Damian Dabrowski 3464966868 Add TLS support to designate backends
By overriding the variable `designate_backend_ssl: True`, HTTPS is
enabled and HTTP support on the designate backend API is disabled.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id5c18a7305c744a2b0252f62debb1b5654e4abd7
2023-04-29 18:36:33 +02:00


use_journal = True
# Disable stderr logging
use_stderr = False
## General Configuration
# Show debugging output in logs (sets DEBUG log level output)
debug = {{ debug }}
# Top-level directory for maintaining designate's state
#state_path = /var/lib/designate
{% if designate_ceilometer_enabled | bool %}
# Driver used for issuing notifications
notification_driver = messagingv2
{% endif %}
# Root helper
root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf
# Which networking API to use. Defaults to neutron
#network_api = neutron
## RabbitMQ RPC
transport_url = {{ designate_oslomsg_rpc_transport }}://{% for host in designate_oslomsg_rpc_servers.split(',') %}{{ designate_oslomsg_rpc_userid }}:{{ designate_oslomsg_rpc_password }}@{{ host }}:{{ designate_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ designate_oslomsg_rpc_vhost }}{% if designate_oslomsg_rpc_use_ssl | bool %}?ssl=1&ssl_version={{ designate_oslomsg_rpc_ssl_version }}&ssl_ca_file={{ designate_oslomsg_rpc_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
# RabbitMQ Config
ssl = {{ designate_oslomsg_rpc_use_ssl }}
rabbit_notification_exchange = designate
rabbit_notification_topic = notifications
driver = {{ (designate_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
transport_url = {{ designate_oslomsg_notify_transport }}://{% for host in designate_oslomsg_notify_servers.split(',') %}{{ designate_oslomsg_notify_userid }}:{{ designate_oslomsg_notify_password }}@{{ host }}:{{ designate_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ designate_oslomsg_notify_vhost }}{% if designate_oslomsg_notify_use_ssl | bool %}?ssl=1&ssl_version={{ designate_oslomsg_notify_ssl_version }}&ssl_ca_file={{ designate_oslomsg_notify_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
{% if designate_backend_ssl | bool %}
cert_file = {{ designate_ssl_cert }}
key_file = {{ designate_ssl_key }}
{% endif %}
## Service Configuration
# Central Service
# Number of central worker processes to spawn
#workers = None
# Number of central greenthreads to spawn
#threads = 1000
# Maximum domain name length
#max_domain_name_len = 255
# Maximum recordset name length
#max_recordset_name_len = 255
# Minimum TTL
#min_ttl = None
# The name of the default pool
default_pool_id = {{ designate_pool_uuid }}
## Managed resources settings
# Email to use for managed resources like domains created by the FloatingIP API
#managed_resource_email = hostmaster@example.com.
# Tenant ID to own all managed resources - like auto-created records etc.
managed_resource_tenant_id = {{ designate_managed_resource_tenant_id }}
# API Service
# Number of api worker processes to spawn
#workers = None
# Number of api greenthreads to spawn
#threads = 1000
# Enable host request headers
enable_host_header = True
# The base uri used in responses
api_base_uri = "{{ designate_service_publicuri }}"
# API host:port pairs to listen on
listen = "{{ designate_bind_address }}:{{ designate_service_port }}"
