openstack-ansible-os_octavia/defaults/main.yml

752 lines
32 KiB
YAML

---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Verbosity Options
debug: False
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
octavia_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
octavia_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set installation method.
octavia_install_method: "{{ service_install_method | default('source') }}"
octavia_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"
## Allow TLS listener
octavia_tls_listener_enabled: True
# Legacy policy disables the requirement for load-balancer service users to
# have one of the load-balancer:* roles. It provides a similar policy to
# legacy OpenStack policies where any user or admin has access to load-balancer
# resources that they own. Users with the admin role has access to all
# load-balancer resources, whether they own them or not.
octavia_legacy_policy: False
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
octavia_package_state: "{{ package_state | default('latest') }}"
# Source git repo/branch settings
octavia_git_repo: https://opendev.org/openstack/octavia
octavia_git_install_branch: master
octavia_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
octavia_ovn_octavia_provider_git_repo: https://opendev.org/openstack/ovn-octavia-provider
octavia_ovn_octavia_provider_git_install_branch: master
octavia_git_constraints:
- "--constraint {{ octavia_upper_constraints_url }}"
octavia_pip_install_args: "{{ pip_install_options | default('') }}"
# Name of the virtual env to deploy into
octavia_venv_tag: "{{ venv_tag | default('untagged') }}"
octavia_bin: "{{ _octavia_bin }}"
octavia_clients_endpoint: internal
octavia_auth_strategy: keystone
## Barbican certificates
octavia_barbican_enabled: false
## Cinder Volume
octavia_cinder_enabled: False
cinder_default_availability_zone: "{{ octavia_amp_availability_zone }}"
octavia_cinder_volume_size: 20
octavia_cinder_volume_type: "volumes-hdd"
## Database info
octavia_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
octavia_db_setup_python_interpreter: >-
{{
openstack_db_setup_python_interpreter | default(
(octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
octavia_galera_address: "{{ galera_address | default('127.0.0.1') }}"
octavia_galera_user: octavia
octavia_galera_database: octavia
octavia_galera_persistence_database: octavia_persistence
octavia_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
octavia_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
octavia_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
octavia_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
octavia_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
octavia_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
octavia_galera_port: "{{ galera_port | default('3306') }}"
## Coordination info
# NOTE: Only Zookeeper and Redis are supported for Octavia
octavia_coordination_driver: "{{ coordination_driver | default('zookeeper') }}"
octavia_coordination_group: "{{ coordination_host_group | default('zookeeper_all') }}"
octavia_coordination_enable: "{{ octavia_coordination_group in groups and groups[octavia_coordination_group] | length > 0 }}"
octavia_coordination_namespace: octavia_jobboard
octavia_coordination_client_ssl: "{{ coordination_client_ssl | default(True) }}"
octavia_coordination_verify_cert: "{{ coordination_verify_cert | default(True) }}"
octavia_coordination_port: "{{ coordination_port | default(octavia_coordination_client_ssl | ternary('2281', '2181')) }}"
## Oslo Messaging
# RPC
octavia_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
octavia_oslomsg_rpc_setup_host: "{{ (octavia_oslomsg_rpc_host_group in groups) | ternary(groups[octavia_oslomsg_rpc_host_group][0], 'localhost') }}"
octavia_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
octavia_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
octavia_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
octavia_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
octavia_oslomsg_rpc_userid: octavia
octavia_oslomsg_rpc_policies: []
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
octavia_oslomsg_rpc_vhost:
- name: /octavia
state: "{{ octavia_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
- name: octavia
state: "{{ octavia_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
octavia_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
octavia_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
