# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
# Unset by default.
# NOTE(review): presumably an optional override for the release name the
# templates use when labelling/grouping resources - confirm in the templates.
release_group: null
20
# Container images used by every job, agent and server in this chart.
#
# Supply-chain note: every reference below is a tag, none is pinned by digest
# (image@sha256:...), so what actually runs is whatever the registry serves
# for that tag at pull time. Deployments that need reproducible, verifiable
# images should override these values with digest-pinned references.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    # `latest` is a moving tag. Assuming pull_policy below is rendered as the
    # containers' imagePullPolicy, IfNotPresent means each node keeps whichever
    # build it pulled first, so nodes can run different code under one name.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    neutron_db_sync: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    # Only image here from ghcr.io/vexxhost; pod.security_context runs the
    # netoffload container privileged as UID 0, so its provenance matters.
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_policy_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_rpc_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_dhcp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l3: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l2gw: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    # The two SR-IOV tags name a stein / 18.04 build while every other neutron
    # image is 2024.1-ubuntu_jammy. NOTE(review): confirm this older image is
    # still intended and still receives security fixes; both containers are
    # privileged per pod.security_context.
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent_init: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    # NOTE(review): markedly older than the rest of the set; confirm it is
    # still maintained before enabling the local registry sync.
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    # Disabled by default.
    # NOTE(review): `exclude` presumably lists the images that are never
    # redirected to the local registry - confirm against the templates.
    active: false
    exclude:
      - dep_check
      - image_repo_sync
59
# Node-selector key/value pairs, one pair per workload.
# NOTE(review): presumably rendered into each pod's nodeSelector - confirm.
# These labels decide which nodes receive the privileged agent pods defined
# under pod.security_context, so who may label nodes is part of the trust
# boundary.
labels:
  agent:
    dhcp:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l3:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    metadata:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l2gw:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  lb:
    node_selector_key: linuxbridge
    node_selector_value: enabled
  # openvswitch is a special case, requiring a special
  # label that can apply to both control hosts
  # and compute hosts, until we get more sophisticated
  # with our daemonset scheduling
  ovs:
    node_selector_key: openvswitch
    node_selector_value: enabled
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  bgp_dragent:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  rpc_server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  netns_cleanup_cron:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
111
# Network wiring for the agents and exposure of the neutron API server.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # Review note: with this on, namespaces created by the agents are visible
  # to the host (and the reverse), so the agent containers are not isolated
  # from the node's network state.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # "0/0" matches every route, so the fallback presumably lands on the
    # default-route interface (TODO confirm). Set `tunnel` or a specific CIDR
    # when tenant tunnel traffic must stay on a dedicated network.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): presumably creates an ingress for the public endpoint;
      # the API is then reachable through the ingress classes named below.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      # Off by default; enabling it exposes the API on `port` of every node.
      enabled: false
      port: 30096
151
# Optional bootstrap job; disabled by default.
# NOTE(review): `ks_user` presumably selects the Keystone identity the script
# runs as - confirm in the bootstrap job template.
# `openstack token issue` prints the issued token, so with the job enabled the
# token id would end up in the job's log output; limit who can read those logs.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue
157
# Start-up ordering: for each workload, the jobs, services and co-located pods
# that must exist first.
# NOTE(review): presumably consumed by the dep_check (kubernetes-entrypoint)
# init container named under images.tags - confirm against the templates.
dependencies:
  # `dynamic` entries apply conditionally: `common` for the local image
  # registry, `targeted` per network backend.
  dynamic:
    common:
      local_image_registry:
        jobs:
          - neutron-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    targeted:
      sriov: {}
      l2gateway: {}
      bagpipe_bgp: {}
      ovn:
        server:
          pod: null
      bgp_dragent: {}
      openvswitch:
        # With the openvswitch backend, dhcp/l3/metadata agents wait for a
        # neutron-ovs-agent pod on the same node.
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        # Same pattern for linuxbridge, keyed on neutron-lb-agent.
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        lb_agent:
          pod: null
  # `static` entries always apply.
  static:
    bootstrap:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - neutron-db-init
      services:
        - endpoint: internal
          service: oslo_db
    dhcp:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    ks_endpoints:
      jobs:
        - neutron-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
    l3:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    lb_agent:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    metadata:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
        # Only dependency in this file that uses the `public` endpoint;
        # ovn_metadata below uses `internal` for the same service.
        # NOTE(review): confirm the difference is intended.
        - endpoint: public
          service: compute_metadata
    ovn_metadata:
      pod:
        - requireSameNode: true
          labels:
            application: ovn
            component: ovn-controller
      services:
        - endpoint: internal
          service: compute_metadata
        - endpoint: internal
          service: network
    ovs_agent:
      jobs:
        - neutron-rabbit-init
      pod:
        - requireSameNode: true
          labels:
            application: openvswitch
            component: server
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    server:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    rpc_server:
      jobs:
        - neutron-db-sync
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    ironic_agent:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    tests:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
375
# Pod-level settings for every neutron workload: scheduling classes, probes,
# security contexts, affinity, tolerations, extra mounts, replica counts,
# upgrade behaviour and resource requests/limits.
pod:
  # All null: no priority class is assigned by default.
  priorityClassName:
    neutron_bagpipe_bgp: null
    neutron_bgp_dragent: null
    neutron_dhcp_agent: null
    neutron_l2gw_agent: null
    neutron_l3_agent: null
    neutron_lb_agent: null
    neutron_metadata_agent: null
    neutron_netns_cleanup_cron: null
    neutron_ovn_vpn_agent: null
    neutron_ovn_metadata_agent: null
    neutron_ovs_agent: null
    neutron_sriov_agent: null
    neutron_ironic_agent: null
    neutron_rpc_server: null
    neutron_server: null
    neutron_tests: null
    db_sync: null
  # All null: no runtime class (e.g. a sandboxed runtime) is selected by
  # default.
  runtimeClassName:
    neutron_bagpipe_bgp: null
    neutron_bgp_dragent: null
    neutron_dhcp_agent: null
    neutron_l2gw_agent: null
    neutron_l3_agent: null
    neutron_lb_agent: null
    neutron_metadata_agent: null
    neutron_netns_cleanup_cron: null
    neutron_ovn_vpn_agent: null
    neutron_ovn_metadata_agent: null
    neutron_ovs_agent: null
    neutron_sriov_agent: null
    neutron_ironic_agent: null
    neutron_rpc_server: null
    neutron_server: null
    neutron_tests: null
    db_sync: null
  sidecars:
    neutron_policy_server: false
  use_fqdn:
    neutron_agent: true
  # Readiness/liveness probe switches and timing overrides, keyed
  # <component>.<container>. A bare `params:` parses as null, not as {}.
  probes:
    rpc_timeout: 60
    rpc_retries: 2
    dhcp_agent:
      dhcp_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    l3_agent:
      l3_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    lb_agent:
      lb_agent:
        readiness:
          enabled: true
    metadata_agent:
      metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovn_metadata_agent:
      ovn_metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovs_agent:
      ovs_agent:
        readiness:
          enabled: true
          params:
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    sriov_agent:
      sriov_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
    bagpipe_bgp:
      bagpipe_bgp:
