# Summary of feature set # Deploy an HA OpenStack environment with an IPA server. # This enables TLS for the undercloud which will also make haproxy bind to the # configured public-vip and admin-vip. undercloud_generate_service_certificate: true ssl_overcloud: true overcloud_templates_path: /usr/share/openstack-tripleo-heat-templates undercloud_templates_path: /usr/share/openstack-tripleo-heat-templates step_introspect: true # This enables container deployements after Pike containerized_overcloud: >- {% if release in ['newton', 'ocata', 'pike'] -%} false {%- else -%} true {%- endif -%} delete_docker_cache: true containerized_undercloud: >- {% if release not in ['newton','ocata','pike','queens'] -%} true {%- else -%} false {%- endif -%} ctlplane_masquerade: >- {% if release not in ['newton','ocata','pike','queens'] -%} true {%- else -%} false {%- endif -%} undercloud_enable_routed_networks: >- {% if release not in ['newton','ocata','pike'] -%} true {%- else -%} false {%- endif -%} undercloud_clean_nodes: >- {% if release not in ['newton','ocata','pike'] -%} true {%- else -%} false {%- endif -%} undercloud_inspection_extras: false # Tell tripleo about our environment. enable_pacemaker: true network_isolation: true network_isolation_type: "multiple-nics" network_isolation_args: >- -e {{ overcloud_templates_path }}/ci/environments/network/multiple-nics/network-isolation-absolute.yaml -e {{ overcloud_templates_path }}/ci/environments/network/multiple-nics/network-environment.yaml # This featureset is extremely resource intensive, so we disable telemetry # in order to reduce the overall memory footprint # This is not required in newton telemetry_args: >- {% if release != 'newton' %} -e {{ overcloud_templates_path }}/environments/disable-telemetry.yaml {% endif %} extra_args: >- {% if release not in ['newton', 'ocata', 'pike'] %} -e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml {% endif %} undercloud_ntp_servers: pool.ntp.org # keep the doc gen settings at the bottom of the config file. # options below direct automatic doc generation by tripleo-collect-logs artcl_gen_docs: true artcl_create_docs_payload: included_deployment_scripts: - undercloud-install - "{% if release not in ['queens', 'rocky', 'stein', 'train'] -%}ipa_prep{%- else -%}novajoin_prep{%- endif -%}" - "{% if release not in ['queens', 'rocky', 'stein', 'train'] -%}install_ipa{%- else -%}install_novajoin{%- endif -%}" - overcloud-custom-tht-script - "{% if release not in ['newton', 'ocata', 'pike'] -%}overcloud-prep-containers{%- endif -%}" - overcloud-prep-flavors - overcloud-prep-images - overcloud-prep-network - overcloud-deploy - overcloud-deploy-post - overcloud-validate - "{% if run_tempest|bool -%}tempest-setup{%- endif -%}" - "{% if run_tempest|bool and tempest_format|default('packages') == 'containers' -%}tempest_container{%- endif -%}" included_static_docs: - env-setup-virt table_of_contents: - env-setup-virt - "{% if release not in ['queens', 'rocky', 'stein', 'train'] -%}ipa_prep{%- else -%}novajoin_prep{%- endif -%}" - "{% if release not in ['queens', 'rocky', 'stein', 'train'] -%}install_ipa{%- else -%}install_novajoin{%- endif -%}" - undercloud-install - overcloud-custom-tht-script - "{% if release not in ['newton', 'ocata', 'pike'] -%}overcloud-prep-containers{%- endif -%}" - overcloud-prep-flavors - overcloud-prep-images - overcloud-prep-network - overcloud-deploy - overcloud-deploy-post - overcloud-validate - "{% if run_tempest|bool -%}tempest-setup{%- endif -%}" - "{% if run_tempest|bool and tempest_format|default('packages') == 'containers' -%}tempest_container{%- endif -%}" deploy_steps_ansible_workflow: >- {% if release not in ['newton','ocata','pike'] -%} true {%- else -%} false {%- endif -%} config_download_args: >- {% if release in ['queens'] -%} -e /usr/share/openstack-tripleo-heat-templates/environments/config-download-environment.yaml --config-download --verbose {%- endif -%} # Tempest configuration, keep always at the end of the file # Use the traditional ping test in newton, ocata and pike # Run tempest in queens+ test_ping: >- {% if release in ['newton', 'ocata', 'pike'] -%} true {%- else -%} false {%- endif -%} # Settings for os_tempest run_tempest: >- {% if release not in ['pike', 'queens', 'rocky', 'stein', 'train'] -%} false {%- else -%} true {%- endif -%} use_os_tempest: >- {% if release not in ['pike', 'queens', 'rocky', 'stein', 'train'] -%} true {%- else -%} false {%- endif -%} # It will create a public network name 'public' using os_tempest tempest_interface_name: public tempest_run_concurrency: 4 # In order to have a public network with external connectivity, we need to use # flat network type tempest_public_net_provider_type: flat # It is the physical network name through which public network will be created # having connectivity with