# Maximum line size of message headers to be accepted. max_header_line may
# need to be increased when using large tokens (typically those generated by
# the Keystone v3 API with big service catalogs).
#max_header_line = 16384
# Authentication strategy to use - can be either "noauth" or "keystone"
auth_strategy = keystone
# Enable API Version 2
enable_api_v2 = True
# Enabled API Version 2 extensions
enabled_extensions_v2 = quotas, reports
# Default per-page limit for the V2 API; a value of None means show all
# results by default
#default_limit_v2 = 20
# Max page size in the V2 API
#max_limit_v2 = 1000
# Enable Admin API (experimental)
enable_api_admin = False
# Enabled Admin API extensions
# Can be one or more of : reports, quotas, counts, tenants, zones
# zone export is in zones extension
#enabled_extensions_admin =
# Default per-page limit for the Admin API; a value of None means show all
# results by default
#default_limit_admin = 20
# Max page size in the Admin API
#max_limit_admin = 1000
# Show the pecan HTML based debug interface (v2 only)
# This is only useful for development, and WILL break python-designateclient
# if an error occurs
#pecan_debug = False
# Keystone Middleware
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ designate_keystone_auth_type }}
auth_url = {{ keystone_service_adminurl }}
www_authenticate_uri = {{ keystone_service_internaluri }}
project_domain_id = {{ designate_service_project_domain_id }}
user_domain_id = {{ designate_service_user_domain_id }}
project_name = {{ designate_service_project_name }}
username = {{ designate_service_user_name }}
password = {{ designate_service_password }}
service_token_roles_required = {{ designate_service_token_roles_required | bool }}
service_token_roles = {{ designate_service_token_roles | join(',') }}
service_type = {{ designate_service_type }}
memcached_servers = {{ designate_memcached_servers }}
# Sink Service
# List of notification handlers to enable. Each handler listed here needs a
# corresponding [handler:my_driver] section below or elsewhere in the config.
# Can be one or more of: nova_fixed, neutron_floatingip
#enabled_notification_handlers =
# mDNS Service
# Number of mdns worker processes to spawn
#workers = None
# Number of mdns greenthreads to spawn
#threads = 1000
# mDNS Bind Host
#host =
# mDNS Port Number
#port = 5354
# mDNS TCP Backlog
#tcp_backlog = 100
# mDNS TCP Receive Timeout
#tcp_recv_timeout = 0.5
# Enforce all incoming queries (including AXFR) are TSIG signed
#query_enforce_tsig = False
# Send all traffic over TCP
#all_tcp = False
# Maximum message size to emit
#max_message_size = 65535
# Agent Service
#workers = None
#host =
#port = 5358
#tcp_backlog = 100
#allow_notify =
#masters =
#backend_driver = fake
#transfer_source = None
#notify_delay = 0
# Producer Service
# Number of Zone Manager worker processes to spawn
#workers = None
# Number of Zone Manager greenthreads to spawn
#threads = 1000
# List of Zone Manager tasks to enable; a value of None enables all tasks.
# Can be one or more of: periodic_exists
#enabled_tasks = None
# Whether to allow synchronous zone exports
#export_synchronous = True
# Deleted domains purging
# How frequently to purge deleted domains, in seconds
#interval = 3600 # 1h
# How many records to be deleted on each run
#batch_size = 100
# How old deleted records should be (deleted_at) to be purged, in seconds
#time_threshold = 604800 # 7 days
# Delayed zones NOTIFY
# How frequently to scan for zones pending NOTIFY, in seconds
#interval = 5
# Worker Periodic Recovery
# How frequently to scan for zones in ERROR, in seconds
#interval = 120
# Pool Manager Service
# Number of Pool Manager worker processes to spawn
#workers = None
# Number of Pool Manager greenthreads to spawn
#threads = 1000
# The percentage of servers requiring a successful update for a domain change
# to be considered active
#threshold_percentage = 100
# The time to wait for a response from a server
#poll_timeout = 30
# The time between retrying to send a request and waiting for a response from a
# server
#poll_retry_interval = 15
# The maximum number of times to retry sending a request and wait for a
# response from a server
#poll_max_retries = 10
# The time to wait before sending the first request to a server
#poll_delay = 5
# Enable the recovery thread
#enable_recovery_timer = True
# The time between recovering from failures
#periodic_recovery_interval = 120
# Enable the sync thread
#enable_sync_timer = True
# The time between synchronizing the servers with storage
#periodic_sync_interval = 1800
