ee9c789b23
It will allow to configure keystone event notifications using CADF, as documented on: https://docs.openstack.org/developer/keystone/event_notifications.html CADF events provide auditing capabilities for compliance with security. Change-Id: Id16b264c295b9e3adbf960366ff8328ba8dcd485
590 lines
24 KiB
YAML
590 lines
24 KiB
YAML
# This file holds metadata about the capabilities of the tripleo-heat-templates
|
|
# repository for deployment using puppet. It groups configuration by topic,
|
|
# describes possible combinations of environments and resource capabilities.
|
|
|
|
# root_template: identifies repository's root template
|
|
# root_environment: identifies root_environment, this one is special in terms of
|
|
# order in which the environments are merged before deploying. This one serves as
|
|
# a base and it's parameters/resource_registry gets overridden by other environments
|
|
# if used.
|
|
|
|
# topics:
|
|
# High Level grouping by purpose of environments
|
|
# Attributes:
|
|
# title: (required)
|
|
# description: (optional)
|
|
# environment_groups: (required)
|
|
|
|
# environment_groups:
|
|
# Identifies an environment choice. If group includes multiple environments it
|
|
# indicates that environments in group are mutually exclusive.
|
|
# Attributes:
|
|
# title: (optional)
|
|
# description: (optional)
|
|
# tags: a list of tags to provide additional information for e.g. filtering (optional)
|
|
# environments: (required)
|
|
|
|
# environments:
|
|
# List of environments in environment group
|
|
# Attributes:
|
|
# file: a file name including path within repository (required)
|
|
# title: (required)
|
|
# description: (optional)
|
|
# requires: an array of environments which are required by this environment (optional)
|
|
# resource_registry: [tbd] (optional)
|
|
|
|
# resource_registry:
|
|
# [tbd] Each environment can provide options on resource_registry level applicable
|
|
# only when that given environment is used. (resource_type of that environment can
|
|
# be implemented using multiple templates).
|
|
|
|
root_template: overcloud.yaml
|
|
root_environment: overcloud-resource-registry-puppet.yaml
|
|
topics:
|
|
- title: Base Resources Configuration
|
|
description:
|
|
environment_groups:
|
|
- title:
|
|
description: Enable base configuration for all resources required for OpenStack Deployment
|
|
environments:
|
|
- file: overcloud-resource-registry-puppet.yaml
|
|
title: Base resources configuration
|
|
description:
|
|
|
|
- title: Deployment Options
|
|
description:
|
|
environment_groups:
|
|
- title: High Availability
|
|
description: Enables configuration of an Overcloud controller with Pacemaker
|
|
environments:
|
|
- file: environments/puppet-pacemaker.yaml
|
|
title: Pacemaker
|
|
description: Enable configuration of an Overcloud controller with Pacemaker
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Pacemaker options
|
|
description:
|
|
environments:
|
|
- file: environments/puppet-pacemaker-no-restart.yaml
|
|
title: Pacemaker No Restart
|
|
description:
|
|
requires:
|
|
- environments/puppet-pacemaker.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Docker RDO
|
|
description: >
|
|
Docker container with heat agents for containerized compute node
|
|
environments:
|
|
- file: environments/docker.yaml
|
|
title: Docker RDO
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Enable TLS
|
|
description: >
|
|
environments:
|
|
- file: environments/enable-tls.yaml
|
|
title: TLS
|
|
description: >
|
|
Use this option to pass in certificates for SSL deployments.
|
|
For these values to take effect, one of the TLS endpoints
|
|
environments must also be used.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: TLS Endpoints
|
|
description: >
|
|
environments:
|
|
- file: environments/tls-endpoints-public-dns.yaml
|
|
title: SSL-enabled deployment with DNS name as public endpoint
|
|
description: >
|
|
Use this environment when deploying an SSL-enabled overcloud where the public
|
|
endpoint is a DNS name.
|
|
requires:
|
|
- environments/enable-tls.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/tls-endpoints-public-ip.yaml
|
|
title: SSL-enabled deployment with IP address as public endpoint
|
|
description: >
|
|
Use this environment when deploying an SSL-enabled overcloud where the public
|
|
endpoint is an IP address.