        readiness:
          enabled: true
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    bgp_dragent:
      bgp_dragent:
        readiness:
          enabled: false
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    l2gw_agent:
      l2gw_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 65
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 90
            timeoutSeconds: 70
    server:
      server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
    rpc_server:
      rpc_server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
  # Security contexts per workload: `pod` values at pod level, `container`
  # values per container name (assumed to be rendered into securityContext by
  # the templates - confirm).
  #
  # Review summary of what these defaults grant:
  #   - privileged: true on the dhcp, l2gw, bagpipe_bgp, bgp_dragent, l3, lb,
  #     ovs, sriov and netns_cleanup_cron agent containers and on several init
  #     containers. A privileged container is not confined by the usual
  #     capability/device restrictions, and readOnlyRootFilesystem on the same
  #     container does not change that; plan node placement, image provenance
  #     and runtime monitoring for these pods accordingly.
  #   - Only the server, policy-server, rpc-server and ironic-agent containers
  #     set allowPrivilegeEscalation: false.
  #   - No entry here drops capabilities or sets a seccomp profile.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with SYS_MODULE (kernel module loading) and SYS_CHROOT
        # added; not marked privileged.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        # Only the init container is listed; the main metadata agent container
        # has no container-level settings in this file.
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        # Only the init container is listed, as for neutron_metadata_agent.
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with SYS_MODULE (kernel module loading) and SYS_CHROOT
        # added; not marked privileged.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        # Privileged root container; its image is images.tags.netoffload.
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # Unlike its two siblings, nginx runs as UID 0 with a writable root
        # filesystem and without allowPrivilegeEscalation: false.
        # NOTE(review): check whether it can be brought in line with them.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        neutron_policy_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_rpc_server:
      pod:
        runAsUser: 42424
      container:
        neutron_rpc_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # Privileged, root and writable root filesystem; the other privileged
        # init containers in this file keep the root filesystem read-only.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
  # Anti-affinity is a scheduling preference (weight 10), not a requirement.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Disabled by default; when enabled the pods tolerate the master and
  # control-plane NoSchedule taints listed here.
  tolerations:
    neutron:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volumes/volumeMounts per workload. Bare `volumeMounts:` and
  # `volumes:` parse as null. Anything added here for a privileged agent is
  # mounted into a container that already has host-level access.
  mounts:
    neutron_server:
      init_container: null
      neutron_server:
        volumeMounts:
        volumes:
    neutron_rpc_server:
      init_container: null
      neutron_rpc_server:
        volumeMounts:
        volumes:
    neutron_dhcp_agent:
      init_container: null
      neutron_dhcp_agent:
        volumeMounts:
        volumes:
    neutron_l3_agent:
      init_container: null
      neutron_l3_agent:
        volumeMounts:
        volumes:
    neutron_lb_agent:
      init_container: null
      neutron_lb_agent:
        volumeMounts:
        volumes:
    neutron_metadata_agent:
      init_container: null
      neutron_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovn_metadata_agent:
      init_container: null
      neutron_ovn_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovs_agent:
      init_container: null
      neutron_ovs_agent:
        volumeMounts:
        volumes:
    neutron_sriov_agent:
      init_container: null
      neutron_sriov_agent:
        volumeMounts:
        volumes:
    neutron_l2gw_agent:
      init_container: null
      neutron_l2gw_agent:
        volumeMounts:
        volumes:
    bagpipe_bgp:
      init_container: null
      bagpipe_bgp:
        volumeMounts:
        volumes:
    bgp_dragent:
      init_container: null
      bgp_dragent:
        volumeMounts:
        volumes:
    neutron_ironic_agent:
      init_container: null
      neutron_ironic_agent:
        volumeMounts:
        volumes:
    neutron_netns_cleanup_cron:
      init_container: null
      neutron_netns_cleanup_cron:
        volumeMounts:
        volumes:
    neutron_tests:
      init_container: null
      neutron_tests:
        volumeMounts:
        volumes:
    neutron_bootstrap:
      init_container: null
      neutron_bootstrap:
        volumeMounts:
        volumes:
    neutron_db_sync:
      neutron_db_sync:
        # Mounts ml2_conf.ini read-only from the db-sync-conf volume.
        volumeMounts:
          - name: db-sync-conf
            mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
            subPath: ml2_conf.ini
            readOnly: true
        volumes:
  replicas:
    server: 1
    rpc_server: 1
    ironic_agent: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        dhcp_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        l3_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        lb_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovn_metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovs_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        sriov_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        netns_cleanup_cron:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
    disruption_budget:
      server:
        # 0 means the budget keeps no server pod available during voluntary
        # disruptions; with replicas.server at 1 a drain can take the API down.
        min_available: 0
    termination_grace_period:
      server:
        timeout: 30
      rpc_server:
        timeout: 30
      ironic_agent:
        timeout: 30
  # Requests/limits per workload.
  # NOTE(review): with `enabled: false` the values below are presumably not
  # rendered, leaving the pods without CPU/memory limits by default - confirm,
  # and enable in environments where one workload must not starve a node.
  resources:
    enabled: false
    agent:
      dhcp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l3:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      lb:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovn_metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovs:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      sriov:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l2gw:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bagpipe_bgp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bgp_dragent:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    neutron_policy_server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "500m"
    ironic_agent:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    netns_cleanup_cron:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
1031
1032conf:
1033 rally_tests:
1034 force_project_purge: false
1035 run_tempest: false
1036 clean_up: |
1037 # NOTE: We will make the best effort to clean up rally generated networks and routers,
1038 # but should not block further automated deployment.
1039 set +e
1040 PATTERN="^[sc]_rally_"
1041
1042 ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1043 NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1044
1045 for ROUTER in $ROUTERS
1046 do
1047 openstack router unset --external-gateway $ROUTER
1048 openstack router set --disable --no-ha $ROUTER
1049
1050 SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
1051 for SUBN in $SUBNS
1052 do
1053 openstack router remove subnet $ROUTER $SUBN
1054 done
1055
1056 for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
1057 do
1058 openstack router remove port $ROUTER $PORT
1059 done
1060
1061 openstack router delete $ROUTER
1062 done
1063
1064 for NETWORK in $NETWORKS
1065 do
1066 for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
1067 do
1068 openstack port delete $PORT
1069 done
1070 openstack network delete $NETWORK
1071 done
1072 set -e
1073 tests:
1074 NeutronNetworks.create_and_delete_networks:
1075 - args:
1076 network_create_args: {}
1077 context:
1078 quotas:
1079 neutron:
1080 network: -1
1081 runner:
1082 concurrency: 1
1083 times: 1
1084 type: constant
1085 sla:
1086 failure_rate:
1087 max: 0
1088 NeutronNetworks.create_and_delete_ports:
1089 - args:
1090 network_create_args: {}
1091 port_create_args: {}
1092 ports_per_network: 10
1093 context:
1094 network: {}
1095 quotas:
1096 neutron:
1097 network: -1
1098 port: -1
1099 runner:
1100 concurrency: 1
1101 times: 1
1102 type: constant
1103 sla:
1104 failure_rate:
1105 max: 0
1106 NeutronNetworks.create_and_delete_routers:
1107 - args:
1108 network_create_args: {}
1109 router_create_args: {}
1110 subnet_cidr_start: 1.1.0.0/30
1111 subnet_create_args: {}
1112 subnets_per_network: 2
1113 context:
1114 network: {}
1115 quotas:
1116 neutron:
1117 network: -1
1118 router: -1
1119 subnet: -1
1120 runner:
1121 concurrency: 1
1122 times: 1
1123 type: constant
1124 sla:
1125 failure_rate:
1126 max: 0
1127 NeutronNetworks.create_and_delete_subnets:
1128 - args:
1129 network_create_args: {}
