tripleo-quickstart/config/general_config/featureset039.yml


# Summary of feature set
# Deploy an HA OpenStack environment with an IPA server.
# This enables TLS for the undercloud which will also make haproxy bind to the
# configured public-vip and admin-vip.
undercloud_generate_service_certificate: true
ssl_overcloud: true
overcloud_templates_path: /usr/share/openstack-tripleo-heat-templates
undercloud_templates_path: /usr/share/openstack-tripleo-heat-templates
step_introspect: true
# This enables container deployments after Pike.
#
# Note on the release-gated values in this file: every `>-` block below
# renders to the literal *string* "true" or "false", not a YAML boolean, so
# anything that branches on one of them must apply the |bool filter (as
# run_tempest and containerized_undercloud do further down in this file).
containerized_overcloud: >-
  {% if release in ['newton', 'ocata', 'pike'] -%}
  false
  {%- else -%}
  true
  {%- endif -%}
delete_docker_cache: true
# Containerized undercloud from rocky onwards (everything after queens).
containerized_undercloud: >-
  {% if release not in ['newton','ocata','pike','queens'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# Masquerade the ctlplane network on the undercloud from rocky onwards; kept
# in lockstep with containerized_undercloud above.
ctlplane_masquerade: >-
  {% if release not in ['newton','ocata','pike','queens'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# Routed (spine/leaf style) ctlplane networks from queens onwards.
undercloud_enable_routed_networks: >-
  {% if release not in ['newton','ocata','pike'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# Ironic node cleaning from queens onwards.
undercloud_clean_nodes: >-
  {% if release not in ['newton','ocata','pike'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
undercloud_inspection_extras: false
# Tell tripleo about our environment.
enable_pacemaker: true
network_isolation: true
network_isolation_type: "multiple-nics"
# Both files are taken from the CI environment tree of the overcloud
# templates, so they move with overcloud_templates_path.
network_isolation_args: >-
  -e {{ overcloud_templates_path }}/ci/environments/network/multiple-nics/network-isolation-absolute.yaml
  -e {{ overcloud_templates_path }}/ci/environments/network/multiple-nics/network-environment.yaml
# This featureset is extremely resource intensive, so we disable telemetry
# in order to reduce the overall memory footprint.
# This is not required in newton (the block renders empty there).
telemetry_args: >-
  {% if release != 'newton' %}
  -e {{ overcloud_templates_path }}/environments/disable-telemetry.yaml
  {% endif %}
# OVB HA environment for queens and later; renders empty on older releases.
extra_args: >-
  {% if release not in ['newton', 'ocata', 'pike'] %}
  -e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
  {% endif %}
# NOTE(security): an unauthenticated public NTP pool. The IPA-backed
# TLS-everywhere setup later in this file is clock-sensitive (Kerberos
# tickets, certificate validity windows), so a CI-local or otherwise trusted
# time source is preferable where one exists; this value also sends NTP
# traffic from the undercloud to the internet.
undercloud_ntp_servers: pool.ntp.org
# Keep the doc gen settings together at the bottom of the config file.
# (In this featureset the TLS-everywhere, supplemental-node and Keycloak
# settings were appended after them.)
# Options below direct automatic doc generation by tripleo-collect-logs.
artcl_gen_docs: true
artcl_create_docs_payload:
  # The Jinja-wrapped entries render to an empty string when their condition
  # is false; the doc generator is presumably expected to skip empty names
  # (TODO confirm in tripleo-collect-logs).
  included_deployment_scripts:
    - undercloud-install
    - novajoin_prep
    - install_novajoin
    - overcloud-custom-tht-script
    - "{% if release not in ['newton', 'ocata', 'pike'] -%}overcloud-prep-containers{%- endif -%}"
    - overcloud-prep-flavors
    - overcloud-prep-images
    - overcloud-prep-network
    - overcloud-deploy
    - overcloud-deploy-post
    - overcloud-validate
    - "{% if run_tempest|bool -%}tempest-setup{%- endif -%}"
    - "{% if run_tempest|bool and tempest_format|default('packages') == 'containers' -%}tempest_container{%- endif -%}"
  included_static_docs:
    - env-setup-virt
  # Same list as included_deployment_scripts, with the static doc first and
  # the novajoin steps ordered before the undercloud install.
  table_of_contents:
    - env-setup-virt
    - novajoin_prep
    - install_novajoin
    - undercloud-install
    - overcloud-custom-tht-script
    - "{% if release not in ['newton', 'ocata', 'pike'] -%}overcloud-prep-containers{%- endif -%}"
    - overcloud-prep-flavors
    - overcloud-prep-images
    - overcloud-prep-network
    - overcloud-deploy
    - overcloud-deploy-post
    - overcloud-validate
    - "{% if run_tempest|bool -%}tempest-setup{%- endif -%}"
    - "{% if run_tempest|bool and tempest_format|default('packages') == 'containers' -%}tempest_container{%- endif -%}"