# Zones updated within the last N seconds will be synced. Use None to sync all zones
#periodic_sync_seconds = None
# Perform multiple update attempts during periodic_sync
#periodic_sync_max_attempts = 3
#periodic_sync_retry_interval = 30
# The cache driver to use
#cache_driver = memcache
# Worker Service
# Whether to send events to worker instead of Pool Manager
enabled = True
# Number of Worker processes to spawn
#workers = None
# Number of Worker greenthreads to spawn
#threads = 1000
# The percentage of servers requiring a successful update for a zone change
# to be considered active
#threshold_percentage = 100
# The time to wait for a response from a server
#poll_timeout = 30
# The time between retrying to send a request and waiting for a response from a
# server
#poll_retry_interval = 15
# The maximum number of times to retry sending a request and wait for a
# response from a server
#poll_max_retries = 10
# The time to wait before sending the first request to a server
#poll_delay = 5
# Whether to allow the worker to send NOTIFYs. NOTIFY requests to mdns will be a no-op
notify = True
## Pool Manager Cache Configuration
# SQLAlchemy Pool Manager Cache
#connection_debug = 100
#connection_trace = False
#sqlite_synchronous = True
#idle_timeout = 3600
#max_retries = 10
#retry_interval = 10
# Memcache Pool Manager Cache
#memcached_servers = None
#expiration = 3600
## Network API
# Comma separated list of values, formatted "<name>|<neutron_uri>"
#endpoints = RegionOne|http://localhost:9696
endpoint_type = internalURL
#timeout = 30
#admin_username = designate
#admin_password = designate
#admin_tenant_name = designate
#auth_url = http://localhost:5000/v2.0
#insecure = False
#auth_strategy = keystone
#ca_certificates_file =
## Storage Configuration
# SQLAlchemy Storage
connection = mysql+pymysql://{{ designate_galera_user }}:{{ designate_galera_password }}@{{ designate_galera_address }}/{{ designate_galera_database }}?charset=utf8{% if designate_galera_use_ssl | bool %}&ssl_verify_cert=true{% if designate_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ designate_galera_ssl_ca_cert }}{% endif %}{% endif +%}
max_overflow = {{ designate_db_max_overflow }}
max_pool_size = {{ designate_db_max_pool_size }}
pool_timeout = {{ designate_db_pool_timeout }}
connection_recycle_time = {{ designate_db_connection_recycle_time }}
#connection_debug = 0
#connection_trace = False
#sqlite_synchronous = True
#idle_timeout = 3600
#max_retries = 10
#retry_interval = 10
## Handler Configuration
# Nova Fixed Handler
# Domain ID of domain to create records in. Should be pre-created
#domain_id =
#notification_topics = notifications
#control_exchange = 'nova'
##Following https://docs.openstack.org/releasenotes/designate/pike.html#critical-issues
#formatv4 = '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(zone)s'
#formatv4 = '%(hostname)s.%(project)s.%(zone)s'
#formatv4 = '%(hostname)s.%(zone)s'
#formatv6 = '%(hostname)s.%(project)s.%(zone)s'
#formatv6 = '%(hostname)s.%(zone)s'
# Neutron Floating Handler
# Domain ID of domain to create records in. Should be pre-created
#domain_id =
#notification_topics = notifications
#control_exchange = 'neutron'
##Following https://docs.openstack.org/releasenotes/designate/pike.html#critical-issues
#formatv4 = '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(zone)s'
#formatv4 = '%(hostname)s.%(project)s.%(zone)s'
#formatv4 = '%(hostname)s.%(zone)s'
#formatv6 = '%(hostname)s.%(project)s.%(zone)s'
#formatv6 = '%(hostname)s.%(zone)s'
## Agent Backend Configuration
#rndc_host =
#rndc_port = 953
#rndc_config_file = /etc/rndc.conf
#rndc_key_file = /etc/rndc.key
#zone_file_path = $state_path/zones
#query_destination =
#name = dynect
#config_file = /etc/denominator.conf
## Library Configuration
# Path for Oslo Concurrency to store lock files, defaults to the value
# of the state_path setting.
#lock_path = $state_path
## Oslo Middleware Configuration
enable_proxy_headers_parsing = true
{% if designate_coordination_enable %}
## Coordination
backend_url = {{ designate_coordination_url }}
{% endif %}
## Hook Points
# Hook Points are enabled when they are added to the config and a package
# provides the corresponding named designate.hook_point entry point.
# [hook_point:name_of_hook_point]
# some_param_for_hook = 42
# Hooks can be disabled in the config
# enabled = False
# Hook can also be applied to the import path when the hook has not
# been given an explicit name. The name is created from the hook
# target function / method:
# name = '%s.%s' % (func.__module__, func.__name__)
# [hook_point:designate.api.v2.controllers.zones.get_one]