external world. tempest_public_net_physical_name: datacentre # Setting the tempest_cidr as it is required while creating public subnet from which # floating IPs gets assigned tempest_cidr: '10.0.0.0/24' # In order to create a private network, fs01 is based on OVN, geneve should be used # as private network type tempest_private_net_provider_type: geneve tempest_private_net_seg_id: '' tempest_install_method: distro # Having tempest_network_ping_gateway set to true allows to ping any of the IP from # router to find out network related issue in the deployment early tempest_network_ping_gateway: true # It is the python-tempestconf profile which also consumes tempest-deployer-input file tempest_tempestconf_profile: debug: true create: true deployer-input: "{{ ansible_user_dir }}/tempest-deployer-input.conf" os-cloud: "{{ tempest_cloud_name }}" out: "{{ tempest_workspace }}/etc/tempest.conf" network-id: "{{ tempest_neutron_public_network_id }}" overrides: "{{ tempest_tempest_conf_overrides | default({}) }}" test_white_regex: '' tempest_whitelist: - 'tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops' tempest_test_whitelist: "{{ tempest_whitelist }}" tempest_format: >- {% if containerized_undercloud|bool -%} container {%- else -%} packages {%- endif -%} undercloud_enable_tempest: >- {% if release not in ['newton', 'ocata', 'pike', 'queens'] -%} true {%- else -%} false {%- endif -%} undercloud_enable_nova: true # TLS everywhere related vars. # enable_tls_everywhere: true novajoin_connect_timeout: 60 novajoin_read_timeout: 60 # This switches between a deployment with novajoin or using ansible-tripleo-ipa undercloud_enable_novajoin: >- {% if release in ['queens', 'rocky', 'stein', 'train'] -%} True {%- else -%} False {%- endif -%} external_network_cidr: 10.0.0.0/24 freeipa_admin_password: fce95318204114530f31f885c9df588f # Set node hostnames. freeipa_internal_ip: "{{ external_network_cidr|nthhost(250) }}" supplemental_node_ip: "{{ freeipa_internal_ip }}" undercloud_undercloud_nameservers: ["{{ freeipa_internal_ip }}"] overcloud_dns_servers: ["{{ freeipa_internal_ip }}", "8.8.8.8"] tripleo_domain: ooo.test undercloud_cloud_domain: "{{ tripleo_domain }}" freeipa_server_hostname: "ipa.{{ tripleo_domain }}" undercloud_undercloud_hostname: "undercloud.{{ tripleo_domain }}" overcloud_cloud_name: "overcloud.{{ tripleo_domain }}" overcloud_cloud_domain: "{{ tripleo_domain }}" overcloud_cloud_name_internal: "overcloud.internalapi.{{ tripleo_domain }}" overcloud_cloud_name_storage: "overcloud.storage.{{ tripleo_domain }}" overcloud_cloud_name_storage_management: "overcloud.storagemgmt.{{ tripleo_domain }}" overcloud_cloud_name_ctlplane: "overcloud.ctlplane.{{ tripleo_domain }}" # Supplemental node related vars. # # Ensure that the FreeIPA server node is provisioned during deployment. deploy_supplemental_node: true supplemental_user: centos supplemental_image_url: https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2 undercloud_custom_env_files: "{{ working_dir }}/undercloud-parameter-defaults.yaml" ### Keycloak IdP ### # Turn on federation support enable_federation: true # For simplicity in development and testing scenarios share the admin # password with IPA. Do not do this in a production environment! keycloak_admin_password: "{{ freeipa_admin_password }}" # Locate the Keycloak cert/key on the supplemental node, this offers # the potential for certmonger to manage cert renewal and simplifies # obtaining the cert from IPA. keycloak_tls_files_on_target: true # Download the keycloak archive directly to the supplemental node as # opposed to caching it on the host running oooq which then incurs the # penalty of Ansible unpacking it over a (typically) slow SSH connection. keycloak_archive_on_target: true # Both the PKI certificate server in IPA and Keycloak default their # http and https port to 8080 and 8443 respectively. Because IPA is # installed first ports 8080 and 8443 are already in use, bump the # Keycloak ports by 1 to avoid port conflicts. keycloak_http_port: 8081 keycloak_https_port: 8444 # IPA installs first on the supplemental and does not enable the # firewall. If keycloak were to install later and enabled the # firewall opening only the Keycloak ports then the IPA ports would # be blocked. Therefore turn off Keycloak's configuration of the # firewall. The IPA install should enable the firewall but when this # was attempted a bug in Ansible prevented it from working. If the IPA # install gains the ability to enable the firewall then # keycloak_configure_firewall should be turned on. keycloak_configure_firewall: false # Limit the JVM max heap size to 512 MB keycloak_java_opts: "-Xms64m -Xmx512m" # Extend the CLI connect timeout to account for slow startup of Keycloak # with our small heap size. keycloak_jboss_config_connect_timeout: 90000