# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
17
18---
19release_group: null
20
# Container images used by the chart, keyed by the component that runs them.
# Every entry is referenced by tag rather than by digest, so the content that
# actually runs is whatever the registry serves for that tag at pull time.
# For a reproducible and verifiable deployment, override these values with
# digest-pinned references (constructed form:
# <registry>/<repo>:<tag>@sha256:<digest-placeholder>) or mirror the images
# into a registry you control.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    # `latest` is a mutable tag: the image behind it can change between pulls.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    neutron_db_sync: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    # netoffload is configured as a privileged, UID 0 container under
    # pod.security_context.neutron_ovs_agent, so the provenance of this
    # image deserves the same scrutiny as host-level software.
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_policy_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_rpc_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_dhcp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ovn_vpn: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l3: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l2gw: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    # The two SR-IOV images are tagged stein-18.04 while every other neutron
    # image here is 2024.1 on jammy. They also run privileged (see
    # pod.security_context.neutron_sriov_agent).
    # NOTE(review): confirm these images still receive security updates, or
    # override them when the SR-IOV agent is enabled.
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent_init: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    # `latest-ubuntu_focal` is also a moving tag.
    # NOTE(review): dep_check looks like the dependency-check image shared by
    # the chart's pods; if so, a change behind this tag reaches every
    # workload. Confirm and pin.
    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
    # NOTE(review): docker 17.07.0 is a very old release; only relevant when
    # local_registry.active is true, but worth updating before enabling it.
    image_repo_sync: docker.io/docker:17.07.0
  # With IfNotPresent a node keeps whatever it pulled first for a tag, so for
  # the mutable tags above different nodes can run different image content
  # under the same name.
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync
60
61labels:
62 agent:
63 dhcp:
64 node_selector_key: openstack-control-plane
65 node_selector_value: enabled
66 l3:
67 node_selector_key: openstack-control-plane
68 node_selector_value: enabled
69 metadata:
70 node_selector_key: openstack-control-plane
71 node_selector_value: enabled
72 l2gw:
73 node_selector_key: openstack-control-plane
74 node_selector_value: enabled
Rico Lin9245bf72024-10-22 01:16:35 +080075 ovn_vpn:
76 node_selector_key: openstack-control-plane
77 node_selector_value: enabled
Mohammed Naserf3f59a72023-01-15 21:02:04 -050078 job:
79 node_selector_key: openstack-control-plane
80 node_selector_value: enabled
81 lb:
82 node_selector_key: linuxbridge
83 node_selector_value: enabled
84 # openvswitch is a special case, requiring a special
85 # label that can apply to both control hosts
86 # and compute hosts, until we get more sophisticated
87 # with our daemonset scheduling
88 ovs:
89 node_selector_key: openvswitch
90 node_selector_value: enabled
91 sriov:
92 node_selector_key: sriov
93 node_selector_value: enabled
94 bagpipe_bgp:
95 node_selector_key: openstack-compute-node
96 node_selector_value: enabled
Rico Lincf86b122023-11-02 01:29:14 +080097 bgp_dragent:
98 node_selector_key: openstack-compute-node
99 node_selector_value: enabled
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500100 server:
101 node_selector_key: openstack-control-plane
102 node_selector_value: enabled
Rico Lin0e153482024-05-03 03:29:14 +0800103 rpc_server:
104 node_selector_key: openstack-control-plane
105 node_selector_value: enabled
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500106 ironic_agent:
107 node_selector_key: openstack-control-plane
108 node_selector_value: enabled
109 netns_cleanup_cron:
110 node_selector_key: openstack-control-plane
111 node_selector_value: enabled
112 test:
113 node_selector_key: openstack-control-plane
114 node_selector_value: enabled
115
# Network wiring for the agents and exposure settings for the Neutron API.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # Security note: sharing namespaces with the host removes the network
  # isolation boundary between the agent containers and the node, so the
  # agents should be treated as part of the host's trusted computing base.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # "0/0" puts no constraint on that lookup.
    # NOTE(review): on multi-homed hosts set `tunnel` or a specific CIDR so
    # tunnel traffic is not bound to an unintended interface; confirm the
    # exact selection logic in the agent init script.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): presumably controls whether the API is also published
      # through the public-facing ingress; confirm TLS termination and access
      # controls for that path before leaving this enabled.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    # NodePort exposure is off by default; enabling it would open `port` on
    # the nodes in addition to any ingress.
    node_port:
      enabled: false
      port: 30096
155
# Optional bootstrap job settings; disabled by default. The default script
# only requests a token (`openstack token issue`).
# NOTE(review): presumably executed with the credentials of `ks_user`
# (neutron); confirm in the job template before adding commands that change
# cloud state.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue
161
162dependencies:
163 dynamic:
164 common:
165 local_image_registry:
166 jobs:
167 - neutron-image-repo-sync
168 services:
169 - endpoint: node
170 service: local_image_registry
171 targeted:
172 sriov: {}
173 l2gateway: {}
174 bagpipe_bgp: {}
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000175 ovn:
176 server:
177 pod: null
Rico Lincf86b122023-11-02 01:29:14 +0800178 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500179 openvswitch:
180 dhcp:
181 pod:
182 - requireSameNode: true
183 labels:
184 application: neutron
185 component: neutron-ovs-agent
186 l3:
187 pod:
188 - requireSameNode: true
189 labels:
190 application: neutron
191 component: neutron-ovs-agent
192 metadata:
193 pod:
194 - requireSameNode: true
195 labels:
196 application: neutron
197 component: neutron-ovs-agent
198 linuxbridge:
199 dhcp:
200 pod:
201 - requireSameNode: true
202 labels:
203 application: neutron
204 component: neutron-lb-agent
205 l3:
206 pod:
207 - requireSameNode: true
208 labels:
209 application: neutron
210 component: neutron-lb-agent
211 metadata:
212 pod:
213 - requireSameNode: true
214 labels:
215 application: neutron
216 component: neutron-lb-agent
217 lb_agent:
218 pod: null
219 static:
220 bootstrap:
221 services:
222 - endpoint: internal
223 service: network
224 - endpoint: internal
225 service: compute
226 db_drop:
227 services:
228 - endpoint: internal
229 service: oslo_db
230 db_init:
231 services:
232 - endpoint: internal
233 service: oslo_db
234 db_sync:
235 jobs:
236 - neutron-db-init
237 services:
238 - endpoint: internal
239 service: oslo_db
240 dhcp:
241 pod: null
242 jobs:
243 - neutron-rabbit-init
244 services:
245 - endpoint: internal
246 service: oslo_messaging
247 - endpoint: internal
248 service: network
249 - endpoint: internal
250 service: compute
251 ks_endpoints:
252 jobs:
253 - neutron-ks-service
254 services:
255 - endpoint: internal
256 service: identity
257 ks_service:
258 services:
259 - endpoint: internal
260 service: identity
261 ks_user:
262 services:
263 - endpoint: internal
264 service: identity
265 rabbit_init:
266 services:
267 - service: oslo_messaging
268 endpoint: internal
269 l3:
270 pod: null
271 jobs:
272 - neutron-rabbit-init
273 services:
274 - endpoint: internal
275 service: oslo_messaging
276 - endpoint: internal
277 service: network
278 - endpoint: internal
279 service: compute
280 lb_agent:
281 pod: null
282 jobs:
283 - neutron-rabbit-init
284 services:
285 - endpoint: internal
286 service: oslo_messaging
287 - endpoint: internal
288 service: network
289 metadata:
290 pod: null
291 jobs:
292 - neutron-rabbit-init
293 services:
294 - endpoint: internal
295 service: oslo_messaging
296 - endpoint: internal
297 service: network
298 - endpoint: internal
299 service: compute
300 - endpoint: public
301 service: compute_metadata
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200302 ovn_metadata:
Mohammed Naser593ec012023-07-23 09:20:05 +0000303 pod:
304 - requireSameNode: true
305 labels:
306 application: ovn
307 component: ovn-controller
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200308 services:
309 - endpoint: internal
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200310 service: compute_metadata
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000311 - endpoint: internal
312 service: network
Rico Lin9245bf72024-10-22 01:16:35 +0800313 ovn_vpn_agent:
314 pod:
315 - requireSameNode: true
316 labels:
317 application: ovn
318 component: ovn-controller
319 services:
320 - endpoint: internal
321 service: oslo_messaging
322 - endpoint: internal
323 service: network
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500324 ovs_agent:
325 jobs:
326 - neutron-rabbit-init
327 pod:
328 - requireSameNode: true
329 labels:
330 application: openvswitch
331 component: server
332 services:
333 - endpoint: internal
334 service: oslo_messaging
335 - endpoint: internal
336 service: network
337 server:
338 jobs:
339 - neutron-db-sync
340 - neutron-ks-user
341 - neutron-ks-endpoints
342 - neutron-rabbit-init
343 services:
344 - endpoint: internal
345 service: oslo_db
346 - endpoint: internal
347 service: oslo_messaging
348 - endpoint: internal
349 service: oslo_cache
350 - endpoint: internal
351 service: identity
Rico Lin0e153482024-05-03 03:29:14 +0800352 rpc_server:
353 jobs:
354 - neutron-db-sync
355 - neutron-rabbit-init
356 services:
357 - endpoint: internal
358 service: oslo_db
359 - endpoint: internal
360 service: oslo_messaging
361 - endpoint: internal
362 service: oslo_cache
363 - endpoint: internal
364 service: identity
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500365 ironic_agent:
366 jobs:
367 - neutron-db-sync
368 - neutron-ks-user
369 - neutron-ks-endpoints
370 - neutron-rabbit-init
371 services:
372 - endpoint: internal
373 service: oslo_db
374 - endpoint: internal
375 service: oslo_messaging
376 - endpoint: internal
377 service: oslo_cache
378 - endpoint: internal
379 service: identity
380 tests:
381 services:
382 - endpoint: internal
383 service: network
384 - endpoint: internal
385 service: compute
386 image_repo_sync:
387 services:
388 - endpoint: internal
389 service: local_image_registry
390
391pod:
Dong Mae5bd5a32025-02-11 11:03:48 +0000392 priorityClassName:
393 neutron_bagpipe_bgp: null
394 neutron_bgp_dragent: null
395 neutron_dhcp_agent: null
396 neutron_l2gw_agent: null
397 neutron_l3_agent: null
398 neutron_lb_agent: null
399 neutron_metadata_agent: null
400 neutron_netns_cleanup_cron: null
401 neutron_ovn_vpn_agent: null
402 neutron_ovn_metadata_agent: null
403 neutron_ovs_agent: null
404 neutron_sriov_agent: null
405 neutron_ironic_agent: null
406 neutron_rpc_server: null
407 neutron_server: null
408 neutron_tests: null
409 db_sync: null
410 runtimeClassName:
411 neutron_bagpipe_bgp: null
412 neutron_bgp_dragent: null
413 neutron_dhcp_agent: null
414 neutron_l2gw_agent: null
415 neutron_l3_agent: null
416 neutron_lb_agent: null
417 neutron_metadata_agent: null
418 neutron_netns_cleanup_cron: null
419 neutron_ovn_vpn_agent: null
420 neutron_ovn_metadata_agent: null
421 neutron_ovs_agent: null
422 neutron_sriov_agent: null
423 neutron_ironic_agent: null
424 neutron_rpc_server: null
425 neutron_server: null
426 neutron_tests: null
427 db_sync: null
Rico Lin71132432024-07-03 02:15:57 +0800428 sidecars:
429 neutron_policy_server: false
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500430 use_fqdn:
431 neutron_agent: true
432 probes:
433 rpc_timeout: 60
434 rpc_retries: 2
435 dhcp_agent:
436 dhcp_agent:
437 readiness:
438 enabled: true
439 params:
440 initialDelaySeconds: 30
441 periodSeconds: 190
442 timeoutSeconds: 185
443 liveness:
444 enabled: true
445 params:
446 initialDelaySeconds: 120
447 periodSeconds: 600
448 timeoutSeconds: 580
449 l3_agent:
450 l3_agent:
451 readiness:
452 enabled: true
453 params:
454 initialDelaySeconds: 30
455 periodSeconds: 190
456 timeoutSeconds: 185
457 liveness:
458 enabled: true
459 params:
460 initialDelaySeconds: 120
461 periodSeconds: 600
462 timeoutSeconds: 580
463 lb_agent:
464 lb_agent:
465 readiness:
466 enabled: true
467 metadata_agent:
468 metadata_agent:
469 readiness:
470 enabled: true
471 params:
472 initialDelaySeconds: 30
473 periodSeconds: 190
474 timeoutSeconds: 185
475 liveness:
476 enabled: true
477 params:
478 initialDelaySeconds: 120
479 periodSeconds: 600
480 timeoutSeconds: 580
Rico Lin9245bf72024-10-22 01:16:35 +0800481 ovn_vpn_agent:
482 ovn_vpn_agent:
483 readiness:
484 enabled: true
485 params:
486 initialDelaySeconds: 30
487 periodSeconds: 190
488 timeoutSeconds: 185
489 liveness:
490 enabled: true
491 params:
492 initialDelaySeconds: 120
493 periodSeconds: 600
494 timeoutSeconds: 580
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200495 ovn_metadata_agent:
496 ovn_metadata_agent:
497 readiness:
498 enabled: true
499 params:
500 initialDelaySeconds: 30
501 periodSeconds: 190
502 timeoutSeconds: 185
503 liveness:
504 enabled: true
505 params:
506 initialDelaySeconds: 120
507 periodSeconds: 600
508 timeoutSeconds: 580
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500509 ovs_agent:
510 ovs_agent:
511 readiness:
512 enabled: true
513 params:
okozachenko120317930d42023-09-06 00:24:05 +1000514 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500515 liveness:
516 enabled: true
517 params:
518 initialDelaySeconds: 120
519 periodSeconds: 600
520 timeoutSeconds: 580
521 sriov_agent:
522 sriov_agent:
523 readiness:
524 enabled: true
525 params:
526 initialDelaySeconds: 30
527 periodSeconds: 190
528 timeoutSeconds: 185
529 bagpipe_bgp:
530 bagpipe_bgp:
531 readiness:
532 enabled: true
533 params:
534 liveness:
535 enabled: true
536 params:
537 initialDelaySeconds: 60
Rico Lincf86b122023-11-02 01:29:14 +0800538 bgp_dragent:
539 bgp_dragent:
540 readiness:
541 enabled: false
542 params:
543 liveness:
544 enabled: true
545 params:
546 initialDelaySeconds: 60
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500547 l2gw_agent:
548 l2gw_agent:
549 readiness:
550 enabled: true
551 params:
552 initialDelaySeconds: 30
553 periodSeconds: 15
554 timeoutSeconds: 65
555 liveness:
556 enabled: true
557 params:
558 initialDelaySeconds: 120
559 periodSeconds: 90
560 timeoutSeconds: 70
561 server:
562 server:
563 readiness:
564 enabled: true
565 params:
okozachenko120317930d42023-09-06 00:24:05 +1000566 periodSeconds: 15
567 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500568 liveness:
569 enabled: true
570 params:
571 initialDelaySeconds: 60
okozachenko120317930d42023-09-06 00:24:05 +1000572 periodSeconds: 15
573 timeoutSeconds: 10
Rico Lin0e153482024-05-03 03:29:14 +0800574 rpc_server:
575 rpc_server:
576 readiness:
577 enabled: true
578 params:
579 periodSeconds: 15
580 timeoutSeconds: 10
581 liveness:
582 enabled: true
583 params:
584 initialDelaySeconds: 60
585 periodSeconds: 15
586 timeoutSeconds: 10
  # Per-workload security settings: a pod-level default UID (42424) plus
  # per-container overrides.
  # NOTE(review): presumably rendered into the pod and container
  # securityContext by the chart templates; confirm there.
  #
  # Review summary of the defaults below:
  # - Every data-plane agent (dhcp, l2gw, bagpipe_bgp, bgp_dragent, l3, lb,
  #   ovs, sriov, netns_cleanup_cron) sets `privileged: true`. A privileged
  #   container has all capabilities and host device access, so a compromise
  #   of any of these agents should be treated as a compromise of the node.
  #   `readOnlyRootFilesystem: true` protects only the container's own root
  #   filesystem and does not narrow that access.
  # - Only the API-side containers (neutron_server, neutron_policy_server,
  #   neutron_rpc_server, neutron_ironic_agent) set
  #   `allowPrivilegeEscalation: false`.
  # - Several init/helper containers override the pod UID with `runAsUser: 0`.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with SYS_MODULE, which permits loading kernel modules:
        # kernel-level access even though `privileged` is not set here.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        # Root init container, not privileged.
        # NOTE(review): no allowPrivilegeEscalation: false is set; confirm
        # whether it can be added.
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    ovn_vpn_agent:
      pod:
        runAsUser: 42424
      container:
        ovn_vpn_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Same root + SYS_MODULE profile as the linuxbridge kernel-modules
        # container above.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        # Privileged root container running the image from
        # images.tags.netoffload.
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # Unlike the neutron_server container next to it, nginx runs as
        # root with a writable root filesystem and without
        # allowPrivilegeEscalation: false.
        # NOTE(review): confirm nginx needs root and a writable root
        # filesystem here; otherwise tighten to match its siblings.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        neutron_policy_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_rpc_server:
      pod:
        runAsUser: 42424
      container:
        neutron_rpc_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # The only privileged container in this section that also has a
        # writable root filesystem.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
732 affinity:
733 anti:
734 type:
735 default: preferredDuringSchedulingIgnoredDuringExecution
736 topologyKey:
737 default: kubernetes.io/hostname
738 weight:
739 default: 10
740 tolerations:
741 neutron:
742 enabled: false
743 tolerations:
744 - key: node-role.kubernetes.io/master
745 operator: Exists
746 effect: NoSchedule
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200747 - key: node-role.kubernetes.io/control-plane
748 operator: Exists
749 effect: NoSchedule
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500750 mounts:
751 neutron_server:
752 init_container: null
753 neutron_server:
754 volumeMounts:
755 volumes:
Rico Lin0e153482024-05-03 03:29:14 +0800756 neutron_rpc_server:
757 init_container: null
758 neutron_rpc_server:
759 volumeMounts:
760 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500761 neutron_dhcp_agent:
762 init_container: null
763 neutron_dhcp_agent:
764 volumeMounts:
765 volumes:
766 neutron_l3_agent:
767 init_container: null
768 neutron_l3_agent:
769 volumeMounts:
770 volumes:
771 neutron_lb_agent:
772 init_container: null
773 neutron_lb_agent:
774 volumeMounts:
775 volumes:
776 neutron_metadata_agent:
777 init_container: null
778 neutron_metadata_agent:
779 volumeMounts:
780 volumes:
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200781 neutron_ovn_metadata_agent:
782 init_container: null
783 neutron_ovn_metadata_agent:
784 volumeMounts:
785 volumes:
Rico Lin9245bf72024-10-22 01:16:35 +0800786 ovn_vpn_agent:
787 init_container: null
788 ovn_vpn_agent:
789 volumeMounts:
790 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500791 neutron_ovs_agent:
792 init_container: null
793 neutron_ovs_agent:
794 volumeMounts:
795 volumes:
796 neutron_sriov_agent:
797 init_container: null
798 neutron_sriov_agent:
799 volumeMounts:
800 volumes:
801 neutron_l2gw_agent:
802 init_container: null
803 neutron_l2gw_agent:
804 volumeMounts:
805 volumes:
806 bagpipe_bgp:
807 init_container: null
808 bagpipe_bgp:
809 volumeMounts:
810 volumes:
Rico Lincf86b122023-11-02 01:29:14 +0800811 bgp_dragent:
812 init_container: null
813 bgp_dragent:
814 volumeMounts:
815 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500816 neutron_ironic_agent:
817 init_container: null
818 neutron_ironic_agent:
819 volumeMounts:
820 volumes:
821 neutron_netns_cleanup_cron:
822 init_container: null
823 neutron_netns_cleanup_cron:
824 volumeMounts:
825 volumes:
826 neutron_tests:
827 init_container: null
828 neutron_tests:
829 volumeMounts:
830 volumes:
831 neutron_bootstrap:
832 init_container: null
833 neutron_bootstrap:
834 volumeMounts:
835 volumes:
836 neutron_db_sync:
837 neutron_db_sync:
838 volumeMounts:
839 - name: db-sync-conf
840 mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
841 subPath: ml2_conf.ini
842 readOnly: true
843 volumes:
844 replicas:
845 server: 1
Rico Lin0e153482024-05-03 03:29:14 +0800846 rpc_server: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500847 ironic_agent: 1
848 lifecycle:
849 upgrades:
850 deployments:
851 revision_history: 3
852 pod_replacement_strategy: RollingUpdate
853 rolling_update:
854 max_unavailable: 1
855 max_surge: 3
856 daemonsets:
857 pod_replacement_strategy: RollingUpdate
858 dhcp_agent:
859 enabled: true
860 min_ready_seconds: 0
861 max_unavailable: 1
862 l3_agent:
863 enabled: true
864 min_ready_seconds: 0
865 max_unavailable: 1
866 lb_agent:
867 enabled: true
868 min_ready_seconds: 0
869 max_unavailable: 1
870 metadata_agent:
871 enabled: true
872 min_ready_seconds: 0
873 max_unavailable: 1
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200874 ovn_metadata_agent:
875 enabled: true
876 min_ready_seconds: 0
877 max_unavailable: 1
Rico Lin9245bf72024-10-22 01:16:35 +0800878 ovn_vpn_agent:
879 enabled: true
880 min_ready_seconds: 0
881 max_unavailable: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500882 ovs_agent:
883 enabled: true
884 min_ready_seconds: 0
885 max_unavailable: 1
886 sriov_agent:
887 enabled: true
888 min_ready_seconds: 0
889 max_unavailable: 1
890 netns_cleanup_cron:
891 enabled: true
892 min_ready_seconds: 0
893 max_unavailable: 1
894 disruption_budget:
895 server:
896 min_available: 0
897 termination_grace_period:
898 server:
899 timeout: 30
Rico Lin0e153482024-05-03 03:29:14 +0800900 rpc_server:
901 timeout: 30
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500902 ironic_agent:
903 timeout: 30
904 resources:
905 enabled: false
906 agent:
907 dhcp:
908 requests:
909 memory: "128Mi"
910 cpu: "100m"
911 limits:
912 memory: "1024Mi"
913 cpu: "2000m"
914 l3:
915 requests:
916 memory: "128Mi"
917 cpu: "100m"
918 limits:
919 memory: "1024Mi"
920 cpu: "2000m"
921 lb:
922 requests:
923 memory: "128Mi"
924 cpu: "100m"
925 limits:
926 memory: "1024Mi"
927 cpu: "2000m"
928 metadata:
929 requests:
930 memory: "128Mi"
931 cpu: "100m"
932 limits:
933 memory: "1024Mi"
934 cpu: "2000m"
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200935 ovn_metadata:
936 requests:
937 memory: "128Mi"
938 cpu: "100m"
939 limits:
940 memory: "1024Mi"
941 cpu: "2000m"
Rico Lin9245bf72024-10-22 01:16:35 +0800942 ovn_vpn:
943 requests:
944 memory: "128Mi"
945 cpu: "100m"
946 limits:
947 memory: "1024Mi"
948 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500949 ovs:
950 requests:
951 memory: "128Mi"
952 cpu: "100m"
953 limits:
954 memory: "1024Mi"
955 cpu: "2000m"
956 sriov:
957 requests:
958 memory: "128Mi"
959 cpu: "100m"
960 limits:
961 memory: "1024Mi"
962 cpu: "2000m"
963 l2gw:
964 requests:
965 memory: "128Mi"
966 cpu: "100m"
967 limits:
968 memory: "1024Mi"
969 cpu: "2000m"
970 bagpipe_bgp:
971 requests:
972 memory: "128Mi"
973 cpu: "100m"
974 limits:
975 memory: "1024Mi"
976 cpu: "2000m"
Rico Lincf86b122023-11-02 01:29:14 +0800977 bgp_dragent:
978 requests:
979 memory: "128Mi"
980 cpu: "100m"
981 limits:
982 memory: "1024Mi"
983 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500984 server:
985 requests:
986 memory: "128Mi"
987 cpu: "100m"
988 limits:
989 memory: "1024Mi"
990 cpu: "2000m"
Rico Lin71132432024-07-03 02:15:57 +0800991 neutron_policy_server:
992 requests:
993 memory: "128Mi"
994 cpu: "100m"
995 limits:
996 memory: "256Mi"
997 cpu: "500m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500998 ironic_agent:
999 requests:
1000 memory: "128Mi"
1001 cpu: "100m"
1002 limits:
1003 memory: "1024Mi"
1004 cpu: "2000m"
1005 netns_cleanup_cron:
1006 requests:
1007 memory: "128Mi"
1008 cpu: "100m"
1009 limits:
1010 memory: "1024Mi"
1011 cpu: "2000m"
1012 jobs:
1013 bootstrap:
1014 requests:
1015 memory: "128Mi"
1016 cpu: "100m"
1017 limits:
1018 memory: "1024Mi"
1019 cpu: "2000m"
1020 db_init:
1021 requests:
1022 memory: "128Mi"
1023 cpu: "100m"
1024 limits:
1025 memory: "1024Mi"
1026 cpu: "2000m"
1027 rabbit_init:
1028 requests:
1029 memory: "128Mi"
1030 cpu: "100m"
1031 limits:
1032 memory: "1024Mi"
1033 cpu: "2000m"
1034 db_sync:
1035 requests:
1036 memory: "128Mi"
1037 cpu: "100m"
1038 limits:
1039 memory: "1024Mi"
1040 cpu: "2000m"
1041 db_drop:
1042 requests:
1043 memory: "128Mi"
1044 cpu: "100m"
1045 limits:
1046 memory: "1024Mi"
1047 cpu: "2000m"
1048 ks_endpoints:
1049 requests:
1050 memory: "128Mi"
1051 cpu: "100m"
1052 limits:
1053 memory: "1024Mi"
1054 cpu: "2000m"
1055 ks_service:
1056 requests:
1057 memory: "128Mi"
1058 cpu: "100m"
1059 limits:
1060 memory: "1024Mi"
1061 cpu: "2000m"
1062 ks_user:
1063 requests:
1064 memory: "128Mi"
1065 cpu: "100m"
1066 limits:
1067 memory: "1024Mi"
1068 cpu: "2000m"
1069 tests:
1070 requests:
1071 memory: "128Mi"
1072 cpu: "100m"
1073 limits:
1074 memory: "1024Mi"
1075 cpu: "2000m"
1076 image_repo_sync:
1077 requests:
1078 memory: "128Mi"
1079 cpu: "100m"
1080 limits:
1081 memory: "1024Mi"
1082 cpu: "2000m"
1083
1084conf:
1085 rally_tests:
1086 force_project_purge: false
1087 run_tempest: false
1088 clean_up: |
1089 # NOTE: We will make the best effort to clean up rally generated networks and routers,
1090 # but should not block further automated deployment.
1091 set +e
1092 PATTERN="^[sc]_rally_"
1093
1094 ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1095 NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1096
1097 for ROUTER in $ROUTERS
1098 do
1099 openstack router unset --external-gateway $ROUTER
1100 openstack router set --disable --no-ha $ROUTER
1101
1102 SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
1103 for SUBN in $SUBNS
1104 do
1105 openstack router remove subnet $ROUTER $SUBN
1106 done
1107
1108 for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
1109 do
1110 openstack router remove port $ROUTER $PORT
1111 done
1112
1113 openstack router delete $ROUTER
1114 done
1115
1116 for NETWORK in $NETWORKS
1117 do
1118 for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
1119 do
1120 openstack port delete $PORT
1121 done
1122 openstack network delete $NETWORK
1123 done
1124 set -e
1125 tests:
1126 NeutronNetworks.create_and_delete_networks:
1127 - args:
1128 network_create_args: {}
1129 context:
1130 quotas:
1131 neutron:
1132 network: -1
1133 runner:
1134 concurrency: 1
1135 times: 1
1136 type: constant
1137 sla:
1138 failure_rate:
1139 max: 0
1140 NeutronNetworks.create_and_delete_ports:
1141 - args:
1142 network_create_args: {}
1143 port_create_args: {}
1144 ports_per_network: 10
1145 context:
1146 network: {}
1147 quotas:
1148 neutron:
1149 network: -1
1150 port: -1
1151 runner:
1152 concurrency: 1
1153 times: 1
1154 type: constant
1155 sla:
1156 failure_rate:
1157 max: 0
1158 NeutronNetworks.create_and_delete_routers:
1159 - args:
1160 network_create_args: {}
1161 router_create_args: {}
1162 subnet_cidr_start: 1.1.0.0/30
1163 subnet_create_args: {}
1164 subnets_per_network: 2
1165 context:
1166 network: {}
1167 quotas:
1168 neutron:
1169 network: -1
1170 router: -1
1171 subnet: -1
1172 runner:
1173 concurrency: 1
1174 times: 1
1175 type: constant
1176 sla:
1177 failure_rate:
1178 max: 0
1179 NeutronNetworks.create_and_delete_subnets:
1180 - args:
1181 network_create_args: {}
1182 subnet_cidr_start: 1.1.0.0/30
1183 subnet_create_args: {}
1184 subnets_per_network: 2
1185 context:
1186 network: {}
1187 quotas:
1188 neutron:
1189 network: -1
1190 subnet: -1
1191 runner:
1192 concurrency: 1
1193 times: 1
1194 type: constant
1195 sla:
1196 failure_rate:
1197 max: 0
1198 NeutronNetworks.create_and_list_routers:
1199 - args:
1200 network_create_args: {}
1201 router_create_args: {}
1202 subnet_cidr_start: 1.1.0.0/30
1203 subnet_create_args: {}
1204 subnets_per_network: 2
1205 context:
1206 network: {}
1207 quotas:
1208 neutron:
1209 network: -1
1210 router: -1
1211 subnet: -1
1212 runner:
1213 concurrency: 1
1214 times: 1
1215 type: constant
1216 sla:
1217 failure_rate:
1218 max: 0
1219 NeutronNetworks.create_and_list_subnets:
1220 - args:
1221 network_create_args: {}
1222 subnet_cidr_start: 1.1.0.0/30
1223 subnet_create_args: {}
1224 subnets_per_network: 2
1225 context:
1226 network: {}
1227 quotas:
1228 neutron:
1229 network: -1
1230 subnet: -1
1231 runner:
1232 concurrency: 1
1233 times: 1
1234 type: constant
1235 sla:
1236 failure_rate:
1237 max: 0
1238 NeutronNetworks.create_and_show_network:
1239 - args:
1240 network_create_args: {}
1241 context:
1242 quotas:
1243 neutron:
1244 network: -1
1245 runner:
1246 concurrency: 1
1247 times: 1
1248 type: constant
1249 sla:
1250 failure_rate:
1251 max: 0
1252 NeutronNetworks.create_and_update_networks:
1253 - args:
1254 network_create_args: {}
1255 network_update_args:
1256 admin_state_up: false
1257 context:
1258 quotas:
1259 neutron:
1260 network: -1
1261 runner:
1262 concurrency: 1
1263 times: 1
1264 type: constant
1265 sla:
1266 failure_rate:
1267 max: 0
1268 NeutronNetworks.create_and_update_ports:
1269 - args:
1270 network_create_args: {}
1271 port_create_args: {}
1272 port_update_args:
1273 admin_state_up: false
1274 device_id: dummy_id
1275 device_owner: dummy_owner
1276 ports_per_network: 5
1277 context:
1278 network: {}
1279 quotas:
1280 neutron:
1281 network: -1
1282 port: -1
1283 runner:
1284 concurrency: 1
1285 times: 1
1286 type: constant
1287 sla:
1288 failure_rate:
1289 max: 0
1290 NeutronNetworks.create_and_update_routers:
1291 - args:
1292 network_create_args: {}
1293 router_create_args: {}
1294 router_update_args:
1295 admin_state_up: false
1296 subnet_cidr_start: 1.1.0.0/30
1297 subnet_create_args: {}
1298 subnets_per_network: 2
1299 context:
1300 network: {}
1301 quotas:
1302 neutron:
1303 network: -1
1304 router: -1
1305 subnet: -1
1306 runner:
1307 concurrency: 1
1308 times: 1
1309 type: constant
1310 sla:
1311 failure_rate:
1312 max: 0
1313 NeutronNetworks.create_and_update_subnets:
1314 - args:
1315 network_create_args: {}
1316 subnet_cidr_start: 1.4.0.0/16
1317 subnet_create_args: {}
1318 subnet_update_args:
1319 enable_dhcp: false
1320 subnets_per_network: 2
1321 context:
1322 network: {}
1323 quotas:
1324 neutron:
1325 network: -1
1326 subnet: -1
1327 runner:
1328 concurrency: 1
1329 times: 1
1330 type: constant
1331 sla:
1332 failure_rate:
1333 max: 0
1334 NeutronNetworks.list_agents:
1335 - args:
1336 agent_args: {}
1337 runner:
1338 concurrency: 1
1339 times: 1
1340 type: constant
1341 sla:
1342 failure_rate:
1343 max: 0
1344 NeutronSecurityGroup.create_and_list_security_groups:
1345 - args:
1346 security_group_create_args: {}
1347 context:
1348 quotas:
1349 neutron:
1350 security_group: -1
1351 runner:
1352 concurrency: 1
1353 times: 1
1354 type: constant
1355 sla:
1356 failure_rate:
1357 max: 0
1358 NeutronSecurityGroup.create_and_update_security_groups:
1359 - args:
1360 security_group_create_args: {}
1361 security_group_update_args: {}
1362 context:
1363 quotas:
1364 neutron:
1365 security_group: -1
1366 runner:
1367 concurrency: 1
1368 times: 1
1369 type: constant
1370 sla:
1371 failure_rate:
1372 max: 0
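# PasteDeploy definition for the neutron API (rendered as api-paste.ini).
# neutron.auth:pipeline_factory picks the `noauth` or `keystone` entry of each
# composite, presumably from the auth_strategy option - confirm against the
# neutron release in use. The /v2.0 `noauth` pipeline carries no authtoken,
# audit or keystonecontext filter, so it must not be the selected pipeline on
# an endpoint that tenants can reach.
paste:
  composite:neutron:
    use: egg:Paste#urlmap
    /: neutronversions_composite
    /v2.0: neutronapi_v2_0
  composite:neutronapi_v2_0:
    use: call:neutron.auth:pipeline_factory
    noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
    # authtoken is listed before audit and keystonecontext; keep that order
    # when inserting filters so nothing runs ahead of token validation.
    keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
  # The version document is served without authtoken in both modes.
  composite:neutronversions_composite:
    use: call:neutron.auth:pipeline_factory
    noauth: cors http_proxy_to_wsgi neutronversions
    keystone: cors http_proxy_to_wsgi neutronversions
  filter:request_id:
    paste.filter_factory: oslo_middleware:RequestId.factory
  filter:catch_errors:
    paste.filter_factory: oslo_middleware:CatchErrors.factory
  filter:cors:
    paste.filter_factory: oslo_middleware.cors:filter_factory
    oslo_config_project: neutron
  filter:http_proxy_to_wsgi:
    paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
  filter:keystonecontext:
    paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
  filter:authtoken:
    paste.filter_factory: keystonemiddleware.auth_token:filter_factory
  filter:audit:
    paste.filter_factory: keystonemiddleware.audit:filter_factory
    audit_map_file: /etc/neutron/api_audit_map.conf
  filter:extensions:
    paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
  app:neutronversions:
    paste.app_factory: neutron.pecan_wsgi.app:versions_factory
  app:neutronapiapp_v2_0:
    paste.app_factory: neutron.api.v2.router:APIRouter.factory
  # Defined but not referenced by either pipeline above.
  filter:osprofiler:
    paste.filter_factory: osprofiler.web:WsgiMiddleware.factory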
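# uWSGI options for the neutron API server process.
neutron_api_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # The request log records the X-Forwarded-For value as the client
    # address. That is only reliable when a fronting proxy sets or strips
    # the header; otherwise treat logged addresses as unverified.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-api:"
    # Requests whose User-Agent starts with kube-probe are left out of the
    # uWSGI log. The header is client-supplied, so keep an access log at the
    # ingress or proxy if request logs are relied on for audit.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-api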
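# uWSGI options for the neutron policy server process.
neutron_policy_server_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # The request log records the X-Forwarded-For value as the client
    # address. That is only reliable when a fronting proxy sets or strips
    # the header; otherwise treat logged addresses as unverified.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-policy-server:"
    # Requests whose User-Agent starts with kube-probe are left out of the
    # uWSGI log. The header is client-supplied, so keep an access log at the
    # ingress or proxy if request logs are relied on for audit.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-policy-server-wsgi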
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001442 policy: {}
1443 api_audit_map:
1444 DEFAULT:
1445 target_endpoint_type: None
1446 custom_actions:
1447 add_router_interface: update/add
1448 remove_router_interface: update/remove
1449 path_keywords:
1450 floatingips: ip
1451 healthmonitors: healthmonitor
1452 health_monitors: health_monitor
1453 lb: None
1454 members: member
1455 metering-labels: label
1456 metering-label-rules: rule
1457 networks: network
1458 pools: pool
1459 ports: port
1460 routers: router
1461 quotas: quota
1462 security-groups: security-group
1463 security-group-rules: rule
1464 subnets: subnet
1465 vips: vip
1466 service_endpoints:
1467 network: service/network
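# sudoers content rendered for the neutron user. Passwordless root is limited
# to the rootwrap entry points with /etc/neutron/rootwrap.conf as the first
# argument. For neutron-rootwrap the trailing `*` accepts any further
# arguments, so what actually runs as root is decided by rootwrap.conf and
# the filter files it loads. Those files, the rootwrap binaries and every
# directory in secure_path need to be writable by root only.
neutron_sudoers: |
  # This sudoers file supports rootwrap for both Kolla and LOCI Images.
  Defaults !requiretty
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf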
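# rootwrap.conf content. Two points to review before production use:
# - use_syslog=False: rootwrap does not log to syslog, so commands executed
#   as root through it leave no syslog trail. If it is enabled,
#   syslog_log_level=ERROR records only unsuccessful attempts; INFO records
#   all usage (per the comments in the file itself).
# - Every directory in filters_path and exec_dirs must be writable by root
#   only in the image, as the file states.
# The [xenapi] values are unset placeholders.
rootwrap: |
  # Configuration for neutron-rootwrap
  # This file should be owned by (and only-writeable by) the root user

  [DEFAULT]
  # List of directories to load filter definitions from (separated by ',').
  # These directories MUST all be only writeable by root !
  filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d

  # List of directories to search executables in, in case filters do not
  # explicitely specify a full path (separated by ',')
  # If not specified, defaults to system PATH environment variable.
  # These directories MUST all be only writeable by root !
  exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

  # Enable logging to syslog
  # Default value is False
  use_syslog=False

  # Which syslog facility to use.
  # Valid values include auth, authpriv, syslog, local0, local1...
  # Default value is 'syslog'
  syslog_log_facility=syslog

  # Which messages to log.
  # INFO means log all usage
  # ERROR means only log unsuccessful attempts
  syslog_log_level=ERROR

  [xenapi]
  # XenAPI configuration is only required by the L2 agent if it is to
  # target a XenServer/XCP compute host's dom0.
  xenapi_connection_url=<None>
  xenapi_connection_username=root
  xenapi_connection_password=<None>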
1509 rootwrap_filters:
1510 debug:
1511 pods:
1512 - dhcp_agent
1513 - l3_agent
1514 - lb_agent
1515 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001516 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001517 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001518 - ovs_agent
1519 - sriov_agent
1520 content: |
1521 # neutron-rootwrap command filters for nodes on which neutron is
1522 # expected to control network
1523 #
1524 # This file should be owned by (and only-writeable by) the root user
1525
1526 # format seems to be
1527 # cmd-name: filter-name, raw-command, user, args
1528
1529 [Filters]
1530
1531 # This is needed because we should ping
1532 # from inside a namespace which requires root
1533 # _alt variants allow to match -c and -w in any order
1534 # (used by NeutronDebugAgent.ping_all)
1535 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
1536 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
1537 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
1538 ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
1539 dibbler:
1540 pods:
1541 - dhcp_agent
1542 - l3_agent
1543 - lb_agent
1544 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001545 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001546 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001547 - ovs_agent
1548 - sriov_agent
1549 content: |
1550 # neutron-rootwrap command filters for nodes on which neutron is
1551 # expected to control network
1552 #
1553 # This file should be owned by (and only-writeable by) the root user
1554
1555 # format seems to be
1556 # cmd-name: filter-name, raw-command, user, args
1557
1558 [Filters]
1559
1560 # Filters for the dibbler-based reference implementation of the pluggable
1561 # Prefix Delegation driver. Other implementations using an alternative agent
1562 # should include a similar filter in this folder.
1563
1564 # prefix_delegation_agent
1565 dibbler-client: CommandFilter, dibbler-client, root
1566 ipset_firewall:
1567 pods:
1568 - dhcp_agent
1569 - l3_agent
1570 - lb_agent
1571 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001572 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001573 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001574 - ovs_agent
1575 - sriov_agent
1576 content: |
1577 # neutron-rootwrap command filters for nodes on which neutron is
1578 # expected to control network
1579 #
1580 # This file should be owned by (and only-writeable by) the root user
1581
1582 # format seems to be
1583 # cmd-name: filter-name, raw-command, user, args
1584
1585 [Filters]
1586 # neutron/agent/linux/iptables_firewall.py
1587 # "ipset", "-A", ...
1588 ipset: CommandFilter, ipset, root
1589 l3:
1590 pods:
1591 - dhcp_agent
1592 - l3_agent
1593 - lb_agent
1594 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001595 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001596 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001597 - ovs_agent
1598 - sriov_agent
1599 content: |
1600 # neutron-rootwrap command filters for nodes on which neutron is
1601 # expected to control network
1602 #
1603 # This file should be owned by (and only-writeable by) the root user
1604
1605 # format seems to be
1606 # cmd-name: filter-name, raw-command, user, args
1607
1608 [Filters]
1609
1610 # arping
1611 arping: CommandFilter, arping, root
1612
1613 # l3_agent
1614 sysctl: CommandFilter, sysctl, root
1615 route: CommandFilter, route, root
1616 radvd: CommandFilter, radvd, root
1617
1618 # haproxy
1619 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
1620 kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
1621
1622 # metadata proxy
1623 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1624 # RHEL invocation of the metadata proxy will report /usr/bin/python
1625 kill_metadata: KillFilter, root, python, -15, -9
1626 kill_metadata2: KillFilter, root, python2, -15, -9
1627 kill_metadata7: KillFilter, root, python2.7, -15, -9
1628 kill_metadata3: KillFilter, root, python3, -15, -9
1629 kill_metadata35: KillFilter, root, python3.5, -15, -9
1630 kill_metadata36: KillFilter, root, python3.6, -15, -9
1631 kill_metadata37: KillFilter, root, python3.7, -15, -9
1632 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
1633 kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
1634
1635 # ip_lib
1636 ip: IpFilter, ip, root
1637 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1638 ip_exec: IpNetnsExecFilter, ip, root
1639
1640 # l3_tc_lib
1641 l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1642 l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
1643 l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
1644 l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
1645 l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
1646 l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
1647 l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
1648
1649 # For ip monitor
1650 kill_ip_monitor: KillFilter, root, ip, -9
1651
1652 # ovs_lib (if OVSInterfaceDriver is used)
1653 ovs-vsctl: CommandFilter, ovs-vsctl, root
1654
1655 # iptables_manager
1656 iptables-save: CommandFilter, iptables-save, root
1657 iptables-restore: CommandFilter, iptables-restore, root
1658 ip6tables-save: CommandFilter, ip6tables-save, root
1659 ip6tables-restore: CommandFilter, ip6tables-restore, root
1660
1661 # Keepalived
1662 keepalived: CommandFilter, keepalived, root
1663 kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
1664
1665 # l3 agent to delete floatingip's conntrack state
1666 conntrack: CommandFilter, conntrack, root
1667
1668 # keepalived state change monitor
1669 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
1670 # The following filters are used to kill the keepalived state change monitor.
1671 # Since the monitor runs as a Python script, the system reports that the
1672 # command of the process to be killed is python.
1673 # TODO(mlavalle) These kill filters will be updated once we come up with a
1674 # mechanism to kill using the name of the script being executed by Python
1675 kill_keepalived_monitor_py: KillFilter, root, python, -15
1676 kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
1677 kill_keepalived_monitor_py3: KillFilter, root, python3, -15
1678 kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
1679 kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
1680 kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
1681 netns_cleanup:
1682 pods:
1683 - dhcp_agent
1684 - l3_agent
1685 - lb_agent
1686 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001687 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001688 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001689 - ovs_agent
1690 - sriov_agent
1691 - netns_cleanup_cron
1692 content: |
1693 # neutron-rootwrap command filters for nodes on which neutron is
1694 # expected to control network
1695 #
1696 # This file should be owned by (and only-writeable by) the root user
1697
1698 # format seems to be
1699 # cmd-name: filter-name, raw-command, user, args
1700
1701 [Filters]
1702
1703 # netns-cleanup
1704 netstat: CommandFilter, netstat, root
1705 dhcp:
1706 pods:
1707 - dhcp_agent
1708 - l3_agent
1709 - lb_agent
1710 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001711 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001712 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001713 - ovs_agent
1714 - sriov_agent
1715 - netns_cleanup_cron
1716 content: |
1717 # neutron-rootwrap command filters for nodes on which neutron is
1718 # expected to control network
1719 #
1720 # This file should be owned by (and only-writeable by) the root user
1721
1722 # format seems to be
1723 # cmd-name: filter-name, raw-command, user, args
1724
1725 [Filters]
1726
1727 # dhcp-agent
1728 dnsmasq: CommandFilter, dnsmasq, root
1729 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
1730 # it looks like these are the only signals needed, per
1731 # neutron/agent/linux/dhcp.py
1732 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
1733 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
1734
1735 ovs-vsctl: CommandFilter, ovs-vsctl, root
1736 ivs-ctl: CommandFilter, ivs-ctl, root
1737 mm-ctl: CommandFilter, mm-ctl, root
1738 dhcp_release: CommandFilter, dhcp_release, root
1739 dhcp_release6: CommandFilter, dhcp_release6, root
1740
1741 # metadata proxy
1742 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1743 # RHEL invocation of the metadata proxy will report /usr/bin/python
1744 kill_metadata: KillFilter, root, python, -9
1745 kill_metadata2: KillFilter, root, python2, -9
1746 kill_metadata7: KillFilter, root, python2.7, -9
1747 kill_metadata3: KillFilter, root, python3, -9
1748 kill_metadata35: KillFilter, root, python3.5, -9
1749 kill_metadata36: KillFilter, root, python3.6, -9
1750 kill_metadata37: KillFilter, root, python3.7, -9
1751
1752 # ip_lib
1753 ip: IpFilter, ip, root
1754 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1755 ip_exec: IpNetnsExecFilter, ip, root
1756 ebtables:
1757 pods:
1758 - dhcp_agent
1759 - l3_agent
1760 - lb_agent
1761 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001762 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001763 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001764 - ovs_agent
1765 - sriov_agent
1766 content: |
1767 # neutron-rootwrap command filters for nodes on which neutron is
1768 # expected to control network
1769 #
1770 # This file should be owned by (and only-writeable by) the root user
1771
1772 # format seems to be
1773 # cmd-name: filter-name, raw-command, user, args
1774
1775 [Filters]
1776
1777 ebtables: CommandFilter, ebtables, root
1778 iptables_firewall:
1779 pods:
1780 - dhcp_agent
1781 - l3_agent
1782 - lb_agent
1783 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001784 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001785 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001786 - ovs_agent
1787 - sriov_agent
1788 content: |
1789 # neutron-rootwrap command filters for nodes on which neutron is
1790 # expected to control network
1791 #
1792 # This file should be owned by (and only-writeable by) the root user
1793
1794 # format seems to be
1795 # cmd-name: filter-name, raw-command, user, args
1796
1797 [Filters]
1798
1799 # neutron/agent/linux/iptables_firewall.py
1800 # "iptables-save", ...
1801 iptables-save: CommandFilter, iptables-save, root
1802 iptables-restore: CommandFilter, iptables-restore, root
1803 ip6tables-save: CommandFilter, ip6tables-save, root
1804 ip6tables-restore: CommandFilter, ip6tables-restore, root
1805
1806 # neutron/agent/linux/iptables_firewall.py
1807 # "iptables", "-A", ...
1808 iptables: CommandFilter, iptables, root
1809 ip6tables: CommandFilter, ip6tables, root
1810
1811 # neutron/agent/linux/iptables_firewall.py
1812 sysctl: CommandFilter, sysctl, root
1813
1814 # neutron/agent/linux/ip_conntrack.py
1815 conntrack: CommandFilter, conntrack, root
1816 linuxbridge_plugin:
1817 pods:
1818 - dhcp_agent
1819 - l3_agent
1820 - lb_agent
1821 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001822 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001823 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001824 - ovs_agent
1825 - sriov_agent
1826 content: |
1827 # neutron-rootwrap command filters for nodes on which neutron is
1828 # expected to control network
1829 #
1830 # This file should be owned by (and only-writeable by) the root user
1831
1832 # format seems to be
1833 # cmd-name: filter-name, raw-command, user, args
1834
1835 [Filters]
1836
1837 # linuxbridge-agent
1838 # unclear whether both variants are necessary, but I'm transliterating
1839 # from the old mechanism
1840 brctl: CommandFilter, brctl, root
1841 bridge: CommandFilter, bridge, root
1842
1843 # ip_lib
1844 ip: IpFilter, ip, root
1845 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1846 ip_exec: IpNetnsExecFilter, ip, root
1847
1848 # tc commands needed for QoS support
1849 tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
1850 tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
1851 tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
1852 tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1853 tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
1854 tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
1855 openvswitch_plugin:
1856 pods:
1857 - dhcp_agent
1858 - l3_agent
1859 - lb_agent
1860 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001861 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001862 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001863 - ovs_agent
1864 - sriov_agent
1865 content: |
1866 # neutron-rootwrap command filters for nodes on which neutron is
1867 # expected to control network
1868 #
1869 # This file should be owned by (and only-writeable by) the root user
1870
1871 # format seems to be
1872 # cmd-name: filter-name, raw-command, user, args
1873
1874 [Filters]
1875
1876 # openvswitch-agent
1877 # unclear whether both variants are necessary, but I'm transliterating
1878 # from the old mechanism
1879 ovs-vsctl: CommandFilter, ovs-vsctl, root
1880 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
1881 ovs-ofctl: CommandFilter, ovs-ofctl, root
1882 ovs-appctl: CommandFilter, ovs-appctl, root
1883 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
1884 ovsdb-client: CommandFilter, ovsdb-client, root
1885 xe: CommandFilter, xe, root
1886
1887 # ip_lib
1888 ip: IpFilter, ip, root
1889 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1890 ip_exec: IpNetnsExecFilter, ip, root
1891
1892 # needed for FDB extension
1893 bridge: CommandFilter, bridge, root
1894 privsep:
1895 pods:
1896 - dhcp_agent
1897 - l3_agent
1898 - lb_agent
1899 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001900 - ovn_metadata_agent
Rico Lin9245bf72024-10-22 01:16:35 +08001901 - ovn_vpn_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001902 - ovs_agent
1903 - sriov_agent
1904 - netns_cleanup_cron
1905 content: |
1906 # Command filters to allow privsep daemon to be started via rootwrap.
1907 #
1908 # This file should be owned by (and only-writeable by) the root user
1909
1910 [Filters]
1911
1912 # By installing the following, the local admin is asserting that:
1913 #
1914 # 1. The python module load path used by privsep-helper
1915 # command as root (as started by sudo/rootwrap) is trusted.
1916 # 2. Any oslo.config files matching the --config-file
1917 # arguments below are trusted.
1918 # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
1919 # also allowed to invoke python "entrypoint" functions from
1920 # --privsep_context with the additional (possibly root) privileges
1921 # configured for that context.
1922 #
1923 # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
1924 #
1925 # In particular, the oslo.config and python module path must not
1926 # be writeable by the unprivileged user.
1927
1928 # oslo.privsep default neutron context
1929 privsep: PathFilter, privsep-helper, root,
1930 --config-file, /etc,
1931 --privsep_context, neutron.privileged.default,
1932 --privsep_sock_path, /
1933
1934 # NOTE: A second `--config-file` arg can also be added above. Since
1935 # many neutron components are installed like that (eg: by devstack).
1936 # Adjust to suit local requirements.
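# Rootwrap filters rendered for the bagpipe_bgp pod only.
# NOTE(review): CommandFilter matches on the command name and places no
# restriction on arguments. `sh: CommandFilter, sh, root` therefore allows a
# root shell through rootwrap, which makes the other filters in this file
# moot for any process able to call rootwrap in that pod. If bagpipe-bgp is
# deployed, prefer RegExpFilter entries for the exact piped commands it needs.
linux_vxlan:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control VXLAN Linux Bridge dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    #
    modprobe: CommandFilter, modprobe, root

    #
    brctl: CommandFilter, brctl, root
    bridge: CommandFilter, bridge, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root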
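# Rootwrap filters rendered for the bagpipe_bgp pod only.
# NOTE(review): CommandFilter matches on the command name and places no
# restriction on arguments. `sh: CommandFilter, sh, root` therefore allows a
# root shell through rootwrap, which makes the other filters in this file
# moot for any process able to call rootwrap in that pod. If bagpipe-bgp is
# deployed, prefer RegExpFilter entries for the exact piped commands it needs.
mpls_ovs_dataplane:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control MPLS OpenVSwitch dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # openvswitch
    ovs-vsctl: CommandFilter, ovs-vsctl, root
    ovs-ofctl: CommandFilter, ovs-ofctl, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root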
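# neutron.conf content: one mapping per oslo.config section.
neutron:
  DEFAULT:
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    log_config_append: /etc/neutron/logging.conf
    # NOTE(portdirect): the bind port should not be defined, and is manipulated
    # via the endpoints section.
    bind_port: null
    default_availability_zones: nova
    api_workers: 1
    rpc_workers: 4
    allow_overlapping_ips: True
    state_path: /var/lib/neutron
    # core_plugin can be: ml2, calico
    core_plugin: ml2
    # service_plugin can be: router, odl-router, empty for calico,
    # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
    service_plugins: router
    allow_automatic_l3agent_failover: True
    l3_ha: True
    max_l3_agents_per_router: 2
    l3_ha_network_type: vxlan
    network_auto_schedule: True
    router_auto_schedule: True
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
  oslo_concurrency:
    lock_path: /var/lib/neutron/tmp
  database:
    max_retries: -1
  agent:
    # Both helpers go through sudo; the binary paths must match an entry in
    # the sudoers content shipped with this chart, and the filter files named
    # by rootwrap.conf define what the agents can run as root.
    root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
  oslo_messaging_notifications:
    driver: messagingv2
  oslo_messaging_rabbit:
    rabbit_ha_queues: true
  oslo_middleware:
    # Forwarded headers are honoured when building request URLs; this is
    # only safe when the API is reachable solely through a proxy that sets
    # or strips those headers.
    enable_proxy_headers_parsing: true
  oslo_policy:
    policy_file: /etc/neutron/policy.yaml
  ovn:
    ovn_metadata_enabled: true
  nova:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  placement:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  designate:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
    allow_reverse_dns_lookup: true
  ironic:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  keystone_authtoken:
    # Service tokens are only accepted from users holding the `service` role.
    service_token_roles: service
    service_token_roles_required: true
    # ENCRYPT needs a memcache_secret_key; none is set in this section -
    # presumably injected by the chart templates, confirm before relying on it.
    memcache_security_strategy: ENCRYPT
    auth_type: password
    auth_version: v3
    service_type: network
  octavia:
    request_poll_timeout: 3000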
2057 logging:
2058 loggers:
2059 keys:
2060 - root
2061 - neutron
2062 - neutron_taas
2063 handlers:
2064 keys:
2065 - stdout
2066 - stderr
2067 - "null"
2068 formatters:
2069 keys:
2070 - context
2071 - default
2072 logger_root:
2073 level: WARNING
2074 handlers: 'null'
2075 logger_neutron:
2076 level: INFO
2077 handlers:
2078 - stdout
2079 qualname: neutron
2080 logger_neutron_taas:
2081 level: INFO
2082 handlers:
2083 - stdout
2084 qualname: neutron_taas
2085 logger_amqp:
2086 level: WARNING
2087 handlers: stderr
2088 qualname: amqp
2089 logger_amqplib:
2090 level: WARNING
2091 handlers: stderr
2092 qualname: amqplib
2093 logger_eventletwsgi:
2094 level: WARNING
2095 handlers: stderr
2096 qualname: eventlet.wsgi.server
2097 logger_sqlalchemy:
2098 level: WARNING
2099 handlers: stderr
2100 qualname: sqlalchemy
2101 logger_boto:
2102 level: WARNING
2103 handlers: stderr
2104 qualname: boto
2105 handler_null:
2106 class: logging.NullHandler
2107 formatter: default
2108 args: ()
2109 handler_stdout:
2110 class: StreamHandler
2111 args: (sys.stdout,)
2112 formatter: context
2113 handler_stderr:
2114 class: StreamHandler
2115 args: (sys.stderr,)
2116 formatter: context
2117 formatter_context:
2118 class: oslo_log.formatters.ContextFormatter
2119 datefmt: "%Y-%m-%d %H:%M:%S"
2120 formatter_default:
2121 format: "%(message)s"
2122 datefmt: "%Y-%m-%d %H:%M:%S"
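# Per-plugin and per-agent configuration files, one mapping per file and
# one nested mapping per ini section.
plugins:
  ml2_conf:
    ml2:
      extension_drivers: port_security
      # (NOTE)portdirect: if unset this is populated dynamically from the value
      # in 'network.backend' to sane defaults.
      mechanism_drivers: null
      type_drivers: flat,vlan,vxlan,local
      tenant_network_types: vxlan
    ml2_type_vxlan:
      vni_ranges: 1:1000
      vxlan_group: 239.1.1.1
    ml2_type_flat:
      # "*" accepts flat networks on any physical_network name. List the
      # intended physnets explicitly where provider network creation should
      # be constrained.
      flat_networks: "*"
    # If you want to use the external network as a tagged provider network,
    # a range should be specified including the intended VLAN target
    # using ml2_type_vlan.network_vlan_ranges:
    # ml2_type_vlan:
    #   network_vlan_ranges: "external:1100:1110"
    ml2_type_geneve:
      vni_ranges: 1:65536
      max_header_size: 38
    agent:
      extensions: ""
  ml2_conf_sriov: null
  taas:
    taas:
      enabled: False
  openvswitch_agent:
    agent:
      tunnel_types: vxlan
      l2_population: True
      arp_responder: True
    ovs:
      bridge_mappings: "external:br-ex"
    securitygroup:
      firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  linuxbridge_agent:
    linux_bridge:
      # To define Flat and VLAN connections, in LB we can assign
      # specific interface to the flat/vlan network name using:
      # physical_interface_mappings: "external:eth3"
      # Or we can set the mapping between the network and bridge:
      bridge_mappings: "external:br-ex"
      # The two above options are exclusive, do not use both of them at once
    securitygroup:
      firewall_driver: iptables
    vxlan:
      l2_population: True
      arp_responder: True
  macvtap_agent: null
  sriov_agent:
    securitygroup:
      # NoopFirewallDriver: the SR-IOV agent applies no security group
      # filtering, so ports on these devices rely on other controls.
      firewall_driver: neutron.agent.firewall.NoopFirewallDriver
    sriov_nic:
      physical_device_mappings: physnet2:enp3s0f1
      # NOTE: do not use null here, use an empty string
      exclude_devices: ""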
  # Options for the DHCP agent.
  dhcp_agent:
    DEFAULT:
      # (NOTE)portdirect: if unset this is populated dynamically from the value in
      # 'network.backend' to sane defaults.
      interface_driver: null
      # Presumably the path where the `dnsmasq` block below is mounted; confirm
      # against the chart templates.
      dnsmasq_config_file: /etc/neutron/dnsmasq.conf
      force_metadata: True
  # Literal text for a dnsmasq configuration file. Every line of the default is
  # commented out, so the default adds no dnsmasq options; uncomment and edit
  # the lines that are needed.
  dnsmasq: |
    #no-hosts
    #port=5353
    #cache-size=500
    #no-negcache
    #dns-forward-max=100
    #resolve-file=
    #strict-order
    #bind-interface
    #bind-dynamic
    #domain=
    #dhcp-range=10.10.10.10,10.10.10.100,24h
    #dhcp-lease-max=150
    #dhcp-host=11:22:33:44:55:66,ignore
    #dhcp-option=3,10.10.10.1
    #dhcp-option-force=26,1450
  neutron_vpnaas: null
  # Options for the OVN VPN agent (its daemonset is off by default, see
  # manifests.daemonset_ovn_vpn_agent).
  ovn_vpn_agent:
    DEFAULT:
      interface_driver: openvswitch
    vpnagent:
      vpn_device_driver: neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver
    ovs:
      # local OVSDB reached over a unix socket, not a TCP listener
      ovsdb_connection: unix:/run/openvswitch/db.sock
  # Options for the L3 agent.
  l3_agent:
    DEFAULT:
      # (NOTE)portdirect: if unset this is populated dynamically from the value in
      # 'network.backend' to sane defaults.
      interface_driver: null
      agent_mode: legacy
  metering_agent: null
  # Options for the metadata agent.
  metadata_agent:
    DEFAULT:
      # we cannot change the proxy socket path as it is declared
      # as a hostPath volume from agent daemonsets
      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
      # NOTE(review): "password" is a placeholder default. Override it with a
      # unique random value per deployment and keep that value out of version
      # control. The metadata proxy and the compute metadata API presumably
      # have to share the same value - confirm against the nova chart. The
      # same default appears under ovn_metadata_agent.
      metadata_proxy_shared_secret: "password"
    cache:
      enabled: true
      backend: dogpile.cache.memcached
  bagpipe_bgp: {}
  # Options for the OVN metadata agent (its daemonset is off by default, see
  # manifests.daemonset_ovn_metadata_agent).
  ovn_metadata_agent:
    DEFAULT:
      # we cannot change the proxy socket path as it is declared
      # as a hostPath volume from agent daemonsets
      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
      # NOTE(review): "password" is a placeholder default. Override it with a
      # unique random value per deployment and keep that value out of version
      # control. The same default appears under metadata_agent.
      metadata_proxy_shared_secret: "password"
      metadata_workers: 2
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    ovs:
      # local OVSDB reached over a unix socket, not a TCP listener
      ovsdb_connection: unix:/run/openvswitch/db.sock
  bgp_dragent: {}
  rabbitmq:
    # NOTE(rk760n): adding rmq policy to mirror messages from notification
    # queues and set expiration time for the ones
    policies:
      - vhost: "neutron"
        name: "ha_ttl_neutron"
        definition:
          # mirror messages to other nodes in rmq cluster
          ha-mode: "all"
          ha-sync-mode: "automatic"
          # 70s
          message-ttl: 70000
        priority: 0
        apply-to: all
        # matches every name except those starting with "amq." or "reply_"
        pattern: '^(?!(amq\.|reply_)).*'
  ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
  ## This helps prevent sriov init script from failing due to mis-matched NIC
  ## For prod env, target NIC should match and init script should fail otherwise.
  ## sriov_init:
  ##   - besteffort
  # The default is a list holding a single empty entry, i.e. "besteffort" is
  # not set.
  sriov_init:
    -
  # auto_bridge_add is a table of "bridge: interface" pairs
  # To automatically add physical interfaces to specific bridges,
  # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
  # to br1 do something like:
  #
  # auto_bridge_add:
  #   br-physnet1: eth3
  #   br0: if0
  #   br1: iface_two
  # br-ex will be added by default
  auto_bridge_add:
    br-ex: null
  # Network off-loading configuration
  netoffload:
    enabled: false
    # No devices are listed by default; the commented entry shows the expected
    # shape (device name and number of VFs).
    asap2:
      # - dev: enp97s0f0
      #   vfs: 16
  # configuration of OVS DPDK bridges and NICs
  # this is a separate section and not part of the auto_bridge_add section
  # because additional parameters are needed
  ovs_dpdk:
    enabled: false
    # setting update_dpdk_bond_config to true will have default behavior,
    # which may cause disruptions in ovs dpdk traffic in case of neutron
    # ovs agent restart or when dpdk nic/bond configurations are changed.
    # Setting this to false will configure dpdk in the first run and
    # disable nic/bond config on event of restart or config update.
    update_dpdk_bond_config: true
    # NOTE(review): uio_pci_generic does not use the IOMMU, so device DMA is
    # not isolated from host memory. Where the platform supports it, vfio-pci
    # is the usual choice - confirm the chart's init script accepts it.
    driver: uio_pci_generic
    # In case bonds are configured, the nics which are part of those bonds
    # must NOT be provided here.
    nics:
      - name: dpdk0
        pci_id: '0000:05:00.0'
        # Set VF Index in case some particular VF(s) need to be
        # used with ovs-dpdk.
        # vf_index: 0
        bridge: br-phy
        migrate_ip: true
        n_rxq: 2
        n_txq: 2
        pmd_rxq_affinity: "0:3,1:27"
        ofport_request: 1
        # optional parameters for tuning the OVS DPDK config
        # in alignment with the available hardware resources
        # mtu: 2000
        # n_rxq_size: 1024
        # n_txq_size: 1024
        # vhost-iommu-support: true
    bridges:
      - name: br-phy
      # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
      # - tunnel_underlay_vlan: 45
    # Optional parameter for configuring bonding in OVS-DPDK
    #   - name: br-phy-bond0
    # bonds:
    #   - name: dpdkbond0
    #     bridge: br-phy-bond0
    #     # The IP from the first nic in nics list shall be used
    #     migrate_ip: true
    #     mtu: 2000
    #     # Please note that n_rxq is set for each NIC individually
    #     # rather than denoting the total number of rx queues for
    #     # the bond as a whole. So setting n_rxq = 2 below for ex.
    #     # would be 4 rx queues in total for the bond.
    #     # Same for n_txq
    #     n_rxq: 2
    #     n_txq: 2
    #     ofport_request: 1
    #     n_rxq_size: 1024
    #     n_txq_size: 1024
    #     vhost-iommu-support: true
    #     ovs_options: "bond_mode=active-backup"
    #     nics:
    #       - name: dpdk_b0s0
    #         pci_id: '0000:06:00.0'
    #         pmd_rxq_affinity: "0:3,1:27"
    #         # Set VF Index in case some particular VF(s) need to be
    #         # used with ovs-dpdk. In which case pci_id of PF must be
    #         # provided above.
    #         # vf_index: 0
    #       - name: dpdk_b0s1
    #         pci_id: '0000:07:00.0'
    #         pmd_rxq_affinity: "0:3,1:27"
    #         # Set VF Index in case some particular VF(s) need to be
    #         # used with ovs-dpdk. In which case pci_id of PF must be
    #         # provided above.
    #         # vf_index: 0
    #
    # Set the log level for each target module (default level is always dbg)
    # Supported log levels are: off, emer, err, warn, info, dbg
    #
    # modules:
    #   - name: dpdk
    #     log_level: info
# Names of secrets used by bootstrap and environmental checks
# (object names only; no secret material is stored in this section)
secrets:
  identity:
    admin: neutron-keystone-admin
    neutron: neutron-keystone-user
    test: neutron-keystone-test
  oslo_db:
    admin: neutron-db-admin
    neutron: neutron-db-user
  oslo_messaging:
    admin: neutron-rabbitmq-admin
    neutron: neutron-rabbitmq-user
  tls:
    compute_metadata:
      metadata:
        internal: metadata-tls-metadata
    network:
      server:
        public: neutron-tls-public
        internal: neutron-tls-server
  oci_image_registry:
    neutron: neutron-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# NOTE(review): every `password: password` in this section is a placeholder
# default, and the HTTP service endpoints default to scheme http. Override the
# credentials per environment (from a values file kept out of version control
# or from a secret store) and review the schemes together with the top-level
# `tls` switches before deploying.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      neutron:
        username: neutron
        # placeholder; only relevant once auth.enabled is true
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # Database administrator account (root); placeholder password.
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      # Message-bus administrator account; placeholder password.
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: "/v2.1/%(tenant_id)s"
    scheme:
      default: 'http'
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    auth:
      # Identity administrator account; placeholder password.
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        # the service user is given both the admin and the service role
        role: admin,service
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      test:
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project will be purged and reset if
        # conf.rally_tests.force_project_purge is set to true
        # which may be required upon test failure, but be aware that this will
        # expunge all openstack objects, so if this is used a separate project
        # should be used for each helm test, and also it should be ensured
        # that this project is not in use by other tenants
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    scheme:
      default: 'http'
      service: 'http'
    port:
      api:
        default: 9696
        public: 80
        service: 9696
      policy_server:
        default: 9697
        public: 80
        service: 9697
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: 'http'
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    # NOTE(review): each list holds one empty rule ({}). In a Kubernetes
    # NetworkPolicy an empty rule matches every peer and port, so these
    # defaults would not restrict traffic even once manifests.network_policy
    # is enabled (it is false by default) - confirm how the chart template
    # consumes them and replace them with explicit rules.
    ingress:
      - {}
    egress:
      - {}
helm3_hook: true

# Log level used by the health probe.
health_probe:
  logging:
    level: ERROR
# Per-backend TLS switches; all are off by default, and
# manifests.certificates is false as well.
# NOTE(review): presumably these gate TLS for the connections to the identity
# service, the message bus and the database - confirm in the chart templates,
# and enable them wherever that traffic crosses an untrusted network.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
# Per-manifest on/off switches (presumably each key gates rendering of the
# chart template of the same name - confirm against the templates).
manifests:
  # off by default, like the top-level `tls` switches
  certificates: false
  configmap_bin: true
  configmap_etc: true
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  daemonset_ovn_metadata_agent: false
  daemonset_ovn_vpn_agent: false
  deployment_ironic_agent: false
  deployment_server: true
  deployment_rpc_server: true
  ingress_server: true
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  pod_rally_test: true
  # off by default; see the top-level `network_policy` section for the rules
  # that would be used
  network_policy: false
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_server: true
  service_server: true
2755...