openstack/openstack-helm
Code Issues Proposed changes
openstack-helm/neutron/values.yaml
Pete Birley e19be77f08 Ingress: Add initial TLS Support for core service public endpoints 
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamicly loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-26 07:15:24 +00:00

1763 lines
55 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
release_group: null
images:
tags:
bootstrap: docker.io/openstackhelm/heat:newton
test: docker.io/kolla/ubuntu-source-rally:4.0.0
db_init: docker.io/openstackhelm/heat:newton
neutron_db_sync: docker.io/openstackhelm/neutron:newton
db_drop: docker.io/openstackhelm/heat:newton
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:newton
ks_service: docker.io/openstackhelm/heat:newton
ks_endpoints: docker.io/openstackhelm/heat:newton
neutron_server: docker.io/openstackhelm/neutron:newton
neutron_dhcp: docker.io/openstackhelm/neutron:newton
neutron_metadata: docker.io/openstackhelm/neutron:newton
neutron_l3: docker.io/openstackhelm/neutron:newton
neutron_openvswitch_agent: docker.io/openstackhelm/neutron:newton
neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:newton
neutron_sriov_agent: docker.io/openstackhelm/neutron:newton-sriov-1804
neutron_sriov_agent_init: docker.io/openstackhelm/neutron:newton-sriov-1804
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
agent:
dhcp:
node_selector_key: openstack-control-plane
node_selector_value: enabled
l3:
node_selector_key: openstack-control-plane
node_selector_value: enabled
metadata:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
lb:
node_selector_key: linuxbridge
node_selector_value: enabled
# openvswitch is a special case, requiring a special
# label that can apply to both control hosts
# and compute hosts, until we get more sophisticated
# with our daemonset scheduling
ovs:
node_selector_key: openvswitch
node_selector_value: enabled
sriov:
node_selector_key: sriov
node_selector_value: enabled
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
# provide what type of network wiring will be used
# possible options: openvswitch, linuxbridge, sriov
backend:
- openvswitch
# NOTE(Portdirect): Share network namespaces with the host,
# allowing agents to be restarted without packet loss and simpler
# debugging. This feature requires mount propagation support.
share_namespaces: true
# auto_bridge_add is a table of "bridge: interface" pairs
# To automatically add a physical interfaces to a specific bridges,
# for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
# to br1 do something like:
#
# auto_bridge_add:
# br-physnet1: eth3
# br0: if0
# br1: iface_two
# br-ex will be added by default
auto_bridge_add:
br-ex: null
interface:
# Tunnel interface will be used for VXLAN tunneling. If null
# (default) there is a fallback mechanism to search for interface
# with default routing.
tunnel: null
sriov:
# To perform setup of network interfaces using the SR-IOV init
# container you can use a section similar to:
# sriov:
# - device: ${DEV}
# num_vfs: 8
server:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30096
bootstrap:
enabled: false
ks_user: neutron
script: |
openstack token issue
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- neutron-image-repo-sync
services:
- endpoint: node
service: local_image_registry
targeted:
openvswitch:
dhcp:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
l3:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
metadata:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
linuxbridge:
dhcp:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
l3:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
metadata:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
lb_agent:
pod: null
sriov:
dhcp:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-sriov-agent
l3:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-sriov-agent
metadata:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-sriov-agent
static:
bootstrap:
services:
- endpoint: internal
service: network
- endpoint: internal
service: compute
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- neutron-db-init
services:
- endpoint: internal
service: oslo_db
dhcp:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
- endpoint: internal
service: compute
ks_endpoints:
jobs:
- neutron-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
l3:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
- endpoint: internal
service: compute
lb_agent:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
metadata:
pod: null
jobs:
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
- endpoint: internal
service: compute
- endpoint: public
service: compute_metadata
ovs_agent:
jobs:
- neutron-rabbit-init
pod:
- requireSameNode: true
labels:
application: openvswitch
component: openvswitch-vswitchd
- requireSameNode: true
labels:
application: openvswitch
component: openvswitch-vswitchd-db
services:
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: network
server:
jobs:
- neutron-db-sync
- neutron-ks-user
- neutron-ks-endpoints
- neutron-rabbit-init
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: identity
tests:
services:
- endpoint: internal
service: network
- endpoint: internal
service: compute
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
pod:
user:
neutron:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
neutron_server:
init_container: null
neutron_server:
neutron_dhcp_agent:
init_container: null
neutron_dhcp_agent:
neutron_l3_agent:
init_container: null
neutron_l3_agent:
neutron_lb_agent:
init_container: null
neutron_lb_agent:
neutron_metadata_agent:
init_container: null
neutron_metadata_agent:
neutron_ovs_agent:
init_container: null
neutron_ovs_agent:
neutron_sriov_agent:
init_container: null
neutron_sriov_agent:
neutron_tests:
init_container: null
neutron_tests:
neutron_bootstrap:
init_container: null
neutron_bootstrap:
replicas:
server: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
daemonsets:
pod_replacement_strategy: RollingUpdate
dhcp_agent:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
l3_agent:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
lb_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
metadata_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
ovs_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
sriov_agent:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
disruption_budget:
server:
min_available: 0
termination_grace_period:
server:
timeout: 30
resources:
enabled: false
agent:
dhcp:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
l3:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
lb:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
metadata:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ovs:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
sriov:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
rally_tests:
run_tempest: false
tests:
NeutronNetworks.create_and_delete_networks:
- args:
network_create_args: {}
context:
quotas:
neutron:
network: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_delete_ports:
- args:
network_create_args: {}
port_create_args: {}
ports_per_network: 10
context:
network: {}
quotas:
neutron:
network: -1
port: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_delete_routers:
- args:
network_create_args: {}
router_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
router: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_delete_subnets:
- args:
network_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_list_routers:
- args:
network_create_args: {}
router_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
router: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_list_subnets:
- args:
network_create_args: {}
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_show_network:
- args:
network_create_args: {}
context:
quotas:
neutron:
network: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_networks:
- args:
network_create_args: {}
network_update_args:
admin_state_up: false
name: _updated
context:
quotas:
neutron:
network: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_ports:
- args:
network_create_args: {}
port_create_args: {}
port_update_args:
admin_state_up: false
device_id: dummy_id
device_owner: dummy_owner
name: _port_updated
ports_per_network: 5
context:
network: {}
quotas:
neutron:
network: -1
port: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_routers:
- args:
network_create_args: {}
router_create_args: {}
router_update_args:
admin_state_up: false
name: _router_updated
subnet_cidr_start: 1.1.0.0/30
subnet_create_args: {}
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
router: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.create_and_update_subnets:
- args:
network_create_args: {}
subnet_cidr_start: 1.4.0.0/16
subnet_create_args: {}
subnet_update_args:
enable_dhcp: false
name: _subnet_updated
subnets_per_network: 2
context:
network: {}
quotas:
neutron:
network: -1
subnet: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronNetworks.list_agents:
- args:
agent_args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronSecurityGroup.create_and_list_security_groups:
- args:
security_group_create_args: {}
context:
quotas:
neutron:
security_group: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
NeutronSecurityGroup.create_and_update_security_groups:
- args:
security_group_create_args: {}
security_group_update_args: {}
context:
quotas:
neutron:
security_group: -1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
paste:
composite:neutron:
use: egg:Paste#urlmap
/: neutronversions_composite
/v2.0: neutronapi_v2_0
composite:neutronapi_v2_0:
use: call:neutron.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
composite:neutronversions_composite:
use: call:neutron.auth:pipeline_factory
noauth: cors http_proxy_to_wsgi neutronversions
keystone: cors http_proxy_to_wsgi neutronversions
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:catch_errors:
paste.filter_factory: oslo_middleware:CatchErrors.factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: neutron
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
filter:keystonecontext:
paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:extensions:
paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
app:neutronversions:
paste.app_factory: neutron.api.versions:Versions.factory
app:neutronapiapp_v2_0:
paste.app_factory: neutron.api.v2.router:APIRouter.factory
filter:osprofiler:
paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
policy:
context_is_admin: role:admin
owner: tenant_id:%(tenant_id)s
admin_or_owner: rule:context_is_admin or rule:owner
context_is_advsvc: role:advsvc
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
admin_only: rule:context_is_admin
regular_user: ''
shared: field:networks:shared=True
shared_subnetpools: field:subnetpools:shared=True
shared_address_scopes: field:address_scopes:shared=True
external: field:networks:router:external=True
default: rule:admin_or_owner
create_subnet: rule:admin_or_network_owner
create_subnet:segment_id: rule:admin_only
create_subnet:service_types: rule:admin_only
get_subnet: rule:admin_or_owner or rule:shared
get_subnet:segment_id: rule:admin_only
update_subnet: rule:admin_or_network_owner
update_subnet:service_types: rule:admin_only
delete_subnet: rule:admin_or_network_owner
create_subnetpool: ''
create_subnetpool:shared: rule:admin_only
create_subnetpool:is_default: rule:admin_only
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
update_subnetpool: rule:admin_or_owner
update_subnetpool:is_default: rule:admin_only
delete_subnetpool: rule:admin_or_owner
create_address_scope: ''
create_address_scope:shared: rule:admin_only
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
update_address_scope: rule:admin_or_owner
update_address_scope:shared: rule:admin_only
delete_address_scope: rule:admin_or_owner
create_network: ''
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
get_network:router:external: rule:regular_user
get_network:segments: rule:admin_only
get_network:provider:network_type: rule:admin_only
get_network:provider:physical_network: rule:admin_only
get_network:provider:segmentation_id: rule:admin_only
get_network:queue_id: rule:admin_only
get_network_ip_availabilities: rule:admin_only
get_network_ip_availability: rule:admin_only
create_network:shared: rule:admin_only
create_network:router:external: rule:admin_only
create_network:is_default: rule:admin_only
create_network:segments: rule:admin_only
create_network:provider:network_type: rule:admin_only
create_network:provider:physical_network: rule:admin_only
create_network:provider:segmentation_id: rule:admin_only
update_network: rule:admin_or_owner
update_network:segments: rule:admin_only
update_network:shared: rule:admin_only
update_network:provider:network_type: rule:admin_only
update_network:provider:physical_network: rule:admin_only
update_network:provider:segmentation_id: rule:admin_only
update_network:router:external: rule:admin_only
delete_network: rule:admin_or_owner
create_segment: rule:admin_only
get_segment: rule:admin_only
update_segment: rule:admin_only
delete_segment: rule:admin_only
network_device: 'field:port:device_owner=~^network:'
create_port: ''
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:binding:host_id: rule:admin_only
create_port:binding:profile: rule:admin_only
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:allowed_address_pairs: rule:admin_or_network_owner
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_port:queue_id: rule:admin_only
get_port:binding:vif_type: rule:admin_only
get_port:binding:vif_details: rule:admin_only
get_port:binding:host_id: rule:admin_only
get_port:binding:profile: rule:admin_only
update_port: rule:admin_or_owner or rule:context_is_advsvc
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:binding:host_id: rule:admin_only
update_port:binding:profile: rule:admin_only
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:allowed_address_pairs: rule:admin_or_network_owner
delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_router:ha: rule:admin_only
create_router: rule:regular_user