1130 subnet_cidr_start: 1.1.0.0/30
1131 subnet_create_args: {}
1132 subnets_per_network: 2
1133 context:
1134 network: {}
1135 quotas:
1136 neutron:
1137 network: -1
1138 subnet: -1
1139 runner:
1140 concurrency: 1
1141 times: 1
1142 type: constant
1143 sla:
1144 failure_rate:
1145 max: 0
1146 NeutronNetworks.create_and_list_routers:
1147 - args:
1148 network_create_args: {}
1149 router_create_args: {}
1150 subnet_cidr_start: 1.1.0.0/30
1151 subnet_create_args: {}
1152 subnets_per_network: 2
1153 context:
1154 network: {}
1155 quotas:
1156 neutron:
1157 network: -1
1158 router: -1
1159 subnet: -1
1160 runner:
1161 concurrency: 1
1162 times: 1
1163 type: constant
1164 sla:
1165 failure_rate:
1166 max: 0
1167 NeutronNetworks.create_and_list_subnets:
1168 - args:
1169 network_create_args: {}
1170 subnet_cidr_start: 1.1.0.0/30
1171 subnet_create_args: {}
1172 subnets_per_network: 2
1173 context:
1174 network: {}
1175 quotas:
1176 neutron:
1177 network: -1
1178 subnet: -1
1179 runner:
1180 concurrency: 1
1181 times: 1
1182 type: constant
1183 sla:
1184 failure_rate:
1185 max: 0
# Rally scenarios, one mapping key per scenario. Every entry runs a single
# iteration (`times: 1`, `concurrency: 1`) and its SLA tolerates no failed
# iteration (`failure_rate.max: 0`).
# A quota of -1 removes the limit on that resource for the scenario's
# tenants, so these contexts belong on disposable test projects only.
NeutronNetworks.create_and_show_network:
  - args:
      network_create_args: {}
    context:
      quotas:
        neutron:
          network: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
NeutronNetworks.create_and_update_networks:
  - args:
      network_create_args: {}
      network_update_args:
        admin_state_up: false
    context:
      quotas:
        neutron:
          network: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
NeutronNetworks.create_and_update_ports:
  - args:
      network_create_args: {}
      port_create_args: {}
      port_update_args:
        admin_state_up: false
        device_id: dummy_id
        device_owner: dummy_owner
      ports_per_network: 5
    context:
      network: {}
      quotas:
        neutron:
          network: -1
          port: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
NeutronNetworks.create_and_update_routers:
  - args:
      network_create_args: {}
      router_create_args: {}
      router_update_args:
        admin_state_up: false
      # NOTE(review): 1.1.0.0/30 is a publicly routable prefix; a private or
      # documentation range avoids shadowing real destinations if a test
      # subnet is ever routed.
      subnet_cidr_start: 1.1.0.0/30
      subnet_create_args: {}
      subnets_per_network: 2
    context:
      network: {}
      quotas:
        neutron:
          network: -1
          router: -1
          subnet: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
NeutronNetworks.create_and_update_subnets:
  - args:
      network_create_args: {}
      # NOTE(review): 1.4.0.0/16 is a publicly routable prefix; see the
      # caveat on routed test subnets before reusing it elsewhere.
      subnet_cidr_start: 1.4.0.0/16
      subnet_create_args: {}
      subnet_update_args:
        enable_dhcp: false
      subnets_per_network: 2
    context:
      network: {}
      quotas:
        neutron:
          network: -1
          subnet: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
# Read-only scenario: no quota or network context is requested.
NeutronNetworks.list_agents:
  - args:
      agent_args: {}
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
NeutronSecurityGroup.create_and_list_security_groups:
  - args:
      security_group_create_args: {}
    context:
      quotas:
        neutron:
          security_group: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
NeutronSecurityGroup.create_and_update_security_groups:
  - args:
      security_group_create_args: {}
      security_group_update_args: {}
    context:
      quotas:
        neutron:
          security_group: -1
    runner:
      concurrency: 1
      times: 1
      type: constant
    sla:
      failure_rate:
        max: 0
# Paste Deploy definitions for the neutron API. Each key is one INI-style
# section: "composite:" routes and pipelines, "filter:" middleware, "app:"
# WSGI applications.
paste:
  composite:neutron:
    use: egg:Paste#urlmap
    /: neutronversions_composite
    /v2.0: neutronapi_v2_0
  composite:neutronapi_v2_0:
    use: call:neutron.auth:pipeline_factory
    # `noauth` has no authtoken, audit or keystonecontext filter, so a
    # deployment that selects it serves /v2.0 without authenticating callers.
    # NOTE(review): the factory is expected to pick the pipeline named by
    # neutron's auth_strategy option; confirm it stays `keystone` outside of
    # isolated labs.
    noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
    # authtoken validates the token, audit emits a record, keystonecontext
    # builds the request context, in that order.
    keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
  composite:neutronversions_composite:
    use: call:neutron.auth:pipeline_factory
    # Both pipelines are identical and carry no authentication filter.
    noauth: cors http_proxy_to_wsgi neutronversions
    keystone: cors http_proxy_to_wsgi neutronversions
  filter:request_id:
    paste.filter_factory: oslo_middleware:RequestId.factory
  filter:catch_errors:
    paste.filter_factory: oslo_middleware:CatchErrors.factory
  filter:cors:
    paste.filter_factory: oslo_middleware.cors:filter_factory
    oslo_config_project: neutron
  # Rewrites the request environment from proxy-supplied forwarding headers;
  # only meaningful when every request arrives through a trusted proxy.
  filter:http_proxy_to_wsgi:
    paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
  filter:keystonecontext:
    paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
  filter:authtoken:
    paste.filter_factory: keystonemiddleware.auth_token:filter_factory
  filter:audit:
    paste.filter_factory: keystonemiddleware.audit:filter_factory
    audit_map_file: /etc/neutron/api_audit_map.conf
  filter:extensions:
    paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
  app:neutronversions:
    paste.app_factory: neutron.pecan_wsgi.app:versions_factory
  app:neutronapiapp_v2_0:
    paste.app_factory: neutron.api.v2.router:APIRouter.factory
  # Defined but not referenced by any pipeline above.
  filter:osprofiler:
    paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
# uWSGI options for the neutron API process.
neutron_api_uwsgi:
  uwsgi:
    add-header: 'Connection: close'
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # The access log records the X-Forwarded-For value. That header is
    # client-supplied unless a trusted proxy in front overwrites it, so treat
    # logged addresses accordingly when investigating.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: 'neutron-api:'
    # Requests whose User-Agent starts with "kube-probe" are not logged. The
    # header is client-controlled, so keep complete request logs at the
    # ingress/proxy tier.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-api
# uWSGI options for the neutron policy server process.
neutron_policy_server_uwsgi:
  uwsgi:
    add-header: 'Connection: close'
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # The access log records the X-Forwarded-For value. That header is
    # client-supplied unless a trusted proxy in front overwrites it.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: 'neutron-policy-server:'
    # Requests whose User-Agent starts with "kube-probe" are not logged. The
    # header is client-controlled, so keep complete request logs at the
    # ingress/proxy tier.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-policy-server-wsgi
# Empty mapping: no policy rule is overridden from here.
policy: {}
# Mapping used by the audit middleware to turn API paths into audit targets.
# Presumably rendered to the audit_map_file named in the paste `filter:audit`
# section; confirm against the chart templates.
api_audit_map:
  DEFAULT:
    # The literal string "None", not a YAML null.
    target_endpoint_type: 'None'
  custom_actions:
    add_router_interface: update/add
    remove_router_interface: update/remove
  path_keywords:
    floatingips: ip
    healthmonitors: healthmonitor
    health_monitors: health_monitor
    # The literal string "None", not a YAML null.
    lb: 'None'
    members: member
    metering-labels: label
    metering-label-rules: rule
    networks: network
    pools: pool
    ports: port
    routers: router
    quotas: quota
    security-groups: security-group
    security-group-rules: rule
    subnets: subnet
    vips: vip
  service_endpoints:
    network: service/network
# sudoers fragment for the `neutron` user.
# The first rule lets neutron run neutron-rootwrap as root, without a
# password and with any arguments (`*`), so the effective allow-list is the
# rootwrap filter set. rootwrap.conf, the filter directories and every
# secure_path entry must therefore be writable by root only.
# The second rule covers neutron-rootwrap-daemon and permits no extra
# arguments.
neutron_sudoers: |
  # This sudoers file supports rootwrap for both Kolla and LOCI Images.
  Defaults !requiretty
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
# Contents of rootwrap.conf (the file passed to neutron-rootwrap).
# With use_syslog=False no rootwrap invocation reaches syslog. The file's own
# comments state that syslog_log_level=INFO logs all usage, which is the
# setting to reach for when an audit trail of privileged commands is needed.
rootwrap: |
  # Configuration for neutron-rootwrap
  # This file should be owned by (and only-writeable by) the root user