# Notify
octavia_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(octavia_ceilometer_enabled) }}"
octavia_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
octavia_oslomsg_notify_setup_host: >-
{{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }}
octavia_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
octavia_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
octavia_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
octavia_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
octavia_oslomsg_notify_userid: "{{ octavia_oslomsg_rpc_userid }}"
octavia_oslomsg_notify_password: "{{ octavia_oslomsg_rpc_password }}"
octavia_oslomsg_notify_vhost: "{{ octavia_oslomsg_rpc_vhost }}"
octavia_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
octavia_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
octavia_oslomsg_notify_policies: []
## RabbitMQ integration
octavia_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
octavia_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(octavia_oslomsg_rabbit_quorum_queues) }}"
octavia_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(octavia_oslomsg_rabbit_stream_fanout) }}"
octavia_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(octavia_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
octavia_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(octavia_oslomsg_rabbit_quorum_queues) }}"
octavia_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
octavia_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"
## (Qdrouterd) integration
# TODO(ansmith): Change structure when more backends will be supported
octavia_oslomsg_amqp1_enabled: "{{ octavia_oslomsg_rpc_transport == 'amqp' }}"
octavia_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
## octavia User / Group
octavia_system_user_name: octavia
octavia_system_group_name: octavia
octavia_system_shell: /bin/false
octavia_system_comment: octavia system user
octavia_system_home_folder: "/var/lib/{{ octavia_system_user_name }}"
octavia_system_slice_name: octavia
octavia_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"
## Auth
octavia_service_region: "{{ service_region | default('RegionOne') }}"
octavia_service_project_name: "service"
octavia_service_user_name: "octavia"
octavia_service_role_names:
- admin
- service
octavia_service_token_roles:
- service
octavia_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
octavia_service_project_domain_id: default
octavia_service_user_domain_id: default
octavia_keystone_auth_plugin: "{{ octavia_keystone_auth_type }}"
octavia_keystone_auth_type: password
## octavia api service type and data
octavia_service_name: octavia
octavia_service_description: "Octavia Load Balancing Service"
octavia_service_port: 9876
octavia_service_proto: http
octavia_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(octavia_service_proto) }}"
octavia_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(octavia_service_proto) }}"
octavia_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(octavia_service_proto) }}"
octavia_service_type: load-balancer
octavia_service_publicuri: "{{ octavia_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_adminuri: "{{ octavia_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_internaluri: "{{ octavia_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}"
octavia_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
## RPC
octavia_rpc_thread_pool_size: 64
octavia_rpc_conn_pool_size: 30
## Timeouts
octavia_amp_active_retries: 10
## Plugin dirs
octavia_plugin_dirs:
- /usr/lib/octavia
- /usr/local/lib/octavia
###
### Python code details
###
octavia_pip_packages:
- cryptography
- keystonemiddleware
- osprofiler
- PyMySQL
- pymemcache
- python-glanceclient
- python-keystoneclient
- python-memcached
- python-neutronclient
- python-novaclient
- python-openstackclient
- python-octaviaclient
- "git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia"
- systemd-python
- "tooz[{{ octavia_coordination_driver }}]"
# Specific pip packages provided by the user
octavia_user_pip_packages: []
octavia_optional_oslomsg_amqp1_pip_packages:
- oslo.messaging[amqp1]
octavia_optional_ovn_octavia_provider_pip_packages:
- "git+{{ octavia_ovn_octavia_provider_git_repo }}@{{ octavia_ovn_octavia_provider_git_install_branch }}#egg=ovn-octavia-provider"
# Memcached override
octavia_memcached_servers: "{{ memcached_servers }}"
octavia_api_init_overrides: {}
octavia_worker_init_overrides: {}
octavia_housekeeping_init_overrides: {}