create_router:external_gateway_info:enable_snat: rule:admin_only
create_router:distributed: rule:admin_only
create_router:ha: rule:admin_only
get_router: rule:admin_or_owner
get_router:distributed: rule:admin_only
update_router:external_gateway_info:enable_snat: rule:admin_only
update_router:distributed: rule:admin_only
update_router:ha: rule:admin_only
delete_router: rule:admin_or_owner
add_router_interface: rule:admin_or_owner
remove_router_interface: rule:admin_or_owner
create_router:external_gateway_info:external_fixed_ips: rule:admin_only
update_router:external_gateway_info:external_fixed_ips: rule:admin_only
insert_rule: rule:admin_or_owner
remove_rule: rule:admin_or_owner
create_qos_queue: rule:admin_only
get_qos_queue: rule:admin_only
update_agent: rule:admin_only
delete_agent: rule:admin_only
get_agent: rule:admin_only
create_dhcp-network: rule:admin_only
delete_dhcp-network: rule:admin_only
get_dhcp-networks: rule:admin_only
create_l3-router: rule:admin_only
delete_l3-router: rule:admin_only
get_l3-routers: rule:admin_only
get_dhcp-agents: rule:admin_only
get_l3-agents: rule:admin_only
get_loadbalancer-agent: rule:admin_only
get_loadbalancer-pools: rule:admin_only
get_agent-loadbalancers: rule:admin_only
get_loadbalancer-hosting-agent: rule:admin_only
create_floatingip: rule:regular_user
create_floatingip:floating_ip_address: rule:admin_only
update_floatingip: rule:admin_or_owner
delete_floatingip: rule:admin_or_owner
get_floatingip: rule:admin_or_owner
create_network_profile: rule:admin_only
update_network_profile: rule:admin_only
delete_network_profile: rule:admin_only
get_network_profiles: ''
get_network_profile: ''
update_policy_profiles: rule:admin_only
get_policy_profiles: ''
get_policy_profile: ''
create_metering_label: rule:admin_only
delete_metering_label: rule:admin_only
get_metering_label: rule:admin_only
create_metering_label_rule: rule:admin_only
delete_metering_label_rule: rule:admin_only
get_metering_label_rule: rule:admin_only
get_service_provider: rule:regular_user
get_lsn: rule:admin_only
create_lsn: rule:admin_only
create_flavor: rule:admin_only
update_flavor: rule:admin_only
delete_flavor: rule:admin_only
get_flavors: rule:regular_user
get_flavor: rule:regular_user
create_service_profile: rule:admin_only
update_service_profile: rule:admin_only
delete_service_profile: rule:admin_only
get_service_profiles: rule:admin_only
get_service_profile: rule:admin_only
get_policy: rule:regular_user
create_policy: rule:admin_only
update_policy: rule:admin_only
delete_policy: rule:admin_only
get_policy_bandwidth_limit_rule: rule:regular_user
create_policy_bandwidth_limit_rule: rule:admin_only
delete_policy_bandwidth_limit_rule: rule:admin_only
update_policy_bandwidth_limit_rule: rule:admin_only
get_policy_dscp_marking_rule: rule:regular_user
create_policy_dscp_marking_rule: rule:admin_only
delete_policy_dscp_marking_rule: rule:admin_only
update_policy_dscp_marking_rule: rule:admin_only
get_rule_type: rule:regular_user
get_policy_minimum_bandwidth_rule: rule:regular_user
create_policy_minimum_bandwidth_rule: rule:admin_only
delete_policy_minimum_bandwidth_rule: rule:admin_only
update_policy_minimum_bandwidth_rule: rule:admin_only
restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
create_rbac_policy: ''
create_rbac_policy:target_tenant: rule:restrict_wildcard
update_rbac_policy: rule:admin_or_owner
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
get_rbac_policy: rule:admin_or_owner
delete_rbac_policy: rule:admin_or_owner
create_flavor_service_profile: rule:admin_only
delete_flavor_service_profile: rule:admin_only
get_flavor_service_profile: rule:regular_user
get_auto_allocated_topology: rule:admin_or_owner
create_trunk: rule:regular_user
get_trunk: rule:admin_or_owner
delete_trunk: rule:admin_or_owner
get_subports: ''
add_subports: rule:admin_or_owner
remove_subports: rule:admin_or_owner
neutron_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
rootwrap: |
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>
rootwrap_filters:
debug:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# This is needed because we should ping
# from inside a namespace which requires root
# _alt variants allow to match -c and -w in any order
# (used by NeutronDebugAgent.ping_all)
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
dibbler:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# Filters for the dibbler-based reference implementation of the pluggable
# Prefix Delegation driver. Other implementations using an alternative agent
# should include a similar filter in this folder.
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root
ipset_firewall:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "ipset", "-A", ...