  [DEFAULT]
  # List of directories to load filter definitions from (separated by ',').
  # These directories MUST all be only writeable by root !
  filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d

  # List of directories to search executables in, in case filters do not
  # explicitely specify a full path (separated by ',')
  # If not specified, defaults to system PATH environment variable.
  # These directories MUST all be only writeable by root !
  exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

  # Enable logging to syslog
  # Default value is False
  use_syslog=False

  # Which syslog facility to use.
  # Valid values include auth, authpriv, syslog, local0, local1...
  # Default value is 'syslog'
  syslog_log_facility=syslog

  # Which messages to log.
  # INFO means log all usage
  # ERROR means only log unsuccessful attempts
  syslog_log_level=ERROR

  [xenapi]
  # XenAPI configuration is only required by the L2 agent if it is to
  # target a XenServer/XCP compute host's dom0.
  xenapi_connection_url=<None>
  xenapi_connection_username=root
  xenapi_connection_password=<None>
1457 rootwrap_filters:
# Rootwrap filter file "debug".
# `pods` lists the agent pods the file is associated with (presumably the
# pods it is mounted into; confirm against the chart templates).
# Every entry is a RegExpFilter that pins each argument, so only the exact
# ping/ping6 forms below can run as root.
debug:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # This is needed because we should ping
    # from inside a namespace which requires root
    # _alt variants allow to match -c and -w in any order
    # (used by NeutronDebugAgent.ping_all)
    ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
    ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
    ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
    ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
# Rootwrap filter file "dibbler" (prefix-delegation client).
# CommandFilter matches on the executable only, so dibbler-client may run as
# root with any arguments from every pod listed here.
dibbler:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # Filters for the dibbler-based reference implementation of the pluggable
    # Prefix Delegation driver. Other implementations using an alternative agent
    # should include a similar filter in this folder.