octavia_health_manager_init_overrides: {}
octavia_driver_agent_init_overrides:
Service:
Killmode: process
## Service Name-Group Mapping
octavia_services:
octavia-api:
group: octavia-api
service_name: octavia-api
start_order: 4
init_config_overrides: "{{ octavia_api_init_overrides }}"
wsgi_app: True
wsgi_name: octavia-wsgi
uwsgi_overrides: "{{ octavia_api_uwsgi_ini_overrides }}"
uwsgi_port: "{{ octavia_service_port }}"
uwsgi_bind_address: "{{ octavia_uwsgi_bind_address }}"
uwsgi_tls: "{{ octavia_backend_ssl | ternary(octavia_uwsgi_tls, {}) }}"
octavia-worker:
group: octavia-worker
service_name: octavia-worker
start_order: 1
init_config_overrides: "{{ octavia_worker_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-worker"
execreloads: "/bin/kill -HUP $MAINPID"
octavia-housekeeping:
group: octavia-housekeeping
service_name: octavia-housekeeping
start_order: 3
init_config_overrides: "{{ octavia_housekeeping_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-housekeeping"
execreloads: "/bin/kill -HUP $MAINPID"
octavia-health-manager:
group: octavia-health-manager
service_name: octavia-health-manager
start_order: 2
init_config_overrides: "{{ octavia_health_manager_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-health-manager"
execreloads: "/bin/kill -HUP $MAINPID"
octavia-driver-agent:
group: octavia-api
service_name: octavia-driver-agent
service_en: "{{ octavia_ovn_enabled }}"
start_order: 5
init_config_overrides: "{{ octavia_driver_agent_init_overrides }}"
execstarts: "{{ octavia_bin }}/octavia-driver-agent --config-file /etc/octavia/octavia.conf"
execreloads: "/bin/kill -HUP $MAINPID"
# Required secrets for the role
octavia_required_secrets:
- keystone_auth_admin_password
- octavia_container_mysql_password
- octavia_oslomsg_rpc_password
- octavia_oslomsg_notify_password
- octavia_service_password
- memcached_encryption_key
## Octavia configs
# Load balancer topology options are SINGLE, ACTIVE_STANDBY
octavia_loadbalancer_topology: ACTIVE_STANDBY
# Image tag for the amphora image in glance
octavia_glance_image_tag: octavia-amphora-image
# add here the id of the image owner to avoid faked images being used
octavia_amp_image_owner_id:
# download the image from an artefact server
# Note: The default is the Octavia test image so don't use that in prod
octavia_download_artefact: True
# The URL to download from
octavia_artefact_url: http://tarballs.openstack.org/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-focal.qcow2
# Set the directory where the downloaded image will be stored
# on the octavia_service_setup_host host. If the host is localhost,
# then the user running the playbook must have access to it.
octavia_amp_image_path: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia"
octavia_amp_image_path_owner: "{{ lookup('env', 'USER') }}"
# enable uploading image to glance automatically
octavia_amp_image_upload_enabled: "{{ octavia_download_artefact }}"
octavia_amp_image_resource:
- name: amphora-x64-haproxy
url: "{{ octavia_artefact_url }}"
# Image checksum is required for rotating old images
# checksum:
disk_format: qcow2
keep_copies: 1
tags:
- "{{ octavia_glance_image_tag }}"
owner: "{{ octavia_service_project_name }}"
owner_domain: "{{ octavia_service_project_domain_id }}"
image_download_path: "{{ octavia_amp_image_path }}"
# Name of the Octavia security group
octavia_security_group_name: octavia_sec_grp
# Additional rules to add to the security group for the amphora
octavia_security_group_additional_rules: []
# Restrict access to only authorized hosts
octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
octavia_resources_deploy_host: localhost
octavia_resources_deploy_python_interpreter: "{{ ansible_playbook_python }}"
# ssh enabled - switch to True if you need ssh access to the amphora
octavia_ssh_enabled: False
octavia_ssh_key_manage: True
octavia_ssh_key_name: octavia_key
octavia_ssh_key_dir: "{{ lookup('env', 'HOME') ~ '/.ssh' }}"
# SSH Key variables below are set to "old" values for backwards compatability
# of how Nova used to generate keypairs.
octavia_ssh_key_comment: Generated-by-Nova
# Options: ssh, pkcs1 and pkcs8
octavia_ssh_key_format: ssh
# Options: rsa, dsa, rsa1, ecdsa, ed25519
octavia_ssh_key_type: rsa
octavia_ssh_key_size: 2048
# port the agent listens on
octavia_agent_port: "9443"
octavia_health_manager_port: 5555
# Octavia Nova flavor
octavia_amp_flavor_name: "m1.amphora"
octavia_amp_ram: 1024
octavia_amp_vcpu: 1
octavia_amp_disk: "{{ octavia_cinder_enabled | ternary(0, 20) }}"
