openstack-helm/nova/values.yaml
Pete Birley e19be77f08 Ingress: Add initial TLS Support for core service public endpoints
This PS adds support for TLS on overridden FQDNs for public
endpoints of core OpenStack services. Currently this implementation
is limited, in that it does not provide support for dynamically loading
CAs into the containers, or for specifying them manually via configuration.
As a result, only well-known CAs, or CAs added manually to the containers,
will be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-26 07:15:24 +00:00


# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for nova.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
# NOTE(review): presumably overrides the release name used when the templates
# generate labels and resource names; null leaves the chart's own default in
# place - confirm against the templates.
release_group: null
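# Node-selector label (key/value) for each component of the chart.
# The two compute agents are scheduled onto nodes labelled
# openstack-compute-node=enabled; every other component, including the API,
# proxies and jobs, is scheduled onto openstack-control-plane=enabled nodes.
# Keeping these two label sets on disjoint nodes keeps control-plane services
# off the hypervisors that run tenant workloads.
labels:
  agent:
    compute:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled
    compute_ironic:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled
  api_metadata:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  conductor:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  consoleauth:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  novncproxy:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  osapi:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  placement:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  scheduler:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  spiceproxy:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled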
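# Container images used by each pod and job of the chart.
# Every reference below is a tag (for example `newton` or `3.7-management`),
# not a digest. Tags are mutable, and with pull_policy IfNotPresent a node
# keeps whichever image it first pulled under that tag, so two nodes can run
# different content under the same name. Override with digest-pinned
# references (image@sha256:...) where reproducible, verifiable deployments
# are required.
images:
  pull_policy: IfNotPresent
  tags:
    # The bootstrap, database and keystone jobs run from the heat image.
    bootstrap: docker.io/openstackhelm/heat:newton
    db_drop: docker.io/openstackhelm/heat:newton
    db_init: docker.io/openstackhelm/heat:newton
    dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
    rabbit_init: docker.io/rabbitmq:3.7-management
    ks_user: docker.io/openstackhelm/heat:newton
    ks_service: docker.io/openstackhelm/heat:newton
    ks_endpoints: docker.io/openstackhelm/heat:newton
    nova_api: docker.io/openstackhelm/nova:newton
    nova_cell_setup: docker.io/openstackhelm/nova:newton
    nova_cell_setup_init: docker.io/openstackhelm/heat:newton
    nova_compute: docker.io/openstackhelm/nova:newton
    nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:3.0.3'
    nova_compute_ssh: docker.io/openstackhelm/nova:newton
    nova_conductor: docker.io/openstackhelm/nova:newton
    nova_consoleauth: docker.io/openstackhelm/nova:newton
    nova_db_sync: docker.io/openstackhelm/nova:newton
    nova_novncproxy: docker.io/openstackhelm/nova:newton
    nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:3.0.3'
    nova_placement: docker.io/openstackhelm/nova:newton
    nova_scheduler: docker.io/openstackhelm/nova:newton
    nova_spiceproxy: docker.io/openstackhelm/nova:newton
    nova_spiceproxy_assets: 'docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:3.0.3'
    test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
    image_repo_sync: docker.io/docker:17.07.0
  # Optional in-cluster registry mirror; the images listed under `exclude`
  # are not served from it.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync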
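# Scheduling of the recurring cell-setup job.
jobs:
  # NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
  # TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
  cell_setup:
    # Standard cron syntax: minute 0 of every hour.
    cron: "0 */1 * * *"
    # presumably the number of finished runs kept per outcome - confirm
    # against the job template.
    history:
      success: 3
      failed: 1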
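# Bootstrap job: creates the default flavors listed below.
bootstrap:
  enabled: true
  # NOTE(review): presumably names the identity credential set the job
  # authenticates with (the `admin` entry of endpoints.identity.auth), which
  # would mean the job runs with cloud-admin rights - confirm against the
  # templates.
  ks_user: admin
  # Optional extra script; null means none is supplied here.
  script: null
  structured:
    flavors:
      enabled: true
      # presumably ram is in MiB and disk in GiB, as in nova's flavor API -
      # confirm. An id of "auto" presumably lets nova assign the flavor ID.
      options:
        m1_tiny:
          name: "m1.tiny"
          id: "auto"
          ram: 512
          disk: 1
          vcpus: 1
        m1_small:
          name: "m1.small"
          id: "auto"
          ram: 2048
          disk: 20
          vcpus: 1
        m1_medium:
          name: "m1.medium"
          id: "auto"
          ram: 4096
          disk: 40
          vcpus: 2
        m1_large:
          name: "m1.large"
          id: "auto"
          ram: 8192
          disk: 80
          vcpus: 4
        m1_xlarge:
          name: "m1.xlarge"
          id: "auto"
          ram: 16384
          disk: 160
          vcpus: 8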
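# Network wiring and exposure of each nova service.
# For every service: `port` is the service port, `ingress.public: true` asks
# for a public ingress, and `node_port` is disabled by default. Enabling
# node_port presumably publishes the service on the listed 30xxx port of
# every node, so check that this exposure is intended before turning it on.
network:
  # provide what type of network wiring will be used
  # possible options: openvswitch, linuxbridge, sriov
  backend:
    - openvswitch
  osapi:
    port: 8774
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30774
  # NOTE(review): the metadata API is given a public ingress here, while its
  # paste pipeline (conf.paste, pipeline:meta) contains no keystone authtoken
  # filter. Confirm that only the neutron metadata proxy can reach it.
  metadata:
    port: 8775
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30775
  placement:
    port: 8778
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30778
  novncproxy:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    node_port:
      enabled: false
      port: 30680
  spiceproxy:
    node_port:
      enabled: false
      port: 30682
  # presumably the SSH endpoint served from images.tags.nova_compute_ssh;
  # the host key types it uses are listed under the top-level `ssh` key.
  ssh:
    name: "nova-ssh"
    port: 8022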
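# Start-up dependencies of each pod and job: the jobs that must have
# completed, the service endpoints that must resolve, and the pods that must
# be running (optionally on the same node) before the component starts.
# presumably evaluated by the init container built from images.tags.dep_check
# - confirm against the templates.
dependencies:
  # Dependencies that apply only when a given option is active.
  dynamic:
    common:
      local_image_registry:
        jobs:
          - nova-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    # Keyed by network backend (see network.backend): the compute agent waits
    # for the matching neutron agent pod on its own node.
    targeted:
      openvswitch:
        compute:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        compute:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
      sriov:
        compute:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-sriov-agent
  # Dependencies that always apply.
  static:
    api:
      jobs:
        - nova-db-sync
        - nova-ks-user
        - nova-ks-endpoints
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        # The only dependency in this file that waits on a public endpoint.
        - endpoint: public
          service: compute_metadata
    bootstrap:
      services:
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    cell_setup:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
      pod:
        - requireSameNode: false
          labels:
            application: nova
            component: compute
    compute:
      # The compute agent waits for the libvirt pod on its own node.
      pod:
        - requireSameNode: true
          labels:
            application: libvirt
            component: libvirt
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: image
        - endpoint: internal
          service: compute
        - endpoint: internal
          service: network
    compute_ironic:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: image
        - endpoint: internal
          service: compute
        - endpoint: internal
          service: network
        - endpoint: internal
          service: baremetal
    conductor:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    consoleauth:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - nova-db-init
      services:
        - endpoint: internal
          service: oslo_db
    ks_endpoints:
      jobs:
        - nova-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
    novncproxy:
      jobs:
        - nova-db-sync
      services:
        - endpoint: internal
          service: oslo_db
    scheduler:
      jobs:
        - nova-db-sync
        - nova-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: compute
    tests:
      services:
        - endpoint: internal
          service: image
        - endpoint: internal
          service: compute
        - endpoint: internal
          service: network
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry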
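# Remote console selection and the interface used for proxy-client traffic.
# The *_proxyclient_interface keys are left empty (null) on purpose: per the
# inline notes, an empty value means the default routing interface is looked
# up instead.
console:
  # serial | spice | novnc | none
  console_kind: novnc
  serial:
  spice:
    compute:
      # IF blank, search default routing interface
      server_proxyclient_interface:
    proxy:
      # IF blank, search default routing interface
      server_proxyclient_interface:
  novnc:
    compute:
      # IF blank, search default routing interface
      vncserver_proxyclient_interface:
    vncproxy:
      # IF blank, search default routing interface
      vncserver_proxyclient_interface: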
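# SSH key types handled by the chart (presumably the host key types created
# for the nova-ssh endpoint - confirm against the templates).
ssh:
  key_types:
    - rsa
    # NOTE(review): DSA (ssh-dss) keys are limited to 1024 bits and have been
    # disabled by default in OpenSSH since 7.0. Drop this entry in overrides
    # unless a legacy peer still requires it.
    - dsa
    - ecdsa
    - ed25519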
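# Configuration content for the nova services: ceph access, rally test
# definitions, the api-paste pipelines, the policy rules, rootwrap/sudoers
# overrides and the nova configuration sections.
conf:
  ceph:
    enabled: true
    # No keyring material is shipped in the defaults; null leaves it to be
    # supplied by the deployment.
    admin_keyring: null
    cinder:
      user: "cinder"
      keyring: null
      # Identifier of the libvirt secret, not key material. It is the same
      # value as conf.nova.libvirt.rbd_secret_uuid below and the two must be
      # kept equal.
      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
  ssh:
    override:
    append:
  # Rally scenarios run by the test pod. Every scenario is run once with a
  # concurrency of 1 and must not fail (failure_rate max 0).
  rally_tests:
    run_tempest: false
    tests:
      NovaAgents.list_agents:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaAggregates.create_and_get_aggregate_details:
        - args:
            availability_zone: nova
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaAggregates.create_and_update_aggregate:
        - args:
            availability_zone: nova
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaAggregates.list_aggregates:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaAvailabilityZones.list_availability_zones:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaFlavors.create_and_delete_flavor:
        - args:
            disk: 1
            ram: 500
            vcpus: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaFlavors.create_and_list_flavor_access:
        - args:
            disk: 1
            ram: 500
            vcpus: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaFlavors.create_flavor:
        - args:
            disk: 1
            ram: 500
            vcpus: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaFlavors.create_flavor_and_add_tenant_access:
        - args:
            disk: 1
            ram: 500
            vcpus: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaFlavors.create_flavor_and_set_keys:
        - args:
            disk: 1
            extra_specs:
              'quota:disk_read_bytes_sec': 10240
            ram: 500
            vcpus: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaFlavors.list_flavors:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaHosts.list_hosts:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaHypervisors.list_and_get_hypervisors:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaHypervisors.list_and_get_uptime_hypervisors:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaHypervisors.list_and_search_hypervisors:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaHypervisors.list_hypervisors:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaHypervisors.statistics_hypervisors:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaImages.list_images:
        - args:
            detailed: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaKeypair.create_and_delete_keypair:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaKeypair.create_and_list_keypairs:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaSecGroup.create_and_delete_secgroups:
        - args:
            rules_per_security_group: 1
            security_group_count: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaSecGroup.create_and_list_secgroups:
        - args:
            rules_per_security_group: 1
            security_group_count: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaSecGroup.create_and_update_secgroups:
        - args:
            security_group_count: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaServerGroups.create_and_list_server_groups:
        - args:
            all_projects: false
            kwargs:
              policies:
                - affinity
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      NovaServices.list_services:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
  # api-paste definition (conf.nova.wsgi.api_paste_config points at
  # /etc/nova/api-paste.ini). Each key is a paste section name.
  paste:
    composite:metadata:
      use: egg:Paste#urlmap
      /: meta
    # NOTE(review): the metadata pipeline has no authtoken filter. Requests
    # are authenticated only through the neutron metadata proxy signature
    # (conf.nova.neutron.service_metadata_proxy and
    # metadata_proxy_shared_secret), so the strength of that shared secret
    # and the reachability of the metadata endpoint both matter.
    pipeline:meta:
      pipeline: cors metaapp
    app:metaapp:
      paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
    composite:osapi_compute:
      use: call:nova.api.openstack.urlmap:urlmap_factory
      /: oscomputeversions
      /v2: openstack_compute_api_v21_legacy_v2_compatible
      /v2.1: openstack_compute_api_v21
    # Two alternative pipelines are defined for each API composite. Which one
    # is built is chosen by nova's auth strategy option, which this file does
    # not set, so nova's own default applies - confirm it is `keystone` in the
    # deployed release. The noauth2 filter performs no credential validation
    # and is only suitable for test environments.
    composite:openstack_compute_api_v21:
      use: call:nova.api.auth:pipeline_factory_v21
      noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
      keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
    composite:openstack_compute_api_v21_legacy_v2_compatible:
      use: call:nova.api.auth:pipeline_factory_v21
      noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
      keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
    filter:request_id:
      paste.filter_factory: oslo_middleware:RequestId.factory
    filter:compute_req_id:
      paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
    filter:faultwrap:
      paste.filter_factory: nova.api.openstack:FaultWrapper.factory
    filter:noauth2:
      paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
    filter:sizelimit:
      paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
    # Rewrites the request from proxy headers; it is only active because
    # conf.nova.oslo_middleware.enable_proxy_headers_parsing is true, and it
    # trusts whatever sits in front of the API to set those headers.
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
    filter:legacy_v2_compatible:
      paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
    app:osapi_compute_app_v21:
      paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
    pipeline:oscomputeversions:
      pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
    app:oscomputeversionapp:
      paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
    filter:cors:
      paste.filter_factory: oslo_middleware.cors:filter_factory
      oslo_config_project: nova
    filter:keystonecontext:
      paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
  # oslo.policy rules (conf.nova.oslo_policy.policy_file points at
  # /etc/nova/policy.yaml).
  # "@" is the check that always passes. It is used for every `:discoverable`
  # rule and also for os-quota-sets:defaults and all os-server-tags actions.
  # `rule:admin_api` resolves to is_admin:True; `rule:admin_or_owner` also
  # accepts a caller whose project_id matches the target's.
  # NOTE(review): the os-server-tags actions, including update and delete,
  # are therefore not restricted by policy in this file - confirm that this
  # matches the defaults of the deployed nova release before relying on it.
  policy:
    os_compute_api:os-admin-actions:discoverable: "@"
    os_compute_api:os-admin-actions:reset_state: rule:admin_api
    os_compute_api:os-admin-actions:inject_network_info: rule:admin_api
    os_compute_api:os-admin-actions: rule:admin_api
    os_compute_api:os-admin-actions:reset_network: rule:admin_api
    os_compute_api:os-admin-password:discoverable: "@"
    os_compute_api:os-admin-password: rule:admin_or_owner
    os_compute_api:os-agents: rule:admin_api
    os_compute_api:os-agents:discoverable: "@"
    os_compute_api:os-aggregates:set_metadata: rule:admin_api
    os_compute_api:os-aggregates:add_host: rule:admin_api
    os_compute_api:os-aggregates:discoverable: "@"
    os_compute_api:os-aggregates:create: rule:admin_api
    os_compute_api:os-aggregates:remove_host: rule:admin_api
    os_compute_api:os-aggregates:update: rule:admin_api
    os_compute_api:os-aggregates:index: rule:admin_api
    os_compute_api:os-aggregates:delete: rule:admin_api
    os_compute_api:os-aggregates:show: rule:admin_api
    os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api
    os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api
    os_compute_api:os-assisted-volume-snapshots:discoverable: "@"
    os_compute_api:os-attach-interfaces: rule:admin_or_owner
    os_compute_api:os-attach-interfaces:discoverable: "@"
    os_compute_api:os-attach-interfaces:create: rule:admin_or_owner
    os_compute_api:os-attach-interfaces:delete: rule:admin_or_owner
    os_compute_api:os-availability-zone:list: rule:admin_or_owner
    os_compute_api:os-availability-zone:discoverable: "@"
    os_compute_api:os-availability-zone:detail: rule:admin_api
    os_compute_api:os-baremetal-nodes:discoverable: "@"
    os_compute_api:os-baremetal-nodes: rule:admin_api
    # Base rules that the rule:... references in this mapping resolve to.
    context_is_admin: role:admin
    admin_or_owner: is_admin:True or project_id:%(project_id)s
    admin_api: is_admin:True
    network:attach_external_network: is_admin:True
    os_compute_api:os-block-device-mapping:discoverable: "@"
    os_compute_api:os-block-device-mapping-v1:discoverable: "@"
    os_compute_api:os-cells:discoverable: "@"
    os_compute_api:os-cells:update: rule:admin_api
    os_compute_api:os-cells:create: rule:admin_api
    os_compute_api:os-cells: rule:admin_api
    os_compute_api:os-cells:sync_instances: rule:admin_api
    os_compute_api:os-cells:delete: rule:admin_api
    cells_scheduler_filter:DifferentCellFilter: is_admin:True
    cells_scheduler_filter:TargetCellFilter: is_admin:True
    os_compute_api:os-certificates:discoverable: "@"
    os_compute_api:os-certificates:create: rule:admin_or_owner
    os_compute_api:os-certificates:show: rule:admin_or_owner
    os_compute_api:os-cloudpipe: rule:admin_api
    os_compute_api:os-cloudpipe:discoverable: "@"
    os_compute_api:os-config-drive:discoverable: "@"
    os_compute_api:os-config-drive: rule:admin_or_owner
    os_compute_api:os-console-auth-tokens:discoverable: "@"
    os_compute_api:os-console-auth-tokens: rule:admin_api
    os_compute_api:os-console-output:discoverable: "@"
    os_compute_api:os-console-output: rule:admin_or_owner
    os_compute_api:os-consoles:create: rule:admin_or_owner
    os_compute_api:os-consoles:show: rule:admin_or_owner
    os_compute_api:os-consoles:delete: rule:admin_or_owner
    os_compute_api:os-consoles:discoverable: "@"
    os_compute_api:os-consoles:index: rule:admin_or_owner
    os_compute_api:os-create-backup:discoverable: "@"
    os_compute_api:os-create-backup: rule:admin_or_owner
    os_compute_api:os-deferred-delete:discoverable: "@"
    os_compute_api:os-deferred-delete: rule:admin_or_owner
    os_compute_api:os-evacuate:discoverable: "@"
    os_compute_api:os-evacuate: rule:admin_api
    os_compute_api:os-extended-availability-zone: rule:admin_or_owner
    os_compute_api:os-extended-availability-zone:discoverable: "@"
    os_compute_api:os-extended-server-attributes: rule:admin_api
    os_compute_api:os-extended-server-attributes:discoverable: "@"
    os_compute_api:os-extended-status:discoverable: "@"
    os_compute_api:os-extended-status: rule:admin_or_owner
    os_compute_api:os-extended-volumes: rule:admin_or_owner
    os_compute_api:os-extended-volumes:discoverable: "@"
    os_compute_api:extension_info:discoverable: "@"
    os_compute_api:extensions: rule:admin_or_owner
    os_compute_api:extensions:discoverable: "@"
    os_compute_api:os-fixed-ips:discoverable: "@"
    os_compute_api:os-fixed-ips: rule:admin_api
    os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api
    os_compute_api:os-flavor-access:discoverable: "@"
    os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api
    os_compute_api:os-flavor-access: rule:admin_or_owner
    os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner
    os_compute_api:os-flavor-extra-specs:create: rule:admin_api
    os_compute_api:os-flavor-extra-specs:discoverable: "@"
    os_compute_api:os-flavor-extra-specs:update: rule:admin_api
    os_compute_api:os-flavor-extra-specs:delete: rule:admin_api
    os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner
    os_compute_api:os-flavor-manage: rule:admin_api
    os_compute_api:os-flavor-manage:discoverable: "@"
    os_compute_api:os-flavor-rxtx: rule:admin_or_owner
    os_compute_api:os-flavor-rxtx:discoverable: "@"
    os_compute_api:flavors:discoverable: "@"
    os_compute_api:flavors: rule:admin_or_owner
    os_compute_api:os-floating-ip-dns: rule:admin_or_owner
    os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api
    os_compute_api:os-floating-ip-dns:discoverable: "@"
    os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api
    os_compute_api:os-floating-ip-pools:discoverable: "@"
    os_compute_api:os-floating-ip-pools: rule:admin_or_owner
    os_compute_api:os-floating-ips: rule:admin_or_owner
    os_compute_api:os-floating-ips:discoverable: "@"
    os_compute_api:os-floating-ips-bulk:discoverable: "@"
    os_compute_api:os-floating-ips-bulk: rule:admin_api
    os_compute_api:os-fping:all_tenants: rule:admin_api
    os_compute_api:os-fping:discoverable: "@"
    os_compute_api:os-fping: rule:admin_or_owner
    os_compute_api:os-hide-server-addresses:discoverable: "@"
    os_compute_api:os-hide-server-addresses: is_admin:False
    os_compute_api:os-hosts:discoverable: "@"
    os_compute_api:os-hosts: rule:admin_api
    os_compute_api:os-hypervisors:discoverable: "@"
    os_compute_api:os-hypervisors: rule:admin_api
    os_compute_api:image-metadata:discoverable: "@"
    os_compute_api:image-size:discoverable: "@"
    os_compute_api:image-size: rule:admin_or_owner
    os_compute_api:images:discoverable: "@"
    os_compute_api:os-instance-actions:events: rule:admin_api
    os_compute_api:os-instance-actions: rule:admin_or_owner
    os_compute_api:os-instance-actions:discoverable: "@"
    os_compute_api:os-instance-usage-audit-log: rule:admin_api
    os_compute_api:os-instance-usage-audit-log:discoverable: "@"
    os_compute_api:ips:discoverable: "@"
    os_compute_api:ips:show: rule:admin_or_owner
    os_compute_api:ips:index: rule:admin_or_owner
    os_compute_api:os-keypairs:discoverable: "@"
    # Keypairs are scoped to the user, not the project.
    os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s
    os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s
    os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s
    os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s
    os_compute_api:os-keypairs: rule:admin_or_owner
    os_compute_api:limits:discoverable: "@"
    os_compute_api:limits: rule:admin_or_owner
    os_compute_api:os-lock-server:discoverable: "@"
    os_compute_api:os-lock-server:lock: rule:admin_or_owner
    os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api
    os_compute_api:os-lock-server:unlock: rule:admin_or_owner
    os_compute_api:os-migrate-server:migrate: rule:admin_api
    os_compute_api:os-migrate-server:discoverable: "@"
    os_compute_api:os-migrate-server:migrate_live: rule:admin_api
    os_compute_api:os-migrations:index: rule:admin_api
    os_compute_api:os-migrations:discoverable: "@"
    os_compute_api:os-multinic: rule:admin_or_owner
    os_compute_api:os-multinic:discoverable: "@"
    os_compute_api:os-multiple-create:discoverable: "@"
    os_compute_api:os-networks:discoverable: "@"
    os_compute_api:os-networks: rule:admin_api
    os_compute_api:os-networks:view: rule:admin_or_owner
    os_compute_api:os-networks-associate: rule:admin_api
    os_compute_api:os-networks-associate:discoverable: "@"
    os_compute_api:os-pause-server:unpause: rule:admin_or_owner
    os_compute_api:os-pause-server:discoverable: "@"
    os_compute_api:os-pause-server:pause: rule:admin_or_owner
    os_compute_api:os-pci:index: rule:admin_api
    os_compute_api:os-pci:detail: rule:admin_api
    os_compute_api:os-pci:pci_servers: rule:admin_or_owner
    os_compute_api:os-pci:show: rule:admin_api
    os_compute_api:os-pci:discoverable: "@"
    os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s
    os_compute_api:os-quota-class-sets:discoverable: "@"
    os_compute_api:os-quota-class-sets:update: rule:admin_api
    os_compute_api:os-quota-sets:update: rule:admin_api
    os_compute_api:os-quota-sets:defaults: "@"
    os_compute_api:os-quota-sets:show: rule:admin_or_owner
    os_compute_api:os-quota-sets:delete: rule:admin_api
    os_compute_api:os-quota-sets:discoverable: "@"
    os_compute_api:os-quota-sets:detail: rule:admin_api
    os_compute_api:os-remote-consoles: rule:admin_or_owner
    os_compute_api:os-remote-consoles:discoverable: "@"
    os_compute_api:os-rescue:discoverable: "@"
    os_compute_api:os-rescue: rule:admin_or_owner
    os_compute_api:os-scheduler-hints:discoverable: "@"
    os_compute_api:os-security-group-default-rules:discoverable: "@"
    os_compute_api:os-security-group-default-rules: rule:admin_api
    os_compute_api:os-security-groups: rule:admin_or_owner
    os_compute_api:os-security-groups:discoverable: "@"
    os_compute_api:os-server-diagnostics: rule:admin_api
    os_compute_api:os-server-diagnostics:discoverable: "@"
    os_compute_api:os-server-external-events:create: rule:admin_api
    os_compute_api:os-server-external-events:discoverable: "@"
    os_compute_api:os-server-groups:discoverable: "@"
    os_compute_api:os-server-groups: rule:admin_or_owner
    os_compute_api:server-metadata:index: rule:admin_or_owner
    os_compute_api:server-metadata:show: rule:admin_or_owner
    os_compute_api:server-metadata:create: rule:admin_or_owner
    os_compute_api:server-metadata:discoverable: "@"
    os_compute_api:server-metadata:update_all: rule:admin_or_owner
    os_compute_api:server-metadata:delete: rule:admin_or_owner
    os_compute_api:server-metadata:update: rule:admin_or_owner
    os_compute_api:os-server-password: rule:admin_or_owner
    os_compute_api:os-server-password:discoverable: "@"
    # NOTE(review): always-allow on actions, not only on discoverability.
    os_compute_api:os-server-tags:delete_all: "@"
    os_compute_api:os-server-tags:index: "@"
    os_compute_api:os-server-tags:update_all: "@"
    os_compute_api:os-server-tags:delete: "@"
    os_compute_api:os-server-tags:update: "@"
    os_compute_api:os-server-tags:show: "@"
    os_compute_api:os-server-tags:discoverable: "@"
    os_compute_api:os-server-usage: rule:admin_or_owner
    os_compute_api:os-server-usage:discoverable: "@"
    os_compute_api:servers:index: rule:admin_or_owner
    os_compute_api:servers:detail: rule:admin_or_owner
    os_compute_api:servers:detail:get_all_tenants: rule:admin_api
    os_compute_api:servers:index:get_all_tenants: rule:admin_api
    os_compute_api:servers:show: rule:admin_or_owner
    os_compute_api:servers:show:host_status: rule:admin_api
    os_compute_api:servers:create: rule:admin_or_owner
    os_compute_api:servers:create:forced_host: rule:admin_api
    os_compute_api:servers:create:attach_volume: rule:admin_or_owner
    os_compute_api:servers:create:attach_network: rule:admin_or_owner
    os_compute_api:servers:delete: rule:admin_or_owner
    os_compute_api:servers:update: rule:admin_or_owner
    os_compute_api:servers:confirm_resize: rule:admin_or_owner
    os_compute_api:servers:revert_resize: rule:admin_or_owner
    os_compute_api:servers:reboot: rule:admin_or_owner
    os_compute_api:servers:resize: rule:admin_or_owner
    os_compute_api:servers:rebuild: rule:admin_or_owner
    os_compute_api:servers:create_image: rule:admin_or_owner
    os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_owner
    os_compute_api:servers:start: rule:admin_or_owner
    os_compute_api:servers:stop: rule:admin_or_owner
    os_compute_api:servers:trigger_crash_dump: rule:admin_or_owner
    os_compute_api:servers:discoverable: "@"
    os_compute_api:servers:migrations:show: rule:admin_api
    os_compute_api:servers:migrations:force_complete: rule:admin_api
    os_compute_api:servers:migrations:delete: rule:admin_api
    os_compute_api:servers:migrations:index: rule:admin_api
    os_compute_api:server-migrations:discoverable: "@"
    os_compute_api:os-services: rule:admin_api
    os_compute_api:os-services:discoverable: "@"
    os_compute_api:os-shelve:shelve: rule:admin_or_owner
    os_compute_api:os-shelve:unshelve: rule:admin_or_owner
    os_compute_api:os-shelve:shelve_offload: rule:admin_api
    os_compute_api:os-shelve:discoverable: "@"
    os_compute_api:os-simple-tenant-usage:show: rule:admin_or_owner
    os_compute_api:os-simple-tenant-usage:list: rule:admin_api
    os_compute_api:os-simple-tenant-usage:discoverable: "@"
    os_compute_api:os-suspend-server:resume: rule:admin_or_owner
    os_compute_api:os-suspend-server:suspend: rule:admin_or_owner
    os_compute_api:os-suspend-server:discoverable: "@"
    os_compute_api:os-tenant-networks: rule:admin_or_owner
    os_compute_api:os-tenant-networks:discoverable: "@"
    os_compute_api:os-used-limits:discoverable: "@"
    os_compute_api:os-used-limits: rule:admin_api
    os_compute_api:os-user-data:discoverable: "@"
    os_compute_api:versions:discoverable: "@"
    os_compute_api:os-virtual-interfaces:discoverable: "@"
    os_compute_api:os-virtual-interfaces: rule:admin_or_owner
    os_compute_api:os-volumes:discoverable: "@"
    os_compute_api:os-volumes: rule:admin_or_owner
    os_compute_api:os-volumes-attachments:index: rule:admin_or_owner
    os_compute_api:os-volumes-attachments:create: rule:admin_or_owner
    os_compute_api:os-volumes-attachments:show: rule:admin_or_owner
    os_compute_api:os-volumes-attachments:discoverable: "@"
    os_compute_api:os-volumes-attachments:update: rule:admin_api
    os_compute_api:os-volumes-attachments:delete: rule:admin_or_owner
  # The sudoers, rootwrap and rootwrap-filter entries below grant the nova
  # user privileged command execution on the host. `override` and `append`
  # are empty here; review anything placed in them as a privilege grant.
  nova_sudoers:
    override:
    append:
  rootwrap:
    override:
    append:
  wsgi_placement:
    override:
    append:
  rootwrap_filters:
    api_metadata:
      override:
      append:
    compute:
      override:
      append:
    network:
      override:
      append:
  # Settings for the ironic compute agent.
  nova_ironic:
    DEFAULT:
      scheduler_host_manager: ironic_host_manager
      compute_driver: ironic.IronicDriver
  # nova configuration, one mapping per configuration section.
  nova:
    DEFAULT:
      default_ephemeral_format: ext4
      ram_allocation_ratio: 1.0
      disk_allocation_ratio: 1.0
      cpu_allocation_ratio: 3.0
      state_path: /var/lib/nova
      # Binds the API on all interfaces of the pod.
      osapi_compute_listen: 0.0.0.0
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
      osapi_compute_listen_port: null
      osapi_compute_workers: 1
      metadata_workers: 1
      use_neutron: true
      # nova applies no firewalling of its own; with use_neutron true,
      # security groups are left to neutron.
      firewall_driver: nova.virt.firewall.NoopFirewallDriver
      linuxnet_interface_driver: openvswitch
      allow_resize_to_same_host: true
      compute_driver: libvirt.LibvirtDriver
      # presumably replaced with the node address at runtime - confirm
      # against the compute start-up script.
      my_ip: 0.0.0.0
      instance_usage_audit: True
      instance_usage_audit_period: hour
      notify_on_state_change: vm_and_task_state
      resume_guests_state_on_host_boot: True
    vnc:
      # Both the proxy and the per-guest VNC servers listen on all
      # interfaces; restrict reachability of the console ports at the
      # network layer.
      novncproxy_host: 0.0.0.0
      vncserver_listen: 0.0.0.0
      # This would be set by each compute nodes's ip
      # vncserver_proxyclient_address: 127.0.0.1
    spice:
      # Same exposure consideration as the vnc section.
      html5proxy_host: 0.0.0.0
      server_listen: 0.0.0.0
      # This would be set by each compute nodes's ip
      # server_proxyclient_address: 127.0.0.1
    conductor:
      workers: 1
    oslo_policy:
      policy_file: /etc/nova/policy.yaml
    oslo_concurrency:
      lock_path: /var/lib/nova/tmp
    oslo_middleware:
      # Makes the http_proxy_to_wsgi filter honour proxy headers; the proxy
      # in front of the API must overwrite, not forward, client-supplied
      # values of those headers.
      enable_proxy_headers_parsing: true
    glance:
      num_retries: 3
    ironic:
      api_endpoint: null
      auth_url: null
    neutron:
      # Placeholder value. This is the key that signs metadata requests
      # relayed by the neutron metadata proxy, and it is the only
      # authentication on the metadata pipeline. Override it with a random
      # value and keep it equal to the value configured on the neutron side.
      metadata_proxy_shared_secret: "password"
      service_metadata_proxy: True
      auth_type: password
      auth_version: v3
    # max_retries -1 makes oslo.db retry the connection indefinitely.
    database:
      max_retries: -1
    api_database:
      max_retries: -1
    cell0_database:
      max_retries: -1
    keystone_authtoken:
      auth_type: password
      auth_version: v3
      # Cached token data is encrypted in memcached; the key comes from
      # endpoints.oslo_cache.auth.memcache_secret_key.
      memcache_security_strategy: ENCRYPT
    libvirt:
      # libvirt's tcp transport is unencrypted. The loopback address keeps
      # the traffic on the node, which relies on libvirtd not listening on
      # any other address - confirm in the libvirt deployment.
      connection_uri: "qemu+tcp://127.0.0.1/system"
      images_type: qcow2
      images_rbd_pool: vms
      images_rbd_ceph_conf: /etc/ceph/ceph.conf
      rbd_user: cinder
      # Must equal conf.ceph.cinder.secret_uuid above.
      rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
      disk_cachemodes: "network=writeback"
      hw_disk_discard: unmap
    upgrade_levels:
      compute: auto
    cache:
      enabled: true
      backend: oslo_cache.memcache_pool
    wsgi:
      api_paste_config: /etc/nova/api-paste.ini
    oslo_messaging_notifications:
      driver: messagingv2
    placement:
      auth_type: password
      auth_version: v3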
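# Names of secrets used by bootstrap and environmental checks
# These are names of secret objects, not secret values; the credentials
# themselves are defined under `endpoints`.
secrets:
  identity:
    admin: nova-keystone-admin
    nova: nova-keystone-user
    placement: nova-keystone-placement
    test: nova-keystone-test
  oslo_db:
    admin: nova-db-admin
    nova: nova-db-user
  oslo_db_api:
    admin: nova-db-api-admin
    nova: nova-db-api-user
  # NOTE(review): oslo_db_cell0 uses the same two secret names as oslo_db_api,
  # although endpoints.oslo_db_cell0 and endpoints.oslo_db_api point at
  # different database paths (/nova_cell0 and /nova_api). If the templates
  # create one secret per entry, the two would collide on the same object -
  # confirm against the secret templates and use distinct names if so.
  oslo_db_cell0:
    admin: nova-db-api-admin
    nova: nova-db-api-user
  oslo_messaging:
    admin: nova-rabbitmq-admin
    nova: nova-rabbitmq-user
  # Secrets holding the certificate and key for each public endpoint,
  # keyed by endpoint type, then service, then the `public` endpoint.
  tls:
    compute:
      osapi:
        public: nova-tls-public
    compute_novnc_proxy:
      novncproxy:
        public: nova-novncproxy-tls-public
    placement:
      placement:
        public: placement-tls-public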
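# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# Every `password: password` below is a placeholder default, including the
# database root account, the RabbitMQ admin and the keystone admin. A
# deployment that does not override them runs with publicly known
# credentials. Supply real values through override files that are kept out
# of version control, or through a secret store.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oslo_db:
    auth:
      # The admin entry is the database root account.
      admin:
        username: root
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /nova
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_db_api:
    auth:
      admin:
        username: root
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /nova_api
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_db_cell0:
    auth:
      admin:
        username: root
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /nova_cell0
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      admin:
        username: rabbitmq
        password: password
      nova:
        username: nova
        password: password
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /nova
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  identity:
    name: keystone
    auth:
      # Keystone cloud-admin account.
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      # The nova service user is granted the admin role, so its password
      # carries the same weight as the admin account's.
      nova:
        role: admin
        region_name: RegionOne
        username: nova
        password: password
        project_name: service
        user_domain_name: default
        project_domain_name: default
      # NOTE(portdirect): the neutron user is not managed by the nova chart
      # these values should match those set in the neutron chart.
      neutron:
        region_name: RegionOne
        project_name: service
        project_domain_name: default
        user_domain_name: default
        username: neutron
        password: password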
# NOTE(portdirect): the ironic user is not managed by the nova chart
# these values should match those set in the ironic chart.
ironic:
auth_type: password
auth_version: v3
region_name: RegionOne
project_name: service
project_domain_name: default
user_domain_name: default
username: ironic
password: password
placement:
role: admin
region_name: RegionOne
username: placement
password: password
project_name: service
user_domain_name: default
project_domain_name: default
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
image:
name: glance
hosts:
default: glance-api
public: glance
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 9292
public: 80
compute:
name: nova
hosts:
default: nova-api
public: nova
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: "/v2.1/%(tenant_id)s"
scheme:
default: 'http'
port:
api:
default: 8774
public: 80
novncproxy:
default: 6080
compute_metadata:
name: nova
ip:
# IF blank, set clusterIP and metadata_host dynamically
ingress: null
hosts:
default: nova-metadata
public: metadata
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
metadata:
default: 8775
public: 80
compute_novnc_proxy:
name: nova
hosts:
default: nova-novncproxy
public: novncproxy
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /vnc_auto.html
scheme:
default: 'http'
port:
novnc_proxy:
default: 6080
public: 80
compute_spice_proxy:
name: nova
hosts:
default: nova-spiceproxy
public: placement
host_fqdn_override:
default: null
path:
default: /spice_auto.html
scheme:
default: 'http'
port:
spice_proxy:
default: 6082
placement:
name: placement
hosts:
default: placement-api
public: placement
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
port:
api:
default: 8778
public: 80
network:
name: neutron
hosts:
default: neutron-server
public: neutron
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 9696
public: 80
baremetal:
name: ironic
hosts:
default: ironic-api
public: ironic
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 6385
public: 80
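pod:
  user:
    nova:
      # Non-root UID for the nova containers.
      # NOTE(review): presumably applied through the pod securityContext;
      # confirm in the templates.
      uid: 42424
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
  # Extra mounts per pod. Each entry has a slot for the init container and
  # one named after the main container; null means nothing extra is mounted.
  mounts:
    nova_compute:
      init_container: null
      nova_compute: null
    nova_compute_ironic:
      init_container: null
      nova_compute_ironic: null
    nova_api_metadata:
      init_container: null
      nova_api_metadata: null
    nova_placement:
      init_container: null
      nova_placement: null
    nova_api_osapi:
      init_container: null
      nova_api_osapi: null
    nova_consoleauth:
      init_container: null
      nova_consoleauth: null
    nova_conductor:
      init_container: null
      nova_conductor: null
    nova_scheduler:
      init_container: null
      nova_scheduler: null
    nova_bootstrap:
      init_container: null
      nova_bootstrap: null
    nova_tests:
      init_container: null
      nova_tests: null
    nova_novncproxy:
      init_novncproxy: null
      nova_novncproxy: null
    nova_spiceproxy:
      init_spiceproxy: null
      nova_spiceproxy: null
  replicas:
    api_metadata: 1
    compute_ironic: 1
    placement: 1
    osapi: 1
    conductor: 1
    consoleauth: 1
    scheduler: 1
    novncproxy: 1
    spiceproxy: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        compute:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
    # A minimum of 0 keeps no replica available during voluntary
    # disruptions such as node drains. With one replica per service this is
    # what allows a drain to proceed at all.
    disruption_budget:
      metadata:
        min_available: 0
      placement:
        min_available: 0
      osapi:
        min_available: 0
    termination_grace_period:
      metadata:
        timeout: 30
      placement:
        timeout: 30
      osapi:
        timeout: 30
  resources:
    # NOTE(review): with `enabled: false` the requests and limits below are
    # presumably not applied, leaving the pods unbounded in CPU and memory.
    # Confirm against the templates before relying on these figures.
    enabled: false
    compute:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    compute_ironic:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    api_metadata:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    placement:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    conductor:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    consoleauth:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    scheduler:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    ssh:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    novncproxy:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    spiceproxy:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      cell_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"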
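# One boolean per rendered manifest.
# NOTE(review): presumably each flag gates the like-named template; confirm.
manifests:
  configmap_bin: true
  configmap_etc: true
  cron_job_cell_setup: true
  daemonset_compute: true
  deployment_api_metadata: true
  deployment_api_osapi: true
  deployment_placement: true
  deployment_conductor: true
  deployment_consoleauth: true
  deployment_novncproxy: true
  deployment_spiceproxy: true
  deployment_scheduler: true
  ingress_metadata: true
  ingress_novncproxy: true
  ingress_placement: true
  ingress_osapi: true
  job_bootstrap: true
  job_db_init: true
  job_db_init_placement: true
  job_db_sync: true
  # The destructive database-drop job is off by default.
  job_db_drop: false
  job_image_repo_sync: true
  job_rabbit_init: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_ks_placement_endpoints: true
  job_ks_placement_service: true
  job_ks_placement_user: true
  job_cell_setup: true
  pdb_metadata: true
  pdb_placement: true
  pdb_osapi: true
  pod_rally_test: true
  secret_db_api: true
  secret_db: true
  # Secret holding the certificate and key for TLS-enabled public endpoints
  # (names under secrets.tls).
  secret_ingress_tls: true
  secret_keystone: true
  secret_keystone_placement: true
  secret_rabbitmq: true
  service_ingress_metadata: true
  service_ingress_novncproxy: true
  service_ingress_placement: true
  service_ingress_osapi: true
  service_metadata: true
  service_placement: true
  service_novncproxy: true
  service_spiceproxy: true
  service_osapi: true
  statefulset_compute_ironic: false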