    # prefix_delegation_agent
    dibbler-client: CommandFilter, dibbler-client, root
# Rootwrap filter file "ipset_firewall".
# CommandFilter matches on the executable only: ipset may run as root with
# any arguments from every pod listed here.
ipset_firewall:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]
    # neutron/agent/linux/iptables_firewall.py
    # "ipset", "-A", ...
    ipset: CommandFilter, ipset, root
# Rootwrap filter file "l3" (L3 agent, HA routers, metadata proxy, QoS tc).
# Review notes:
# - CommandFilter entries (sysctl, route, ovs-vsctl, iptables-restore,
#   conntrack, ...) constrain the executable only, not its arguments.
# - The KillFilter entries that name a Python interpreter match any process
#   running under that interpreter, not just the intended daemon; the TODO
#   kept in the content below acknowledges this.
# - NOTE(review): the interpreter names stop at python3.7. Confirm whether
#   the images in use still rely on these entries before extending them.
l3:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # arping
    arping: CommandFilter, arping, root

    # l3_agent
    sysctl: CommandFilter, sysctl, root
    route: CommandFilter, route, root
    radvd: CommandFilter, radvd, root

    # haproxy
    haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
    kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP

    # metadata proxy
    metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
    # RHEL invocation of the metadata proxy will report /usr/bin/python
    kill_metadata: KillFilter, root, python, -15, -9
    kill_metadata2: KillFilter, root, python2, -15, -9
    kill_metadata7: KillFilter, root, python2.7, -15, -9
    kill_metadata3: KillFilter, root, python3, -15, -9
    kill_metadata35: KillFilter, root, python3.5, -15, -9
    kill_metadata36: KillFilter, root, python3.6, -15, -9
    kill_metadata37: KillFilter, root, python3.7, -15, -9
    kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
    kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP

    # ip_lib
    ip: IpFilter, ip, root
    find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
    ip_exec: IpNetnsExecFilter, ip, root

    # l3_tc_lib
    l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
    l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
    l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
    l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
    l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
    l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
    l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1

    # For ip monitor
    kill_ip_monitor: KillFilter, root, ip, -9

    # ovs_lib (if OVSInterfaceDriver is used)
    ovs-vsctl: CommandFilter, ovs-vsctl, root

    # iptables_manager
    iptables-save: CommandFilter, iptables-save, root
    iptables-restore: CommandFilter, iptables-restore, root
    ip6tables-save: CommandFilter, ip6tables-save, root
    ip6tables-restore: CommandFilter, ip6tables-restore, root

    # Keepalived
    keepalived: CommandFilter, keepalived, root
    kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9

    # l3 agent to delete floatingip's conntrack state
    conntrack: CommandFilter, conntrack, root

    # keepalived state change monitor
    keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
    # The following filters are used to kill the keepalived state change monitor.
    # Since the monitor runs as a Python script, the system reports that the
    # command of the process to be killed is python.
    # TODO(mlavalle) These kill filters will be updated once we come up with a
    # mechanism to kill using the name of the script being executed by Python
    kill_keepalived_monitor_py: KillFilter, root, python, -15
    kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
    kill_keepalived_monitor_py3: KillFilter, root, python3, -15
    kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
    kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
    kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
# Rootwrap filter file "netns_cleanup"; also associated with the
# netns_cleanup_cron pod. netstat may run as root with any arguments.
netns_cleanup:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
    - netns_cleanup_cron
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # netns-cleanup
    netstat: CommandFilter, netstat, root
# Rootwrap filter file "dhcp" (DHCP agent and its metadata proxy).
# Review notes:
# - dnsmasq, ovs-vsctl, ivs-ctl, mm-ctl and the dhcp_release tools are
#   CommandFilter entries, so their arguments are not constrained.
# - The python KillFilter entries allow SIGKILL against any process running
#   under the named interpreter, not only the metadata proxy.
dhcp:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
    - netns_cleanup_cron
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # dhcp-agent
    dnsmasq: CommandFilter, dnsmasq, root
    # dhcp-agent uses kill as well, that's handled by the generic KillFilter
    # it looks like these are the only signals needed, per
    # neutron/agent/linux/dhcp.py
    kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
    kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15

    ovs-vsctl: CommandFilter, ovs-vsctl, root
    ivs-ctl: CommandFilter, ivs-ctl, root
    mm-ctl: CommandFilter, mm-ctl, root
    dhcp_release: CommandFilter, dhcp_release, root
    dhcp_release6: CommandFilter, dhcp_release6, root

    # metadata proxy
    metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
    # RHEL invocation of the metadata proxy will report /usr/bin/python
    kill_metadata: KillFilter, root, python, -9
    kill_metadata2: KillFilter, root, python2, -9
    kill_metadata7: KillFilter, root, python2.7, -9
    kill_metadata3: KillFilter, root, python3, -9
    kill_metadata35: KillFilter, root, python3.5, -9
    kill_metadata36: KillFilter, root, python3.6, -9
    kill_metadata37: KillFilter, root, python3.7, -9

    # ip_lib
    ip: IpFilter, ip, root
    find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
    ip_exec: IpNetnsExecFilter, ip, root
# Rootwrap filter file "ebtables": ebtables may run as root with any
# arguments from every pod listed here.
ebtables:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    ebtables: CommandFilter, ebtables, root
# Rootwrap filter file "iptables_firewall".
# All entries are CommandFilter: the iptables/ip6tables family, sysctl and
# conntrack may run as root with any arguments, so whoever can invoke
# rootwrap in these pods can rewrite the host firewall state they can reach.
iptables_firewall:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # neutron/agent/linux/iptables_firewall.py
    # "iptables-save", ...
    iptables-save: CommandFilter, iptables-save, root
    iptables-restore: CommandFilter, iptables-restore, root
    ip6tables-save: CommandFilter, ip6tables-save, root
    ip6tables-restore: CommandFilter, ip6tables-restore, root

    # neutron/agent/linux/iptables_firewall.py
    # "iptables", "-A", ...
    iptables: CommandFilter, iptables, root
    ip6tables: CommandFilter, ip6tables, root

    # neutron/agent/linux/iptables_firewall.py
    sysctl: CommandFilter, sysctl, root

    # neutron/agent/linux/ip_conntrack.py
    conntrack: CommandFilter, conntrack, root
# Rootwrap filter file "linuxbridge_plugin".
# brctl and bridge are unconstrained CommandFilter entries; the tc entries
# are RegExpFilter patterns that fix the sub-command shape and leave device
# names and rate values open (`.+`).
linuxbridge_plugin:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # linuxbridge-agent
    # unclear whether both variants are necessary, but I'm transliterating
    # from the old mechanism
    brctl: CommandFilter, brctl, root
    bridge: CommandFilter, bridge, root

    # ip_lib
    ip: IpFilter, ip, root
    find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
    ip_exec: IpNetnsExecFilter, ip, root

    # tc commands needed for QoS support
    tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
    tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
    tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
    tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
    tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
    tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
# Rootwrap filter file "openvswitch_plugin".
# The ovs-* tools, ovsdb-client, xe and bridge are CommandFilter entries, so
# their arguments are not constrained.
openvswitch_plugin:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # openvswitch-agent
    # unclear whether both variants are necessary, but I'm transliterating
    # from the old mechanism
    ovs-vsctl: CommandFilter, ovs-vsctl, root
    # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
    ovs-ofctl: CommandFilter, ovs-ofctl, root
    ovs-appctl: CommandFilter, ovs-appctl, root
    kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
    ovsdb-client: CommandFilter, ovsdb-client, root
    xe: CommandFilter, xe, root

