6 ]
#network_address_family: "ipv4"
#api_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
#storage_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
#cluster_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
#swift_storage_address_family: "{% raw %}{{ storage_address_family }}{% endraw %}"
#swift_replication_address_family: "{% raw %}{{ swift_storage_address_family }}{% endraw %}"
#migration_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
#tunnel_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
#octavia_network_address_family: "{% raw %}{{ api_address_family }}{% endraw %}"
#bifrost_network_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
#dns_address_family: "{% raw %}{{ network_address_family }}{% endraw %}"
# Valid options are [ openvswitch, linuxbridge ]
neutron_plugin_agent: "openvswitch"
# Valid options are [ internal, infoblox ]
#neutron_ipam_driver: "internal"
# Configure Neutron upgrade option, currently Kolla support
# two upgrade ways for Neutron: legacy_upgrade and rolling_upgrade
# The variable "neutron_enable_rolling_upgrade: yes" is meaning rolling_upgrade
# were enabled and opposite
# Neutron rolling upgrade were enable by default
#neutron_enable_rolling_upgrade: "yes"
# Comma-separated names of neutron ML2 type drivers.
{% if kolla_neutron_ml2_type_drivers %}
neutron_type_drivers: {{ kolla_neutron_ml2_type_drivers | join(',') }}
{% endif %}
# Comma-separated types of tenant networks (should be listed in 'neutron_type_drivers')
# NOTE: for ironic this list should also contain 'flat'
{% if kolla_neutron_ml2_tenant_network_types %}
neutron_tenant_network_types: {{ kolla_neutron_ml2_tenant_network_types | join(',') }}
{% endif %}
####################
# keepalived options
####################
# Arbitrary unique number from 0..255
# This should be changed from the default in the event of a multi-region deployment
# where the VIPs of different regions reside on a common subnet.
#keepalived_virtual_router_id: "51"
###################
# Dimension options
###################
# This is to provide an extra option to deploy containers with Resource constraints.
# We call it dimensions here.
# The dimensions for each container are defined by a mapping, where each dimension value should be a
# string.
# Reference_Docs
# https://docs.docker.com/config/containers/resource_constraints/
# eg:
# <container_name>_dimensions:
# blkio_weight:
# cpu_period:
# cpu_quota:
# cpu_shares:
# cpuset_cpus:
# cpuset_mems:
# mem_limit:
# mem_reservation:
# memswap_limit:
# kernel_memory:
# ulimits:
#############
# TLS options
#############
# To provide encryption and authentication on the kolla_external_vip_interface,
# TLS can be enabled. When TLS is enabled, certificates must be provided to
# allow clients to perform authentication.
kolla_enable_tls_internal: {{ kolla_enable_tls_internal | bool }}
kolla_enable_tls_external: {{ kolla_enable_tls_external | bool }}
kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
################
# Region options
################
# Use this option to change the name of this region.
#openstack_region_name: "RegionOne"
# Use this option to define a list of region names - only needs to be configured
# in a multi-region deployment, and then only in the *first* region.
#multiple_regions_names: ["{% raw %}{{ openstack_region_name }}{% endraw %}"]
##############
# OpenDaylight
##############
#enable_opendaylight_qos: "no"
#enable_opendaylight_l3: "yes"
###################
# OpenStack options
###################
# Use these options to set the various log levels across all OpenStack projects
# Valid options are [ True, False ]
openstack_logging_debug: {{ kolla_openstack_logging_debug | bool }}
# Valid options are [ none, novnc, spice, rdp ]
#nova_console: "novnc"
# OpenStack services can be enabled or disabled with these options
{% for feature_flag in kolla_feature_flags %}
{% if ('kolla_enable_' ~ feature_flag) in hostvars[inventory_hostname] %}
enable_{{ feature_flag }}: {{ hostvars[inventory_hostname]['kolla_enable_' ~ feature_flag] | bool }}