|
|
requires:
|
|
- environments/enable-tls.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: External load balancer
|
|
description: >
|
|
Enable external load balancer
|
|
environments:
|
|
- file: environments/external-loadbalancer-vip-v6.yaml
|
|
title: External load balancer IPv6
|
|
description: >
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/external-loadbalancer-vip.yaml
|
|
title: External load balancer IPv4
|
|
description: >
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Additional Services
|
|
description: Deploy additional Overcloud services
|
|
environment_groups:
|
|
- title: Manila
|
|
description:
|
|
environments:
|
|
- file: environments/manila-generic-config.yaml
|
|
title: Manila
|
|
description: Enable Manila generic driver backend
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Sahara
|
|
description:
|
|
environments:
|
|
- file: environments/services/sahara.yaml
|
|
title: Sahara
|
|
description: Deploy Sahara service
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Ironic
|
|
description:
|
|
environments:
|
|
- file: environments/services/ironic.yaml
|
|
title: Ironic
|
|
description: Deploy Ironic service
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Mistral
|
|
description:
|
|
environments:
|
|
- file: environments/services/mistral.yaml
|
|
title: Mistral
|
|
description: Deploy Mistral service
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Ceilometer Api
|
|
description:
|
|
environments:
|
|
- file: environments/services/disable-ceilometer-api.yaml
|
|
title: Ceilometer Api
|
|
description: Disable Ceilometer Api service. This service is
|
|
deprecated and will be removed in future releases. Please move
|
|
to using gnocchi/aodh/panko apis instead.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
# - title: Network Interface Configuration
|
|
# description:
|
|
# environment_groups:
|
|
|
|
- title: Overlay Network Configuration
|
|
description:
|
|
environment_groups:
|
|
- title: Network Isolation
|
|
description:
|
|
environments:
|
|
- file: environments/network-isolation.yaml
|
|
title: Network Isolation
|
|
description: >
|
|
Enable the creation of Neutron networks for
|
|
isolated Overcloud traffic and configure each role to assign ports
|
|
(related to that role) on these networks.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/network-isolation-v6.yaml
|
|
title: Network Isolation IPv6
|
|
description: >
|
|
Enable the creation of IPv6 Neutron networks for isolated Overcloud
|
|
traffic and configure each role to assign ports (related
|
|
to that role) on these networks.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Single NIC or Bonding
|
|
description: >
|
|
Configure roles to use pair of bonded nics or to use Vlans on a
|
|
single nic. This option assumes use of Network Isolation.
|
|
environments:
|
|
- file: environments/net-bond-with-vlans.yaml
|
|
title: Bond with Vlans
|
|
description: >
|
|
Configure each role to use a pair of bonded nics (nic2 and
|
|
nic3) and configures an IP address on each relevant isolated network
|
|
for each role. This option assumes use of Network Isolation.
|
|
requires:
|
|
- environments/network-isolation.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-bond-with-vlans-no-external.yaml
|
|
title: Bond with Vlans No External Ports
|
|
description: >
|
|
Configure each role to use a pair of bonded nics (nic2 and
|
|
nic3) and configures an IP address on each relevant isolated network
|
|
for each role. This option assumes use of Network Isolation.
|
|
Sets external ports to noop.
|
|
requires:
|
|
- environments/network-isolation.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-bond-with-vlans-v6.yaml
|
|
title: Bond with Vlans IPv6
|
|
description: >
|
|
Configure each role to use a pair of bonded nics (nic2 and
|
|
nic3) and configures an IP address on each relevant isolated network
|
|
for each role, with IPv6 on the External network.
|
|
This option assumes use of Network Isolation IPv6.
|
|
requires:
|
|
- environments/network-isolation-v6.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-multiple-nics.yaml
|
|
title: Multiple NICs
|
|
description: >
|
|
Configures each role to use a separate NIC for
|
|
each isolated network.
|
|
This option assumes use of Network Isolation.
|
|
requires:
|
|
- environments/network-isolation.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-multiple-nics-v6.yaml
|
|
title: Multiple NICs IPv6
|
|
description: >
|
|
Configure each role to use a separate NIC for
|
|
each isolated network with IPv6 on the External network.
|
|
This option assumes use of Network Isolation IPv6.
|
|
requires:
|
|
- environments/network-isolation-v6.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-single-nic-with-vlans.yaml
|
|
title: Single NIC with Vlans
|
|
description: >
|
|
Configure each role to use Vlans on a single NIC for
|
|
each isolated network. This option assumes use of Network Isolation.
|
|
requires:
|
|
- environments/network-isolation.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-single-nic-with-vlans-no-external.yaml
|
|
title: Single NIC with Vlans No External Ports
|
|
description: >
|
|
Configure each role to use Vlans on a single NIC for
|
|
each isolated network. This option assumes use of Network Isolation.
|
|
Sets external ports to noop.
|
|
requires:
|
|
- environments/network-isolation.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-single-nic-linux-bridge-with-vlans.yaml
|
|
title: Single NIC with Linux Bridge Vlans
|
|
description: >
|
|
Configure each role to use Vlans on a single NIC for
|
|
each isolated network. This option assumes use of Network Isolation.