    # ip_lib
    ip: IpFilter, ip, root
    find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
    ip_exec: IpNetnsExecFilter, ip, root

    # needed for FDB extension
    bridge: CommandFilter, bridge, root
# Rootwrap filter file "privsep": lets privsep-helper start as root.
# The PathFilter restricts --config-file to paths under /etc and pins the
# privsep context to neutron.privileged.default. The trust assumptions are
# spelled out in the content itself: the Python module path and the
# oslo.config files must not be writable by the unprivileged user.
# The three lines after `privsep:` are INI continuation lines and must keep
# their leading whitespace.
privsep:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
    - netns_cleanup_cron
  content: |
    # Command filters to allow privsep daemon to be started via rootwrap.
    #
    # This file should be owned by (and only-writeable by) the root user

    [Filters]

    # By installing the following, the local admin is asserting that:
    #
    # 1. The python module load path used by privsep-helper
    # command as root (as started by sudo/rootwrap) is trusted.
    # 2. Any oslo.config files matching the --config-file
    # arguments below are trusted.
    # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
    # also allowed to invoke python "entrypoint" functions from
    # --privsep_context with the additional (possibly root) privileges
    # configured for that context.
    #
    # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
    #
    # In particular, the oslo.config and python module path must not
    # be writeable by the unprivileged user.

    # oslo.privsep default neutron context
    privsep: PathFilter, privsep-helper, root,
     --config-file, /etc,
     --privsep_context, neutron.privileged.default,
     --privsep_sock_path, /

    # NOTE: A second `--config-file` arg can also be added above. Since
    # many neutron components are installed like that (eg: by devstack).
    # Adjust to suit local requirements.
# Rootwrap filter file "linux_vxlan", associated with the bagpipe_bgp pod.
# NOTE(review): `sh: CommandFilter, sh, root` permits a root shell with any
# arguments, which makes the rest of this allow-list moot for that pod.
# modprobe is likewise unconstrained. Drop this file where bagpipe_bgp is not
# deployed, and prefer argument-pinned filters where it is.
linux_vxlan:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control VXLAN Linux Bridge dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    #
    modprobe: CommandFilter, modprobe, root