{% endif %}
{% endfor %}
##################
# RabbitMQ options
##################
# Options passed to RabbitMQ server startup script via the
# RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment var.
# See Kolla Ansible docs RabbitMQ section for details.
# These are appended to args already provided by Kolla Ansible
# to configure IPv6 in RabbitMQ server.
#rabbitmq_server_additional_erl_args: ""
##############
# Ceph options
##############
# Ceph can be setup with a caching to improve performance. To use the cache you
# must provide separate disks than those for the OSDs
#ceph_enable_cache: "no"
# Set to no if using external Ceph without cephx.
#external_ceph_cephx_enabled: "yes"
# Ceph is not able to determine the size of a cache pool automatically,
# so the configuration on the absolute size is required here, otherwise the flush/evict will not work.
#ceph_target_max_bytes: ""
#ceph_target_max_objects: ""
# Valid options are [ forward, none, writeback ]
#ceph_cache_mode: "writeback"
# A requirement for using the erasure-coded pools is you must setup a cache tier
# Valid options are [ erasure, replicated ]
#ceph_pool_type: "replicated"
# Integrate ceph rados object gateway with openstack keystone
#enable_ceph_rgw_keystone: "no"
# Set the pgs and pgps for pool
# WARNING! These values are dependant on the size and shape of your cluster -
# the default values are not suitable for production use. Please refer to the
# Kolla Ceph documentation for more information.
#ceph_pool_pg_num: 8
#ceph_pool_pgp_num: 8
#############################
# Keystone - Identity Options
#############################
# Valid options are [ fernet ]
#keystone_token_provider: 'fernet'
#keystone_admin_user: "admin"
#keystone_admin_project: "admin"
# Interval to rotate fernet keys by (in seconds). Must be an interval of
# 60(1 min), 120(2 min), 180(3 min), 240(4 min), 300(5 min), 360(6 min),
# 600(10 min), 720(12 min), 900(15 min), 1200(20 min), 1800(30 min),
# 3600(1 hour), 7200(2 hour), 10800(3 hour), 14400(4 hour), 21600(6 hour),
# 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week).
#fernet_token_expiry: 86400
########################
# Glance - Image Options
########################
# Configure image backend.
#glance_backend_ceph: "no"
#glance_backend_file: "yes"
#glance_backend_swift: "no"
#glance_backend_vmware: "no"
#enable_glance_image_cache: "no"
# Configure glance upgrade option.
# Due to this feature being experimental in glance,
# the default value is "no".
#glance_enable_rolling_upgrade: "no"
####################
# Osprofiler options
####################
# valid values: ["elasticsearch", "redis"]
#osprofiler_backend: "elasticsearch"
##################
# Barbican options
##################
# Valid options are [ simple_crypto, p11_crypto ]
#barbican_crypto_plugin: "simple_crypto"
#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
################
## Panko options
################
# Valid options are [ mongodb, mysql ]
#panko_database_type: "mysql"
#################
# Gnocchi options
#################
# Valid options are [ file, ceph ]
#gnocchi_backend_storage: "{% raw %}{{ 'ceph' if enable_ceph|bool else 'file' }}{% endraw %}"
# Valid options are [redis, '']
#gnocchi_incoming_storage: "{% raw %}{{ 'redis' if enable_redis | bool else '' }}{% endraw %}"
################################
# Cinder - Block Storage Options
################################
# Enable / disable Cinder backends
#cinder_backend_ceph: "{% raw %}{{ enable_ceph }}{% endraw %}"
#cinder_backend_vmwarevc_vmdk: "no"
#cinder_volume_group: "cinder-volumes"
# Valid options are [ '', redis, etcd ]
#cinder_coordination_backend: "{% raw %}{{ 'redis' if enable_redis|bool else 'etcd' if enable_etcd|bool else '' }}{% endraw %}"
# Valid options are [ nfs, swift, ceph ]
#cinder_backup_driver: "ceph"
#cinder_backup_share: ""
#cinder_backup_mount_options_nfs: ""
#######################
# Cloudkitty options
#######################
# Valid option is gnocchi
#cloudkitty_collector_backend: "gnocchi"