|
|
requires:
|
|
- environments/network-isolation.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/net-single-nic-with-vlans-v6.yaml
|
|
title: Single NIC with Vlans IPv6
|
|
description: >
|
|
Configures each role to use Vlans on a single NIC for
|
|
each isolated network with IPv6 on the External network.
|
|
This option assumes use of Network Isolation IPv6
|
|
requires:
|
|
- environments/network-isolation-v6.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Management Network
|
|
description: >
|
|
Enable the creation of a system management network. This
|
|
creates a Neutron network for isolated Overcloud
|
|
system management traffic and configures each role to
|
|
assign a port (related to that role) on that network.
|
|
environments:
|
|
- file: environments/network-management.yaml
|
|
title: Management Network
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/network-management-v6.yaml
|
|
title: Management Network IPv6
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Neutron Plugin Configuration
|
|
description:
|
|
environment_groups:
|
|
- title: Neutron Plugins
|
|
description: >
|
|
Enable various Neutron plugins and backends
|
|
environments:
|
|
- file: environments/neutron-ml2-bigswitch.yaml
|
|
title: BigSwitch Extensions
|
|
description: >
|
|
Enable Big Switch extensions, configured via puppet
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-ml2-cisco-n1kv.yaml
|
|
title: Cisco N1KV backend
|
|
description: >
|
|
Enable a Cisco N1KV backend, configured via puppet
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-ml2-cisco-nexus-ucsm.yaml
|
|
title: Cisco Neutron plugin
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-midonet.yaml
|
|
title: Deploy MidoNet Services
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-nuage-config.yaml
|
|
title: Neutron Nuage backend
|
|
description: Enables Neutron Nuage backend on the controller
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-opendaylight.yaml
|
|
title: OpenDaylight
|
|
description: Enables OpenDaylight
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-ovs-dpdk.yaml
|
|
title: DPDK with OVS
|
|
description: Deploy DPDK with OVS
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-ovs-dvr.yaml
|
|
title: DVR
|
|
description: Enables DVR in the Overcloud
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-plumgrid.yaml
|
|
title: PLUMgrid extensions
|
|
description: Enables PLUMgrid extensions
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-ml2-fujitsu-cfab.yaml
|
|
title: Fujitsu Neutron plugin for C-Fabric
|
|
description: Enable C-Fabric in the overcloud
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/neutron-ml2-fujitsu-fossw.yaml
|
|
title: Fujitsu Neutron plugin for FOS
|
|
description: Enable FOS in the overcloud
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Nova Extensions
|
|
description:
|
|
environment_groups:
|
|
- title: Nova Extensions
|
|
description:
|
|
environments:
|
|
- file: environments/nova-nuage-config.yaml
|
|
title: Nuage backend
|
|
description: >
|
|
Enables Nuage backend on the Compute
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Storage
|
|
description:
|
|
environment_groups:
|
|
- title: Cinder backup service
|
|
description:
|
|
environments:
|
|
- file: environments/cinder-backup.yaml
|
|
title: Cinder backup service
|
|
description: >
|
|
OpenStack Cinder Backup service with Pacemaker configured
|
|
with Puppet
|
|
requires:
|
|
- environments/puppet-pacemaker.yaml
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Cinder backend
|
|
description: >
|
|
Enable various Cinder backends
|
|
environments:
|
|
- file: environments/cinder-netapp-config.yaml
|
|
title: Cinder NetApp backend
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/cinder-dellsc-config.yaml
|
|
title: Cinder Dell EMC Storage Center ISCSI backend
|
|
description: >
|
|
Enables a Cinder Dell EMC Storage Center ISCSI backend,
|
|
configured via puppet
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/cinder-hpelefthand-config.yaml
|
|
title: Cinder HPELeftHandISCSI backend
|
|
description: >
|
|
Enables a Cinder HPELeftHandISCSI backend, configured
|
|
via puppet
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/cinder-dellps-config.yaml
|
|
title: Cinder Dell EMC PS Series backend
|
|
description: >
|
|
Enables a Cinder Dell EMC PS Series backend,
|
|
configured via puppet
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/cinder-iser.yaml
|
|
title: Cinder iSER backend
|
|
description: >
|
|
Enable a Cinder iSER RDMA backend, configured via puppet
|
|
- file: environments/cinder-scaleio-config.yaml
|
|
title: Cinder Dell EMC ScaleIO backend
|
|
description: >
|
|
Enables a Cinder Dell EMC ScaleIO backend,
|
|
configured via puppet
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Ceph
|
|
description: >
|
|
Enable the use of Ceph in the overcloud
|
|
environments:
|
|
- file: environments/puppet-ceph-external.yaml
|
|
title: Externally managed Ceph
|
|
description: >
|
|
Configures the overcloud to use an externally managed Ceph cluster, via RBD driver.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- file: environments/puppet-ceph.yaml
|
|
title: TripleO managed Ceph
|
|
description: >
|
|
Deploys a Ceph cluster via TripleO, requires at lease one CephStorage node or
|
|
use of hyperconverged-ceph.yaml environment for the HCI scenario, where CephOSD is
|
|
colocated with NovaCompute and configures the overcloud to use it, via RBD driver.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: CephMDS
|
|
description: >
|
|
Deploys CephMDS via TripleO, an additional Ceph service needed to create shared
|
|
filesystems hosted in Ceph.
