# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for libvirt.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
release_group: null

# Node selection for the libvirt DaemonSet. The key/value pair is
# presumably rendered as a nodeSelector by the templates, so only nodes
# labelled openstack-compute-node=enabled receive a libvirt pod.
labels:
  agent:
    libvirt:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled

# Container images used by the chart.
# NOTE(review): several tags below are mutable ("latest",
# "latest-ubuntu_focal"), so the image content can change between pulls,
# and with pull_policy "IfNotPresent" a node that already holds the tag
# never re-pulls it, so a fleet can silently run differing builds. Pin to
# an immutable tag or an @sha256 digest for reproducible, auditable
# deployments.
images:
  tags:
    libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_focal
    libvirt_exporter: vexxhost/libvirtd-exporter:latest
    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_17.2.6-1-20230508'
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/library/docker:17.07.0
    # Presumably the image that runs scripts.cert_init_sh (which shells out
    # to kubectl); it is pulled from a third-party repository at "latest".
    kubectl: docker.io/bitnami/kubectl:latest
  pull_policy: "IfNotPresent"
  # Presumably rewrites image references to endpoints.local_image_registry
  # when active; the excluded images keep their upstream references.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

network:
  # provide what type of network wiring will be used
  # possible options: openvswitch, linuxbridge, sriov
  # (dependencies.targeted below also carries an ovn stanza). Each value
  # presumably selects the matching dependencies.targeted.<backend> entry,
  # i.e. which neutron/ovn agent pod must be running on the same node.
  backend:
    - openvswitch

endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Registry credentials are unused while enabled is false. The
      # username/password below are placeholders only: when turning auth
      # on, override them at deploy time (--set or a values file kept out
      # of version control) instead of committing the real credential.
      enabled: false
      libvirt:
        username: libvirt
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  # Metrics port of the optional exporter sidecar (pod.sidecars.libvirt_exporter).
  libvirt_exporter:
    port:
      metrics:
        default: 9474

# Only rendered when manifests.network_policy is true.
# NOTE(review): a rule of `- {}` matches every peer and every port, so as
# written these are allow-all policies in both directions; tighten them to
# the peers libvirt actually needs before turning the manifest on.
network_policy:
  libvirt:
    ingress:
      - {}
    egress:
      - {}

ceph_client:
  # Names of the pre-existing ConfigMap (presumably ceph.conf) and Secret
  # (client keyring) the pod consumes; only references live here, so no
  # Ceph credential is stored in this values file.
  configmap: ceph-etc
  user_secret_name: pvc-ceph-client-key

conf:
  ceph:
    enabled: true
    # Keyrings are null here and are expected to be supplied at deploy time
    # (see ceph_client and the ceph_*_keyring_placement containers) rather
    # than committed in values.
    admin_keyring: null
    cinder:
      user: "cinder"
      keyring: null
      # libvirt secret UUID the cinder keyring is registered under. Not
      # sensitive by itself, but it presumably has to match the
      # rbd_secret_uuid that cinder/nova are configured with — confirm
      # against those charts.
      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
      # Cinder Ceph backend that is not configured by the k8s cluster
      external_ceph:
        enabled: false
        user: null
        secret_uuid: null
        user_secret_name: null
  libvirt:
    # Issuer to issue a certificate for libvirt api when listen_tls is enabled.
    issuer:
      kind: ClusterIssuer
      name: ca-clusterissuer
    # SECURITY: the TCP listener is on with auth_tcp "none", so any client
    # that can connect to it gets full control of libvirtd, which is
    # effectively root-equivalent on the hypervisor. The only thing limiting
    # exposure is listen_addr 127.0.0.1. pod.dns_policy is
    # ClusterFirstWithHostNet, which suggests the DaemonSet runs with
    # hostNetwork; if so, that loopback is the compute node's loopback and
    # every process on the node can reach the socket. Do not widen
    # listen_addr without also setting listen_tls "1" and an authenticating
    # auth_tcp (e.g. "sasl"). Values are quoted because they are presumably
    # written verbatim into libvirtd.conf.
    listen_tcp: "1"
    listen_tls: "0"
    auth_tcp: "none"
    # Paths libvirtd reads once listen_tls is "1". scripts.cert_init_sh
    # fetches the cert-manager material into /tmp; how it lands at these
    # paths is handled by the templates and is not visible in this file.
    ca_file: "/etc/pki/CA/cacert.pem"
    cert_file: "/etc/pki/libvirt/servercert.pem"
    key_file: "/etc/pki/libvirt/private/serverkey.pem"
    # No authentication on the read-write unix socket either; access is
    # governed only by the socket's filesystem permissions.
    auth_unix_rw: "none"
    listen_addr: 127.0.0.1
    log_level: "3"
    log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
  qemu:
    # VNC console traffic is unencrypted and client certificates are not
    # verified by default; conf.vencrypt.issuer below only matters once
    # vnc_tls is "1".
    vnc_tls: "0"
    vnc_tls_x509_verify: "0"
    stdio_handler: "file"
    # libvirt qemu.conf user/group, i.e. the identity guest processes run as.
    user: "nova"
    group: "kvm"
  kubernetes:
    # cgroup slice the pod's processes are expected to live under — confirm
    # against the node's kubelet/cgroup driver configuration.
    cgroup: "kubepods.slice"
  vencrypt:
    # Issuer to use for the vencrypt certs.
    issuer:
      kind: ClusterIssuer
      name: ca-clusterissuer

pod:
  probes:
    libvirt:
      libvirt:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 5
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 5
  # SECURITY: the pod runs as root (uid 0) and the libvirt container is
  # privileged with a writable root filesystem, so a compromise of libvirtd
  # (or a guest escaping qemu) is a compromise of the compute node. The
  # privilege is presumably needed for /dev/kvm, cgroup and network device
  # access; keep it on the smallest set of containers that truly need it.
  security_context:
    libvirt:
      pod:
        runAsUser: 0
      container:
        ceph_admin_keyring_placement:
          readOnlyRootFilesystem: false
        ceph_keyring_placement:
          readOnlyRootFilesystem: false
        libvirt:
          privileged: true
          readOnlyRootFilesystem: false
        # NOTE(review): the metrics exporter is privileged too; nothing in
        # this file shows why a scraper needs that — confirm, and drop it
        # if the exporter only needs access to the libvirt socket.
        libvirt_exporter:
          privileged: true
  # The exporter sidecar is off by default; endpoints.libvirt_exporter and
  # pod.resources.libvirt_exporter only apply when it is enabled.
  sidecars:
    libvirt_exporter: false

  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Off by default; when enabled, libvirt may also be scheduled onto tainted
  # control-plane nodes (hypervisors co-located with the control plane).
  tolerations:
    libvirt:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # ClusterFirstWithHostNet is only meaningful for a hostNetwork pod, which
  # suggests the DaemonSet shares the node's network namespace (so
  # conf.libvirt.listen_addr 127.0.0.1 is the node's loopback).
  dns_policy: "ClusterFirstWithHostNet"
  # Extra volumes/volumeMounts; the bare key is YAML null, i.e. none by default.
  mounts:
    libvirt:
      init_container: null
      libvirt:
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        libvirt:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
  # Requests/limits below are presumably only rendered when enabled is true.
  resources:
    enabled: false
    libvirt:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    libvirt_exporter:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "500m"

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - libvirt-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    # One stanza per network.backend value. With requireSameNode the libvirt
    # pod presumably waits (via the dep_check init container) for the
    # matching neutron/ovn agent pod on its own node before starting. Note
    # that ovn is handled here although the network.backend comment lists
    # only openvswitch, linuxbridge and sriov.
    targeted:
      ovn:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: ovn
                component: ovn-controller
      openvswitch:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
      sriov:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-sriov-agent
  static:
    libvirt:
      services: null
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

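scripts:
  # Script is included here (vs in bin/) to allow overriding.
  #
  # Obtains a per-pod TLS keypair from cert-manager (presumably run from an
  # init container using the images.tags.kubectl image). Expects in the
  # environment: POD_NAME, POD_NAMESPACE, POD_UID, POD_IP, TYPE (chosen by
  # the caller; it names the Certificate/Secret and the output files),
  # ISSUER_KIND and ISSUER_NAME. Writes /tmp/${TYPE}.crt, /tmp/${TYPE}.key
  # and /tmp/${TYPE}-ca.crt.
  cert_init_sh: |
    #!/bin/bash
    # -e / -o pipefail: a failed apply, a Certificate that never becomes
    # Ready, or a failed kubectl get must abort the init container instead
    # of silently leaving empty cert/key files for libvirtd to trip over.
    # -u: an unset POD_UID/POD_NAME would otherwise produce an invalid
    # ownerReference. -x is kept for debuggability; only the commands are
    # traced, the key material is redirected straight to files.
    set -euxo pipefail

    # Script to create certs for each libvirt pod based on pod IP (by default).
    # The Certificate is owned by the pod so cert-manager's objects are
    # garbage-collected when the pod goes away (the Secret needs the extra
    # patch below). The same keypair carries both client and server usages.

    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: ${POD_NAME}-${TYPE}
      namespace: ${POD_NAMESPACE}
      ownerReferences:
        - apiVersion: v1
          kind: Pod
          name: ${POD_NAME}
          uid: ${POD_UID}
    spec:
      secretName: ${POD_NAME}-${TYPE}
      commonName: ${POD_IP}
      usages:
        - client auth
        - server auth
      dnsNames:
        - ${HOSTNAME}
      ipAddresses:
        - ${POD_IP}
      issuerRef:
        kind: ${ISSUER_KIND}
        name: ${ISSUER_NAME}
    EOF

    # Fails (and so aborts the script) if the issuer does not sign within 5 minutes.
    kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
      certificate/${POD_NAME}-${TYPE}

    # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
    #               is deleted, so we should add an owner reference to the secret
    #               to ensure that it is cleaned up when the pod is deleted.
    kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
      --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'

    # Materialise the issued material for the libvirt container.
    # NOTE(review): the private key is written under /tmp with the process's
    # default umask; whatever moves it to conf.libvirt.key_file (not visible
    # here) is responsible for the final ownership and mode.
    kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
    kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
    kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
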
manifests:
  configmap_bin: true
  configmap_etc: true
  daemonset_libvirt: true
  job_image_repo_sync: true
  # See network_policy above; the default rules there are allow-all.
  network_policy: false
  # Off by default. scripts.cert_init_sh creates cert-manager Certificate
  # objects and patches Secrets in the pod's namespace, which needs RBAC
  # that this manifest presumably provides; enable it together with
  # conf.libvirt.listen_tls / conf.qemu.vnc_tls. Because the role must be
  # allowed to patch Secrets, make sure it stays namespace-scoped.
  role_cert_manager: false
  secret_registry: true

secrets:
  oci_image_registry:
    # Name of the Secret holding the registry credential for the libvirt images.
    libvirt: libvirt-oci-image-registry-key
  tls:
    # Names of the Secrets the chart uses for libvirt API server/client TLS
    # material; the per-pod Secrets created by scripts.cert_init_sh are named
    # after the pod instead.
    server: libvirt-tls-server
    client: libvirt-tls-client
...
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500333...