    #
    brctl: CommandFilter, brctl, root
    bridge: CommandFilter, bridge, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root
# Rootwrap filter file "mpls_ovs_dataplane", associated with the bagpipe_bgp
# pod.
# NOTE(review): `sh: CommandFilter, sh, root` permits a root shell with any
# arguments, which makes the rest of this allow-list moot for that pod. Drop
# this file where bagpipe_bgp is not deployed, and prefer argument-pinned
# filters where it is.
mpls_ovs_dataplane:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control MPLS OpenVSwitch dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # openvswitch
    ovs-vsctl: CommandFilter, ovs-vsctl, root
    ovs-ofctl: CommandFilter, ovs-ofctl, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root
# Options for the main neutron configuration file; each second-level key is
# one configuration section.
neutron:
  DEFAULT:
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    log_config_append: /etc/neutron/logging.conf
    # NOTE(portdirect): the bind port should not be defined, and is manipulated
    # via the endpoints section.
    bind_port: null
    default_availability_zones: nova
    api_workers: 1
    rpc_workers: 4
    allow_overlapping_ips: true
    state_path: /var/lib/neutron
    # core_plugin can be: ml2, calico
    core_plugin: ml2
    # service_plugin can be: router, odl-router, empty for calico,
    # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
    service_plugins: router
    allow_automatic_l3agent_failover: true
    l3_ha: true
    max_l3_agents_per_router: 2
    l3_ha_network_type: vxlan
    network_auto_schedule: true
    router_auto_schedule: true
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
  oslo_concurrency:
    lock_path: /var/lib/neutron/tmp
  database:
    # -1: keep retrying the database connection indefinitely.
    max_retries: -1
  agent:
    # Privileged commands go through sudo + neutron-rootwrap, so what the
    # agents may run as root is decided by the sudoers entry and the rootwrap
    # filter files.
    root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
  oslo_messaging_notifications:
    driver: messagingv2
  oslo_messaging_rabbit:
    rabbit_ha_queues: true
  oslo_middleware:
    # Forwarded-header parsing is on; the API should only be reachable
    # through a proxy that sets or strips those headers itself.
    enable_proxy_headers_parsing: true
  oslo_policy:
    policy_file: /etc/neutron/policy.yaml
  ovn:
    ovn_metadata_enabled: true
  nova:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  placement:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  designate:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
    allow_reverse_dns_lookup: true
  ironic:
    endpoint_type: internal
  keystone_authtoken:
    # Service tokens are honoured only when they carry the `service` role.
    service_token_roles: service
    service_token_roles_required: true
    # NOTE(review): ENCRYPT needs a memcache_secret_key, which is not set in
    # this section; presumably the chart injects it elsewhere. Confirm.
    memcache_security_strategy: ENCRYPT
    auth_type: password
    auth_version: v3
    service_type: network
  octavia:
    request_poll_timeout: 3000
# Python logging configuration expressed as sections (loggers, handlers,
# formatters and one section per named item).
# The root logger is wired to the null handler, so only the loggers declared
# here produce output; neutron and neutron_taas log at INFO to stdout.
logging:
  loggers:
    # NOTE(review): amqp, amqplib, eventletwsgi, sqlalchemy and boto have
    # logger_* sections below but are not named in this list. If this is
    # rendered to a logging fileConfig file, sections missing from `keys`
    # are ignored. Confirm that is intended.
    keys:
      - root
      - neutron
      - neutron_taas
  handlers:
    keys:
      - stdout
      - stderr
      - 'null'
  formatters:
    keys:
      - context
      - default
  logger_root:
    level: WARNING
    handlers: 'null'
  logger_neutron:
    level: INFO
    handlers:
      - stdout
    qualname: neutron
  logger_neutron_taas:
    level: INFO
    handlers:
      - stdout
    qualname: neutron_taas
  logger_amqp:
    level: WARNING
    handlers: stderr
    qualname: amqp
  logger_amqplib:
    level: WARNING
    handlers: stderr
    qualname: amqplib
  logger_eventletwsgi:
    level: WARNING
    handlers: stderr
    qualname: eventlet.wsgi.server
  logger_sqlalchemy:
    level: WARNING
    handlers: stderr
    qualname: sqlalchemy
  logger_boto:
    level: WARNING
    handlers: stderr
    qualname: boto
  handler_null:
    class: logging.NullHandler
    formatter: default
    args: ()
  handler_stdout:
    class: StreamHandler
    args: (sys.stdout,)
    formatter: context
  handler_stderr:
    class: StreamHandler
    args: (sys.stderr,)
    formatter: context
  formatter_context:
    class: oslo_log.formatters.ContextFormatter
    datefmt: '%Y-%m-%d %H:%M:%S'
  formatter_default:
    format: '%(message)s'
    datefmt: '%Y-%m-%d %H:%M:%S'
# Per-plugin / per-agent configuration files; each second-level key is one
# file and each third-level key one section of it.
plugins:
  ml2_conf:
    ml2:
      # Loads the port_security extension driver.
      extension_drivers: port_security
      # (NOTE)portdirect: if unset this is populated dynamically from the value
      # in 'network.backend' to sane defaults.
      mechanism_drivers: null
      type_drivers: flat,vlan,vxlan,local
      tenant_network_types: vxlan
    ml2_type_vxlan:
      # Quoted so the digits-and-colon value is always read as a string.
      vni_ranges: '1:1000'
      vxlan_group: 239.1.1.1
    ml2_type_flat:
      # "*" accepts any physical network name for flat networks; list the
      # expected names instead where provider networks are tightly managed.
      flat_networks: '*'
    # If you want to use the external network as a tagged provider network,
    # a range should be specified including the intended VLAN target
    # using ml2_type_vlan.network_vlan_ranges:
    # ml2_type_vlan:
    #   network_vlan_ranges: "external:1100:1110"
    ml2_type_geneve:
      # Quoted so the digits-and-colon value is always read as a string.
      vni_ranges: '1:65536'
      max_header_size: 38
    agent:
      extensions: ''
  ml2_conf_sriov: null
  taas:
    taas:
      enabled: false
  openvswitch_agent:
    agent:
      tunnel_types: vxlan
      l2_population: true
      arp_responder: true
    ovs:
      bridge_mappings: 'external:br-ex'
    securitygroup:
      firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  linuxbridge_agent:
    linux_bridge:
      # To define Flat and VLAN connections, in LB we can assign
      # specific interface to the flat/vlan network name using:
      # physical_interface_mappings: "external:eth3"
      # Or we can set the mapping between the network and bridge:
      bridge_mappings: 'external:br-ex'
      # The two above options are exclusive, do not use both of them at once
    securitygroup:
      firewall_driver: iptables
    vxlan:
      l2_population: true
      arp_responder: true
  macvtap_agent: null
  sriov_agent:
    securitygroup:
      # NOTE(review): the no-op driver means this agent applies no security
      # group filtering to its ports; plan compensating controls for SR-IOV
      # workloads.
      firewall_driver: neutron.agent.firewall.NoopFirewallDriver
    sriov_nic:
      physical_device_mappings: physnet2:enp3s0f1
      # NOTE: do not use null here, use an empty string
      exclude_devices: ''
# DHCP agent configuration.
dhcp_agent:
  DEFAULT:
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
    dnsmasq_config_file: /etc/neutron/dnsmasq.conf
    force_metadata: true
  # NOTE(mnaser): This has to be here in order for the DHCP agent to work with OVN.
  ovs: {}
# Contents of the dnsmasq configuration file referenced by
# dhcp_agent.DEFAULT.dnsmasq_config_file. Every line is commented out, so
# dnsmasq runs with the options the DHCP agent passes to it.
dnsmasq: |
  #no-hosts
  #port=5353
  #cache-size=500
  #no-negcache
  #dns-forward-max=100
  #resolve-file=
  #strict-order
  #bind-interface
  #bind-dynamic
  #domain=
  #dhcp-range=10.10.10.10,10.10.10.100,24h
  #dhcp-lease-max=150
  #dhcp-host=11:22:33:44:55:66,ignore
  #dhcp-option=3,10.10.10.1
  #dhcp-option-force=26,1450
2141
# L3 agent configuration.
l3_agent:
  DEFAULT:
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
    agent_mode: legacy
# No metering agent configuration is supplied by default.
metering_agent: null
# Metadata agent configuration.
metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # NOTE(review): `password` is a placeholder. This secret authenticates the
    # instance identity the metadata proxy forwards to nova, so override it
    # per deployment with a random value and set the same value on the nova
    # side (`[neutron] metadata_proxy_shared_secret`). Keep the override out
    # of version control.
    metadata_proxy_shared_secret: 'password'
  cache:
    enabled: true
    backend: dogpile.cache.memcached
bagpipe_bgp: {}
# OVN metadata agent configuration.
ovn_metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # NOTE(review): `password` is a placeholder. This secret authenticates the
    # instance identity the metadata proxy forwards to nova, so override it
    # per deployment with a random value and set the same value on the nova
