microstack/snap-overlay/snap-openstack.yaml
Billy Olsen 19d74ff9ba Add PKI API for compute nodes certificates
Treat the control node as a CA for certificates at compute nodes.
Upon joining a cluster, the compute node will request a certificate to
be created by generating a CSR and asking the control node to sign the
certificate.

This adds new config options for the compute private keys and
certificate locations in use.

Change-Id: I8e8b1a86cf7df752b6cb34cfdf65a87a72934ec5
2021-10-20 11:50:43 -07:00


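setup:
  # Directories the setup step is expected to create under {snap_common}.
  # NOTE(review): etc/cluster/tls and fernet-keys are listed here but have no
  # entry under `chmod` below; only etc/ssl/private is restricted to 0700.
  # If they hold private key material, confirm their mode is tightened
  # elsewhere rather than left to the process umask.
  dirs:
    - "{snap_common}/etc/keystone/keystone.conf.d"
    - "{snap_common}/etc/cinder/cinder.conf.d"
    - "{snap_common}/etc/nova/nova.conf.d"
    - "{snap_common}/etc/neutron/neutron.conf.d"
    - "{snap_common}/etc/neutron/plugins/ml2"
    - "{snap_common}/etc/neutron/policy.d"
    - "{snap_common}/etc/neutron/rootwrap.d"
    - "{snap_common}/etc/nginx/sites-enabled"
    - "{snap_common}/etc/glance/glance.conf.d"
    - "{snap_common}/etc/placement/placement.conf.d"
    - "{snap_common}/etc/horizon/horizon.conf.d"
    - "{snap_common}/etc/horizon/local_settings.d"
    - "{snap_common}/var/horizon/static"
    - "{snap_common}/etc/keystone/uwsgi/snap"
    - "{snap_common}/etc/cinder/uwsgi/snap"
    - "{snap_common}/etc/nova/uwsgi/snap"
    - "{snap_common}/etc/horizon/uwsgi/snap"
    - "{snap_common}/etc/placement/uwsgi/snap"
    - "{snap_common}/etc/cluster/tls"
    - "{snap_common}/etc/cluster/uwsgi/snap"
    - "{snap_common}/etc/rabbitmq"
    - "{snap_common}/etc/ssl/certs"
    - "{snap_common}/etc/ssl/private"
    - "{snap_common}/fernet-keys"
    - "{snap_common}/lib"
    - "{snap_common}/lib/images"
    - "{snap_common}/lock"
    - "{snap_common}/log"
    - "{snap_common}/run"
    - "{snap_common}/lib/instances"
    - "{snap_common}/etc/apparmor.d/libvirt"
    - "{snap_common}/etc/iscsi"
    - "{snap_common}/etc/target"

  # Template name -> rendered destination. Keys must be unique: most YAML
  # loaders silently keep only the last occurrence of a repeated key.
  # Several rendered files (database, rabbitmq, keystone snippets) are
  # presumably filled from the credential keys mapped further down, so the
  # mode of the destination directories matters.
  templates:
    cluster-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/cluster.conf"
    keystone-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/keystone.conf"
    keystone-snap.conf.j2: "{snap_common}/etc/keystone/keystone.conf.d/keystone-snap.conf"
    neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf"
    nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf"
    nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf"
    nova-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/nova.conf"
    glance-snap.conf.j2: "{snap_common}/etc/glance/glance.conf.d/glance-snap.conf"
    glance-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/glance.conf"
    placement-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/placement.conf"
    placement-snap.conf.j2: "{snap_common}/etc/placement/placement.conf.d/placement-snap.conf"
    cinder-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/cinder.conf"
    cinder-snap.conf.j2: "{snap_common}/etc/cinder/cinder.conf.d/cinder-snap.conf"
    cinder.database.conf.j2: "{snap_common}/etc/cinder/cinder.conf.d/database.conf"
    cinder.rabbitmq.conf.j2: "{snap_common}/etc/cinder/cinder.conf.d/rabbitmq.conf"
    cinder.keystone.conf.j2: "{snap_common}/etc/cinder/cinder.conf.d/keystone.conf"
    cinder-rootwrap.conf.j2: "{snap_common}/etc/cinder/rootwrap.conf"
    horizon-snap.conf.j2: "{snap_common}/etc/horizon/horizon.conf.d/horizon-snap.conf"
    horizon-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/horizon.conf"
    05_snap_tweaks.j2: "{snap_common}/etc/horizon/local_settings.d/_05_snap_tweaks.py"
    libvirtd.conf.j2: "{snap_common}/etc/libvirt/libvirtd.conf"
    qemu.conf.j2: "{snap_common}/etc/libvirt/qemu.conf"
    virtlogd.conf.j2: "{snap_common}/etc/libvirt/virtlogd.conf"
    microstack.rc.j2: "{snap_common}/etc/microstack.rc"
    microstack.json.j2: "{snap_common}/etc/microstack.json"
    glance.conf.d.keystone.conf.j2: "{snap_common}/etc/glance/glance.conf.d/keystone.conf"
    placement.conf.d.keystone.conf.j2: "{snap_common}/etc/placement/placement.conf.d/keystone.conf"
    nova.conf.d.keystone.conf.j2: "{snap_common}/etc/nova/nova.conf.d/keystone.conf"
    nova.conf.d.database.conf.j2: "{snap_common}/etc/nova/nova.conf.d/database.conf"
    nova.conf.d.rabbitmq.conf.j2: "{snap_common}/etc/nova/nova.conf.d/rabbitmq.conf"
    nova.conf.d.cinder.conf.j2: "{snap_common}/etc/nova/nova.conf.d/cinder.conf"
    nova.conf.d.glance.conf.j2: "{snap_common}/etc/nova/nova.conf.d/glance.conf"
    nova.conf.d.neutron.conf.j2: "{snap_common}/etc/nova/nova.conf.d/neutron.conf"
    nova.conf.d.placement.conf.j2: "{snap_common}/etc/nova/nova.conf.d/placement.conf"
    nova.conf.d.console.conf.j2: "{snap_common}/etc/nova/nova.conf.d/console.conf"
    keystone.database.conf.j2: "{snap_common}/etc/keystone/keystone.conf.d/database.conf"
    glance.database.conf.j2: "{snap_common}/etc/glance/glance.conf.d/database.conf"
    placement.conf.d.database.conf.j2: "{snap_common}/etc/placement/placement.conf.d/database.conf"
    neutron.keystone.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/keystone.conf"
    neutron.nova.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/nova.conf"
    neutron.placement.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/placement.conf"
    neutron.database.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/database.conf"
    neutron.conf.d.rabbitmq.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/rabbitmq.conf"
    neutron_ovn_metadata_agent.ini.j2: "{snap_common}/etc/neutron/neutron_ovn_metadata_agent.ini"
    neutron-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/neutron.conf"
    rabbitmq.conf.j2: "{snap_common}/etc/rabbitmq/rabbitmq.config"
    iscsid.conf.j2: "{snap_common}/etc/iscsi/iscsid.conf"
    lvm.conf.j2: "{snap_common}/etc/lvm/lvm.conf"
    # LMA stack templates
    telegraf.conf.j2: "{snap_common}/etc/telegraf/telegraf-microstack.conf"
    nrpe.cfg.j2: "{snap_common}/etc/nrpe/nrpe-microstack.cfg"
    filebeat.yaml.j2: "{snap_common}/etc/filebeat/filebeat-microstack.yaml"

  # Path -> file mode. The modes are unquoted octal literals: a YAML 1.1
  # loader reads 0755 as the integer 493, while a strict YAML 1.2 loader
  # would read decimal 755. Presumably the consumer relies on the 1.1
  # reading and hands the integer to chmod; confirm before quoting them.
  chmod:
    "{snap_common}/etc/ssl": 0755
    "{snap_common}/etc/ssl/certs": 0755
    # Private-key directory: owner-only access.
    "{snap_common}/etc/ssl/private": 0700
    # NOTE(review): `dirs` above creates {snap_common}/lib/instances, not
    # {snap_common}/instances; confirm which path is intended here.
    "{snap_common}/instances": 0755
    # NOTE(review): 0644 is world-readable. If the rendered microstack.rc or
    # microstack.json carry credentials (their templates are not visible
    # here), local users on the host can read them; confirm the contents
    # or tighten the mode.
    "{snap_common}/etc/microstack.rc": 0644
    "{snap_common}/etc/microstack.json": 0644

  # Template variable -> snap configuration key. The values are key names,
  # not secrets; the secret values themselves are held in the snap's
  # configuration and reach disk only through the rendered templates.
  snap-config-keys:
    is_clustered: 'config.is-clustered'
    cluster_tls_cert_path: 'config.cluster.tls-cert-path'
    cluster_tls_key_path: 'config.cluster.tls-key-path'
    region_name: 'config.keystone.region-name'
    keystone_password: 'config.credentials.keystone-password'
    nova_password: 'config.credentials.nova-password'
    cinder_password: 'config.credentials.cinder-password'
    neutron_password: 'config.credentials.neutron-password'
    glance_password: 'config.credentials.glance-password'
    placement_password: 'config.credentials.placement-password'
    rabbitmq_password: 'config.credentials.rabbitmq-password'
    control_ip: 'config.network.control-ip'
    node_fqdn: 'config.network.node-fqdn'
    compute_ip: 'config.network.compute-ip'
    extgateway: 'config.network.ext-gateway'
    extcidr: 'config.network.ext-cidr'
    dns_servers: 'config.network.dns-servers'
    dns_domain: 'config.network.dns-domain'
    dashboard_allowed_hosts: 'config.network.dashboard-allowed-hosts'
    dashboard_port: 'config.network.ports.dashboard'
    mysql_port: 'config.network.ports.mysql'
    rabbit_port: 'config.network.ports.rabbit'
    logging_debug: 'config.logging.debug'
    # NOTE(review): the sibling keys are config.logging.debug and
    # config.logging.host; the doubled "logging.logging" segment may be a
    # typo for config.logging.tag. Left as is: confirm against the code that
    # sets this key before changing it.
    logging_tag: 'config.logging.logging.tag'
    logging_host: 'config.logging.host'
    monitoring_tag: 'config.monitoring.tag'
    monitoring_ipmi: 'config.monitoring.ipmi'
    alerting_tag: 'config.alerting.tag'
    ovn_nb_connection: 'config.network.ovn-nb-connection'
    ovn_sb_connection: 'config.network.ovn-sb-connection'
    ovn_metadata_proxy_shared_secret: 'config.credentials.ovn-metadata-proxy-shared-secret'
    setup_loop_based_cinder_lvm_backend: 'config.cinder.setup-loop-based-cinder-lvm-backend'
    lvm_backend_volume_group: 'config.cinder.lvm-backend-volume-group'
    virt_type: 'config.nova.virt-type'
    cpu_mode: 'config.nova.cpu-mode'
    cpu_models: 'config.nova.cpu-models'
    # TLS material locations. The compute.* pair is the per-compute-node
    # certificate and private key described in the commit message.
    tls_generate_self_signed: 'config.tls.generate-self-signed'
    tls_cacert_path: 'config.tls.cacert-path'
    tls_cert_path: 'config.tls.cert-path'
    tls_key_path: 'config.tls.key-path'
    tls_compute_cert_path: 'config.tls.compute.cert-path'
    tls_compute_key_path: 'config.tls.compute.key-path'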
# One entry per launchable service or management tool.
#   config-files           defaults shipped under {snap}
#   config-files-override  same-named files under {snap_common}
#   config-dirs            drop-in directories under {snap_common}
#   templates              files rendered for that entry point
# NOTE(review): every *-override path sits in the {snap_common} tree, which
# is presumably the writable area of the snap. Whoever can write there
# controls the effective configuration of the service, so ownership and
# mode of those directories should be root-only; confirm.
entry_points:
  # --- Identity (keystone) ---
  keystone-manage:
    binary: "{snap}/bin/keystone-manage"
    config-files:
      - "{snap}/etc/keystone/keystone.conf"
    config-files-override:
      - "{snap_common}/etc/keystone/keystone.conf"
    config-dirs:
      - "{snap_common}/etc/keystone/keystone.conf.d"
  keystone-uwsgi:
    type: uwsgi
    uwsgi-dir: "{snap_common}/etc/keystone/uwsgi/snap"
    uwsgi-dir-override: "{snap_common}/etc/keystone/uwsgi"
    config-files:
      - "{snap}/etc/keystone/keystone.conf"
    config-files-override:
      - "{snap_common}/etc/keystone/keystone.conf"
    config-dirs:
      - "{snap_common}/etc/keystone/keystone.conf.d"
    templates:
      keystone-api.ini.j2: "{snap_common}/etc/keystone/uwsgi/snap/keystone-api.ini"

  # --- Cluster API ---
  cluster-uwsgi:
    type: uwsgi
    uwsgi-dir: "{snap_common}/etc/cluster/uwsgi/snap"
    uwsgi-dir-override: "{snap_common}/etc/cluster/uwsgi"
    templates:
      cluster-api.ini.j2: "{snap_common}/etc/cluster/uwsgi/snap/cluster-api.ini"

  # --- Web front end ---
  nginx:
    type: nginx
    config-file: "{snap_common}/etc/nginx/snap/nginx.conf"
    config-file-override: "{snap_common}/etc/nginx/nginx.conf"

  # --- Compute (nova) ---
  nova-api-os-compute:
    binary: "{snap}/bin/nova-api-os-compute"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
  nova-conductor:
    binary: "{snap}/bin/nova-conductor"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
  nova-scheduler:
    binary: "{snap}/bin/nova-scheduler"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
  nova-compute:
    binary: "{snap}/bin/nova-compute"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
  nova-api-metadata:
    binary: "{snap}/bin/nova-api-metadata"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
  nova-manage:
    binary: "{snap}/bin/nova-manage"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
  nova-spicehtml5proxy:
    binary: "{snap}/bin/nova-spicehtml5proxy"
    config-files:
      - "{snap}/etc/nova/nova.conf"
    config-files-override:
      - "{snap_common}/etc/nova/nova.conf"
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
    templates:
      nova.conf.d.console.conf.j2:
        "{snap_common}/etc/nova/nova.conf.d/console.conf"

  # --- Networking (neutron) ---
  neutron-db-manage:
    binary: "{snap}/bin/neutron-db-manage"
    config-files:
      - "{snap}/etc/neutron/neutron.conf"
      - "{snap}/etc/neutron/plugins/ml2/ml2_conf.ini"
    config-files-override:
      - "{snap_common}/etc/neutron/neutron.conf"
      - "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
  neutron-server:
    binary: "{snap}/bin/neutron-server"
    config-files:
      - "{snap}/etc/neutron/neutron.conf"
      - "{snap}/etc/neutron/plugins/ml2/ml2_conf.ini"
    config-files-override:
      - "{snap_common}/etc/neutron/neutron.conf"
      - "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
  neutron-ovs-cleanup:
    binary: "{snap}/bin/neutron-ovs-cleanup"
    config-files:
      - "{snap}/etc/neutron/neutron.conf"
    config-files-override:
      - "{snap_common}/etc/neutron/neutron.conf"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
  neutron-netns-cleanup:
    binary: "{snap}/bin/neutron-netns-cleanup"
    config-files:
      - "{snap}/etc/neutron/neutron.conf"
    config-files-override:
      - "{snap_common}/etc/neutron/neutron.conf"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
  neutron-ovn-metadata-agent:
    binary: "{snap}/bin/neutron-ovn-metadata-agent"
    config-files:
      - "{snap}/etc/neutron/neutron.conf"
      - "{snap}/etc/neutron/neutron_ovn_metadata_agent.ini"
    config-files-override:
      - "{snap_common}/etc/neutron/neutron.conf"
      - "{snap_common}/etc/neutron/neutron_ovn_metadata_agent.ini"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    templates:
      neutron_ovn_metadata_agent.ini.j2:
        "{snap_common}/etc/neutron/neutron_ovn_metadata_agent.ini"

  # --- Image (glance) ---
  glance-manage:
    binary: "{snap}/bin/glance-manage"
    config-files:
      - "{snap}/etc/glance/glance-manage.conf"
    config-files-override:
      - "{snap_common}/etc/glance/glance-manage.conf"
    config-dirs:
      - "{snap_common}/etc/glance/glance.conf.d"
  glance-api:
    binary: "{snap}/bin/glance-api"
    config-files:
      - "{snap}/etc/glance/glance-api.conf"
    config-files-override:
      - "{snap_common}/etc/glance/glance-api.conf"
    config-dirs:
      - "{snap_common}/etc/glance/glance.conf.d"

  # --- Placement ---
  placement-uwsgi:
    type: uwsgi
    uwsgi-dir: "{snap_common}/etc/placement/uwsgi/snap"
    uwsgi-dir-override: "{snap_common}/etc/placement/uwsgi"
    config-files:
      - "{snap}/etc/placement/placement.conf"
    config-files-override:
      - "{snap_common}/etc/placement/placement.conf"
    config-dirs:
      - "{snap_common}/etc/placement/placement.conf.d"
    templates:
      placement-api.ini.j2:
        "{snap_common}/etc/placement/uwsgi/snap/placement-api.ini"
  placement-manage:
    binary: "{snap}/bin/placement-manage"
    config-files:
      - "{snap}/etc/placement/placement.conf"
    config-files-override:
      - "{snap_common}/etc/placement/placement.conf"
    config-dirs:
      - "{snap_common}/etc/placement/placement.conf.d"

  # --- Block storage (cinder) ---
  cinder-backup:
    binary: "{snap}/bin/cinder-backup"
    config-files:
      - "{snap}/etc/cinder/cinder.conf"
    config-files-override:
      - "{snap_common}/etc/cinder/cinder.conf"
    config-dirs:
      - "{snap_common}/etc/cinder/cinder.conf.d"
  cinder-manage:
    binary: "{snap}/bin/cinder-manage"
    config-files:
      - "{snap}/etc/cinder/cinder.conf"
    config-files-override:
      - "{snap_common}/etc/cinder/cinder.conf"
    config-dirs:
      - "{snap_common}/etc/cinder/cinder.conf.d"
  cinder-scheduler:
    binary: "{snap}/bin/cinder-scheduler"
    config-files:
      - "{snap}/etc/cinder/cinder.conf"
    config-files-override:
      - "{snap_common}/etc/cinder/cinder.conf"
    config-dirs:
      - "{snap_common}/etc/cinder/cinder.conf.d"
  cinder-volume:
    binary: "{snap}/bin/cinder-volume"
    config-files:
      - "{snap}/etc/cinder/cinder.conf"
    config-files-override:
      - "{snap_common}/etc/cinder/cinder.conf"
    config-dirs:
      - "{snap_common}/etc/cinder/cinder.conf.d"
  cinder-uwsgi:
    type: uwsgi
    uwsgi-dir: "{snap_common}/etc/cinder/uwsgi/snap"
    uwsgi-dir-override: "{snap_common}/etc/cinder/uwsgi"
    config-files:
      - "{snap}/etc/cinder/cinder.conf"
    config-files-override:
      - "{snap_common}/etc/cinder/cinder.conf"
    config-dirs:
      - "{snap_common}/etc/cinder/cinder.conf.d"
    templates:
      cinder-api.ini.j2: "{snap_common}/etc/cinder/uwsgi/snap/cinder-api.ini"

  # --- Dashboard (horizon) ---
  horizon-uwsgi:
    type: uwsgi
    uwsgi-dir: "{snap_common}/etc/horizon/uwsgi/snap"
    uwsgi-dir-override: "{snap_common}/etc/horizon/uwsgi"
    config-dirs:
      - "{snap_common}/etc/horizon/horizon.conf.d"
    templates:
      horizon.ini.j2: "{snap_common}/etc/horizon/uwsgi/snap/horizon.ini"

  # --- Logging, monitoring and alerting agents ---
  filebeat:
    binary: "{snap}/bin/filebeat.sh"
    type: simple
    config-dirs:
      - "{snap_common}/lma/filebeat"
    templates:
      filebeat.yml.j2: "{snap_common}/etc/filebeat/filebeat.yml"
  nrpe:
    binary: "{snap}/bin/nrpe.sh"
    type: simple
    config-dirs:
      - "{snap_common}/lma/nrpe"
    templates:
      nrpe.conf.j2: "{snap_common}/etc/nrpe/nrpe.conf"
  telegraf:
    binary: "{snap}/bin/telegraf"
    type: simple
    config-dirs:
      - "{snap_common}/lma/telegraf"
    templates:
      telegraf.conf.j2: "{snap_common}/etc/telegraf/telegraf.conf"