# octavia_amp_extra_specs:
# only increase when it's a really busy system since this is by deployed host,
# e.g. 3 hosts, 5 workers (this param) per host, results in 15 worker total
octavia_task_flow_max_workers: 5
# Enable provisioning status sync with neutron db
octavia_sync_provisioning_status: False
# this controls if Octavia should add an anti-affinity hint to make sure
# two amphora are not placed pn the same host (the most common setup of
# ant affinity features in Nova).
octavia_enable_anti_affinity: True
# Some installations put hardware more suited for load balancing in special
# availability zones. This allows to target a specific availability zone
# for amphora creation
octavia_amp_availability_zone: nova
# List of haproxy template files to copy from deployment host to octavia hosts
# octavia_user_haproxy_templates:
# - src: "/etc/openstack_deploy/octavia/haproxy_templates/base.cfg.j2"
# dest: "/etc/octavia/templates/base.cfg.j2"
# - src: "/etc/openstack_deploy/octavia/haproxy_templates/haproxy.cfg.j2"
# dest: "/etc/octavia/templates/haproxy.cfg.j2"
# - src: "/etc/openstack_deploy/octavia/haproxy_templates/macros.cfg.j2"
# dest: "/etc/octavia/templates/macros.cfg.j2"
octavia_user_haproxy_templates: {}
# Path of custom haproxy template file
# octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2
# Name of the Octavia management network in Neutron
octavia_neutron_management_network_name: lbaas-mgmt
# Name of the Neutron provider net in the system (flat, vlan, ...)
octavia_provider_network_name: lbaas
# Network type
octavia_provider_network_type: flat
# Network segmentation ID if vlan, gre...
# octavia_provider_segmentation_id:
# Network CIDR
octavia_management_net_subnet_cidr: 172.29.232.0/22
# Example allocation range:
# octavia_management_net_subnet_allocation_pools: "172.29.232.10-172.29.235.200"
octavia_management_net_subnet_allocation_pools: ""
# Do we require the Neutron DHCP server
octavia_management_net_dhcp: "False"
# Should Octavia set up the network and subnet?
octavia_service_net_setup: True
# This should match net_name from provider_networks structure in openstack_user_config
octavia_provider_inventory_net_name: "{{ octavia_provider_network_name }}"
# This gets container managment network structure based on octavia_provider_inventory_net_name
octavia_provider_network: >-
{{ provider_networks | map(attribute='network') | selectattr('net_name', 'defined') | selectattr(
'net_name', 'equalto', octavia_provider_inventory_net_name) | list | first
}}
# The name of the network address pool
octavia_container_network_name: "{{ octavia_provider_network['ip_from_q'] }}_address"
octavia_hm_group: "octavia-health-manager"
# Note: We use some heuristics here but if you do anything special make sure to use the
# ip addresses on the right network. This will use the container networking to figure out the ip
octavia_hm_hosts: >-
{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{%
if not loop.last %},{% endif %}{% endfor %}
# Set this to the right container port aka the eth you connect to the octavia
# management network
octavia_container_interface: "{{ octavia_provider_network.container_interface }}"
# Set this to true to drop the iptables rules
octavia_ip_tables_fw: True
# The iptable rules
octavia_iptables_rules:
- # Allow icmp
chain: INPUT
protocol: icmp
ctstate: NEW
icmp_type: 8
jump: ACCEPT
- # Allow existing connections:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
- # Allow heartbeat:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
protocol: udp
destination_port: "{{ octavia_health_manager_port }}"
jump: ACCEPT
- # Reject INPUT:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp-port-unreachable
- # Reject FORWARD:
chain: FORWARD
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp-port-unreachable
- # Allow icmp6
chain: INPUT
protocol: icmpv6
jump: ACCEPT
ip_version: ipv6
- # Allow existing connections
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
ip_version: ipv6
- # Allow heartbeat
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
protocol: udp
destination_port: "{{ octavia_health_manager_port }}"
jump: ACCEPT
ip_version: ipv6
- # Reject INPUT
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp6-port-unreachable
ip_version: ipv6
- # Reject FORWARD
chain: FORWARD
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp6-port-unreachable
ip_version: ipv6
# uWSGI Settings
octavia_wsgi_processes_max: 16
octavia_wsgi_processes: >-
{{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}
octavia_wsgi_threads: 1
octavia_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
octavia_uwsgi_tls:
crt: "{{ octavia_api_ssl_cert }}"
key: "{{ octavia_api_ssl_key }}"
# Set up the drivers
# Provider agents are optional and not required for a successful Octavia provider driver
# Possible options: amphora_agent, noop_agent, ovn
octavia_enabled_provider_agents:
- "{{ (octavia_ovn_enabled | bool) | ternary('ovn', None) }}"
octavia_enabled_provider_drivers:
- "amphora:'The Octavia Amphora driver.'"
- "amphorav2:'The Octavia Amphora v2 driver.'"
