Mohammed Naserf3f59a72023-01-15 21:02:04 -05001# Licensed under the Apache License, Version 2.0 (the "License");
2# you may not use this file except in compliance with the License.
3# You may obtain a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS,
9# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10# See the License for the specific language governing permissions and
11# limitations under the License.
12
13# Default values for neutron.
14# This is a YAML-formatted file.
15# Declare name/value pairs to be passed into your templates.
16# name: value
17
18---
19release_group: null
20
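# Container images used by the chart's jobs, agents and helpers, keyed by role.
# NOTE(review): every reference below is a mutable tag rather than a digest,
# so the content behind a tag can change without this file changing. With
# pull_policy "IfNotPresent" a node keeps whatever it pulled first, so two
# nodes may run different content for the same tag. Pinning by digest
# (repo@sha256:<digest>) makes the deployed content reproducible.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    # NOTE(review): `latest` is a floating tag; pin a release tag or digest.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    neutron_db_sync: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_policy_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_rpc_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_dhcp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l3: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l2gw: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    # NOTE(review): the two SR-IOV images are tagged stein-18.04 while every
    # other neutron image here is 2024.1-ubuntu_jammy. Confirm the older image
    # is intentional and still receives security updates.
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    # NOTE(review): judging by the tag this is a far older release line than
    # the other images; confirm the image_repo_sync job still needs it.
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  # Local registry mirroring is off by default; the two roles listed under
  # `exclude` are named as exceptions to it.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync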
58
59labels:
60 agent:
61 dhcp:
62 node_selector_key: openstack-control-plane
63 node_selector_value: enabled
64 l3:
65 node_selector_key: openstack-control-plane
66 node_selector_value: enabled
67 metadata:
68 node_selector_key: openstack-control-plane
69 node_selector_value: enabled
70 l2gw:
71 node_selector_key: openstack-control-plane
72 node_selector_value: enabled
73 job:
74 node_selector_key: openstack-control-plane
75 node_selector_value: enabled
76 lb:
77 node_selector_key: linuxbridge
78 node_selector_value: enabled
79 # openvswitch is a special case, requiring a special
80 # label that can apply to both control hosts
81 # and compute hosts, until we get more sophisticated
82 # with our daemonset scheduling
83 ovs:
84 node_selector_key: openvswitch
85 node_selector_value: enabled
86 sriov:
87 node_selector_key: sriov
88 node_selector_value: enabled
89 bagpipe_bgp:
90 node_selector_key: openstack-compute-node
91 node_selector_value: enabled
Rico Lincf86b122023-11-02 01:29:14 +080092 bgp_dragent:
93 node_selector_key: openstack-compute-node
94 node_selector_value: enabled
Mohammed Naserf3f59a72023-01-15 21:02:04 -050095 server:
96 node_selector_key: openstack-control-plane
97 node_selector_value: enabled
Oleksandr K.10a2db72025-01-07 23:11:24 -080098 rpc_server:
99 node_selector_key: openstack-control-plane
100 node_selector_value: enabled
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500101 ironic_agent:
102 node_selector_key: openstack-control-plane
103 node_selector_value: enabled
104 netns_cleanup_cron:
105 node_selector_key: openstack-control-plane
106 node_selector_value: enabled
107 test:
108 node_selector_key: openstack-control-plane
109 node_selector_value: enabled
110
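# Network wiring for the agents and exposure settings for the API server.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # NOTE(review): with this enabled the agent pods are not network-isolated
  # from the node, so treat the nodes that run them as one trust boundary
  # with the agents themselves.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # NOTE(review): "0/0" matches every route, so the fallback presumably
    # picks the default-route interface. Set `tunnel` or a specific CIDR so
    # tunnel traffic lands on the intended network; confirm against the
    # agent init script, which is not shown here.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): `public: true` presumably publishes the API through the
      # ingress classes below; confirm the public endpoint is TLS-terminated
      # and restricted to the intended networks.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    # NodePort exposure is disabled by default; the port applies only when
    # `enabled` is set to true.
    node_port:
      enabled: false
      port: 30096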
150
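# Optional bootstrap job: disabled by default. When enabled it runs `script`
# using the `ks_user` credentials named here.
# NOTE(review): `openstack token issue` writes the issued token to stdout.
# If the job's output is collected by cluster logging, a bearer token ends up
# in the logs until it expires; consider discarding the output or replacing
# the command before enabling this job.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue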
156
157dependencies:
158 dynamic:
159 common:
160 local_image_registry:
161 jobs:
162 - neutron-image-repo-sync
163 services:
164 - endpoint: node
165 service: local_image_registry
166 targeted:
167 sriov: {}
168 l2gateway: {}
169 bagpipe_bgp: {}
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000170 ovn:
171 server:
172 pod: null
Rico Lincf86b122023-11-02 01:29:14 +0800173 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500174 openvswitch:
175 dhcp:
176 pod:
177 - requireSameNode: true
178 labels:
179 application: neutron
180 component: neutron-ovs-agent
181 l3:
182 pod:
183 - requireSameNode: true
184 labels:
185 application: neutron
186 component: neutron-ovs-agent
187 metadata:
188 pod:
189 - requireSameNode: true
190 labels:
191 application: neutron
192 component: neutron-ovs-agent
193 linuxbridge:
194 dhcp:
195 pod:
196 - requireSameNode: true
197 labels:
198 application: neutron
199 component: neutron-lb-agent
200 l3:
201 pod:
202 - requireSameNode: true
203 labels:
204 application: neutron
205 component: neutron-lb-agent
206 metadata:
207 pod:
208 - requireSameNode: true
209 labels:
210 application: neutron
211 component: neutron-lb-agent
212 lb_agent:
213 pod: null
214 static:
215 bootstrap:
216 services:
217 - endpoint: internal
218 service: network
219 - endpoint: internal
220 service: compute
221 db_drop:
222 services:
223 - endpoint: internal
224 service: oslo_db
225 db_init:
226 services:
227 - endpoint: internal
228 service: oslo_db
229 db_sync:
230 jobs:
231 - neutron-db-init
232 services:
233 - endpoint: internal
234 service: oslo_db
235 dhcp:
236 pod: null
237 jobs:
238 - neutron-rabbit-init
239 services:
240 - endpoint: internal
241 service: oslo_messaging
242 - endpoint: internal
243 service: network
244 - endpoint: internal
245 service: compute
246 ks_endpoints:
247 jobs:
248 - neutron-ks-service
249 services:
250 - endpoint: internal
251 service: identity
252 ks_service:
253 services:
254 - endpoint: internal
255 service: identity
256 ks_user:
257 services:
258 - endpoint: internal
259 service: identity
260 rabbit_init:
261 services:
262 - service: oslo_messaging
263 endpoint: internal
264 l3:
265 pod: null
266 jobs:
267 - neutron-rabbit-init
268 services:
269 - endpoint: internal
270 service: oslo_messaging
271 - endpoint: internal
272 service: network
273 - endpoint: internal
274 service: compute
275 lb_agent:
276 pod: null
277 jobs:
278 - neutron-rabbit-init
279 services:
280 - endpoint: internal
281 service: oslo_messaging
282 - endpoint: internal
283 service: network
284 metadata:
285 pod: null
286 jobs:
287 - neutron-rabbit-init
288 services:
289 - endpoint: internal
290 service: oslo_messaging
291 - endpoint: internal
292 service: network
293 - endpoint: internal
294 service: compute
295 - endpoint: public
296 service: compute_metadata
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200297 ovn_metadata:
Mohammed Naser593ec012023-07-23 09:20:05 +0000298 pod:
299 - requireSameNode: true
300 labels:
301 application: ovn
302 component: ovn-controller
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200303 services:
304 - endpoint: internal
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200305 service: compute_metadata
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000306 - endpoint: internal
307 service: network
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500308 ovs_agent:
309 jobs:
310 - neutron-rabbit-init
311 pod:
312 - requireSameNode: true
313 labels:
314 application: openvswitch
315 component: server
316 services:
317 - endpoint: internal
318 service: oslo_messaging
319 - endpoint: internal
320 service: network
321 server:
322 jobs:
323 - neutron-db-sync
324 - neutron-ks-user
325 - neutron-ks-endpoints
326 - neutron-rabbit-init
327 services:
328 - endpoint: internal
329 service: oslo_db
330 - endpoint: internal
331 service: oslo_messaging
332 - endpoint: internal
333 service: oslo_cache
334 - endpoint: internal
335 service: identity
Oleksandr K.10a2db72025-01-07 23:11:24 -0800336 rpc_server:
337 jobs:
338 - neutron-db-sync
339 - neutron-rabbit-init
340 services:
341 - endpoint: internal
342 service: oslo_db
343 - endpoint: internal
344 service: oslo_messaging
345 - endpoint: internal
346 service: oslo_cache
347 - endpoint: internal
348 service: identity
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500349 ironic_agent:
350 jobs:
351 - neutron-db-sync
352 - neutron-ks-user
353 - neutron-ks-endpoints
354 - neutron-rabbit-init
355 services:
356 - endpoint: internal
357 service: oslo_db
358 - endpoint: internal
359 service: oslo_messaging
360 - endpoint: internal
361 service: oslo_cache
362 - endpoint: internal
363 service: identity
364 tests:
365 services:
366 - endpoint: internal
367 service: network
368 - endpoint: internal
369 service: compute
370 image_repo_sync:
371 services:
372 - endpoint: internal
373 service: local_image_registry
374
375pod:
Mohammed Nasere40c3e82024-07-04 02:52:34 -0400376 sidecars:
377 neutron_policy_server: false
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500378 use_fqdn:
379 neutron_agent: true
380 probes:
381 rpc_timeout: 60
382 rpc_retries: 2
383 dhcp_agent:
384 dhcp_agent:
385 readiness:
386 enabled: true
387 params:
388 initialDelaySeconds: 30
389 periodSeconds: 190
390 timeoutSeconds: 185
391 liveness:
392 enabled: true
393 params:
394 initialDelaySeconds: 120
395 periodSeconds: 600
396 timeoutSeconds: 580
397 l3_agent:
398 l3_agent:
399 readiness:
400 enabled: true
401 params:
402 initialDelaySeconds: 30
403 periodSeconds: 190
404 timeoutSeconds: 185
405 liveness:
406 enabled: true
407 params:
408 initialDelaySeconds: 120
409 periodSeconds: 600
410 timeoutSeconds: 580
411 lb_agent:
412 lb_agent:
413 readiness:
414 enabled: true
415 metadata_agent:
416 metadata_agent:
417 readiness:
418 enabled: true
419 params:
420 initialDelaySeconds: 30
421 periodSeconds: 190
422 timeoutSeconds: 185
423 liveness:
424 enabled: true
425 params:
426 initialDelaySeconds: 120
427 periodSeconds: 600
428 timeoutSeconds: 580
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200429 ovn_metadata_agent:
430 ovn_metadata_agent:
431 readiness:
432 enabled: true
433 params:
434 initialDelaySeconds: 30
435 periodSeconds: 190
436 timeoutSeconds: 185
437 liveness:
438 enabled: true
439 params:
440 initialDelaySeconds: 120
441 periodSeconds: 600
442 timeoutSeconds: 580
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500443 ovs_agent:
444 ovs_agent:
445 readiness:
446 enabled: true
447 params:
okozachenko120317930d42023-09-06 00:24:05 +1000448 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500449 liveness:
450 enabled: true
451 params:
452 initialDelaySeconds: 120
453 periodSeconds: 600
454 timeoutSeconds: 580
455 sriov_agent:
456 sriov_agent:
457 readiness:
458 enabled: true
459 params:
460 initialDelaySeconds: 30
461 periodSeconds: 190
462 timeoutSeconds: 185
463 bagpipe_bgp:
464 bagpipe_bgp:
465 readiness:
466 enabled: true
467 params:
468 liveness:
469 enabled: true
470 params:
471 initialDelaySeconds: 60
Rico Lincf86b122023-11-02 01:29:14 +0800472 bgp_dragent:
473 bgp_dragent:
474 readiness:
475 enabled: false
476 params:
477 liveness:
478 enabled: true
479 params:
480 initialDelaySeconds: 60
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500481 l2gw_agent:
482 l2gw_agent:
483 readiness:
484 enabled: true
485 params:
486 initialDelaySeconds: 30
487 periodSeconds: 15
488 timeoutSeconds: 65
489 liveness:
490 enabled: true
491 params:
492 initialDelaySeconds: 120
493 periodSeconds: 90
494 timeoutSeconds: 70
495 server:
496 server:
497 readiness:
498 enabled: true
499 params:
okozachenko120317930d42023-09-06 00:24:05 +1000500 periodSeconds: 15
501 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500502 liveness:
503 enabled: true
504 params:
505 initialDelaySeconds: 60
okozachenko120317930d42023-09-06 00:24:05 +1000506 periodSeconds: 15
507 timeoutSeconds: 10
Oleksandr K.10a2db72025-01-07 23:11:24 -0800508 rpc_server:
509 rpc_server:
510 readiness:
511 enabled: true
512 params:
513 periodSeconds: 15
514 timeoutSeconds: 10
515 liveness:
516 enabled: true
517 params:
518 initialDelaySeconds: 60
519 periodSeconds: 15
520 timeoutSeconds: 10
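# pod.security_context (nested one level under the top-level `pod:` key).
# For each workload, `pod` holds the pod-level context and `container` holds
# per-container settings; presumably the chart templates render these into
# Kubernetes securityContext fields.
#
# NOTE(review): most agent containers below set `privileged: true`. A
# privileged container holds every capability and can reach host devices, so
# the non-root runAsUser and readOnlyRootFilesystem on the same entry are
# hardening, not a containment boundary. Treat a compromise of any of these
# agents as a compromise of the node. Pods with privileged containers do not
# meet the Kubernetes `baseline` or `restricted` Pod Security Standards, so
# the namespace has to be admitted at the `privileged` level. Where an agent
# allows it, an explicit `capabilities.add` list (as the *_kernel_modules
# containers use) is the narrower grant; verify per agent.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with two added capabilities instead of full privilege.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with two added capabilities instead of full privilege.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): unlike its siblings, nginx runs as UID 0 with a
        # writable root filesystem and no allowPrivilegeEscalation: false.
        # Confirm each of the three is actually required.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        neutron_policy_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_rpc_server:
      pod:
        runAsUser: 42424
      container:
        neutron_rpc_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): privileged, root and a writable root filesystem
        # together; the other init containers keep the filesystem read-only.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true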
656 affinity:
657 anti:
658 type:
659 default: preferredDuringSchedulingIgnoredDuringExecution
660 topologyKey:
661 default: kubernetes.io/hostname
662 weight:
663 default: 10
664 tolerations:
665 neutron:
666 enabled: false
667 tolerations:
668 - key: node-role.kubernetes.io/master
669 operator: Exists
670 effect: NoSchedule
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200671 - key: node-role.kubernetes.io/control-plane
672 operator: Exists
673 effect: NoSchedule
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500674 mounts:
675 neutron_server:
676 init_container: null
677 neutron_server:
678 volumeMounts:
679 volumes:
Oleksandr K.10a2db72025-01-07 23:11:24 -0800680 neutron_rpc_server:
681 init_container: null
682 neutron_rpc_server:
683 volumeMounts:
684 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500685 neutron_dhcp_agent:
686 init_container: null
687 neutron_dhcp_agent:
688 volumeMounts:
689 volumes:
690 neutron_l3_agent:
691 init_container: null
692 neutron_l3_agent:
693 volumeMounts:
694 volumes:
695 neutron_lb_agent:
696 init_container: null
697 neutron_lb_agent:
698 volumeMounts:
699 volumes:
700 neutron_metadata_agent:
701 init_container: null
702 neutron_metadata_agent:
703 volumeMounts:
704 volumes:
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200705 neutron_ovn_metadata_agent:
706 init_container: null
707 neutron_ovn_metadata_agent:
708 volumeMounts:
709 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500710 neutron_ovs_agent:
711 init_container: null
712 neutron_ovs_agent:
713 volumeMounts:
714 volumes:
715 neutron_sriov_agent:
716 init_container: null
717 neutron_sriov_agent:
718 volumeMounts:
719 volumes:
720 neutron_l2gw_agent:
721 init_container: null
722 neutron_l2gw_agent:
723 volumeMounts:
724 volumes:
725 bagpipe_bgp:
726 init_container: null
727 bagpipe_bgp:
728 volumeMounts:
729 volumes:
Rico Lincf86b122023-11-02 01:29:14 +0800730 bgp_dragent:
731 init_container: null
732 bgp_dragent:
733 volumeMounts:
734 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500735 neutron_ironic_agent:
736 init_container: null
737 neutron_ironic_agent:
738 volumeMounts:
739 volumes:
740 neutron_netns_cleanup_cron:
741 init_container: null
742 neutron_netns_cleanup_cron:
743 volumeMounts:
744 volumes:
745 neutron_tests:
746 init_container: null
747 neutron_tests:
748 volumeMounts:
749 volumes:
750 neutron_bootstrap:
751 init_container: null
752 neutron_bootstrap:
753 volumeMounts:
754 volumes:
755 neutron_db_sync:
756 neutron_db_sync:
757 volumeMounts:
758 - name: db-sync-conf
759 mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
760 subPath: ml2_conf.ini
761 readOnly: true
762 volumes:
763 replicas:
764 server: 1
Oleksandr K.10a2db72025-01-07 23:11:24 -0800765 rpc_server: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500766 ironic_agent: 1
767 lifecycle:
768 upgrades:
769 deployments:
770 revision_history: 3
771 pod_replacement_strategy: RollingUpdate
772 rolling_update:
773 max_unavailable: 1
774 max_surge: 3
775 daemonsets:
776 pod_replacement_strategy: RollingUpdate
777 dhcp_agent:
778 enabled: true
779 min_ready_seconds: 0
780 max_unavailable: 1
781 l3_agent:
782 enabled: true
783 min_ready_seconds: 0
784 max_unavailable: 1
785 lb_agent:
786 enabled: true
787 min_ready_seconds: 0
788 max_unavailable: 1
789 metadata_agent:
790 enabled: true
791 min_ready_seconds: 0
792 max_unavailable: 1
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200793 ovn_metadata_agent:
794 enabled: true
795 min_ready_seconds: 0
796 max_unavailable: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500797 ovs_agent:
798 enabled: true
799 min_ready_seconds: 0
800 max_unavailable: 1
801 sriov_agent:
802 enabled: true
803 min_ready_seconds: 0
804 max_unavailable: 1
805 netns_cleanup_cron:
806 enabled: true
807 min_ready_seconds: 0
808 max_unavailable: 1
809 disruption_budget:
810 server:
811 min_available: 0
812 termination_grace_period:
813 server:
814 timeout: 30
Oleksandr K.10a2db72025-01-07 23:11:24 -0800815 rpc_server:
816 timeout: 30
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500817 ironic_agent:
818 timeout: 30
819 resources:
820 enabled: false
821 agent:
822 dhcp:
823 requests:
824 memory: "128Mi"
825 cpu: "100m"
826 limits:
827 memory: "1024Mi"
828 cpu: "2000m"
829 l3:
830 requests:
831 memory: "128Mi"
832 cpu: "100m"
833 limits:
834 memory: "1024Mi"
835 cpu: "2000m"
836 lb:
837 requests:
838 memory: "128Mi"
839 cpu: "100m"
840 limits:
841 memory: "1024Mi"
842 cpu: "2000m"
843 metadata:
844 requests:
845 memory: "128Mi"
846 cpu: "100m"
847 limits:
848 memory: "1024Mi"
849 cpu: "2000m"
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200850 ovn_metadata:
851 requests:
852 memory: "128Mi"
853 cpu: "100m"
854 limits:
855 memory: "1024Mi"
856 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500857 ovs:
858 requests:
859 memory: "128Mi"
860 cpu: "100m"
861 limits:
862 memory: "1024Mi"
863 cpu: "2000m"
864 sriov:
865 requests:
866 memory: "128Mi"
867 cpu: "100m"
868 limits:
869 memory: "1024Mi"
870 cpu: "2000m"
871 l2gw:
872 requests:
873 memory: "128Mi"
874 cpu: "100m"
875 limits:
876 memory: "1024Mi"
877 cpu: "2000m"
878 bagpipe_bgp:
879 requests:
880 memory: "128Mi"
881 cpu: "100m"
882 limits:
883 memory: "1024Mi"
884 cpu: "2000m"
Rico Lincf86b122023-11-02 01:29:14 +0800885 bgp_dragent:
886 requests:
887 memory: "128Mi"
888 cpu: "100m"
889 limits:
890 memory: "1024Mi"
891 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500892 server:
893 requests:
894 memory: "128Mi"
895 cpu: "100m"
896 limits:
897 memory: "1024Mi"
898 cpu: "2000m"
Mohammed Nasere40c3e82024-07-04 02:52:34 -0400899 neutron_policy_server:
900 requests:
901 memory: "128Mi"
902 cpu: "100m"
903 limits:
904 memory: "256Mi"
905 cpu: "500m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500906 ironic_agent:
907 requests:
908 memory: "128Mi"
909 cpu: "100m"
910 limits:
911 memory: "1024Mi"
912 cpu: "2000m"
913 netns_cleanup_cron:
914 requests:
915 memory: "128Mi"
916 cpu: "100m"
917 limits:
918 memory: "1024Mi"
919 cpu: "2000m"
920 jobs:
921 bootstrap:
922 requests:
923 memory: "128Mi"
924 cpu: "100m"
925 limits:
926 memory: "1024Mi"
927 cpu: "2000m"
928 db_init:
929 requests:
930 memory: "128Mi"
931 cpu: "100m"
932 limits:
933 memory: "1024Mi"
934 cpu: "2000m"
935 rabbit_init:
936 requests:
937 memory: "128Mi"
938 cpu: "100m"
939 limits:
940 memory: "1024Mi"
941 cpu: "2000m"
942 db_sync:
943 requests:
944 memory: "128Mi"
945 cpu: "100m"
946 limits:
947 memory: "1024Mi"
948 cpu: "2000m"
949 db_drop:
950 requests:
951 memory: "128Mi"
952 cpu: "100m"
953 limits:
954 memory: "1024Mi"
955 cpu: "2000m"
956 ks_endpoints:
957 requests:
958 memory: "128Mi"
959 cpu: "100m"
960 limits:
961 memory: "1024Mi"
962 cpu: "2000m"
963 ks_service:
964 requests:
965 memory: "128Mi"
966 cpu: "100m"
967 limits:
968 memory: "1024Mi"
969 cpu: "2000m"
970 ks_user:
971 requests:
972 memory: "128Mi"
973 cpu: "100m"
974 limits:
975 memory: "1024Mi"
976 cpu: "2000m"
977 tests:
978 requests:
979 memory: "128Mi"
980 cpu: "100m"
981 limits:
982 memory: "1024Mi"
983 cpu: "2000m"
984 image_repo_sync:
985 requests:
986 memory: "128Mi"
987 cpu: "100m"
988 limits:
989 memory: "1024Mi"
990 cpu: "2000m"
991
992conf:
993 rally_tests:
994 force_project_purge: false
995 run_tempest: false
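# conf.rally_tests.clean_up (nested under `conf:` -> `rally_tests:`).
# Best-effort shell snippet that removes routers and networks whose names
# match PATTERN, together with their subnets' router interfaces and ports.
# NOTE(review): selection is by name only, so any router or network whose
# name matches the pattern is removed, not just the ones a test run created.
# Names are also iterated by word-splitting, so a name containing whitespace
# is split into several arguments; listing and deleting by ID would avoid
# both. Variable expansions are quoted so that a pattern or resource name
# containing glob characters is passed through literally instead of being
# expanded by the shell.
    clean_up: |
      # NOTE: We will make the best effort to clean up rally generated networks and routers,
      # but should not block further automated deployment.
      set +e
      PATTERN="^[sc]_rally_"

      ROUTERS=$(openstack router list --format=value -c Name | grep -e "$PATTERN" | sort | tr -d '\r')
      NETWORKS=$(openstack network list --format=value -c Name | grep -e "$PATTERN" | sort | tr -d '\r')

      for ROUTER in $ROUTERS
      do
        openstack router unset --external-gateway "$ROUTER"
        openstack router set --disable --no-ha "$ROUTER"

        SUBNS=$(openstack router show "$ROUTER" -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
        for SUBN in $SUBNS
        do
          openstack router remove subnet "$ROUTER" "$SUBN"
        done

        for PORT in $(openstack port list --router "$ROUTER" --format=value -c ID | tr -d '\r')
        do
          openstack router remove port "$ROUTER" "$PORT"
        done

        openstack router delete "$ROUTER"
      done

      for NETWORK in $NETWORKS
      do
        for PORT in $(openstack port list --network "$NETWORK" --format=value -c ID | tr -d '\r')
        do
          openstack port delete "$PORT"
        done
        openstack network delete "$NETWORK"
      done
      set -e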
1033 tests:
1034 NeutronNetworks.create_and_delete_networks:
1035 - args:
1036 network_create_args: {}
1037 context:
1038 quotas:
1039 neutron:
1040 network: -1
1041 runner:
1042 concurrency: 1
1043 times: 1
1044 type: constant
1045 sla:
1046 failure_rate:
1047 max: 0
1048 NeutronNetworks.create_and_delete_ports:
1049 - args:
1050 network_create_args: {}
1051 port_create_args: {}
1052 ports_per_network: 10
1053 context:
1054 network: {}
1055 quotas:
1056 neutron:
1057 network: -1
1058 port: -1
1059 runner:
1060 concurrency: 1
1061 times: 1
1062 type: constant
1063 sla:
1064 failure_rate:
1065 max: 0
1066 NeutronNetworks.create_and_delete_routers:
1067 - args:
1068 network_create_args: {}
1069 router_create_args: {}
1070 subnet_cidr_start: 1.1.0.0/30
1071 subnet_create_args: {}
1072 subnets_per_network: 2
1073 context:
1074 network: {}
1075 quotas:
1076 neutron:
1077 network: -1
1078 router: -1
1079 subnet: -1
1080 runner:
1081 concurrency: 1
1082 times: 1
1083 type: constant
1084 sla:
1085 failure_rate:
1086 max: 0
1087 NeutronNetworks.create_and_delete_subnets:
1088 - args:
1089 network_create_args: {}
1090 subnet_cidr_start: 1.1.0.0/30
1091 subnet_create_args: {}
1092 subnets_per_network: 2
1093 context:
1094 network: {}
1095 quotas:
1096 neutron:
1097 network: -1
1098 subnet: -1
1099 runner:
1100 concurrency: 1
1101 times: 1
1102 type: constant
1103 sla:
1104 failure_rate:
1105 max: 0
1106 NeutronNetworks.create_and_list_routers:
1107 - args:
1108 network_create_args: {}
1109 router_create_args: {}
1110 subnet_cidr_start: 1.1.0.0/30
1111 subnet_create_args: {}
1112 subnets_per_network: 2
1113 context:
1114 network: {}
1115 quotas:
1116 neutron:
1117 network: -1
1118 router: -1
1119 subnet: -1
1120 runner:
1121 concurrency: 1
1122 times: 1
1123 type: constant
1124 sla:
1125 failure_rate:
1126 max: 0
1127 NeutronNetworks.create_and_list_subnets:
1128 - args:
1129 network_create_args: {}
1130 subnet_cidr_start: 1.1.0.0/30
1131 subnet_create_args: {}
1132 subnets_per_network: 2
1133 context:
1134 network: {}
1135 quotas:
1136 neutron:
1137 network: -1
1138 subnet: -1
1139 runner:
1140 concurrency: 1
1141 times: 1
1142 type: constant
1143 sla:
1144 failure_rate:
1145 max: 0
1146 NeutronNetworks.create_and_show_network:
1147 - args:
1148 network_create_args: {}
1149 context:
1150 quotas:
1151 neutron:
1152 network: -1
1153 runner:
1154 concurrency: 1
1155 times: 1
1156 type: constant
1157 sla:
1158 failure_rate:
1159 max: 0
1160 NeutronNetworks.create_and_update_networks:
1161 - args:
1162 network_create_args: {}
1163 network_update_args:
1164 admin_state_up: false
1165 context:
1166 quotas:
1167 neutron:
1168 network: -1
1169 runner:
1170 concurrency: 1
1171 times: 1
1172 type: constant
1173 sla:
1174 failure_rate:
1175 max: 0
1176 NeutronNetworks.create_and_update_ports:
1177 - args:
1178 network_create_args: {}
1179 port_create_args: {}
1180 port_update_args:
1181 admin_state_up: false
1182 device_id: dummy_id
1183 device_owner: dummy_owner
1184 ports_per_network: 5
1185 context:
1186 network: {}
1187 quotas:
1188 neutron:
1189 network: -1
1190 port: -1
1191 runner:
1192 concurrency: 1
1193 times: 1
1194 type: constant
1195 sla:
1196 failure_rate:
1197 max: 0
1198 NeutronNetworks.create_and_update_routers:
1199 - args:
1200 network_create_args: {}
1201 router_create_args: {}
1202 router_update_args:
1203 admin_state_up: false
1204 subnet_cidr_start: 1.1.0.0/30
1205 subnet_create_args: {}
1206 subnets_per_network: 2
1207 context:
1208 network: {}
1209 quotas:
1210 neutron:
1211 network: -1
1212 router: -1
1213 subnet: -1
1214 runner:
1215 concurrency: 1
1216 times: 1
1217 type: constant
1218 sla:
1219 failure_rate:
1220 max: 0
1221 NeutronNetworks.create_and_update_subnets:
1222 - args:
1223 network_create_args: {}
1224 subnet_cidr_start: 1.4.0.0/16
1225 subnet_create_args: {}
1226 subnet_update_args:
1227 enable_dhcp: false
1228 subnets_per_network: 2
1229 context:
1230 network: {}
1231 quotas:
1232 neutron:
1233 network: -1
1234 subnet: -1
1235 runner:
1236 concurrency: 1
1237 times: 1
1238 type: constant
1239 sla:
1240 failure_rate:
1241 max: 0
1242 NeutronNetworks.list_agents:
1243 - args:
1244 agent_args: {}
1245 runner:
1246 concurrency: 1
1247 times: 1
1248 type: constant
1249 sla:
1250 failure_rate:
1251 max: 0
1252 NeutronSecurityGroup.create_and_list_security_groups:
1253 - args:
1254 security_group_create_args: {}
1255 context:
1256 quotas:
1257 neutron:
1258 security_group: -1
1259 runner:
1260 concurrency: 1
1261 times: 1
1262 type: constant
1263 sla:
1264 failure_rate:
1265 max: 0
1266 NeutronSecurityGroup.create_and_update_security_groups:
1267 - args:
1268 security_group_create_args: {}
1269 security_group_update_args: {}
1270 context:
1271 quotas:
1272 neutron:
1273 security_group: -1
1274 runner:
1275 concurrency: 1
1276 times: 1
1277 type: constant
1278 sla:
1279 failure_rate:
1280 max: 0
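# conf.paste (nested one level under the top-level `conf:` key).
# PasteDeploy layout for the Neutron API: a urlmap sends "/" to the version
# listing and "/v2.0" to the API, and each of those is built by
# neutron.auth:pipeline_factory from the `noauth` or `keystone` filter list.
#
# NOTE(review): only the `keystone` list for neutronapi_v2_0 contains
# authtoken, audit and keystonecontext; the `noauth` list has no
# authentication filter at all. Which list is used is decided outside this
# block (in Neutron the `auth_strategy` option); confirm it stays on
# keystone in every deployed configuration.
# NOTE(review): neither list for neutronversions_composite contains
# authtoken, so the version listing at "/" is served unauthenticated.
# NOTE(review): http_proxy_to_wsgi acts on forwarded-for/proto headers.
# Those are only trustworthy when every request arrives through a proxy that
# overwrites them; confirm nothing reaches the API while bypassing it.
  paste:
    composite:neutron:
      use: egg:Paste#urlmap
      /: neutronversions_composite
      /v2.0: neutronapi_v2_0
    composite:neutronapi_v2_0:
      use: call:neutron.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
    composite:neutronversions_composite:
      use: call:neutron.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi neutronversions
      keystone: cors http_proxy_to_wsgi neutronversions
    filter:request_id:
      paste.filter_factory: oslo_middleware:RequestId.factory
    filter:catch_errors:
      paste.filter_factory: oslo_middleware:CatchErrors.factory
    filter:cors:
      paste.filter_factory: oslo_middleware.cors:filter_factory
      oslo_config_project: neutron
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
    filter:keystonecontext:
      paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
    filter:audit:
      paste.filter_factory: keystonemiddleware.audit:filter_factory
      audit_map_file: /etc/neutron/api_audit_map.conf
    filter:extensions:
      paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
    app:neutronversions:
      paste.app_factory: neutron.pecan_wsgi.app:versions_factory
    app:neutronapiapp_v2_0:
      paste.app_factory: neutron.api.v2.router:APIRouter.factory
    # Defined but not referenced by any pipeline in this block.
    filter:osprofiler:
      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory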
# uWSGI options for the neutron-api process.
neutron_api_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    # Upper bound, in bytes, on the size of a request's headers.
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # The request log records the address taken from X-Forwarded-For. That is
    # only trustworthy when the fronting proxy overwrites the header.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-api:"
    # Requests whose User-Agent starts with "kube-probe" are left out of the
    # request log. The match is on a client-supplied header, so keep an access
    # log at the ingress/proxy if complete request records are required.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-api
# uWSGI options for the neutron-policy-server process; same settings as
# neutron_api_uwsgi apart from the process name prefix and the WSGI file.
neutron_policy_server_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    # Upper bound, in bytes, on the size of a request's headers.
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # The request log records the address taken from X-Forwarded-For. That is
    # only trustworthy when the fronting proxy overwrites the header.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-policy-server:"
    # Requests whose User-Agent starts with "kube-probe" are left out of the
    # request log. The match is on a client-supplied header, so keep an access
    # log at the ingress/proxy if complete request records are required.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-policy-server-wsgi
# Empty mapping: no policy rules are overridden here.
# NOTE(review): presumably rendered to the policy_file named under
# oslo_policy (/etc/neutron/policy.yaml); review any override added here as an
# authorization change.
policy: {}
# Map for the keystonemiddleware audit filter (the paste section points it at
# /etc/neutron/api_audit_map.conf): how request paths and custom actions are
# named in audit records.
api_audit_map:
  DEFAULT:
    # YAML reads the bare word None as the string "None", not as null.
    target_endpoint_type: None
  custom_actions:
    add_router_interface: update/add
    remove_router_interface: update/remove
  path_keywords:
    floatingips: ip
    healthmonitors: healthmonitor
    health_monitors: health_monitor
    # Also the string "None", as above.
    lb: None
    members: member
    metering-labels: label
    metering-label-rules: rule
    networks: network
    pools: pool
    ports: port
    routers: router
    quotas: quota
    security-groups: security-group
    security-group-rules: rule
    subnets: subnet
    vips: vip
  service_endpoints:
    network: service/network
# sudoers fragment for the neutron user. NOPASSWD together with the trailing
# `*` lets that user run neutron-rootwrap as root with any arguments, so the
# rootwrap filter files are the effective allow-list for root commands.
# Both the Kolla and the LOCI install paths are allowed; whichever one is
# absent from the image must not be creatable by a non-root user, and every
# secure_path directory must be writable by root only.
neutron_sudoers: |
  # This sudoers file supports rootwrap for both Kolla and LOCI Images.
  Defaults !requiretty
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
# Body of rootwrap.conf, the file named on the sudoers command lines.
# filters_path and exec_dirs are the trust anchors: a listed directory that a
# non-root user can write to lets that user add a filter or shadow an allowed
# executable. Check ownership and mode of every path in the running image.
# use_syslog=False: rootwrap invocations are not sent to syslog. If it is
# switched on, syslog_log_level=ERROR records rejected commands only; INFO is
# needed to record every command run as root.
rootwrap: |
  # Configuration for neutron-rootwrap
  # This file should be owned by (and only-writeable by) the root user

  [DEFAULT]
  # List of directories to load filter definitions from (separated by ',').
  # These directories MUST all be only writeable by root !
  filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d

  # List of directories to search executables in, in case filters do not
  # explicitely specify a full path (separated by ',')
  # If not specified, defaults to system PATH environment variable.
  # These directories MUST all be only writeable by root !
  exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

  # Enable logging to syslog
  # Default value is False
  use_syslog=False

  # Which syslog facility to use.
  # Valid values include auth, authpriv, syslog, local0, local1...
  # Default value is 'syslog'
  syslog_log_facility=syslog

  # Which messages to log.
  # INFO means log all usage
  # ERROR means only log unsuccessful attempts
  syslog_log_level=ERROR

  [xenapi]
  # XenAPI configuration is only required by the L2 agent if it is to
  # target a XenServer/XCP compute host's dom0.
  xenapi_connection_url=<None>
  xenapi_connection_username=root
  xenapi_connection_password=<None>
# rootwrap filter files, one per key. `content` is the file body and `pods`
# names the pods that get it (NOTE(review): presumably the chart mounts each
# file only into the listed pods; confirm in the templates).
#
# Reading the filters (oslo.rootwrap semantics):
#   CommandFilter     - matches on the executable name only; arguments are
#                       not constrained.
#   RegExpFilter      - every argument must match its regular expression.
#   KillFilter        - kill(1) limited to the listed signals and to
#                       processes running the named executable.
#   IpFilter          - `ip`, excluding `ip netns exec`.
#   IpNetnsExecFilter - `ip netns exec`, where the inner command must itself
#                       pass another filter.
#   PathFilter        - path arguments must sit under the given directories.
#
# Most pod lists below are identical, so each listed pod receives the union
# of these files rather than only what its own agent needs. Trimming the
# lists per agent is the least-privilege improvement to consider.
rootwrap_filters:
  debug:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # This is needed because we should ping
      # from inside a namespace which requires root
      # _alt variants allow to match -c and -w in any order
      # (used by NeutronDebugAgent.ping_all)
      ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
      ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
      ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
      ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
  dibbler:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # Filters for the dibbler-based reference implementation of the pluggable
      # Prefix Delegation driver. Other implementations using an alternative agent
      # should include a similar filter in this folder.

      # prefix_delegation_agent
      dibbler-client: CommandFilter, dibbler-client, root
  ipset_firewall:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]
      # neutron/agent/linux/iptables_firewall.py
      # "ipset", "-A", ...
      ipset: CommandFilter, ipset, root
  # Broadest of the neutron filter files: sysctl, route, iptables-restore,
  # ovs-vsctl and others are CommandFilters, and `haproxy -f .*` accepts any
  # configuration path. The kill_* entries keyed on interpreter names apply to
  # any process running that interpreter, as the TODO in the file notes, and
  # the versioned names stop at python3.7; check them against the interpreter
  # shipped in the deployed image.
  l3:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # arping
      arping: CommandFilter, arping, root

      # l3_agent
      sysctl: CommandFilter, sysctl, root
      route: CommandFilter, route, root
      radvd: CommandFilter, radvd, root

      # haproxy
      haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
      kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP

      # metadata proxy
      metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
      # RHEL invocation of the metadata proxy will report /usr/bin/python
      kill_metadata: KillFilter, root, python, -15, -9
      kill_metadata2: KillFilter, root, python2, -15, -9
      kill_metadata7: KillFilter, root, python2.7, -15, -9
      kill_metadata3: KillFilter, root, python3, -15, -9
      kill_metadata35: KillFilter, root, python3.5, -15, -9
      kill_metadata36: KillFilter, root, python3.6, -15, -9
      kill_metadata37: KillFilter, root, python3.7, -15, -9
      kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
      kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP

      # ip_lib
      ip: IpFilter, ip, root
      find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
      ip_exec: IpNetnsExecFilter, ip, root

      # l3_tc_lib
      l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
      l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
      l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
      l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
      l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
      l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
      l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1

      # For ip monitor
      kill_ip_monitor: KillFilter, root, ip, -9

      # ovs_lib (if OVSInterfaceDriver is used)
      ovs-vsctl: CommandFilter, ovs-vsctl, root

      # iptables_manager
      iptables-save: CommandFilter, iptables-save, root
      iptables-restore: CommandFilter, iptables-restore, root
      ip6tables-save: CommandFilter, ip6tables-save, root
      ip6tables-restore: CommandFilter, ip6tables-restore, root

      # Keepalived
      keepalived: CommandFilter, keepalived, root
      kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9

      # l3 agent to delete floatingip's conntrack state
      conntrack: CommandFilter, conntrack, root

      # keepalived state change monitor
      keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
      # The following filters are used to kill the keepalived state change monitor.
      # Since the monitor runs as a Python script, the system reports that the
      # command of the process to be killed is python.
      # TODO(mlavalle) These kill filters will be updated once we come up with a
      # mechanism to kill using the name of the script being executed by Python
      kill_keepalived_monitor_py: KillFilter, root, python, -15
      kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
      kill_keepalived_monitor_py3: KillFilter, root, python3, -15
      kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
      kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
      kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
  netns_cleanup:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
      - netns_cleanup_cron
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # netns-cleanup
      netstat: CommandFilter, netstat, root
  # dnsmasq runs as root with unconstrained arguments (CommandFilter). The
  # kill_metadata* entries again match on the interpreter name.
  dhcp:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
      - netns_cleanup_cron
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # dhcp-agent
      dnsmasq: CommandFilter, dnsmasq, root
      # dhcp-agent uses kill as well, that's handled by the generic KillFilter
      # it looks like these are the only signals needed, per
      # neutron/agent/linux/dhcp.py
      kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
      kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15

      ovs-vsctl: CommandFilter, ovs-vsctl, root
      ivs-ctl: CommandFilter, ivs-ctl, root
      mm-ctl: CommandFilter, mm-ctl, root
      dhcp_release: CommandFilter, dhcp_release, root
      dhcp_release6: CommandFilter, dhcp_release6, root

      # metadata proxy
      metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
      # RHEL invocation of the metadata proxy will report /usr/bin/python
      kill_metadata: KillFilter, root, python, -9
      kill_metadata2: KillFilter, root, python2, -9
      kill_metadata7: KillFilter, root, python2.7, -9
      kill_metadata3: KillFilter, root, python3, -9
      kill_metadata35: KillFilter, root, python3.5, -9
      kill_metadata36: KillFilter, root, python3.6, -9
      kill_metadata37: KillFilter, root, python3.7, -9

      # ip_lib
      ip: IpFilter, ip, root
      find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
      ip_exec: IpNetnsExecFilter, ip, root
  ebtables:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      ebtables: CommandFilter, ebtables, root
  # Gives the holder full control of the packet-filter rules in whatever
  # network namespace the command runs in; every entry is a CommandFilter.
  iptables_firewall:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # neutron/agent/linux/iptables_firewall.py
      # "iptables-save", ...
      iptables-save: CommandFilter, iptables-save, root
      iptables-restore: CommandFilter, iptables-restore, root
      ip6tables-save: CommandFilter, ip6tables-save, root
      ip6tables-restore: CommandFilter, ip6tables-restore, root

      # neutron/agent/linux/iptables_firewall.py
      # "iptables", "-A", ...
      iptables: CommandFilter, iptables, root
      ip6tables: CommandFilter, ip6tables, root

      # neutron/agent/linux/iptables_firewall.py
      sysctl: CommandFilter, sysctl, root

      # neutron/agent/linux/ip_conntrack.py
      conntrack: CommandFilter, conntrack, root
  linuxbridge_plugin:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # linuxbridge-agent
      # unclear whether both variants are necessary, but I'm transliterating
      # from the old mechanism
      brctl: CommandFilter, brctl, root
      bridge: CommandFilter, bridge, root

      # ip_lib
      ip: IpFilter, ip, root
      find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
      ip_exec: IpNetnsExecFilter, ip, root

      # tc commands needed for QoS support
      tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
      tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
      tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
      tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
      tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
      tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
  openvswitch_plugin:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
    content: |
      # neutron-rootwrap command filters for nodes on which neutron is
      # expected to control network
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # openvswitch-agent
      # unclear whether both variants are necessary, but I'm transliterating
      # from the old mechanism
      ovs-vsctl: CommandFilter, ovs-vsctl, root
      # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
      ovs-ofctl: CommandFilter, ovs-ofctl, root
      ovs-appctl: CommandFilter, ovs-appctl, root
      kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
      ovsdb-client: CommandFilter, ovsdb-client, root
      xe: CommandFilter, xe, root

      # ip_lib
      ip: IpFilter, ip, root
      find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
      ip_exec: IpNetnsExecFilter, ip, root

      # needed for FDB extension
      bridge: CommandFilter, bridge, root
  # Lets rootwrap start the oslo.privsep helper as root. The PathFilter only
  # requires --config-file to be under /etc and the socket path to be under /,
  # so the protection rests on the trust assumptions spelled out in the file:
  # the Python module path and the oslo.config files must not be writable by
  # the unprivileged user.
  privsep:
    pods:
      - dhcp_agent
      - l3_agent
      - lb_agent
      - metadata_agent
      - ovn_metadata_agent
      - ovs_agent
      - sriov_agent
      - netns_cleanup_cron
    content: |
      # Command filters to allow privsep daemon to be started via rootwrap.
      #
      # This file should be owned by (and only-writeable by) the root user

      [Filters]

      # By installing the following, the local admin is asserting that:
      #
      # 1. The python module load path used by privsep-helper
      #    command as root (as started by sudo/rootwrap) is trusted.
      # 2. Any oslo.config files matching the --config-file
      #    arguments below are trusted.
      # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
      #    also allowed to invoke python "entrypoint" functions from
      #    --privsep_context with the additional (possibly root) privileges
      #    configured for that context.
      #
      # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
      #
      # In particular, the oslo.config and python module path must not
      # be writeable by the unprivileged user.

      # oslo.privsep default neutron context
      privsep: PathFilter, privsep-helper, root,
       --config-file, /etc,
       --privsep_context, neutron.privileged.default,
       --privsep_sock_path, /

      # NOTE: A second `--config-file` arg can also be added above. Since
      # many neutron components are installed like that (eg: by devstack).
      # Adjust to suit local requirements.
  # `sh` and `modprobe` are CommandFilters, so arguments are not constrained:
  # whatever can call rootwrap in the bagpipe_bgp pod can run any shell
  # command as root. Treat that pod as root-equivalent and leave this file
  # out of deployments that do not run bagpipe-bgp.
  linux_vxlan:
    pods:
      - bagpipe_bgp
    content: |
      # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
      # expected to control VXLAN Linux Bridge dataplane
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      #
      modprobe: CommandFilter, modprobe, root

      #
      brctl: CommandFilter, brctl, root
      bridge: CommandFilter, bridge, root

      # ip_lib
      ip: IpFilter, ip, root
      ip_exec: IpNetnsExecFilter, ip, root

      # shell (for piped commands)
      sh: CommandFilter, sh, root
  # Same unrestricted `sh` entry as linux_vxlan: root-equivalent for the
  # bagpipe_bgp pod.
  mpls_ovs_dataplane:
    pods:
      - bagpipe_bgp
    content: |
      # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
      # expected to control MPLS OpenVSwitch dataplane
      #
      # This file should be owned by (and only-writeable by) the root user

      # format seems to be
      # cmd-name: filter-name, raw-command, user, args

      [Filters]

      # openvswitch
      ovs-vsctl: CommandFilter, ovs-vsctl, root
      ovs-ofctl: CommandFilter, ovs-ofctl, root

      # ip_lib
      ip: IpFilter, ip, root
      ip_exec: IpNetnsExecFilter, ip, root

      # shell (for piped commands)
      sh: CommandFilter, sh, root
# neutron.conf content, one mapping per INI section. No credentials appear in
# this block; the password-type auth sections below only name the auth method.
neutron:
  DEFAULT:
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    log_config_append: /etc/neutron/logging.conf
    # NOTE(portdirect): the bind port should not be defined, and is manipulated
    # via the endpoints section.
    bind_port: null
    default_availability_zones: nova
    api_workers: 1
    rpc_workers: 4
    allow_overlapping_ips: True
    state_path: /var/lib/neutron
    # core_plugin can be: ml2, calico
    core_plugin: ml2
    # service_plugin can be: router, odl-router, empty for calico,
    # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
    service_plugins: router
    allow_automatic_l3agent_failover: True
    l3_ha: True
    max_l3_agents_per_router: 2
    l3_ha_network_type: vxlan
    network_auto_schedule: True
    router_auto_schedule: True
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
  oslo_concurrency:
    lock_path: /var/lib/neutron/tmp
  database:
    # NOTE(review): -1 presumably means "retry the connection forever";
    # confirm against oslo.db.
    max_retries: -1
  agent:
    # Agents reach root through sudo and neutron-rootwrap; this is the LOCI
    # path (/var/lib/openstack/bin) allowed in neutron_sudoers, so the sudoers
    # entry and the rootwrap filters bound what an agent can do as root.
    root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
  oslo_messaging_notifications:
    driver: messagingv2
  oslo_messaging_rabbit:
    rabbit_ha_queues: true
  oslo_middleware:
    # Makes the http_proxy_to_wsgi filter act on proxy headers. Clients that
    # can reach the API without passing the proxy can supply those headers
    # themselves, so restrict direct access to the API pods.
    enable_proxy_headers_parsing: true
  oslo_policy:
    policy_file: /etc/neutron/policy.yaml
  ovn:
    ovn_metadata_enabled: true
  nova:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  placement:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  designate:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
    allow_reverse_dns_lookup: true
  ironic:
    endpoint_type: internal
  keystone_authtoken:
    # A service token is only honoured when it carries the `service` role.
    service_token_roles: service
    service_token_roles_required: true
    # NOTE(review): ENCRYPT also needs memcache_secret_key, which is not set
    # in this block; presumably the chart injects it. Confirm it is set and
    # unique per deployment.
    memcache_security_strategy: ENCRYPT
    auth_type: password
    auth_version: v3
    service_type: network
  octavia:
    request_poll_timeout: 3000
# Python logging configuration, in the section layout used by
# logging.config.fileConfig (loggers / handlers / formatters plus one section
# per entry). neutron.conf points at it through log_config_append.
#
# Detection notes:
# - The root logger's only handler is `null` (logging.NullHandler), so a
#   record that reaches root is discarded. Only `neutron` and `neutron_taas`
#   write to stdout. Libraries with no logger of their own here, for example
#   keystonemiddleware (token validation), end up at root; add a logger for
#   them if their warnings are needed for monitoring.
# - NOTE(review): loggers.keys lists root, neutron and neutron_taas only.
#   fileConfig configures just the loggers named in keys, so the logger_amqp
#   through logger_boto sections presumably have no effect unless the chart
#   extends the list. Confirm against the rendered logging.conf.
logging:
  loggers:
    keys:
      - root
      - neutron
      - neutron_taas
  handlers:
    keys:
      - stdout
      - stderr
      # Quoted so that YAML yields the string "null" rather than a null value.
      - "null"
  formatters:
    keys:
      - context
      - default
  logger_root:
    level: WARNING
    handlers: 'null'
  logger_neutron:
    level: INFO
    handlers:
      - stdout
    qualname: neutron
  logger_neutron_taas:
    level: INFO
    handlers:
      - stdout
    qualname: neutron_taas
  logger_amqp:
    level: WARNING
    handlers: stderr
    qualname: amqp
  logger_amqplib:
    level: WARNING
    handlers: stderr
    qualname: amqplib
  logger_eventletwsgi:
    level: WARNING
    handlers: stderr
    qualname: eventlet.wsgi.server
  logger_sqlalchemy:
    level: WARNING
    handlers: stderr
    qualname: sqlalchemy
  logger_boto:
    level: WARNING
    handlers: stderr
    qualname: boto
  handler_null:
    class: logging.NullHandler
    formatter: default
    args: ()
  handler_stdout:
    class: StreamHandler
    args: (sys.stdout,)
    formatter: context
  handler_stderr:
    class: StreamHandler
    args: (sys.stderr,)
    formatter: context
  formatter_context:
    class: oslo_log.formatters.ContextFormatter
    datefmt: "%Y-%m-%d %H:%M:%S"
  formatter_default:
    format: "%(message)s"
    datefmt: "%Y-%m-%d %H:%M:%S"
# Plugin and agent configuration files (ML2, TaaS, and the Open vSwitch,
# Linux bridge, macvtap and SR-IOV agents), one mapping per file and section.
plugins:
  ml2_conf:
    ml2:
      # Enables the port-security extension.
      extension_drivers: port_security
      # (NOTE)portdirect: if unset this is populated dynamically from the value
      # in 'network.backend' to sane defaults.
      mechanism_drivers: null
      type_drivers: flat,vlan,vxlan,local
      tenant_network_types: vxlan
    ml2_type_vxlan:
      vni_ranges: 1:1000
      vxlan_group: 239.1.1.1
    ml2_type_flat:
      # "*" accepts any physical network name for flat networks. Quoted
      # because a bare * would be read as a YAML alias. List the intended
      # physnets instead where the set is known.
      flat_networks: "*"
    # If you want to use the external network as a tagged provider network,
    # a range should be specified including the intended VLAN target
    # using ml2_type_vlan.network_vlan_ranges:
    # ml2_type_vlan:
    #   network_vlan_ranges: "external:1100:1110"
    ml2_type_geneve:
      vni_ranges: 1:65536
      max_header_size: 38
    agent:
      extensions: ""
  ml2_conf_sriov: null
  taas:
    taas:
      enabled: False
  openvswitch_agent:
    agent:
      tunnel_types: vxlan
      l2_population: True
      arp_responder: True
    ovs:
      bridge_mappings: "external:br-ex"
    securitygroup:
      firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  linuxbridge_agent:
    linux_bridge:
      # To define Flat and VLAN connections, in LB we can assign
      # specific interface to the flat/vlan network name using:
      # physical_interface_mappings: "external:eth3"
      # Or we can set the mapping between the network and bridge:
      bridge_mappings: "external:br-ex"
      # The two above options are exclusive, do not use both of them at once
    securitygroup:
      firewall_driver: iptables
    vxlan:
      l2_population: True
      arp_responder: True
  macvtap_agent: null
  sriov_agent:
    securitygroup:
      # Noop driver: this agent applies no security-group rules, so SR-IOV
      # ports need filtering from another layer if isolation is required.
      firewall_driver: neutron.agent.firewall.NoopFirewallDriver
    sriov_nic:
      physical_device_mappings: physnet2:enp3s0f1
      # NOTE: do not use null here, use an empty string
      exclude_devices: ""
# DHCP agent configuration (DEFAULT section).
dhcp_agent:
  DEFAULT:
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
    # Path of the dnsmasq config file; the `dnsmasq` key in this file
    # presumably supplies its content (confirm in the chart templates).
    dnsmasq_config_file: /etc/neutron/dnsmasq.conf
    force_metadata: True
# dnsmasq configuration text. Every line of the default is commented out, so
# the value sets no option; the entries are samples of what can be enabled.
dnsmasq: |
  #no-hosts
  #port=5353
  #cache-size=500
  #no-negcache
  #dns-forward-max=100
  #resolve-file=
  #strict-order
  #bind-interface
  #bind-dynamic
  #domain=
  #dhcp-range=10.10.10.10,10.10.10.100,24h
  #dhcp-lease-max=150
  #dhcp-host=11:22:33:44:55:66,ignore
  #dhcp-option=3,10.10.10.1
  #dhcp-option-force=26,1450
2099
# L3 agent configuration (DEFAULT section).
l3_agent:
  DEFAULT:
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
    agent_mode: legacy
# null: no metering agent configuration is provided by default.
metering_agent: null
# Metadata agent configuration.
metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # Placeholder default. This secret authenticates metadata requests that
    # the agent proxies to nova and has to match nova's setting; override it
    # per deployment with a random value supplied from a secret store rather
    # than committing it to a values file.
    metadata_proxy_shared_secret: "password"
  cache:
    enabled: true
    backend: dogpile.cache.memcached
# Empty mapping: no bagpipe-bgp options are set by default.
bagpipe_bgp: {}
# OVN metadata agent configuration.
ovn_metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # Placeholder default. This secret authenticates metadata requests that
    # the agent proxies to nova and has to match nova's setting; override it
    # per deployment with a random value supplied from a secret store rather
    # than committing it to a values file.
    metadata_proxy_shared_secret: "password"
    metadata_workers: 2
  cache:
    enabled: true
    backend: dogpile.cache.memcached
  ovs:
    # Local Open vSwitch database, reached over a unix socket.
    ovsdb_connection: unix:/run/openvswitch/db.sock
# Empty mapping: no BGP dynamic-routing agent options are set by default.
bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002130
# RabbitMQ policy applied to the "neutron" vhost.
rabbitmq:
  # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
  policies:
    - vhost: "neutron"
      name: "ha_ttl_neutron"
      definition:
        # mirror messages to other nodes in rmq cluster
        ha-mode: "all"
        ha-sync-mode: "automatic"
        # 70s
        message-ttl: 70000
      priority: 0
      apply-to: all
      # Negative lookahead: matches every name except those starting with
      # "amq." or "reply_".
      pattern: '^(?!(amq\.|reply_)).*'
## NOTE: "besteffort" is meant for dev env with mixed compute type only.
## This helps prevent sriov init script from failing due to mis-matched NIC
## For prod env, target NIC should match and init script should fail otherwise.
## sriov_init:
##   - besteffort
# The default is a list holding one empty (null) item, not an empty list.
sriov_init:
  -
# auto_bridge_add is a table of "bridge: interface" pairs
# To automatically add physical interfaces to specific bridges,
# for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
# to br1 do something like:
#
# auto_bridge_add:
#   br-physnet1: eth3
#   br0: if0
#   br1: iface_two
# br-ex will be added by default
auto_bridge_add:
  # null: the bridge is listed with no interface named for it.
  br-ex: null
2164
# Network off-loading configuration
netoffload:
  enabled: false
  # With only commented-out entries below, asap2 is null rather than an
  # empty list.
  asap2:
    # - dev: enp97s0f0
    #   vfs: 16
2171
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002172 # configuration of OVS DPDK bridges and NICs
2173 # this is a separate section and not part of the auto_bridge_add section
2174 # because additional parameters are needed
2175 ovs_dpdk:
2176 enabled: false
2177 # setting update_dpdk_bond_config to true will have default behavior,
2178 # which may cause disruptions in ovs dpdk traffic in case of neutron
2179 # ovs agent restart or when dpdk nic/bond configurations are changed.
2180 # Setting this to false will configure dpdk in the first run and
2181 # disable nic/bond config on event of restart or config update.
2182 update_dpdk_bond_config: true
2183 driver: uio_pci_generic
2184 # In case bonds are configured, the nics which are part of those bonds
2185 # must NOT be provided here.
2186 nics:
2187 - name: dpdk0
2188 pci_id: '0000:05:00.0'
2189 # Set VF Index in case some particular VF(s) need to be
2190 # used with ovs-dpdk.
2191 # vf_index: 0
2192 bridge: br-phy
2193 migrate_ip: true
2194 n_rxq: 2
2195 n_txq: 2
2196 pmd_rxq_affinity: "0:3,1:27"
2197 ofport_request: 1
2198 # optional parameters for tuning the OVS DPDK config
2199 # in alignment with the available hardware resources
2200 # mtu: 2000
2201 # n_rxq_size: 1024
2202 # n_txq_size: 1024
2203 # vhost-iommu-support: true
2204 bridges:
2205 - name: br-phy
2206 # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
2207 # - tunnel_underlay_vlan: 45
2208 # Optional parameter for configuring bonding in OVS-DPDK
2209 # - name: br-phy-bond0
2210 # bonds:
2211 # - name: dpdkbond0
2212 # bridge: br-phy-bond0
2213 # # The IP from the first nic in nics list shall be used
2214 # migrate_ip: true
2215 # mtu: 2000
2216 # # Please note that n_rxq is set for each NIC individually
2217 # # rather than denoting the total number of rx queues for
2218 # # the bond as a whole. So setting n_rxq = 2 below for ex.
2219 # # would be 4 rx queues in total for the bond.
2220 # # Same for n_txq
2221 # n_rxq: 2
2222 # n_txq: 2
2223 # ofport_request: 1
2224 # n_rxq_size: 1024
2225 # n_txq_size: 1024
2226 # vhost-iommu-support: true
2227 # ovs_options: "bond_mode=active-backup"
2228 # nics:
2229 # - name: dpdk_b0s0
2230 # pci_id: '0000:06:00.0'
2231 # pmd_rxq_affinity: "0:3,1:27"
2232 # # Set VF Index in case some particular VF(s) need to be
2233 # # used with ovs-dpdk. In which case pci_id of PF must be
2234 # # provided above.
2235 # # vf_index: 0
2236 # - name: dpdk_b0s1
2237 # pci_id: '0000:07:00.0'
2238 # pmd_rxq_affinity: "0:3,1:27"
2239 # # Set VF Index in case some particular VF(s) need to be
2240 # # used with ovs-dpdk. In which case pci_id of PF must be
2241 # # provided above.
2242 # # vf_index: 0
2243 #
2244 # Set the log level for each target module (default level is always dbg)
2245 # Supported log levels are: off, emer, err, warn, info, dbg
2246 #
2247 # modules:
2248 # - name: dpdk
2249 # log_level: info
# Names of secrets used by bootstrap and environmental checks.
# Only names are listed here; no credential material lives in this section.
secrets:
  # Keystone credentials, one secret per account.
  identity:
    admin: neutron-keystone-admin
    neutron: neutron-keystone-user
    test: neutron-keystone-test
  # Database credentials.
  oslo_db:
    admin: neutron-db-admin
    neutron: neutron-db-user
  # Message-bus credentials.
  oslo_messaging:
    admin: neutron-rabbitmq-admin
    neutron: neutron-rabbitmq-user
  # TLS secret names, keyed by endpoint type, then service, then interface.
  tls:
    compute_metadata:
      metadata:
        internal: metadata-tls-metadata
    network:
      server:
        public: neutron-tls-public
        internal: neutron-tls-server
  # Image-registry credentials.
  oci_image_registry:
    neutron: neutron-oci-image-registry
# Typically overridden by environment-specific values, but this section
# should still list every endpoint the chart requires.
#
# NOTE(review): every "password: password" below is a placeholder default.
# Override each one per deployment and keep the real values out of version
# control. Most service schemes below also default to plain http.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Registry authentication is off by default.
      enabled: false
      neutron:
        username: neutron
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # The admin account is the database root user.
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): value of the keystone authtoken cache encryption
      # key. If left unset it is populated automatically with a random
      # value, but to take advantage of this feature all services should
      # be set to use the same key and the same memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: '/v2.1/%(tenant_id)s'
    scheme:
      default: http
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        # NOTE(review): the neutron service user is given both the admin
        # and the service role; confirm admin is actually required.
        role: 'admin,service'
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      # The test account also carries the admin role.
      test:
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project is purged and reset when
        # conf.rally_tests.force_project_purge is set to true. That may be
        # required after a test failure, but it expunges all OpenStack
        # objects in the project, so use a separate project for each helm
        # test and make sure no other tenant is using it.
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for FQDN-overridden
      # public endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    scheme:
      default: http
      service: http
    port:
      api:
        default: 9696
        public: 80
        service: 9696
      policy_server:
        default: 9697
        public: 80
        service: 9697
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and
  # ingress. They are used to enable the egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    # NOTE(review): in a Kubernetes NetworkPolicy an empty rule ({}) matches
    # all traffic, so if these lists are rendered as the policy's rules,
    # turning on manifests.network_policy without narrowing them yields an
    # allow-all policy in both directions.
    ingress:
      - {}
    egress:
      - {}
# NOTE(review): presumably switches the chart to Helm 3 hook handling;
# confirm against the templates.
helm3_hook: true

# Log level used for health-probe logging.
health_probe:
  logging:
    level: ERROR

# All three TLS switches are off by default.
# NOTE(review): presumably these enable TLS towards the identity service,
# the message bus and the database; with them off and the http schemes in
# the endpoints section, those connections would be unencrypted. Confirm
# against the templates and enable them outside test environments.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
# Per-manifest on/off switches.
# NOTE(review): each flag presumably gates rendering of the same-named
# template; confirm against the chart's templates directory.
manifests:
  # Off by default.
  certificates: false
  configmap_bin: true
  configmap_etc: true
  # Agent daemonsets.
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  # Deployments and ingress.
  deployment_ironic_agent: false
  deployment_server: true
  deployment_rpc_server: true
  ingress_server: true
  # Jobs. The database drop job is off by default.
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  # The rally test pod is on by default; the test account in
  # endpoints.identity.auth.test carries the admin role.
  pod_rally_test: true
  # Off by default; see the network_policy section before enabling, since
  # its default rules are empty ({}).
  network_policy: false
  # Secrets and services.
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_server: true
  service_server: true
2640...