|
|
environments:
|
|
- file: environments/services/ceph-mds.yaml
|
|
title: Deploys CephMDS
|
|
description:
|
|
requires:
|
|
- environments/puppet-ceph.yaml
|
|
- title: Ceph Rados Gateway
|
|
description: >
|
|
Deploys CephRGW via TripleO, transparently replaces Swift providing a compatible API
|
|
which stores data in the Ceph cluster.
|
|
environments:
|
|
- file: environments/ceph-radosgw.yaml
|
|
title: Deploys CephRGW
|
|
description:
|
|
requires:
|
|
- environments/puppet-ceph.yaml
|
|
- title: Manila with CephFS
|
|
description: >
|
|
Deploys Manila and configures it with the CephFS driver. This requires the deployment of
|
|
Ceph and CephMDS from TripleO or the use of an external Ceph cluster for the overcloud.
|
|
environments:
|
|
- file: environments/manila-cephfsnative-config.yaml
|
|
title: Deploys Manila with CephFS driver
|
|
description: Deploys Manila and configures CephFS as its default backend.
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Storage Environment
|
|
description: >
|
|
Can be used to set up storage backends. Defaults to Ceph used as a
|
|
backend for Cinder, Glance, Nova ephemeral storage and Gnocchi. It
|
|
configures which services will use Ceph, or if any of the services
|
|
will use NFS. And more. Usually requires to be edited by user first.
|
|
tags:
|
|
- no-gui
|
|
environments:
|
|
- file: environments/storage-environment.yaml
|
|
title: Storage Environment
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Utilities
|
|
description:
|
|
environment_groups:
|
|
- title: Config Debug
|
|
description: Enable config management (e.g. Puppet) debugging
|
|
environments:
|
|
- file: environments/config-debug.yaml
|
|
title: Config Debug
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Disable journal in MongoDb
|
|
description: >
|
|
Since, when journaling is enabled, MongoDb will create big journal
|
|
file it can take time. In a CI environment for example journaling is
|
|
not necessary.
|
|
environments:
|
|
- file: environments/mongodb-nojournal.yaml
|
|
title: Disable journal in MongoDb
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Overcloud Steps
|
|
description: >
|
|
Specifies hooks/breakpoints where overcloud deployment should stop
|
|
Allows operator validation between steps, and/or more granular control.
|
|
Note: the wildcards relate to naming convention for some resource suffixes,
|
|
e.g see puppet/*-post.yaml, enabling this will mean we wait for
|
|
a user signal on every *Deployment_StepN resource defined in those files.
|
|
tags:
|
|
- no-gui
|
|
environments:
|
|
- file: environments/overcloud-steps.yaml
|
|
title: Overcloud Steps
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Operational Tools
|
|
description:
|
|
environment_groups:
|
|
- title: Monitoring agents
|
|
description: Enable monitoring agents
|
|
environments:
|
|
- file: environments/monitoring-environment.yaml
|
|
title: enable monitoring agents
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Centralized logging support
|
|
description: Enable centralized logging clients (fluentd)
|
|
environments:
|
|
- file: environments/logging-environment.yaml
|
|
title: Enable fluentd client
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
|
|
- title: Security Options
|
|
description: Security Hardening Options
|
|
environment_groups:
|
|
- title: SSH Banner Text
|
|
description: Enables population of SSH Banner Text
|
|
environments:
|
|
- file: environments/sshd-banner.yaml
|
|
title: SSH Banner Text
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Horizon Password Validation
|
|
description: Enable Horizon Password validation
|
|
environments:
|
|
- file: environments/horizon_password_validation.yaml
|
|
title: Horizon Password Validation
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: AuditD Rules
|
|
description: Management of AuditD rules
|
|
environments:
|
|
- file: environments/auditd.yaml
|
|
title: AuditD Rule Management
|
|
description:
|
|
requires:
|
|
- overcloud-resource-registry-puppet.yaml
|
|
- title: Keystone CADF auditing
|
|
description: Enable CADF notifications in Keystone for auditing
|
|
environments:
|
|
- file: environments/cadf.yaml
|
|
title: Keystone CADF auditing
|