# Valid options are 'sqlalchemy' or 'influxdb'. The default value is
# 'influxdb', which matches the default in Cloudkitty since the Stein release.
# When the backend is "influxdb", we also enable Influxdb.
# Also, when using 'influxdb' as the backend, we trigger the configuration/use
# of Cloudkitty storage backend version 2.
#cloudkitty_storage_backend: "influxdb"
###################
# Designate options
###################
# Valid options are [ bind9 ]
#designate_backend: "bind9"
#designate_ns_record: "sample.openstack.org"
# Valid options are [ '', redis, etcd ]
#designate_coordination_backend: "{% raw %}{{ 'redis' if enable_redis|bool else 'etcd' if enable_etcd|bool else '' }}{% endraw %}"
########################
# Nova - Compute Options
########################
#nova_backend_ceph: "{% raw %}{{ enable_ceph }}{% endraw %}"
# Valid options are [ qemu, kvm, vmware, xenapi ]
#nova_compute_virt_type: "kvm"
# The number of fake driver per compute node
#num_nova_fake_per_node: 5
# The flag "nova_safety_upgrade" need to be consider when
# "nova_enable_rolling_upgrade" is enabled. The "nova_safety_upgrade"
# controls whether the nova services are all stopped before rolling
# upgrade to the new version, for the safety and availability.
# If "nova_safety_upgrade" is "yes", that will stop all nova services (except
# nova-compute) for no failed API operations before upgrade to the
# new version. And opposite.
#nova_safety_upgrade: "no"
# Valid options are [ none, novnc, spice, rdp ]
#nova_console: "novnc"
#################
# Hyper-V options
#################
# Hyper-V can be used as hypervisor
#hyperv_username: "user"
#hyperv_password: "password"
#vswitch_name: "vswitch"
# URL from which Nova Hyper-V MSI is downloaded
#nova_msi_url: "https://www.cloudbase.it/downloads/HyperVNovaCompute_Beta.msi"
#############################
# Horizon - Dashboard Options
#############################
#horizon_backend_database: "{% raw %}{{ enable_murano | bool }}{% endraw %}"
#############################
# Ironic options
#############################
{% if kolla_inspector_dhcp_pool_start and kolla_inspector_dhcp_pool_end %}
ironic_dnsmasq_dhcp_range: {{ kolla_inspector_dhcp_pool_start }},{{ kolla_inspector_dhcp_pool_end }}
{% endif %}
{% if kolla_inspector_default_gateway %}
ironic_dnsmasq_default_gateway: {{ kolla_inspector_default_gateway }}
{% endif %}
{% if kolla_inspector_extra_kernel_options %}
ironic_inspector_kernel_cmdline_extras:
{{ kolla_inspector_extra_kernel_options | to_nice_yaml }}
{% endif %}
# PXE bootloader file for Ironic Inspector, relative to /tftpboot.
#ironic_dnsmasq_boot_file: "pxelinux.0"
# Configure ironic upgrade option, due to currently kolla support
# two upgrade ways for ironic: legacy_upgrade and rolling_upgrade
# The variable "ironic_enable_rolling_upgrade: yes" is meaning rolling_upgrade
# were enabled and opposite
# Rolling upgrade were enable by default
#ironic_enable_rolling_upgrade: "yes"
# List of extra kernel parameters passed to the kernel used during inspection
#ironic_inspector_kernel_cmdline_extras: []
######################################
# Manila - Shared File Systems Options
######################################
# HNAS backend configuration
#hnas_ip:
#hnas_user:
#hnas_password:
#hnas_evs_id:
#hnas_evs_ip:
#hnas_file_system_name:
################################
# Swift - Object Storage Options
################################
# Swift expects block devices to be available for storage. Two types of storage
# are supported: 1 - storage device with a special partition name and filesystem
# label, 2 - unpartitioned disk with a filesystem. The label of this filesystem
# is used to detect the disk which Swift will be using.
# Swift support two matching modes, valid options are [ prefix, strict ]
#swift_devices_match_mode: "strict"