# Ansible-driven deploy steps from queens onwards.
deploy_steps_ansible_workflow: >-
  {% if release not in ['newton','ocata','pike'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# Only queens needs config-download requested explicitly; the block renders
# empty on every other release (presumably because later releases enable it
# by default -- TODO confirm).
config_download_args: >-
  {% if release in ['queens'] -%}
  -e /usr/share/openstack-tripleo-heat-templates/environments/config-download-environment.yaml
  --config-download
  --verbose
  {%- endif -%}
# Tempest configuration. (Originally meant to stay at the end of the file;
# the TLS-everywhere, supplemental-node and Keycloak settings below were
# appended after it.)
# Use the traditional ping test in newton, ocata and pike.
# Run tempest from pike through train. Note that pike therefore gets BOTH the
# ping test and tempest, since it appears in both lists below.
test_ping: >-
  {% if release in ['newton', 'ocata', 'pike'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# Settings for os_tempest
run_tempest: >-
  {% if release not in ['pike', 'queens', 'rocky', 'stein', 'train'] -%}
  false
  {%- else -%}
  true
  {%- endif -%}
# Exact inverse of run_tempest: the os_tempest role is used on every release
# that does not run tempest the traditional way.
use_os_tempest: >-
  {% if release not in ['pike', 'queens', 'rocky', 'stein', 'train'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# It will create a public network named 'public' using os_tempest
tempest_interface_name: public
tempest_run_concurrency: 4
# In order to have a public network with external connectivity, we need to use
# flat network type
tempest_public_net_provider_type: flat
# It is the physical network name through which public network will be created
# having connectivity with external world.
tempest_public_net_physical_name: datacentre
# Setting the tempest_cidr as it is required while creating public subnet from
# which floating IPs get assigned.
# NOTE(review): this is the same 10.0.0.0/24 as external_network_cidr below,
# where the FreeIPA server is placed at host .250. Presumably the floating-IP
# allocation pool os_tempest creates excludes that address -- TODO confirm,
# otherwise a floating IP could collide with the IPA server.
tempest_cidr: '10.0.0.0/24'
# In order to create a private network, fs01 is based on OVN, geneve should be
# used as private network type
tempest_private_net_provider_type: geneve
tempest_private_net_seg_id: ''
tempest_install_method: distro
# Having tempest_network_ping_gateway set to true allows to ping any of the IP
# from router to find out network related issues in the deployment early
tempest_network_ping_gateway: true
# It is the python-tempestconf profile which also consumes the
# tempest-deployer-input file. Keys are python-tempestconf CLI option names,
# hence the hyphens.
tempest_tempestconf_profile:
  debug: true
  create: true
  deployer-input: "{{ ansible_user_dir }}/tempest-deployer-input.conf"
  os-cloud: "{{ tempest_cloud_name }}"
  out: "{{ tempest_workspace }}/etc/tempest.conf"
  network-id: "{{ tempest_neutron_public_network_id }}"
  overrides: "{{ tempest_tempest_conf_overrides | default({}) }}"
# No regex filter; the run is restricted to the explicit whitelist instead.
test_white_regex: ''
# A single scenario test keeps this (already heavy) featureset's runtime down.
tempest_whitelist:
  - 'tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops'
tempest_test_whitelist: "{{ tempest_whitelist }}"