ipset: CommandFilter, ipset, root
l3:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# arping
arping: CommandFilter, arping, root
# l3_agent
sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -15, -9
kill_metadata2: KillFilter, root, python2, -15, -9
kill_metadata7: KillFilter, root, python2.7, -15, -9
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# l3_tc_lib
l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
# ovs_lib (if OVSInterfaceDriver is used)
ovs-vsctl: CommandFilter, ovs-vsctl, root
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
# l3 agent to delete floatingip's conntrack state
conntrack: CommandFilter, conntrack, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
netns_cleanup:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# netns-cleanup
netstat: CommandFilter, netstat, root
dhcp:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
ovs-vsctl: CommandFilter, ovs-vsctl, root
ivs-ctl: CommandFilter, ivs-ctl, root
mm-ctl: CommandFilter, mm-ctl, root
dhcp_release: CommandFilter, dhcp_release, root
dhcp_release6: CommandFilter, dhcp_release6, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -9
kill_metadata2: KillFilter, root, python2, -9
kill_metadata7: KillFilter, root, python2.7, -9
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
ebtables:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root
iptables_firewall:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root
linuxbridge_plugin:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# tc commands needed for QoS support
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
openvswitch_plugin:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
ovs-vsctl: CommandFilter, ovs-vsctl, root
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
ovsdb-client: CommandFilter, ovsdb-client, root
xe: CommandFilter, xe, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# needed for FDB extension
bridge: CommandFilter, bridge, root
privsep:
pods:
- dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# Command filters to allow privsep daemon to be started via rootwrap.
#
# This file should be owned by (and only-writeable by) the root user
[Filters]
# By installing the following, the local admin is asserting that:
#
# 1. The python module load path used by privsep-helper
# command as root (as started by sudo/rootwrap) is trusted.
# 2. Any oslo.config files matching the --config-file
# arguments below are trusted.
# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
# also allowed to invoke python "entrypoint" functions from
# --privsep_context with the additional (possibly root) privileges
# configured for that context.
#
# (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
#
# In particular, the oslo.config and python module path must not
# be writeable by the unprivileged user.
# oslo.privsep default neutron context
privsep: PathFilter, privsep-helper, root,
--config-file, /etc,
--privsep_context, neutron.privileged.default,
--privsep_sock_path, /
# NOTE: A second `--config-file` arg can also be added above. Since
# many neutron components are installed like that (eg: by devstack).
# Adjust to suit local requirements.
neutron:
DEFAULT:
#NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
bind_port: null
default_availability_zones: nova
api_workers: 1
rpc_workers: 4
allow_overlapping_ips: True
# core_plugin can be: ml2, calico
core_plugin: ml2
# service_plugin can be: router, odl-router, empty for calico,
# networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
service_plugins: router
allow_automatic_l3agent_failover: True
l3_ha: True
max_l3_agents_per_router: 2
l3_ha_network_type: vxlan
network_auto_schedule: True
router_auto_schedule: True
#(NOTE)portdirect: if unset this is populated dyanmicly from the value in
# 'network.backend' to sane defaults.
interface_driver: null
oslo_concurrency:
lock_path: /var/lib/neutron/tmp
database:
max_retries: -1
agent:
root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
oslo_messaging_notifications:
driver: messagingv2
nova:
auth_type: password
auth_version: v3
endpoint_type: internal
keystone_authtoken:
memcache_security_strategy: ENCRYPT
auth_type: password
auth_version: v3
plugins:
ml2_conf:
ml2:
extension_drivers: port_security
#(NOTE)portdirect: if unset this is populated dyanmicly from the value
# in 'network.backend' to sane defaults.
mechanism_drivers: null
type_drivers: flat,vlan,vxlan
tenant_network_types: vxlan
ml2_type_vxlan:
vni_ranges: 1:1000
vxlan_group: 239.1.1.1
ml2_type_flat:
flat_networks: "*"
# If you want to use the external network as a tagged provider network,
# a range should be specified including the intended VLAN target
# using ml2_type_vlan.network_vlan_ranges:
# ml2_type_vlan:
# network_vlan_ranges: "external:1100:1110"
ml2_conf_sriov: null
openvswitch_agent:
agent:
tunnel_types: vxlan
l2_population: True
arp_responder: True
ovs:
bridge_mappings: "external:br-ex"
securitygroup:
firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
linuxbridge_agent:
linux_bridge:
# To define Flat and VLAN connections, in LB we can assign
# specific interface to the flat/vlan network name using:
# physical_interface_mappings: "external:eth3"
# Or we can set the mapping between the network and bridge:
bridge_mappings: "external:br-ex"
# The two above options are exclusive, do not use both of them at once
securitygroup:
firewall_driver: iptables
vxlan:
l2_population: True
arp_responder: True
macvtap_agent: null
sriov_agent:
securitygroup:
firewall_driver: neutron.agent.firewall.NoopFirewallDriver
sriov_nic:
physical_device_mappings: physnet2:enp3s0f1
exclude_devices: null
dhcp_agent:
DEFAULT:
#(NOTE)portdirect: if unset this is populated dyanmicly from the value in
# 'network.backend' to sane defaults.
interface_driver: null
dnsmasq_config_file: /etc/neutron/dnsmasq.conf
force_metadata: True
l3_agent:
DEFAULT:
#(NOTE)portdirect: if unset this is populated dyanmicly from the value in
# 'network.backend' to sane defaults.
interface_driver: null
agent_mode: legacy
metering_agent: null
metadata_agent:
DEFAULT:
# we cannot change the proxy socket path as it is declared
# as a hostPath volume from agent daemonsets
metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
metadata_proxy_shared_secret: "password"
cache:
enabled: true
backend: dogpile.cache.memcached
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: neutron-keystone-admin
neutron: neutron-keystone-user
test: neutron-keystone-test
oslo_db:
admin: neutron-db-admin
neutron: neutron-db-user
oslo_messaging:
admin: neutron-rabbitmq-admin
neutron: neutron-rabbitmq-user
tls:
network:
server:
public: neutron-tls-public
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oslo_db:
auth:
admin:
username: root
password: password
neutron:
username: neutron
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /neutron
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
neutron:
username: neutron
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /neutron
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
compute:
name: nova
hosts:
default: nova-api
public: nova
host_fqdn_override:
default: null
path:
default: "/v2.1/%(tenant_id)s"
scheme:
default: 'http'
port:
api:
default: 8774
public: 80
novncproxy:
default: 6080
compute_metadata:
name: nova
hosts:
default: nova-metadata
public: metadata
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
metadata:
default: 8775
public: 80
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
neutron:
role: admin
region_name: RegionOne
username: neutron
password: password
project_name: service
user_domain_name: default
project_domain_name: default
nova:
region_name: RegionOne
project_domain_name: default
project_name: service
user_domain_name: default
username: nova
password: password
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
network:
name: neutron
hosts:
default: neutron-server
public: neutron
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 9696
public: 80
manifests:
configmap_bin: true
configmap_etc: true
daemonset_dhcp_agent: true
daemonset_l3_agent: true
daemonset_lb_agent: true
daemonset_metadata_agent: true
daemonset_ovs_agent: true
daemonset_sriov_agent: true
deployment_server: true
ingress_server: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_image_repo_sync: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_rabbit_init: true
pdb_server: true
pod_rally_test: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_server: true
service_server: true
View Git Blame Copy Permalink