- "{{ (octavia_ovn_enabled | bool) | ternary(\"ovn:'The Octavia OVN provider driver.'\", False) }}"
octavia_default_provider_driver: "amphorav2"
octavia_amphora_driver: amphora_haproxy_rest_driver
octavia_compute_driver: compute_nova_driver
octavia_network_driver: allowed_address_pairs_driver
# OVN Defaults
octavia_ovn_enabled: "{{ neutron_plugin_type | default('ml2.ovn') == 'ml2.ovn' }}"
octavia_ovn_ssl: "{{ neutron_ovn_ssl | default(True) }}"
octavia_ovn_proto: "{{ (octavia_ovn_ssl) | ternary('ssl', 'tcp') }}"
octavia_ovn_nb_connection: >-
{{ octavia_ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,' + octavia_ovn_proto + ':') }}:6641
octavia_ovn_sb_connection: >-
{{ octavia_ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + octavia_ovn_proto + ':') }}:6642
#
# Certificate generation
#
# Set the host which will execute the openssl_* modules
# for the certificate generation. The host must already
# have access to pyOpenSSL.
octavia_cert_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# Set the directory where the certificates will be stored
# on the above host. If the host is localhost, then the user
# running the playbook must have access to it.
octavia_cert_dir: "{{ openstack_pki_dir | default(lookup('env', 'HOME') ~ '/openstack-ansible') }}"
octavia_cert_keys_dir: "{{ octavia_cert_dir }}/certs/private/"
octavia_cert_certs_dir: "{{ octavia_cert_dir }}/certs/certs/"
octavia_cert_dir_owner: "{{ lookup('env', 'USER') }}"
octavia_cert_dest_dir: "/etc/octavia/certs"
octavia_cert_client_req_common_name: 'www.example.com' # change this to something more real
octavia_cert_client_req_country_name: 'US'
octavia_cert_client_req_state_or_province_name: 'Denial'
octavia_cert_client_req_locality_name: 'Nowhere'
octavia_cert_client_req_organization_name: 'Dis'
octavia_cert_validity_days: 1825 # 5 years
octavia_generate_certs: True # generate self signed client certs
octavia_generate_client_cert: True
octavia_generate_ca: True
octavia_regenerate_client_cert: ''
octavia_regenerate_ca: ''
# OVN server certificate
# The local address used for the ovn certificate
octavia_ovn_node_address: "{{ management_address | default('127.0.0.1') }}"
# OVN destination files for SSL certificates
octavia_ovn_pki_intermediate_cert_name: "{{ octavia_api_intermediate_cert_name }}"
octavia_ovn_pki_intermediate_chain_path: >-
{{ octavia_cert_dir ~ '/roots/' ~ octavia_ovn_pki_intermediate_cert_name ~ '/certs/' ~ octavia_ovn_pki_intermediate_cert_name ~ '-chain.crt' }}
octavia_ovn_ssl_cert: "octavia_ovn.pem"
octavia_ovn_ssl_key: "octavia_ovn.key"
octavia_ovn_ssl_ca_cert: "octavia_ovn-ca.pem"
octavia_cert_authorities:
- name: "OctaviaServerRoot"
country: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
cn: "Octavia Server CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_passphrase: "{{ octavia_ca_private_key_passphrase }}"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+{{ octavia_cert_validity_days }}d"
- name: "OctaviaClientRoot"
country: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
cn: "Octavia Client CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_passphrase: "{{ octavia_cert_client_password }}"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+{{ octavia_cert_validity_days }}d"
octavia_cert_certificates:
# Communication between haproxy and octavia API
- name: "octavia-api_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ octavia_api_cert_san }}"
signed_by: "{{ octavia_api_intermediate_cert_name }}"
condition: "{{ octavia_backend_ssl | bool }}"
# Communication between octavia control plane and amphoras
- name: "octavia_client"
provider: ownca
cn: "{{ octavia_cert_client_req_common_name }}"
signed_by: "OctaviaClientRoot"
ownca_key_passphrase: "{{ octavia_cert_client_password }}"
key_usage:
- nonRepudiation
- digitalSignature
- keyEncipherment
extended_key_usage:
- clientAuth
- emailProtection
condition: "{{ octavia_generate_certs | bool }}"
# OVN NB/SB communication
- name: "octavia_ovn_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ octavia_ovn_node_address }}"
signed_by: "{{ octavia_ovn_pki_intermediate_cert_name }}"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
# Installation details for SSL certificates
octavia_cert_install_certificates:
# Communication between haproxy and octavia API
- src: "{{ octavia_api_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ octavia_api_ssl_cert }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_user_name }}"
mode: "0644"