# Run tempest from a container whenever the undercloud itself is containerized.
tempest_format: >-
  {% if containerized_undercloud|bool -%}
  container
  {%- else -%}
  packages
  {%- endif -%}
# Tempest on the undercloud from rocky onwards.
undercloud_enable_tempest: >-
  {% if release not in ['newton', 'ocata', 'pike', 'queens'] -%}
  true
  {%- else -%}
  false
  {%- endif -%}
# TLS everywhere related vars. #
enable_tls_everywhere: true
novajoin_connect_timeout: 60
novajoin_read_timeout: 60
external_network_cidr: 10.0.0.0/24
# NOTE(security): this IPA admin password is committed to the repository in
# clear text and is reused as the Keycloak admin password further down, so it
# must be treated as public. IPA is the CA for the TLS-everywhere deployment,
# so anyone who can reach the supplemental node with this credential can issue
# certificates for the whole cloud. This is acceptable only on an isolated CI
# network; never reuse this value outside CI.
freeipa_admin_password: fce95318204114530f31f885c9df588f
# Set node hostnames.
# With the CIDR above this resolves to 10.0.0.250; the IPA server is also the
# nameserver for both clouds.
freeipa_internal_ip: "{{ external_network_cidr|nthhost(250) }}"
supplemental_node_ip: "{{ freeipa_internal_ip }}"
undercloud_undercloud_nameservers: ["{{ freeipa_internal_ip }}"]
# The overcloud gets IPA first and a public resolver as a fallback. The
# fallback presumably cannot answer for the ooo.test zone, so a fail-over to
# it (IPA slow or down) shows up as unresolvable cloud hostnames rather than
# an obvious error; it also sends overcloud DNS traffic to a third party.
# The undercloud, by contrast, uses IPA alone.
overcloud_dns_servers: ["{{ freeipa_internal_ip }}", "8.8.8.8"]
tripleo_domain: ooo.test
undercloud_cloud_domain: "{{ tripleo_domain }}"
freeipa_server_hostname: "ipa.{{ tripleo_domain }}"
undercloud_undercloud_hostname: "undercloud.{{ tripleo_domain }}"
overcloud_cloud_name: "overcloud.{{ tripleo_domain }}"
overcloud_cloud_domain: "{{ tripleo_domain }}"
# Per-network overcloud names; these end up as the SANs/hostnames the
# TLS-everywhere certificates are issued for.
overcloud_cloud_name_internal: "overcloud.internalapi.{{ tripleo_domain }}"
overcloud_cloud_name_storage: "overcloud.storage.{{ tripleo_domain }}"
overcloud_cloud_name_storage_management: "overcloud.storagemgmt.{{ tripleo_domain }}"
overcloud_cloud_name_ctlplane: "overcloud.ctlplane.{{ tripleo_domain }}"
# Supplemental node related vars. #
# Ensure that the FreeIPA server node is provisioned during deployment.
deploy_supplemental_node: true
supplemental_user: centos
# NOTE(supply-chain): fetched over HTTPS but not pinned to a specific build or
# checksum, so the supplemental node's base image is whatever cloud.centos.org
# currently serves under this name. Pin and verify it out of band if
# reproducibility matters. CentOS 7 has also reached end of life -- TODO
# confirm this is still the intended base image.
supplemental_image_url: https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2
undercloud_custom_env_files: "{{ working_dir }}/undercloud-parameter-defaults.yaml"
undercloud_resource_registry_args:
  "OS::TripleO::Undercloud::Net::SoftwareConfig": "{{ undercloud_templates_path }}/net-config-undercloud.yaml"
### Keycloak IdP ###
# Turn on federation support
enable_federation: true
# For simplicity in development and testing scenarios share the admin
# password with IPA. Do not do this in a production environment: it makes the
# IPA admin credential (i.e. the CA admin for TLS everywhere) available to
# anyone who can reach the Keycloak admin interface on the ports below.
keycloak_admin_password: "{{ freeipa_admin_password }}"
# Locate the Keycloak cert/key on the supplemental node, this offers
# the potential for certmonger to manage cert renewal and simplifies
# obtaining the cert from IPA.
keycloak_tls_files_on_target: true
# Download the keycloak archive directly to the supplemental node as
# opposed to caching it on the host running oooq which then incurs the
# penalty of Ansible unpacking it over a (typically) slow SSH connection.
# (The download is then subject to whatever verification the role itself
# performs -- TODO confirm it checks a signature or checksum.)
keycloak_archive_on_target: true
# Both the PKI certificate server in IPA and Keycloak default their
# http and https port to 8080 and 8443 respectively. Because IPA is
# installed first ports 8080 and 8443 are already in use, bump the
# Keycloak ports by 1 to avoid port conflicts.
# Note the HTTP port is plain-text; only the HTTPS port carries the TLS
# setup above.
keycloak_http_port: 8081
keycloak_https_port: 8444
# IPA installs first on the supplemental and does not enable the
# firewall. If keycloak were to install later and enabled the
# firewall opening only the Keycloak ports then the IPA ports would
# be blocked. Therefore turn off Keycloak's configuration of the
# firewall. The IPA install should enable the firewall but when this
# was attempted a bug in Ansible prevented it from working. If the IPA
# install gains the ability to enable the firewall then
# keycloak_configure_firewall should be turned on.
# NOTE(security): the net effect is that the supplemental node runs with no
# host firewall for the whole job -- IPA (including its DNS, which both
# clouds use) and Keycloak on 8081/8444 are reachable from any host that can
# route to 10.0.0.250. Acceptable only while the external network is isolated.
keycloak_configure_firewall: false
# Limit the JVM max heap size to 512 MB
keycloak_java_opts: "-Xms64m -Xmx512m"
# Extend the CLI connect timeout (milliseconds) to account for slow startup
# of Keycloak with our small heap size.
keycloak_jboss_config_connect_timeout: 90000