openstack-helm/senlin/values.yaml
Tin Lam 29f32a07ac Enable network policy enforcement
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-23 14:58:13 +00:00

665 lines
16 KiB
YAML

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for senlin.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
engine:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
scripted_test: docker.io/openstackhelm/heat:ocata
bootstrap: docker.io/openstackhelm/heat:ocata
db_init: docker.io/openstackhelm/heat:ocata
senlin_db_sync: docker.io/openstackhelm/senlin:ocata
db_drop: docker.io/openstackhelm/heat:ocata
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:ocata
ks_service: docker.io/openstackhelm/heat:ocata
ks_endpoints: docker.io/openstackhelm/heat:ocata
senlin_api: docker.io/openstackhelm/senlin:ocata
senlin_engine: docker.io/openstackhelm/senlin:ocata
senlin_engine_cleaner: docker.io/openstackhelm/senlin:ocata
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
jobs:
engine_cleaner:
cron: "*/5 * * * *"
history:
success: 3
failed: 1
conf:
rally_tests:
run_tempest: false
tests:
SenlinClusters.create_and_delete_cluster:
- args:
desired_capacity: 3
min_size: 0
max_size: 5
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
context:
profiles:
type: os.nova.server
version: "1.0"
properties:
name: cirros_server
flavor: 689eeda3-c6cd-450f-b000-58025c783763
image: df0c1a14-0940-4ae5-be5c-bb06aa407da2
networks:
- network: public
paste:
pipeline:senlin-api:
pipeline: request_id faultwrap ssl versionnegotiation webhook authtoken context trust apiv1app
app:apiv1app:
paste.app_factory: senlin.api.common.wsgi:app_factory
senlin.app_factory: senlin.api.openstack.v1.router:API
filter:request_id:
paste.filter_factory: oslo_middleware.request_id:RequestId.factory
filter:faultwrap:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:fault_filter
filter:context:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:context_filter
filter:ssl:
paste.filter_factory: oslo_middleware.ssl:SSLMiddleware.factory
filter:versionnegotiation:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:version_filter
filter:trust:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:trust_filter
filter:webhook:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:webhook_filter
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
policy:
context_is_admin: role:admin
deny_everybody: "!"
build_info:build_info: ''
profile_types:index: ''
profile_types:get: ''
policy_types:index: ''
policy_types:get: ''
clusters:index: ''
clusters:create: ''
clusters:delete: ''
clusters:get: ''
clusters:action: ''
clusters:update: ''
clusters:collect: ''
profiles:index: ''
profiles:create: ''
profiles:get: ''
profiles:delete: ''
profiles:update: ''
profiles:validate: ''
nodes:index: ''
nodes:create: ''
nodes:get: ''
nodes:action: ''
nodes:update: ''
nodes:delete: ''
policies:index: ''
policies:create: ''
policies:get: ''
policies:update: ''
policies:delete: ''
policies:validate: ''
cluster_policies:index: ''
cluster_policies:attach: ''
cluster_policies:detach: ''
cluster_policies:update: ''
cluster_policies:get: ''
receivers:index: ''
receivers:create: ''
receivers:get: ''
receivers:delete: ''
actions:index: ''
actions:get: ''
events:index: ''
events:get: ''
webhooks:trigger: ''
senlin:
DEFAULT:
log_config_append: /etc/senlin/logging.conf
transport_url: null
host: senlin
database:
max_retries: -1
authentication:
auth_url: null
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
senlin_api:
# NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
bind_port: null
logging:
loggers:
keys:
- root
- senlin
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: 'null'
logger_senlin:
level: INFO
handlers:
- stdout
qualname: senlin
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
formatter_default:
format: "%(message)s"
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30778
bootstrap:
enabled: false
ks_user: senlin
script: |
openstack token issue
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- senlin-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
engine_cleaner:
jobs:
- senlin-db-sync
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: oslo_messaging
- endpoint: internal
service: identity
api:
jobs:
- senlin-db-sync
- senlin-ks-user
- senlin-ks-endpoints
- senlin-rabbit-init
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: oslo_messaging
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- senlin-db-init
services:
- endpoint: internal
service: oslo_db
engine:
jobs:
- senlin-db-sync
- senlin-ks-user
- senlin-ks-endpoints
- senlin-rabbit-init
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
ks_endpoints:
jobs:
- senlin-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- endpoint: internal
service: oslo_messaging
tests:
services:
- endpoint: internal
service: identity
- endpoint: internal
service: clustering
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: senlin-keystone-admin
senlin: senlin-keystone-user
oslo_db:
admin: senlin-db-admin
senlin: senlin-db-user
oslo_messaging:
admin: senlin-rabbitmq-admin
senlin: senlin-rabbitmq-user
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
senlin:
role: admin
region_name: RegionOne
username: senlin
password: password
project_name: service
user_domain_name: service
project_domain_name: service
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
clustering:
name: senlin
hosts:
default: senlin-api
public: senlin
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 8778
public: 80
oslo_db:
auth:
admin:
username: root
password: password
senlin:
username: senlin
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /senlin
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
senlin:
username: senlin
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /senlin
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
fluentd:
namespace: null
name: fluentd
hosts:
default: fluentd-logging
host_fqdn_override:
default: null
path:
default: null
scheme: 'http'
port:
service:
default: 24224
metrics:
default: 24220
pod:
user:
senlin:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
senlin_api:
init_container: null
senlin_api:
senlin_engine:
init_container: null
senlin_engine:
senlin_bootstrap:
init_container: null
senlin_bootstrap:
senlin_engine_cleaner:
init_container: null
senlin_engine_cleaner:
senlin_tests:
init_container: null
senlin_tests:
replicas:
api: 1
engine: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
engine:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
engine_cleaner:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
network_policy:
senlin:
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
cron_job_engine_cleaner: true
deployment_api: true
deployment_engine: true
ingress_api: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_image_repo_sync: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_rabbit_init: true
pdb_api: true
pod_test: true
network_policy: false
secret_db: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true
service_api: true