condition: "{{ octavia_backend_ssl | bool }}"
- src: "{{ octavia_api_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ octavia_api_ssl_key }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_user_name }}"
mode: "0600"
condition: "{{ octavia_backend_ssl | bool }}"
# Server CA
- src: "{{ octavia_ca_certificate | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/certs/OctaviaServerRoot.crt') }}"
dest: "{{ octavia_cert_dest_dir }}/server_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
- src: "{{ octavia_ca_private_key | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem') }}"
dest: "{{ octavia_cert_dest_dir }}/ca_key.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Client CA
- src: "{{ octavia_client_ca | default(octavia_cert_dir ~ '/roots/OctaviaClientRoot/certs/OctaviaClientRoot.crt') }}"
dest: "{{ octavia_cert_dest_dir }}/client_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Client certificate
- src: "{{ octavia_client_cert | default(octavia_cert_certs_dir ~ '/octavia_client.crt') }}"
dest: "{{ octavia_cert_dest_dir }}/client.pem.crt"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
- src: "{{ octavia_client_key | default(octavia_cert_keys_dir ~ '/octavia_client.key.pem') }}"
dest: "{{ octavia_cert_dest_dir }}/client.pem.key"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# OVN certificates
- src: "{{ octavia_ovn_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ [octavia_cert_dest_dir, octavia_ovn_ssl_cert] | join('/') }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0644"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
- src: "{{ octavia_ovn_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ [octavia_cert_dest_dir, octavia_ovn_ssl_key] | join('/') }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0600"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
- src: "{{ octavia_ovn_user_ssl_ca_cert | default(octavia_ovn_pki_intermediate_chain_path) }}"
dest: "{{ [octavia_cert_dest_dir, octavia_ovn_ssl_ca_cert] | join('/') }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0644"
condition: "{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}"
# Custom client CA
# octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem"
## Custom client certs
# octavia_client_cert: "{{ octavia_cert_dir }}/client.pem"
# octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem"
## server
# octavia_server_ca: "{{ octavia_ca_certificate }}"
## ca certs
# octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem"
octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
# octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
# Custom OVN certs
# octavia_ovnnb_user_ssl_cert: <path to cert on ansible deployment host>
# octavia_ovnnb_user_ssl_key: <path to cert on ansible deployment host>
# octavia_ovnsb_user_ssl_cert: <path to cert on ansible deployment host>
# octavia_ovnsb_user_ssl_key: <path to cert on ansible deployment host>
# Quotas for the Octavia user - assuming active/passive topology
octavia_num_instances: 10000 # 5000 LB in active/passive
octavia_ram: "{{ (octavia_num_instances | int) * 1024 }}"
octavia_gigabytes: "{{ (octavia_num_volumes | int) * (octavia_cinder_volume_size | int) }}"
octavia_num_server_groups: "{{ ((octavia_num_instances | int) * 0.5) | int | abs }}"
octavia_num_server_group_members: 50
octavia_num_cores: "{{ octavia_num_instances }}"
octavia_num_secgroups: "{{ (octavia_num_instances | int) * 1.5 | int | abs }}" # average 3 listener per lb
octavia_num_ports: "{{ (octavia_num_instances | int) * 10 }}" # at least instances * 10
octavia_num_security_group_rules: "{{ (octavia_num_secgroups | int) * 100 }}"
octavia_num_volumes: "{{ octavia_num_instances }}"
## Tunable overrides
octavia_octavia_conf_overrides: {}
octavia_api_paste_ini_overrides: {}
octavia_policy_overrides: {}
octavia_api_uwsgi_ini_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
octavia_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# octavia server certificate
octavia_api_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
octavia_api_cert_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
# octavia destination files for SSL certificates
octavia_api_ssl_cert: "{{ octavia_cert_dest_dir }}/octavia-api.pem"
octavia_api_ssl_key: "{{ octavia_cert_dest_dir }}/octavia-api.key"
# Define user-provided SSL certificates
# octavia_api_user_ssl_cert: <path to cert on ansible deployment host>
# octavia_api_user_ssl_key: <path to cert on ansible deployment host>