# This parameter defines matching pattern: if "strict" mode was selected,
# for swift_devices_match_mode then swift_device_name should specify the name of
# the special swift partition for example: "KOLLA_SWIFT_DATA", if "prefix" mode was
# selected then swift_devices_name should specify a pattern which would match to
# filesystems' labels prepared for swift.
#swift_devices_name: "KOLLA_SWIFT_DATA"
# Configure swift upgrade option, due to currently kolla support
# two upgrade ways for swift: legacy_upgrade and rolling_upgrade
# The variable "swift_enable_rolling_upgrade: yes" is meaning rolling_upgrade
# were enabled and opposite
# Rolling upgrade were enable by default
#swift_enable_rolling_upgrade: "yes"
################################################
# Tempest - The OpenStack Integration Test Suite
################################################
# The following values must be set when enabling tempest
#tempest_image_id:
#tempest_flavor_ref_id:
#tempest_public_network_id:
#tempest_floating_network_name:
# tempest_image_alt_id: "{% raw %}{{ tempest_image_id }}{% endraw %}"
# tempest_flavor_ref_alt_id: "{% raw %}{{ tempest_flavor_ref_id }}{% endraw %}"
###################################
# VMware - OpenStack VMware support
###################################
#vmware_vcenter_host_ip:
#vmware_vcenter_host_username:
#vmware_vcenter_host_password:
#vmware_datastore_name:
#vmware_vcenter_name:
#vmware_vcenter_cluster_name:
#######################################
# XenAPI - Support XenAPI for XenServer
#######################################
# XenAPI driver use HIMN(Host Internal Management Network)
# to communicate with XenServer host.
#xenserver_himn_ip:
#xenserver_username:
#xenserver_connect_protocol:
############
# Prometheus
############
#enable_prometheus_haproxy_exporter: "{% raw %}{{ enable_haproxy | bool }}{% endraw %}"
#enable_prometheus_mysqld_exporter: "{% raw %}{{ enable_mariadb | bool }}{% endraw %}"
#enable_prometheus_node_exporter: "{% raw %}{{ enable_prometheus | bool }}{% endraw %}"
#enable_prometheus_cadvisor: "{% raw %}{{ enable_prometheus | bool }}{% endraw %}"
#enable_prometheus_memcached: "{% raw %}{{ enable_prometheus | bool }}{% endraw %}"
#enable_prometheus_alertmanager: "{% raw %}{{ enable_prometheus | bool }}{% endraw %}"
#enable_prometheus_ceph_mgr_exporter: "{% raw %}{{ enable_prometheus | bool and enable_ceph | bool }}{% endraw %}"
#enable_prometheus_openstack_exporter: "{% raw %}{{ enable_prometheus | bool }}{% endraw %}"
#enable_prometheus_elasticsearch_exporter: "{% raw %}{{ enable_prometheus | bool and enable_elasticsearch | bool }}{% endraw %}"
#enable_prometheus_blackbox_exporter: "{% raw %}{{ enable_prometheus | bool }}{% endraw %}"
# List of extra parameters passed to prometheus. You can add as many to the list.
#prometheus_cmdline_extras:
#########
# Freezer
#########
# Freezer can utilize two different database backends, elasticsearch or mariadb.
# Elasticsearch is preferred, however it is not compatible with the version deployed
# by kolla-ansible. You must first setup an external elasticsearch with 2.3.0.
# By default, kolla-ansible deployed mariadb is the used database backend.
#freezer_database_backend: "mariadb"
##########
# Telegraf
##########
# Configure telegraf to use the docker daemon itself as an input for
# telemetry data.
#telegraf_enable_docker_input: "no"
#####################################
# Bifrost - Bare Metal Provisioning
#####################################
# The Bifrost deployment image only supports a source installation.
bifrost_install_type: source
############################################
# Grafana - Data visualisation & Monitoring
############################################
# When using the Monasca fork of Grafana if an OpenStack user with the
# same name as the admin user logs into Grafana it overwrites user data
# in the Grafana database, breaking the local admin account, and
# preventing admin API calls to Grafana. To reduce the chance of this
# happening the local admin account is renamed here.
{% if kolla_enable_grafana and grafana_local_admin_user_name is defined %}
grafana_admin_username: "{{ grafana_local_admin_user_name }}"
{% endif %}
{% if kolla_selinux_state is not none %}
selinux_state: {{ kolla_selinux_state }}
{% endif %}
install_epel: {{ kolla_ansible_install_epel | bool }}
{% if kolla_enable_host_ntp is not none %}
enable_host_ntp: {{ kolla_enable_host_ntp | bool }}
{% endif %}
{% if kolla_extra_globals %}
#######################
# Extra configuration
#######################
{{ kolla_extra_globals|to_nice_yaml }}
{% endif %}