    # side (`[neutron] metadata_proxy_shared_secret`). Keep the override out
    # of version control.
    metadata_proxy_shared_secret: 'password'
    metadata_workers: 2
  cache:
    enabled: true
    backend: dogpile.cache.memcached
  ovs:
    # Local Open vSwitch database, reached over a unix socket.
    ovsdb_connection: unix:/run/openvswitch/db.sock
bgp_dragent: {}
rabbitmq:
  # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
  policies:
    - vhost: 'neutron'
      name: 'ha_ttl_neutron'
      definition:
        # mirror messages to other nodes in rmq cluster
        ha-mode: 'all'
        ha-sync-mode: 'automatic'
        # 70s
        message-ttl: 70000
      priority: 0
      apply-to: all
      # Every queue except those whose name starts with "amq." or "reply_".
      pattern: '^(?!(amq\.|reply_)).*'
2187 ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
2188 ## This helps prevent sriov init script from failing due to mis-matched NIC
2189 ## For prod env, target NIC should match and init script should fail otherwise.
2190 ## sriov_init:
2191 ## - besteffort
2192 sriov_init:
2193 -
2194 # auto_bridge_add is a table of "bridge: interface" pairs
2195 # To automatically add physical interfaces to specific bridges,
2196 # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
2197 # to br1 do something like:
2198 #
2199 # auto_bridge_add:
2200 # br-physnet1: eth3
2201 # br0: if0
2202 # br1: iface_two
2203 # br-ex will be added by default
2204 auto_bridge_add:
2205 br-ex: null
2206
2207 # Network off-loading configuration
2208 netoffload:
2209 enabled: false
2210 asap2:
2211 # - dev: enp97s0f0
2212 # vfs: 16
2213
2214 # configuration of OVS DPDK bridges and NICs
2215 # this is a separate section and not part of the auto_bridge_add section
2216 # because additional parameters are needed
2217 ovs_dpdk:
2218 enabled: false
2219 # setting update_dpdk_bond_config to true will have default behavior,
2220 # which may cause disruptions in ovs dpdk traffic in case of neutron
2221 # ovs agent restart or when dpdk nic/bond configurations are changed.
2222 # Setting this to false will configure dpdk in the first run and
2223 # disable nic/bond config on event of restart or config update.
2224 update_dpdk_bond_config: true
2225 driver: uio_pci_generic
2226 # In case bonds are configured, the nics which are part of those bonds
2227 # must NOT be provided here.
2228 nics:
2229 - name: dpdk0
2230 pci_id: '0000:05:00.0'
2231 # Set VF Index in case some particular VF(s) need to be
2232 # used with ovs-dpdk.
2233 # vf_index: 0
2234 bridge: br-phy
2235 migrate_ip: true
2236 n_rxq: 2
2237 n_txq: 2
2238 pmd_rxq_affinity: "0:3,1:27"
2239 ofport_request: 1
2240 # optional parameters for tuning the OVS DPDK config
2241 # in alignment with the available hardware resources
2242 # mtu: 2000
2243 # n_rxq_size: 1024
2244 # n_txq_size: 1024
2245 # vhost-iommu-support: true
2246 bridges:
2247 - name: br-phy
2248 # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
2249 # - tunnel_underlay_vlan: 45
2250 # Optional parameter for configuring bonding in OVS-DPDK
2251 # - name: br-phy-bond0
2252 # bonds:
2253 # - name: dpdkbond0
2254 # bridge: br-phy-bond0
2255 # # The IP from the first nic in nics list shall be used
2256 # migrate_ip: true
2257 # mtu: 2000
2258 # # Please note that n_rxq is set for each NIC individually
2259 # # rather than denoting the total number of rx queues for
2260 # # the bond as a whole. So setting n_rxq = 2 below for ex.
2261 # # would be 4 rx queues in total for the bond.
2262 # # Same for n_txq
2263 # n_rxq: 2
2264 # n_txq: 2
2265 # ofport_request: 1
2266 # n_rxq_size: 1024
2267 # n_txq_size: 1024
2268 # vhost-iommu-support: true
2269 # ovs_options: "bond_mode=active-backup"
2270 # nics:
2271 # - name: dpdk_b0s0
2272 # pci_id: '0000:06:00.0'
2273 # pmd_rxq_affinity: "0:3,1:27"
2274 # # Set VF Index in case some particular VF(s) need to be
2275 # # used with ovs-dpdk. In which case pci_id of PF must be
2276 # # provided above.
2277 # # vf_index: 0
2278 # - name: dpdk_b0s1
2279 # pci_id: '0000:07:00.0'
2280 # pmd_rxq_affinity: "0:3,1:27"
2281 # # Set VF Index in case some particular VF(s) need to be
2282 # # used with ovs-dpdk. In which case pci_id of PF must be
2283 # # provided above.
2284 # # vf_index: 0
2285 #
2286 # Set the log level for each target module (default level is always dbg)
2287 # Supported log levels are: off, emer, err, warn, info, dbg
2288 #
2289 # modules:
2290 # - name: dpdk
2291 # log_level: info
2292
# Names of the secrets used by bootstrap and environmental checks.
# These values are object names only; no secret contents are stored here.
secrets:
  # Keystone users
  identity:
    admin: neutron-keystone-admin
    neutron: neutron-keystone-user
    test: neutron-keystone-test
  # Database users
  oslo_db:
    admin: neutron-db-admin
    neutron: neutron-db-user
  # Message-queue users
  oslo_messaging:
    admin: neutron-rabbitmq-admin
    neutron: neutron-rabbitmq-user
  # TLS secrets, keyed by endpoint type, then service, then host type
  tls:
    compute_metadata:
      metadata:
        internal: metadata-tls-metadata
    network:
      server:
        public: neutron-tls-public
        internal: neutron-tls-server
  # Image-registry pull credentials
  oci_image_registry:
    neutron: neutron-oci-image-registry
2315
# Endpoint catalogue for this chart. Environments normally override these
# values, but every endpoint the chart requires has to be listed here.
# NOTE(review): every `password: password` below is a placeholder, not a
# usable credential. Override each one (registry, database, RabbitMQ and all
# Keystone users) per deployment; an install that keeps these defaults has
# guessable service credentials.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      neutron:
        username: neutron
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # Database administrator account (root)
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      # Account used by neutron itself
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      # RabbitMQ administrator account
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      # Account used by neutron itself
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this defines the keystone authtoken cache
      # encryption key. If it is not set, a random value is generated
      # automatically; to take advantage of this feature, all services
      # should be set to use the same key and the same memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: '/v2.1/%(tenant_id)s'
    scheme:
      default: http
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        role: admin,service
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      test:
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project is purged and reset when
        # conf.rally_tests.force_project_purge is set to true, which may be
        # required after a test failure. The purge expunges all openstack
        # objects, so use a separate project for each helm test and make
        # sure the project is not in use by other tenants.
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    scheme:
      default: http
      service: http
    port:
      api:
        default: 9696
        public: 80
        service: 9696
      policy_server:
        default: 9697
        public: 80
        service: 9697
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and
  # ingress. They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
2625
# Ingress and egress rules for the neutron NetworkPolicy.
# NOTE(review): a single empty rule (`{}`) puts no restriction on peers or
# ports, so both directions allow all traffic. `manifests.network_policy` is
# false by default; presumably the policy is not rendered at all until that
# switch is turned on (confirm in the templates).
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    ingress:
      - {}
    egress:
      - {}
2633
# NOTE(review): presumably selects Helm 3 hook handling in the templates; the
# consumer of this flag is not shown here.
helm3_hook: true

# Log level used by the health probe.
health_probe:
  logging:
    level: ERROR
2639
# Per-backend TLS switches; all three are off by default.
# NOTE(review): presumably these enable TLS on the chart's connections to
# Keystone, RabbitMQ and MariaDB (confirm in the templates). While they stay
# false, the credentials defined under `endpoints` would cross the cluster
# network unencrypted.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
2644
# Switches for the Kubernetes manifests this chart can render; presumably each
# key gates the template of the same name (confirm under templates/).
# NOTE(review): `certificates` and `network_policy` are false by default, so,
# if the keys work as named, a default install renders neither certificates
# nor a NetworkPolicy.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  # Agent daemonsets
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  # Deployments and ingress
  deployment_ironic_agent: false
  deployment_server: true
  deployment_rpc_server: true
  ingress_server: true
  # Jobs
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  pod_rally_test: true
  network_policy: false
  # Secrets
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  # Services
  service_ingress_server: true
  service_server: true
2682...