Mohammed Naserf3f59a72023-01-15 21:02:04 -05001# Licensed under the Apache License, Version 2.0 (the "License");
2# you may not use this file except in compliance with the License.
3# You may obtain a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS,
9# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10# See the License for the specific language governing permissions and
11# limitations under the License.
12
13# Default values for neutron.
14# This is a YAML-formatted file.
15# Declare name/value pairs to be passed into your templates.
16# name: value
17
18---
19release_group: null
20
# Container image reference for every neutron component and helper job.
# NOTE(review): each reference below is a mutable tag, not a digest. Combined
# with pull_policy "IfNotPresent", a node keeps running whatever content it
# first cached for a tag, and different nodes can end up with different
# content under the same name. Pin by digest in deployment overrides where
# image provenance matters.
# NOTE(review): several defaults name old releases (stein, ubuntu_bionic,
# docker 17.07.0); presumably they are placeholders meant to be overridden
# at deploy time - confirm before relying on them.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    test: docker.io/xrally/xrally-openstack:2.0.0
    # NOTE(review): ":latest" is a floating tag; the content of this image can
    # change between pulls without any change to this file.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    rabbit_init: docker.io/rabbitmq:3.7-management
    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    # The netoffload container is configured as privileged and uid 0 under
    # pod.security_context.neutron_ovs_agent, so the provenance of this image
    # deserves the same scrutiny as a host package.
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_policy_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  # Applies to every image above; see the note at the top of this section on
  # how this interacts with mutable tags.
  pull_policy: "IfNotPresent"
  # Local registry mirroring is off by default; the two images listed under
  # "exclude" are left out of it when it is turned on.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync
57
# Node selector key/value pairs, one pair per component. A pod of a given
# component is only scheduled onto nodes carrying the matching label.
# NOTE(review): several of the agents selected here run privileged (see
# pod.security_context), so the ability to label nodes decides where
# privileged pods land - presumably node labelling is restricted to cluster
# admins; confirm.
labels:
  agent:
    dhcp:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l3:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    metadata:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l2gw:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  lb:
    node_selector_key: linuxbridge
    node_selector_value: enabled
  # openvswitch is a special case, requiring a special
  # label that can apply to both control hosts
  # and compute hosts, until we get more sophisticated
  # with our daemonset scheduling
  ovs:
    node_selector_key: openvswitch
    node_selector_value: enabled
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  bgp_dragent:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  netns_cleanup_cron:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
106
# Network wiring for the agents and exposure settings for the API server.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # NOTE(review): with this set to true the agents operate on host-visible
  # network namespaces, so a compromised agent container is not confined to
  # its own pod network - weigh this together with the privileged settings
  # in pod.security_context.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # NOTE(review): "0/0" presumably matches the default route, so with
    # tunnel unset the overlay may bind to whichever interface carries the
    # default route - confirm, and set tunnel or a narrower CIDR where tenant
    # traffic must stay on a dedicated network.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): presumably publishes the neutron API through the public
      # ingress class below; confirm this is intended for the deployment and
      # that TLS is terminated in front of it.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    # NodePort exposure is off by default; when enabled the API is reachable
    # on this port of every node.
    node_port:
      enabled: false
      port: 30096
146
# Optional bootstrap job, disabled by default. When enabled it runs "script"
# with the credentials of the keystone user named in ks_user.
# NOTE(review): "openstack token issue" prints the issued token, so the value
# presumably ends up in the job's pod logs - restrict log access or replace
# the script if the job is enabled.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue
152
153dependencies:
154 dynamic:
155 common:
156 local_image_registry:
157 jobs:
158 - neutron-image-repo-sync
159 services:
160 - endpoint: node
161 service: local_image_registry
162 targeted:
163 sriov: {}
164 l2gateway: {}
165 bagpipe_bgp: {}
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000166 ovn:
167 server:
168 pod: null
Rico Lincf86b122023-11-02 01:29:14 +0800169 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500170 openvswitch:
171 dhcp:
172 pod:
173 - requireSameNode: true
174 labels:
175 application: neutron
176 component: neutron-ovs-agent
177 l3:
178 pod:
179 - requireSameNode: true
180 labels:
181 application: neutron
182 component: neutron-ovs-agent
183 metadata:
184 pod:
185 - requireSameNode: true
186 labels:
187 application: neutron
188 component: neutron-ovs-agent
189 linuxbridge:
190 dhcp:
191 pod:
192 - requireSameNode: true
193 labels:
194 application: neutron
195 component: neutron-lb-agent
196 l3:
197 pod:
198 - requireSameNode: true
199 labels:
200 application: neutron
201 component: neutron-lb-agent
202 metadata:
203 pod:
204 - requireSameNode: true
205 labels:
206 application: neutron
207 component: neutron-lb-agent
208 lb_agent:
209 pod: null
210 static:
211 bootstrap:
212 services:
213 - endpoint: internal
214 service: network
215 - endpoint: internal
216 service: compute
217 db_drop:
218 services:
219 - endpoint: internal
220 service: oslo_db
221 db_init:
222 services:
223 - endpoint: internal
224 service: oslo_db
225 db_sync:
226 jobs:
227 - neutron-db-init
228 services:
229 - endpoint: internal
230 service: oslo_db
231 dhcp:
232 pod: null
233 jobs:
234 - neutron-rabbit-init
235 services:
236 - endpoint: internal
237 service: oslo_messaging
238 - endpoint: internal
239 service: network
240 - endpoint: internal
241 service: compute
242 ks_endpoints:
243 jobs:
244 - neutron-ks-service
245 services:
246 - endpoint: internal
247 service: identity
248 ks_service:
249 services:
250 - endpoint: internal
251 service: identity
252 ks_user:
253 services:
254 - endpoint: internal
255 service: identity
256 rabbit_init:
257 services:
258 - service: oslo_messaging
259 endpoint: internal
260 l3:
261 pod: null
262 jobs:
263 - neutron-rabbit-init
264 services:
265 - endpoint: internal
266 service: oslo_messaging
267 - endpoint: internal
268 service: network
269 - endpoint: internal
270 service: compute
271 lb_agent:
272 pod: null
273 jobs:
274 - neutron-rabbit-init
275 services:
276 - endpoint: internal
277 service: oslo_messaging
278 - endpoint: internal
279 service: network
280 metadata:
281 pod: null
282 jobs:
283 - neutron-rabbit-init
284 services:
285 - endpoint: internal
286 service: oslo_messaging
287 - endpoint: internal
288 service: network
289 - endpoint: internal
290 service: compute
291 - endpoint: public
292 service: compute_metadata
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200293 ovn_metadata:
Mohammed Naser593ec012023-07-23 09:20:05 +0000294 pod:
295 - requireSameNode: true
296 labels:
297 application: ovn
298 component: ovn-controller
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200299 services:
300 - endpoint: internal
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200301 service: compute_metadata
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000302 - endpoint: internal
303 service: network
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500304 ovs_agent:
305 jobs:
306 - neutron-rabbit-init
307 pod:
308 - requireSameNode: true
309 labels:
310 application: openvswitch
311 component: server
312 services:
313 - endpoint: internal
314 service: oslo_messaging
315 - endpoint: internal
316 service: network
317 server:
318 jobs:
319 - neutron-db-sync
320 - neutron-ks-user
321 - neutron-ks-endpoints
322 - neutron-rabbit-init
323 services:
324 - endpoint: internal
325 service: oslo_db
326 - endpoint: internal
327 service: oslo_messaging
328 - endpoint: internal
329 service: oslo_cache
330 - endpoint: internal
331 service: identity
332 ironic_agent:
333 jobs:
334 - neutron-db-sync
335 - neutron-ks-user
336 - neutron-ks-endpoints
337 - neutron-rabbit-init
338 services:
339 - endpoint: internal
340 service: oslo_db
341 - endpoint: internal
342 service: oslo_messaging
343 - endpoint: internal
344 service: oslo_cache
345 - endpoint: internal
346 service: identity
347 tests:
348 services:
349 - endpoint: internal
350 service: network
351 - endpoint: internal
352 service: compute
353 image_repo_sync:
354 services:
355 - endpoint: internal
356 service: local_image_registry
357
358pod:
Mohammed Nasere40c3e82024-07-04 02:52:34 -0400359 sidecars:
360 neutron_policy_server: false
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500361 use_fqdn:
362 neutron_agent: true
363 probes:
364 rpc_timeout: 60
365 rpc_retries: 2
366 dhcp_agent:
367 dhcp_agent:
368 readiness:
369 enabled: true
370 params:
371 initialDelaySeconds: 30
372 periodSeconds: 190
373 timeoutSeconds: 185
374 liveness:
375 enabled: true
376 params:
377 initialDelaySeconds: 120
378 periodSeconds: 600
379 timeoutSeconds: 580
380 l3_agent:
381 l3_agent:
382 readiness:
383 enabled: true
384 params:
385 initialDelaySeconds: 30
386 periodSeconds: 190
387 timeoutSeconds: 185
388 liveness:
389 enabled: true
390 params:
391 initialDelaySeconds: 120
392 periodSeconds: 600
393 timeoutSeconds: 580
394 lb_agent:
395 lb_agent:
396 readiness:
397 enabled: true
398 metadata_agent:
399 metadata_agent:
400 readiness:
401 enabled: true
402 params:
403 initialDelaySeconds: 30
404 periodSeconds: 190
405 timeoutSeconds: 185
406 liveness:
407 enabled: true
408 params:
409 initialDelaySeconds: 120
410 periodSeconds: 600
411 timeoutSeconds: 580
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200412 ovn_metadata_agent:
413 ovn_metadata_agent:
414 readiness:
415 enabled: true
416 params:
417 initialDelaySeconds: 30
418 periodSeconds: 190
419 timeoutSeconds: 185
420 liveness:
421 enabled: true
422 params:
423 initialDelaySeconds: 120
424 periodSeconds: 600
425 timeoutSeconds: 580
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500426 ovs_agent:
427 ovs_agent:
428 readiness:
429 enabled: true
430 params:
okozachenko120317930d42023-09-06 00:24:05 +1000431 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500432 liveness:
433 enabled: true
434 params:
435 initialDelaySeconds: 120
436 periodSeconds: 600
437 timeoutSeconds: 580
438 sriov_agent:
439 sriov_agent:
440 readiness:
441 enabled: true
442 params:
443 initialDelaySeconds: 30
444 periodSeconds: 190
445 timeoutSeconds: 185
446 bagpipe_bgp:
447 bagpipe_bgp:
448 readiness:
449 enabled: true
450 params:
451 liveness:
452 enabled: true
453 params:
454 initialDelaySeconds: 60
Rico Lincf86b122023-11-02 01:29:14 +0800455 bgp_dragent:
456 bgp_dragent:
457 readiness:
458 enabled: false
459 params:
460 liveness:
461 enabled: true
462 params:
463 initialDelaySeconds: 60
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500464 l2gw_agent:
465 l2gw_agent:
466 readiness:
467 enabled: true
468 params:
469 initialDelaySeconds: 30
470 periodSeconds: 15
471 timeoutSeconds: 65
472 liveness:
473 enabled: true
474 params:
475 initialDelaySeconds: 120
476 periodSeconds: 90
477 timeoutSeconds: 70
478 server:
479 server:
480 readiness:
481 enabled: true
482 params:
okozachenko120317930d42023-09-06 00:24:05 +1000483 periodSeconds: 15
484 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500485 liveness:
486 enabled: true
487 params:
488 initialDelaySeconds: 60
okozachenko120317930d42023-09-06 00:24:05 +1000489 periodSeconds: 15
490 timeoutSeconds: 10
  # Pod-level and container-level securityContext values, keyed by workload
  # and then by container name.
  # Every pod defaults to the unprivileged uid 42424; containers that need
  # root set runAsUser: 0 themselves.
  # NOTE(review): "privileged: true" gives a container access to host devices
  # and lifts the capability restrictions, so readOnlyRootFilesystem and a
  # non-root uid on the same container are weak compensating controls. The
  # neutron user may also run rootwrap as root via conf.neutron_sudoers.
  # Treat every privileged container below as host-equivalent when scoping
  # image provenance, node placement and log/exec access.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with SYS_MODULE, which permits loading kernel modules
        # into the shared host kernel; not privileged, but still a
        # host-level capability.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    # Only the init container is listed for the two metadata agents; the main
    # container gets no container-level settings from this default.
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Same capability set as neutron_lb_agent_kernel_modules: root plus
        # SYS_MODULE, i.e. kernel module loading on the host.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): the nginx container is the only one in this pod that
        # runs as uid 0 with a writable root filesystem, and unlike its
        # siblings it does not set allowPrivilegeEscalation: false.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        neutron_policy_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # Privileged, root and a writable root filesystem at the same time:
        # the least restricted container in this file.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
  # Default anti-affinity: a soft (preferred, weight 10) spread across
  # hostnames, so the scheduler may still co-locate replicas on one node.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Tolerations are off by default. The list below only takes effect when
  # "enabled" is true.
  # NOTE(review): enabling it allows neutron pods, including the privileged
  # agents, to be scheduled onto nodes tainted as master/control-plane.
  tolerations:
    neutron:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500637 mounts:
638 neutron_server:
639 init_container: null
640 neutron_server:
641 volumeMounts:
642 volumes:
643 neutron_dhcp_agent:
644 init_container: null
645 neutron_dhcp_agent:
646 volumeMounts:
647 volumes:
648 neutron_l3_agent:
649 init_container: null
650 neutron_l3_agent:
651 volumeMounts:
652 volumes:
653 neutron_lb_agent:
654 init_container: null
655 neutron_lb_agent:
656 volumeMounts:
657 volumes:
658 neutron_metadata_agent:
659 init_container: null
660 neutron_metadata_agent:
661 volumeMounts:
662 volumes:
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200663 neutron_ovn_metadata_agent:
664 init_container: null
665 neutron_ovn_metadata_agent:
666 volumeMounts:
667 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500668 neutron_ovs_agent:
669 init_container: null
670 neutron_ovs_agent:
671 volumeMounts:
672 volumes:
673 neutron_sriov_agent:
674 init_container: null
675 neutron_sriov_agent:
676 volumeMounts:
677 volumes:
678 neutron_l2gw_agent:
679 init_container: null
680 neutron_l2gw_agent:
681 volumeMounts:
682 volumes:
683 bagpipe_bgp:
684 init_container: null
685 bagpipe_bgp:
686 volumeMounts:
687 volumes:
Rico Lincf86b122023-11-02 01:29:14 +0800688 bgp_dragent:
689 init_container: null
690 bgp_dragent:
691 volumeMounts:
692 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500693 neutron_ironic_agent:
694 init_container: null
695 neutron_ironic_agent:
696 volumeMounts:
697 volumes:
698 neutron_netns_cleanup_cron:
699 init_container: null
700 neutron_netns_cleanup_cron:
701 volumeMounts:
702 volumes:
703 neutron_tests:
704 init_container: null
705 neutron_tests:
706 volumeMounts:
707 volumes:
708 neutron_bootstrap:
709 init_container: null
710 neutron_bootstrap:
711 volumeMounts:
712 volumes:
713 neutron_db_sync:
714 neutron_db_sync:
715 volumeMounts:
716 - name: db-sync-conf
717 mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
718 subPath: ml2_conf.ini
719 readOnly: true
720 volumes:
721 replicas:
722 server: 1
723 ironic_agent: 1
724 lifecycle:
725 upgrades:
726 deployments:
727 revision_history: 3
728 pod_replacement_strategy: RollingUpdate
729 rolling_update:
730 max_unavailable: 1
731 max_surge: 3
732 daemonsets:
733 pod_replacement_strategy: RollingUpdate
734 dhcp_agent:
735 enabled: true
736 min_ready_seconds: 0
737 max_unavailable: 1
738 l3_agent:
739 enabled: true
740 min_ready_seconds: 0
741 max_unavailable: 1
742 lb_agent:
743 enabled: true
744 min_ready_seconds: 0
745 max_unavailable: 1
746 metadata_agent:
747 enabled: true
748 min_ready_seconds: 0
749 max_unavailable: 1
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200750 ovn_metadata_agent:
751 enabled: true
752 min_ready_seconds: 0
753 max_unavailable: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500754 ovs_agent:
755 enabled: true
756 min_ready_seconds: 0
757 max_unavailable: 1
758 sriov_agent:
759 enabled: true
760 min_ready_seconds: 0
761 max_unavailable: 1
762 netns_cleanup_cron:
763 enabled: true
764 min_ready_seconds: 0
765 max_unavailable: 1
766 disruption_budget:
767 server:
768 min_available: 0
769 termination_grace_period:
770 server:
771 timeout: 30
772 ironic_agent:
773 timeout: 30
774 resources:
775 enabled: false
776 agent:
777 dhcp:
778 requests:
779 memory: "128Mi"
780 cpu: "100m"
781 limits:
782 memory: "1024Mi"
783 cpu: "2000m"
784 l3:
785 requests:
786 memory: "128Mi"
787 cpu: "100m"
788 limits:
789 memory: "1024Mi"
790 cpu: "2000m"
791 lb:
792 requests:
793 memory: "128Mi"
794 cpu: "100m"
795 limits:
796 memory: "1024Mi"
797 cpu: "2000m"
798 metadata:
799 requests:
800 memory: "128Mi"
801 cpu: "100m"
802 limits:
803 memory: "1024Mi"
804 cpu: "2000m"
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200805 ovn_metadata:
806 requests:
807 memory: "128Mi"
808 cpu: "100m"
809 limits:
810 memory: "1024Mi"
811 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500812 ovs:
813 requests:
814 memory: "128Mi"
815 cpu: "100m"
816 limits:
817 memory: "1024Mi"
818 cpu: "2000m"
819 sriov:
820 requests:
821 memory: "128Mi"
822 cpu: "100m"
823 limits:
824 memory: "1024Mi"
825 cpu: "2000m"
826 l2gw:
827 requests:
828 memory: "128Mi"
829 cpu: "100m"
830 limits:
831 memory: "1024Mi"
832 cpu: "2000m"
833 bagpipe_bgp:
834 requests:
835 memory: "128Mi"
836 cpu: "100m"
837 limits:
838 memory: "1024Mi"
839 cpu: "2000m"
Rico Lincf86b122023-11-02 01:29:14 +0800840 bgp_dragent:
841 requests:
842 memory: "128Mi"
843 cpu: "100m"
844 limits:
845 memory: "1024Mi"
846 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500847 server:
848 requests:
849 memory: "128Mi"
850 cpu: "100m"
851 limits:
852 memory: "1024Mi"
853 cpu: "2000m"
Mohammed Nasere40c3e82024-07-04 02:52:34 -0400854 neutron_policy_server:
855 requests:
856 memory: "128Mi"
857 cpu: "100m"
858 limits:
859 memory: "256Mi"
860 cpu: "500m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500861 ironic_agent:
862 requests:
863 memory: "128Mi"
864 cpu: "100m"
865 limits:
866 memory: "1024Mi"
867 cpu: "2000m"
868 netns_cleanup_cron:
869 requests:
870 memory: "128Mi"
871 cpu: "100m"
872 limits:
873 memory: "1024Mi"
874 cpu: "2000m"
875 jobs:
876 bootstrap:
877 requests:
878 memory: "128Mi"
879 cpu: "100m"
880 limits:
881 memory: "1024Mi"
882 cpu: "2000m"
883 db_init:
884 requests:
885 memory: "128Mi"
886 cpu: "100m"
887 limits:
888 memory: "1024Mi"
889 cpu: "2000m"
890 rabbit_init:
891 requests:
892 memory: "128Mi"
893 cpu: "100m"
894 limits:
895 memory: "1024Mi"
896 cpu: "2000m"
897 db_sync:
898 requests:
899 memory: "128Mi"
900 cpu: "100m"
901 limits:
902 memory: "1024Mi"
903 cpu: "2000m"
904 db_drop:
905 requests:
906 memory: "128Mi"
907 cpu: "100m"
908 limits:
909 memory: "1024Mi"
910 cpu: "2000m"
911 ks_endpoints:
912 requests:
913 memory: "128Mi"
914 cpu: "100m"
915 limits:
916 memory: "1024Mi"
917 cpu: "2000m"
918 ks_service:
919 requests:
920 memory: "128Mi"
921 cpu: "100m"
922 limits:
923 memory: "1024Mi"
924 cpu: "2000m"
925 ks_user:
926 requests:
927 memory: "128Mi"
928 cpu: "100m"
929 limits:
930 memory: "1024Mi"
931 cpu: "2000m"
932 tests:
933 requests:
934 memory: "128Mi"
935 cpu: "100m"
936 limits:
937 memory: "1024Mi"
938 cpu: "2000m"
939 image_repo_sync:
940 requests:
941 memory: "128Mi"
942 cpu: "100m"
943 limits:
944 memory: "1024Mi"
945 cpu: "2000m"
946
947conf:
  # Settings for the rally test job. "clean_up" is a shell snippet carried as
  # a literal block scalar.
  rally_tests:
    force_project_purge: false
    run_tempest: false
    # NOTE(review): the script selects routers and networks purely by name
    # (PATTERN="^[sc]_rally_") among everything the job's credentials can
    # list, so any resource with a matching name is deleted, not only the
    # ones rally created.
    # NOTE(review): $PATTERN, $ROUTER, $SUBN, $PORT and $NETWORK are expanded
    # unquoted. Resource names are user-chosen strings, so a name containing
    # whitespace or glob characters is word-split before it reaches the
    # openstack CLI. Quoting the expansions and iterating over IDs
    # (-c ID) instead of names would remove that ambiguity.
    # "set +e" is deliberate: failures are ignored so that cleanup never
    # blocks the deployment, which also means a partial cleanup goes unreported.
    clean_up: |
      # NOTE: We will make the best effort to clean up rally generated networks and routers,
      # but should not block further automated deployment.
      set +e
      PATTERN="^[sc]_rally_"

      ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
      NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')

      for ROUTER in $ROUTERS
      do
        openstack router unset --external-gateway $ROUTER
        openstack router set --disable --no-ha $ROUTER

        SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
        for SUBN in $SUBNS
        do
          openstack router remove subnet $ROUTER $SUBN
        done

        for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
        do
          openstack router remove port $ROUTER $PORT
        done

        openstack router delete $ROUTER
      done

      for NETWORK in $NETWORKS
      do
        for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
        do
          openstack port delete $PORT
        done
        openstack network delete $NETWORK
      done
      set -e
988 tests:
989 NeutronNetworks.create_and_delete_networks:
990 - args:
991 network_create_args: {}
992 context:
993 quotas:
994 neutron:
995 network: -1
996 runner:
997 concurrency: 1
998 times: 1
999 type: constant
1000 sla:
1001 failure_rate:
1002 max: 0
1003 NeutronNetworks.create_and_delete_ports:
1004 - args:
1005 network_create_args: {}
1006 port_create_args: {}
1007 ports_per_network: 10
1008 context:
1009 network: {}
1010 quotas:
1011 neutron:
1012 network: -1
1013 port: -1
1014 runner:
1015 concurrency: 1
1016 times: 1
1017 type: constant
1018 sla:
1019 failure_rate:
1020 max: 0
1021 NeutronNetworks.create_and_delete_routers:
1022 - args:
1023 network_create_args: {}
1024 router_create_args: {}
1025 subnet_cidr_start: 1.1.0.0/30
1026 subnet_create_args: {}
1027 subnets_per_network: 2
1028 context:
1029 network: {}
1030 quotas:
1031 neutron:
1032 network: -1
1033 router: -1
1034 subnet: -1
1035 runner:
1036 concurrency: 1
1037 times: 1
1038 type: constant
1039 sla:
1040 failure_rate:
1041 max: 0
1042 NeutronNetworks.create_and_delete_subnets:
1043 - args:
1044 network_create_args: {}
1045 subnet_cidr_start: 1.1.0.0/30
1046 subnet_create_args: {}
1047 subnets_per_network: 2
1048 context:
1049 network: {}
1050 quotas:
1051 neutron:
1052 network: -1
1053 subnet: -1
1054 runner:
1055 concurrency: 1
1056 times: 1
1057 type: constant
1058 sla:
1059 failure_rate:
1060 max: 0
1061 NeutronNetworks.create_and_list_routers:
1062 - args:
1063 network_create_args: {}
1064 router_create_args: {}
1065 subnet_cidr_start: 1.1.0.0/30
1066 subnet_create_args: {}
1067 subnets_per_network: 2
1068 context:
1069 network: {}
1070 quotas:
1071 neutron:
1072 network: -1
1073 router: -1
1074 subnet: -1
1075 runner:
1076 concurrency: 1
1077 times: 1
1078 type: constant
1079 sla:
1080 failure_rate:
1081 max: 0
1082 NeutronNetworks.create_and_list_subnets:
1083 - args:
1084 network_create_args: {}
1085 subnet_cidr_start: 1.1.0.0/30
1086 subnet_create_args: {}
1087 subnets_per_network: 2
1088 context:
1089 network: {}
1090 quotas:
1091 neutron:
1092 network: -1
1093 subnet: -1
1094 runner:
1095 concurrency: 1
1096 times: 1
1097 type: constant
1098 sla:
1099 failure_rate:
1100 max: 0
1101 NeutronNetworks.create_and_show_network:
1102 - args:
1103 network_create_args: {}
1104 context:
1105 quotas:
1106 neutron:
1107 network: -1
1108 runner:
1109 concurrency: 1
1110 times: 1
1111 type: constant
1112 sla:
1113 failure_rate:
1114 max: 0
1115 NeutronNetworks.create_and_update_networks:
1116 - args:
1117 network_create_args: {}
1118 network_update_args:
1119 admin_state_up: false
1120 context:
1121 quotas:
1122 neutron:
1123 network: -1
1124 runner:
1125 concurrency: 1
1126 times: 1
1127 type: constant
1128 sla:
1129 failure_rate:
1130 max: 0
1131 NeutronNetworks.create_and_update_ports:
1132 - args:
1133 network_create_args: {}
1134 port_create_args: {}
1135 port_update_args:
1136 admin_state_up: false
1137 device_id: dummy_id
1138 device_owner: dummy_owner
1139 ports_per_network: 5
1140 context:
1141 network: {}
1142 quotas:
1143 neutron:
1144 network: -1
1145 port: -1
1146 runner:
1147 concurrency: 1
1148 times: 1
1149 type: constant
1150 sla:
1151 failure_rate:
1152 max: 0
1153 NeutronNetworks.create_and_update_routers:
1154 - args:
1155 network_create_args: {}
1156 router_create_args: {}
1157 router_update_args:
1158 admin_state_up: false
1159 subnet_cidr_start: 1.1.0.0/30
1160 subnet_create_args: {}
1161 subnets_per_network: 2
1162 context:
1163 network: {}
1164 quotas:
1165 neutron:
1166 network: -1
1167 router: -1
1168 subnet: -1
1169 runner:
1170 concurrency: 1
1171 times: 1
1172 type: constant
1173 sla:
1174 failure_rate:
1175 max: 0
1176 NeutronNetworks.create_and_update_subnets:
1177 - args:
1178 network_create_args: {}
1179 subnet_cidr_start: 1.4.0.0/16
1180 subnet_create_args: {}
1181 subnet_update_args:
1182 enable_dhcp: false
1183 subnets_per_network: 2
1184 context:
1185 network: {}
1186 quotas:
1187 neutron:
1188 network: -1
1189 subnet: -1
1190 runner:
1191 concurrency: 1
1192 times: 1
1193 type: constant
1194 sla:
1195 failure_rate:
1196 max: 0
1197 NeutronNetworks.list_agents:
1198 - args:
1199 agent_args: {}
1200 runner:
1201 concurrency: 1
1202 times: 1
1203 type: constant
1204 sla:
1205 failure_rate:
1206 max: 0
1207 NeutronSecurityGroup.create_and_list_security_groups:
1208 - args:
1209 security_group_create_args: {}
1210 context:
1211 quotas:
1212 neutron:
1213 security_group: -1
1214 runner:
1215 concurrency: 1
1216 times: 1
1217 type: constant
1218 sla:
1219 failure_rate:
1220 max: 0
1221 NeutronSecurityGroup.create_and_update_security_groups:
1222 - args:
1223 security_group_create_args: {}
1224 security_group_update_args: {}
1225 context:
1226 quotas:
1227 neutron:
1228 security_group: -1
1229 runner:
1230 concurrency: 1
1231 times: 1
1232 type: constant
1233 sla:
1234 failure_rate:
1235 max: 0
  # Paste deploy configuration for the neutron API: URL map, the two
  # selectable pipelines (noauth / keystone), and the filter and app
  # factories they reference.
  paste:
    composite:neutron:
      use: egg:Paste#urlmap
      /: neutronversions_composite
      /v2.0: neutronapi_v2_0
    # NOTE(review): the "noauth" pipeline contains neither authtoken nor
    # keystonecontext, so requests on it are not authenticated. Which
    # pipeline is active is chosen by the pipeline factory from service
    # configuration outside this section - presumably auth_strategy; confirm
    # it is set to keystone in every deployment.
    # The audit filter is present only in the keystone pipeline.
    composite:neutronapi_v2_0:
      use: call:neutron.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
    # The versions endpoint uses the same unauthenticated filter list in both
    # modes.
    composite:neutronversions_composite:
      use: call:neutron.auth:pipeline_factory
      noauth: cors http_proxy_to_wsgi neutronversions
      keystone: cors http_proxy_to_wsgi neutronversions
    filter:request_id:
      paste.filter_factory: oslo_middleware:RequestId.factory
    filter:catch_errors:
      paste.filter_factory: oslo_middleware:CatchErrors.factory
    filter:cors:
      paste.filter_factory: oslo_middleware.cors:filter_factory
      oslo_config_project: neutron
    # NOTE(review): this filter rewrites the WSGI environment from
    # proxy-supplied forwarding headers; those headers are only trustworthy
    # when every request passes through a proxy that sets them - confirm the
    # API is not reachable around the ingress.
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
    filter:keystonecontext:
      paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
    filter:audit:
      paste.filter_factory: keystonemiddleware.audit:filter_factory
      audit_map_file: /etc/neutron/api_audit_map.conf
    filter:extensions:
      paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
    app:neutronversions:
      paste.app_factory: neutron.pecan_wsgi.app:versions_factory
    app:neutronapiapp_v2_0:
      paste.app_factory: neutron.api.v2.router:APIRouter.factory
    # Defined here but not referenced by any pipeline above.
    filter:osprofiler:
      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
  # uWSGI options for the neutron policy server sidecar.
  neutron_policy_server_uwsgi:
    uwsgi:
      add-header: "Connection: close"
      buffer-size: 65535
      die-on-term: true
      enable-threads: true
      exit-on-reload: false
      hook-master-start: unix_signal:15 gracefully_kill_them_all
      lazy-apps: true
      # NOTE(review): X-Forwarded-For is a client-supplied header; the logged
      # address is only reliable when a trusted proxy in front of this server
      # overwrites it.
      log-x-forwarded-for: true
      master: true
      procname-prefix-spaced: "neutron-policy-server:"
      # NOTE(review): any request whose User-Agent starts with "kube-probe"
      # is excluded from the request log. User-Agent is set by the client, so
      # a caller that can reach this port can keep its requests out of the
      # log by sending that value - rely on another log source for
      # investigations.
      route-user-agent: '^kube-probe.* donotlog:'
      thunder-lock: true
      worker-reload-mercy: 80
      wsgi-file: /var/lib/openstack/bin/neutron-policy-server-wsgi
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001289 policy: {}
1290 api_audit_map:
1291 DEFAULT:
1292 target_endpoint_type: None
1293 custom_actions:
1294 add_router_interface: update/add
1295 remove_router_interface: update/remove
1296 path_keywords:
1297 floatingips: ip
1298 healthmonitors: healthmonitor
1299 health_monitors: health_monitor
1300 lb: None
1301 members: member
1302 metering-labels: label
1303 metering-label-rules: rule
1304 networks: network
1305 pools: pool
1306 ports: port
1307 routers: router
1308 quotas: quota
1309 security-groups: security-group
1310 security-group-rules: rule
1311 subnets: subnet
1312 vips: vip
1313 service_endpoints:
1314 network: service/network
# Sudoers policy for the neutron user, carried as a literal block scalar
# (presumably rendered into the pods as the sudoers drop-in; the template is
# not visible here).
# It grants passwordless root only for neutron-rootwrap and
# neutron-rootwrap-daemon, and only with /etc/neutron/rootwrap.conf.
# The trailing `*` on the neutron-rootwrap entries accepts any argument list,
# so what runs as root is bounded by the rootwrap filter files, not by sudo.
# Review filter changes as privilege changes.
# secure_path includes /var/lib/openstack/bin and /var/lib/kolla/venv/bin;
# NOTE(review): confirm these are not writable by the neutron user in the
# images in use.
neutron_sudoers: |
  # This sudoers file supports rootwrap for both Kolla and LOCI Images.
  Defaults !requiretty
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
# Content of rootwrap.conf, the file named on every sudoers entry and in
# agent.root_helper. Points to check when overriding:
# - filters_path and exec_dirs decide which filter files are loaded and where
#   unqualified command names are resolved. Both lists include image-specific
#   directories (/var/lib/openstack/..., /var/lib/kolla/venv/bin); the
#   in-file comments require every entry to be writable by root only.
# - use_syslog=False: as shipped, rootwrap does not log to syslog. Per the
#   in-file comments, syslog_log_level=INFO would log all usage and ERROR
#   only unsuccessful attempts. Enable syslog if an audit trail of commands
#   run as root is needed.
rootwrap: |
  # Configuration for neutron-rootwrap
  # This file should be owned by (and only-writeable by) the root user

  [DEFAULT]
  # List of directories to load filter definitions from (separated by ',').
  # These directories MUST all be only writeable by root !
  filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d

  # List of directories to search executables in, in case filters do not
  # explicitely specify a full path (separated by ',')
  # If not specified, defaults to system PATH environment variable.
  # These directories MUST all be only writeable by root !
  exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

  # Enable logging to syslog
  # Default value is False
  use_syslog=False

  # Which syslog facility to use.
  # Valid values include auth, authpriv, syslog, local0, local1...
  # Default value is 'syslog'
  syslog_log_facility=syslog

  # Which messages to log.
  # INFO means log all usage
  # ERROR means only log unsuccessful attempts
  syslog_log_level=ERROR

  [xenapi]
  # XenAPI configuration is only required by the L2 agent if it is to
  # target a XenServer/XCP compute host's dom0.
  xenapi_connection_url=<None>
  xenapi_connection_username=root
  xenapi_connection_password=<None>
1356 rootwrap_filters:
1357 debug:
1358 pods:
1359 - dhcp_agent
1360 - l3_agent
1361 - lb_agent
1362 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001363 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001364 - ovs_agent
1365 - sriov_agent
1366 content: |
1367 # neutron-rootwrap command filters for nodes on which neutron is
1368 # expected to control network
1369 #
1370 # This file should be owned by (and only-writeable by) the root user
1371
1372 # format seems to be
1373 # cmd-name: filter-name, raw-command, user, args
1374
1375 [Filters]
1376
1377 # This is needed because we should ping
1378 # from inside a namespace which requires root
1379 # _alt variants allow to match -c and -w in any order
1380 # (used by NeutronDebugAgent.ping_all)
1381 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
1382 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
1383 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
1384 ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
1385 dibbler:
1386 pods:
1387 - dhcp_agent
1388 - l3_agent
1389 - lb_agent
1390 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001391 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001392 - ovs_agent
1393 - sriov_agent
1394 content: |
1395 # neutron-rootwrap command filters for nodes on which neutron is
1396 # expected to control network
1397 #
1398 # This file should be owned by (and only-writeable by) the root user
1399
1400 # format seems to be
1401 # cmd-name: filter-name, raw-command, user, args
1402
1403 [Filters]
1404
1405 # Filters for the dibbler-based reference implementation of the pluggable
1406 # Prefix Delegation driver. Other implementations using an alternative agent
1407 # should include a similar filter in this folder.
1408
1409 # prefix_delegation_agent
1410 dibbler-client: CommandFilter, dibbler-client, root
1411 ipset_firewall:
1412 pods:
1413 - dhcp_agent
1414 - l3_agent
1415 - lb_agent
1416 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001417 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001418 - ovs_agent
1419 - sriov_agent
1420 content: |
1421 # neutron-rootwrap command filters for nodes on which neutron is
1422 # expected to control network
1423 #
1424 # This file should be owned by (and only-writeable by) the root user
1425
1426 # format seems to be
1427 # cmd-name: filter-name, raw-command, user, args
1428
1429 [Filters]
1430 # neutron/agent/linux/iptables_firewall.py
1431 # "ipset", "-A", ...
1432 ipset: CommandFilter, ipset, root
# Rootwrap filters for the L3 agent code paths.
# `pods` lists seven agent types, so this filter file is distributed more
# widely than the l3_agent alone (presumably each listed pod mounts it;
# confirm against the configmap template). Trim the list if an agent does not
# need these commands.
# Review notes on the filter types used below:
# - CommandFilter entries (sysctl, route, iptables-restore, ovs-vsctl,
#   conntrack, keepalived, ...) match the command name only and place no
#   constraint on arguments.
# - `haproxy ... -f, .*` accepts any configuration file path.
# - The KillFilter entries for python* match on the interpreter rather than
#   the script, so any Python process visible to the pod can be signalled;
#   the in-file TODO(mlavalle) acknowledges this.
l3:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # arping
    arping: CommandFilter, arping, root

    # l3_agent
    sysctl: CommandFilter, sysctl, root
    route: CommandFilter, route, root
    radvd: CommandFilter, radvd, root

    # haproxy
    haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
    kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP

    # metadata proxy
    metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
    # RHEL invocation of the metadata proxy will report /usr/bin/python
    kill_metadata: KillFilter, root, python, -15, -9
    kill_metadata2: KillFilter, root, python2, -15, -9
    kill_metadata7: KillFilter, root, python2.7, -15, -9
    kill_metadata3: KillFilter, root, python3, -15, -9
    kill_metadata35: KillFilter, root, python3.5, -15, -9
    kill_metadata36: KillFilter, root, python3.6, -15, -9
    kill_metadata37: KillFilter, root, python3.7, -15, -9
    kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
    kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP

    # ip_lib
    ip: IpFilter, ip, root
    find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
    ip_exec: IpNetnsExecFilter, ip, root

    # l3_tc_lib
    l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
    l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
    l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
    l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
    l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
    l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
    l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1

    # For ip monitor
    kill_ip_monitor: KillFilter, root, ip, -9

    # ovs_lib (if OVSInterfaceDriver is used)
    ovs-vsctl: CommandFilter, ovs-vsctl, root

    # iptables_manager
    iptables-save: CommandFilter, iptables-save, root
    iptables-restore: CommandFilter, iptables-restore, root
    ip6tables-save: CommandFilter, ip6tables-save, root
    ip6tables-restore: CommandFilter, ip6tables-restore, root

    # Keepalived
    keepalived: CommandFilter, keepalived, root
    kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9

    # l3 agent to delete floatingip's conntrack state
    conntrack: CommandFilter, conntrack, root

    # keepalived state change monitor
    keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
    # The following filters are used to kill the keepalived state change monitor.
    # Since the monitor runs as a Python script, the system reports that the
    # command of the process to be killed is python.
    # TODO(mlavalle) These kill filters will be updated once we come up with a
    # mechanism to kill using the name of the script being executed by Python
    kill_keepalived_monitor_py: KillFilter, root, python, -15
    kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
    kill_keepalived_monitor_py3: KillFilter, root, python3, -15
    kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
    kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
    kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
1524 netns_cleanup:
1525 pods:
1526 - dhcp_agent
1527 - l3_agent
1528 - lb_agent
1529 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001530 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001531 - ovs_agent
1532 - sriov_agent
1533 - netns_cleanup_cron
1534 content: |
1535 # neutron-rootwrap command filters for nodes on which neutron is
1536 # expected to control network
1537 #
1538 # This file should be owned by (and only-writeable by) the root user
1539
1540 # format seems to be
1541 # cmd-name: filter-name, raw-command, user, args
1542
1543 [Filters]
1544
1545 # netns-cleanup
1546 netstat: CommandFilter, netstat, root
1547 dhcp:
1548 pods:
1549 - dhcp_agent
1550 - l3_agent
1551 - lb_agent
1552 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001553 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001554 - ovs_agent
1555 - sriov_agent
1556 - netns_cleanup_cron
1557 content: |
1558 # neutron-rootwrap command filters for nodes on which neutron is
1559 # expected to control network
1560 #
1561 # This file should be owned by (and only-writeable by) the root user
1562
1563 # format seems to be
1564 # cmd-name: filter-name, raw-command, user, args
1565
1566 [Filters]
1567
1568 # dhcp-agent
1569 dnsmasq: CommandFilter, dnsmasq, root
1570 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
1571 # it looks like these are the only signals needed, per
1572 # neutron/agent/linux/dhcp.py
1573 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
1574 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
1575
1576 ovs-vsctl: CommandFilter, ovs-vsctl, root
1577 ivs-ctl: CommandFilter, ivs-ctl, root
1578 mm-ctl: CommandFilter, mm-ctl, root
1579 dhcp_release: CommandFilter, dhcp_release, root
1580 dhcp_release6: CommandFilter, dhcp_release6, root
1581
1582 # metadata proxy
1583 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1584 # RHEL invocation of the metadata proxy will report /usr/bin/python
1585 kill_metadata: KillFilter, root, python, -9
1586 kill_metadata2: KillFilter, root, python2, -9
1587 kill_metadata7: KillFilter, root, python2.7, -9
1588 kill_metadata3: KillFilter, root, python3, -9
1589 kill_metadata35: KillFilter, root, python3.5, -9
1590 kill_metadata36: KillFilter, root, python3.6, -9
1591 kill_metadata37: KillFilter, root, python3.7, -9
1592
1593 # ip_lib
1594 ip: IpFilter, ip, root
1595 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1596 ip_exec: IpNetnsExecFilter, ip, root
1597 ebtables:
1598 pods:
1599 - dhcp_agent
1600 - l3_agent
1601 - lb_agent
1602 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001603 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001604 - ovs_agent
1605 - sriov_agent
1606 content: |
1607 # neutron-rootwrap command filters for nodes on which neutron is
1608 # expected to control network
1609 #
1610 # This file should be owned by (and only-writeable by) the root user
1611
1612 # format seems to be
1613 # cmd-name: filter-name, raw-command, user, args
1614
1615 [Filters]
1616
1617 ebtables: CommandFilter, ebtables, root
1618 iptables_firewall:
1619 pods:
1620 - dhcp_agent
1621 - l3_agent
1622 - lb_agent
1623 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001624 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001625 - ovs_agent
1626 - sriov_agent
1627 content: |
1628 # neutron-rootwrap command filters for nodes on which neutron is
1629 # expected to control network
1630 #
1631 # This file should be owned by (and only-writeable by) the root user
1632
1633 # format seems to be
1634 # cmd-name: filter-name, raw-command, user, args
1635
1636 [Filters]
1637
1638 # neutron/agent/linux/iptables_firewall.py
1639 # "iptables-save", ...
1640 iptables-save: CommandFilter, iptables-save, root
1641 iptables-restore: CommandFilter, iptables-restore, root
1642 ip6tables-save: CommandFilter, ip6tables-save, root
1643 ip6tables-restore: CommandFilter, ip6tables-restore, root
1644
1645 # neutron/agent/linux/iptables_firewall.py
1646 # "iptables", "-A", ...
1647 iptables: CommandFilter, iptables, root
1648 ip6tables: CommandFilter, ip6tables, root
1649
1650 # neutron/agent/linux/iptables_firewall.py
1651 sysctl: CommandFilter, sysctl, root
1652
1653 # neutron/agent/linux/ip_conntrack.py
1654 conntrack: CommandFilter, conntrack, root
1655 linuxbridge_plugin:
1656 pods:
1657 - dhcp_agent
1658 - l3_agent
1659 - lb_agent
1660 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001661 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001662 - ovs_agent
1663 - sriov_agent
1664 content: |
1665 # neutron-rootwrap command filters for nodes on which neutron is
1666 # expected to control network
1667 #
1668 # This file should be owned by (and only-writeable by) the root user
1669
1670 # format seems to be
1671 # cmd-name: filter-name, raw-command, user, args
1672
1673 [Filters]
1674
1675 # linuxbridge-agent
1676 # unclear whether both variants are necessary, but I'm transliterating
1677 # from the old mechanism
1678 brctl: CommandFilter, brctl, root
1679 bridge: CommandFilter, bridge, root
1680
1681 # ip_lib
1682 ip: IpFilter, ip, root
1683 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1684 ip_exec: IpNetnsExecFilter, ip, root
1685
1686 # tc commands needed for QoS support
1687 tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
1688 tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
1689 tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
1690 tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1691 tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
1692 tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
1693 openvswitch_plugin:
1694 pods:
1695 - dhcp_agent
1696 - l3_agent
1697 - lb_agent
1698 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001699 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001700 - ovs_agent
1701 - sriov_agent
1702 content: |
1703 # neutron-rootwrap command filters for nodes on which neutron is
1704 # expected to control network
1705 #
1706 # This file should be owned by (and only-writeable by) the root user
1707
1708 # format seems to be
1709 # cmd-name: filter-name, raw-command, user, args
1710
1711 [Filters]
1712
1713 # openvswitch-agent
1714 # unclear whether both variants are necessary, but I'm transliterating
1715 # from the old mechanism
1716 ovs-vsctl: CommandFilter, ovs-vsctl, root
1717 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
1718 ovs-ofctl: CommandFilter, ovs-ofctl, root
1719 ovs-appctl: CommandFilter, ovs-appctl, root
1720 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
1721 ovsdb-client: CommandFilter, ovsdb-client, root
1722 xe: CommandFilter, xe, root
1723
1724 # ip_lib
1725 ip: IpFilter, ip, root
1726 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1727 ip_exec: IpNetnsExecFilter, ip, root
1728
1729 # needed for FDB extension
1730 bridge: CommandFilter, bridge, root
# Rootwrap filter that lets the listed pods start the oslo.privsep helper as
# root. This is the entry point for every neutron.privileged.default function,
# so it is the broadest grant among these filter files.
# The PathFilter arguments bound --config-file to paths under /etc and
# --privsep_sock_path to paths under /. The trust assumptions are spelled out
# in the in-file comment: the Python module path and any oslo.config file
# under /etc must not be writable by the unprivileged user.
# NOTE(review): `pods` also includes netns_cleanup_cron; confirm that job
# needs privsep before keeping it in the list.
privsep:
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
    - netns_cleanup_cron
  content: |
    # Command filters to allow privsep daemon to be started via rootwrap.
    #
    # This file should be owned by (and only-writeable by) the root user

    [Filters]

    # By installing the following, the local admin is asserting that:
    #
    # 1. The python module load path used by privsep-helper
    # command as root (as started by sudo/rootwrap) is trusted.
    # 2. Any oslo.config files matching the --config-file
    # arguments below are trusted.
    # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
    # also allowed to invoke python "entrypoint" functions from
    # --privsep_context with the additional (possibly root) privileges
    # configured for that context.
    #
    # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
    #
    # In particular, the oslo.config and python module path must not
    # be writeable by the unprivileged user.

    # oslo.privsep default neutron context
    privsep: PathFilter, privsep-helper, root,
     --config-file, /etc,
     --privsep_context, neutron.privileged.default,
     --privsep_sock_path, /

    # NOTE: A second `--config-file` arg can also be added above. Since
    # many neutron components are installed like that (eg: by devstack).
    # Adjust to suit local requirements.
# Rootwrap filters for bagpipe-bgp's VXLAN Linux Bridge dataplane, scoped to
# the bagpipe_bgp pod only.
# Security note: `sh: CommandFilter, sh, root` matches the command name and
# nothing else, so it allows any shell command line to run as root through
# rootwrap. `modprobe` is likewise unconstrained. With this file installed,
# the account running bagpipe-bgp is effectively root-equivalent. Ship it
# only where bagpipe_bgp is deployed; if the piped commands are known,
# replace the `sh` entry with argument-constrained filters.
linux_vxlan:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control VXLAN Linux Bridge dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    #
    modprobe: CommandFilter, modprobe, root

    #
    brctl: CommandFilter, brctl, root
    bridge: CommandFilter, bridge, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root
# Rootwrap filters for bagpipe-bgp's MPLS Open vSwitch dataplane, scoped to
# the bagpipe_bgp pod only.
# Security note: `sh: CommandFilter, sh, root` matches the command name and
# nothing else, so it allows any shell command line to run as root through
# rootwrap. With this file installed, the account running bagpipe-bgp is
# effectively root-equivalent. Ship it only where bagpipe_bgp is deployed; if
# the piped commands are known, replace the `sh` entry with
# argument-constrained filters.
mpls_ovs_dataplane:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control MPLS OpenVSwitch dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # openvswitch
    ovs-vsctl: CommandFilter, ovs-vsctl, root
    ovs-ofctl: CommandFilter, ovs-ofctl, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root
# Default contents of neutron.conf, one mapping per INI section.
# No credentials appear in this block. The auth_type: password sections
# (nova, placement, designate, keystone_authtoken) presumably get their
# usernames and passwords from the chart's endpoints/secrets values; confirm
# in the templates.
neutron:
  DEFAULT:
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    log_config_append: /etc/neutron/logging.conf
    # NOTE(portdirect): the bind port should not be defined, and is manipulated
    # via the endpoints section.
    bind_port: null
    default_availability_zones: nova
    api_workers: 1
    rpc_workers: 4
    allow_overlapping_ips: True
    state_path: /var/lib/neutron
    # core_plugin can be: ml2, calico
    core_plugin: ml2
    # service_plugin can be: router, odl-router, empty for calico,
    # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
    service_plugins: router
    allow_automatic_l3agent_failover: True
    l3_ha: True
    max_l3_agents_per_router: 2
    l3_ha_network_type: vxlan
    network_auto_schedule: True
    router_auto_schedule: True
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
  oslo_concurrency:
    lock_path: /var/lib/neutron/tmp
  database:
    max_retries: -1
  agent:
    # Every privileged agent command goes through sudo + neutron-rootwrap with
    # /etc/neutron/rootwrap.conf, so the sudoers entry and the rootwrap filter
    # files are the effective privilege boundary for the agents.
    root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
  oslo_messaging_notifications:
    driver: messagingv2
  oslo_messaging_rabbit:
    rabbit_ha_queues: true
  oslo_middleware:
    # Makes the http_proxy_to_wsgi middleware honour forwarded-host/proto
    # headers. This is safe only when the API is reachable solely through a
    # proxy or ingress that overwrites those headers; otherwise clients can
    # supply them.
    enable_proxy_headers_parsing: true
  oslo_policy:
    policy_file: /etc/neutron/policy.yaml
  ovn:
    ovn_metadata_enabled: true
  nova:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  placement:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  designate:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
    allow_reverse_dns_lookup: true
  ironic:
    endpoint_type: internal
  keystone_authtoken:
    # Service tokens are accepted only when they carry the `service` role.
    service_token_roles: service
    service_token_roles_required: true
    # ENCRYPT needs a memcache_secret_key to be set as well; it is not set in
    # this block. NOTE(review): confirm the chart injects a per-deployment
    # key rather than a shared default.
    memcache_security_strategy: ENCRYPT
    auth_type: password
    auth_version: v3
    service_type: network
  octavia:
    request_poll_timeout: 3000
1891 logging:
1892 loggers:
1893 keys:
1894 - root
1895 - neutron
1896 - neutron_taas
1897 handlers:
1898 keys:
1899 - stdout
1900 - stderr
1901 - "null"
1902 formatters:
1903 keys:
1904 - context
1905 - default
1906 logger_root:
1907 level: WARNING
1908 handlers: 'null'
1909 logger_neutron:
1910 level: INFO
1911 handlers:
1912 - stdout
1913 qualname: neutron
1914 logger_neutron_taas:
1915 level: INFO
1916 handlers:
1917 - stdout
1918 qualname: neutron_taas
1919 logger_amqp:
1920 level: WARNING
1921 handlers: stderr
1922 qualname: amqp
1923 logger_amqplib:
1924 level: WARNING
1925 handlers: stderr
1926 qualname: amqplib
1927 logger_eventletwsgi:
1928 level: WARNING
1929 handlers: stderr
1930 qualname: eventlet.wsgi.server
1931 logger_sqlalchemy:
1932 level: WARNING
1933 handlers: stderr
1934 qualname: sqlalchemy
1935 logger_boto:
1936 level: WARNING
1937 handlers: stderr
1938 qualname: boto
1939 handler_null:
1940 class: logging.NullHandler
1941 formatter: default
1942 args: ()
1943 handler_stdout:
1944 class: StreamHandler
1945 args: (sys.stdout,)
1946 formatter: context
1947 handler_stderr:
1948 class: StreamHandler
1949 args: (sys.stderr,)
1950 formatter: context
1951 formatter_context:
1952 class: oslo_log.formatters.ContextFormatter
1953 datefmt: "%Y-%m-%d %H:%M:%S"
1954 formatter_default:
1955 format: "%(message)s"
1956 datefmt: "%Y-%m-%d %H:%M:%S"
1957 plugins:
1958 ml2_conf:
1959 ml2:
1960 extension_drivers: port_security
1961 # (NOTE)portdirect: if unset this is populated dynamically from the value
1962 # in 'network.backend' to sane defaults.
1963 mechanism_drivers: null
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001964 type_drivers: flat,vlan,vxlan,local
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001965 tenant_network_types: vxlan
1966 ml2_type_vxlan:
1967 vni_ranges: 1:1000
1968 vxlan_group: 239.1.1.1
1969 ml2_type_flat:
1970 flat_networks: "*"
1971 # If you want to use the external network as a tagged provider network,
1972 # a range should be specified including the intended VLAN target
1973 # using ml2_type_vlan.network_vlan_ranges:
1974 # ml2_type_vlan:
1975 # network_vlan_ranges: "external:1100:1110"
Mohammed Naser593ec012023-07-23 09:20:05 +00001976 ml2_type_geneve:
1977 vni_ranges: 1:65536
1978 max_header_size: 38
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001979 agent:
1980 extensions: ""
1981 ml2_conf_sriov: null
1982 taas:
1983 taas:
1984 enabled: False
1985 openvswitch_agent:
1986 agent:
1987 tunnel_types: vxlan
1988 l2_population: True
1989 arp_responder: True
1990 ovs:
1991 bridge_mappings: "external:br-ex"
1992 securitygroup:
1993 firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
1994 linuxbridge_agent:
1995 linux_bridge:
1996 # To define Flat and VLAN connections, in LB we can assign
1997 # specific interface to the flat/vlan network name using:
1998 # physical_interface_mappings: "external:eth3"
1999 # Or we can set the mapping between the network and bridge:
2000 bridge_mappings: "external:br-ex"
2001 # The two above options are exclusive, do not use both of them at once
2002 securitygroup:
2003 firewall_driver: iptables
2004 vxlan:
2005 l2_population: True
2006 arp_responder: True
2007 macvtap_agent: null
2008 sriov_agent:
2009 securitygroup:
2010 firewall_driver: neutron.agent.firewall.NoopFirewallDriver
2011 sriov_nic:
2012 physical_device_mappings: physnet2:enp3s0f1
2013 # NOTE: do not use null here, use an empty string
2014 exclude_devices: ""
2015 dhcp_agent:
2016 DEFAULT:
2017 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2018 # 'network.backend' to sane defaults.
2019 interface_driver: null
2020 dnsmasq_config_file: /etc/neutron/dnsmasq.conf
2021 force_metadata: True
2022 dnsmasq: |
2023 #no-hosts
2024 #port=5353
2025 #cache-size=500
2026 #no-negcache
2027 #dns-forward-max=100
2028 #resolve-file=
2029 #strict-order
2030 #bind-interface
2031 #bind-dynamic
2032 #domain=
2033 #dhcp-range=10.10.10.10,10.10.10.100,24h
2034 #dhcp-lease-max=150
2035 #dhcp-host=11:22:33:44:55:66,ignore
2036 #dhcp-option=3,10.10.10.1
2037 #dhcp-option-force=26,1450
2038
2039 l3_agent:
2040 DEFAULT:
2041 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2042 # 'network.backend' to sane defaults.
2043 interface_driver: null
2044 agent_mode: legacy
2045 metering_agent: null
# Default metadata_agent.ini contents.
metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # Placeholder value: override it for every deployment with a random
    # secret supplied outside version control. The metadata proxy and the
    # Nova metadata API use this shared secret to authenticate the
    # instance-identifying headers on proxied requests, so a guessable value
    # weakens the isolation between instances' metadata. It must match the
    # value configured on the Nova side.
    metadata_proxy_shared_secret: "password"
  cache:
    enabled: true
    backend: dogpile.cache.memcached
2055 bagpipe_bgp: {}
# Default configuration for the OVN metadata agent.
ovn_metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # Placeholder value: override it for every deployment with a random
    # secret supplied outside version control. The metadata proxy and the
    # Nova metadata API use this shared secret to authenticate the
    # instance-identifying headers on proxied requests, so a guessable value
    # weakens the isolation between instances' metadata. It must match the
    # value configured on the Nova side.
    metadata_proxy_shared_secret: "password"
    metadata_workers: 2
  cache:
    enabled: true
    backend: dogpile.cache.memcached
  ovs:
    # Local unix socket; the agent needs the host's Open vSwitch run
    # directory mounted to reach it (mount not visible in this file).
    ovsdb_connection: unix:/run/openvswitch/db.sock
Rico Lincf86b122023-11-02 01:29:14 +08002068 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002069
2070 rabbitmq:
2071 # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
2072 policies:
2073 - vhost: "neutron"
2074 name: "ha_ttl_neutron"
2075 definition:
2076 # mirror messages to other nodes in rmq cluster
2077 ha-mode: "all"
2078 ha-sync-mode: "automatic"
2079 # 70s
2080 message-ttl: 70000
2081 priority: 0
2082 apply-to: all
2083 pattern: '^(?!(amq\.|reply_)).*'
2084 ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
2085 ## This helps prevent sriov init script from failing due to mis-matched NIC
2086 ## For prod env, target NIC should match and init script should fail otherwise.
2087 ## sriov_init:
2088 ## - besteffort
2089 sriov_init:
2090 -
2091 # auto_bridge_add is a table of "bridge: interface" pairs
2092 # To automatically add physical interfaces to specific bridges,
2093 # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
2094 # to br1 do something like:
2095 #
2096 # auto_bridge_add:
2097 # br-physnet1: eth3
2098 # br0: if0
2099 # br1: iface_two
2100 # br-ex will be added by default
2101 auto_bridge_add:
2102 br-ex: null
2103
Mohammed Nasera720f882023-06-30 23:48:02 -04002104 # Network off-loading configuration
2105 netoffload:
ricolin18e6fd32023-07-17 06:17:15 +00002106 enabled: false
Mohammed Nasera720f882023-06-30 23:48:02 -04002107 asap2:
2108 # - dev: enp97s0f0
2109 # vfs: 16
2110
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002111 # configuration of OVS DPDK bridges and NICs
2112 # this is a separate section and not part of the auto_bridge_add section
2113 # because additional parameters are needed
2114 ovs_dpdk:
2115 enabled: false
2116 # setting update_dpdk_bond_config to true will have default behavior,
2117 # which may cause disruptions in ovs dpdk traffic in case of neutron
2118 # ovs agent restart or when dpdk nic/bond configurations are changed.
2119 # Setting this to false will configure dpdk in the first run and
2120 # disable nic/bond config on event of restart or config update.
2121 update_dpdk_bond_config: true
2122 driver: uio_pci_generic
2123 # In case bonds are configured, the nics which are part of those bonds
2124 # must NOT be provided here.
2125 nics:
2126 - name: dpdk0
2127 pci_id: '0000:05:00.0'
2128 # Set VF Index in case some particular VF(s) need to be
2129 # used with ovs-dpdk.
2130 # vf_index: 0
2131 bridge: br-phy
2132 migrate_ip: true
2133 n_rxq: 2
2134 n_txq: 2
2135 pmd_rxq_affinity: "0:3,1:27"
2136 ofport_request: 1
2137 # optional parameters for tuning the OVS DPDK config
2138 # in alignment with the available hardware resources
2139 # mtu: 2000
2140 # n_rxq_size: 1024
2141 # n_txq_size: 1024
2142 # vhost-iommu-support: true
2143 bridges:
2144 - name: br-phy
2145 # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
2146 # - tunnel_underlay_vlan: 45
2147 # Optional parameter for configuring bonding in OVS-DPDK
2148 # - name: br-phy-bond0
2149 # bonds:
2150 # - name: dpdkbond0
2151 # bridge: br-phy-bond0
2152 # # The IP from the first nic in nics list shall be used
2153 # migrate_ip: true
2154 # mtu: 2000
2155 # # Please note that n_rxq is set for each NIC individually
2156 # # rather than denoting the total number of rx queues for
2157 # # the bond as a whole. So setting n_rxq = 2 below for ex.
2158 # # would be 4 rx queues in total for the bond.
2159 # # Same for n_txq
2160 # n_rxq: 2
2161 # n_txq: 2
2162 # ofport_request: 1
2163 # n_rxq_size: 1024
2164 # n_txq_size: 1024
2165 # vhost-iommu-support: true
2166 # ovs_options: "bond_mode=active-backup"
2167 # nics:
2168 # - name: dpdk_b0s0
2169 # pci_id: '0000:06:00.0'
2170 # pmd_rxq_affinity: "0:3,1:27"
2171 # # Set VF Index in case some particular VF(s) need to be
2172 # # used with ovs-dpdk. In which case pci_id of PF must be
2173 # # provided above.
2174 # # vf_index: 0
2175 # - name: dpdk_b0s1
2176 # pci_id: '0000:07:00.0'
2177 # pmd_rxq_affinity: "0:3,1:27"
2178 # # Set VF Index in case some particular VF(s) need to be
2179 # # used with ovs-dpdk. In which case pci_id of PF must be
2180 # # provided above.
2181 # # vf_index: 0
2182 #
2183 # Set the log level for each target module (default level is always dbg)
2184 # Supported log levels are: off, emer, err, warn, info, dbg
2185 #
2186 # modules:
2187 # - name: dpdk
2188 # log_level: info
2189
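# Names of secrets used by bootstrap and environmental checks.
# These entries are secret *names* only; the credential values themselves are
# declared under `endpoints.*.auth`.
# NOTE(review): presumably the named Secret objects are rendered from those
# values by the `secret_*` manifests - confirm against the templates.
secrets:
  # Keystone credentials, one secret per account.
  identity:
    admin: neutron-keystone-admin
    neutron: neutron-keystone-user
    test: neutron-keystone-test
  # Database credentials (admin and service account).
  oslo_db:
    admin: neutron-db-admin
    neutron: neutron-db-user
  # Message-bus credentials (admin and service account).
  oslo_messaging:
    admin: neutron-rabbitmq-admin
    neutron: neutron-rabbitmq-user
  # Names of the secrets holding TLS material, keyed by endpoint type,
  # then service, then endpoint kind (public/internal).
  tls:
    compute_metadata:
      metadata:
        internal: metadata-tls-metadata
    network:
      server:
        public: neutron-tls-public
        internal: neutron-tls-server
  # Pull credentials for the OCI image registry.
  oci_image_registry:
    neutron: neutron-oci-image-registry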
2212
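# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# NOTE(review): every `password: password` below is a placeholder default,
# and most `scheme` entries default to plain `http`. Treat both as values
# that must be overridden per deployment; review them together with the
# top-level `tls` toggles and `secrets.tls` names.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Registry authentication is off by default; the credentials below are
      # placeholders.
      enabled: false
      neutron:
        username: neutron
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # Database superuser account; placeholder password, override it.
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      # Service account for the neutron database (path `/neutron` below).
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      # Message-bus administrator account; placeholder password, override it.
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: "/v2.1/%(tenant_id)s"
    scheme:
      default: 'http'
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    # Keystone accounts referenced by this chart. All passwords here are
    # placeholders; two accounts (`neutron`, `test`) are given `role: admin`.
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        role: admin
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      test:
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project will be purged and reset if
        # conf.rally_tests.force_project_purge is set to true
        # which may be required upon test failure, but be aware that this will
        # expunge all openstack objects, so if this is used a separate project
        # should be used for each helm test, and also it should be ensured
        # that this project is not in use by other tenants
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    # Plain HTTP to the identity service by default, so the credentials above
    # are sent unencrypted unless this is overridden.
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    scheme:
      default: 'http'
      service: 'http'
    port:
      api:
        default: 9696
        public: 80
        service: 9696
      policy_server:
        default: 9697
        public: 80
        service: 9697
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: 'http'
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80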
2522
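# Network policy rules for the neutron pods.
# NOTE(review): if these lists are rendered as Kubernetes NetworkPolicy rules,
# a single empty rule (`- {}`) places no restriction on peers or ports, so the
# defaults below permit all ingress and all egress. Replace them with explicit
# rules before turning on `manifests.network_policy` (false by default).
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    ingress:
      - {}
    egress:
      - {}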
2530
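# NOTE(review): presumably selects Helm 3 compatible hook handling in the
# templates - confirm against the chart before changing.
helm3_hook: true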
2532
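# Log level used by the health probe; at ERROR, lower-severity probe messages
# are not recorded.
health_probe:
  logging:
    level: ERROR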
2536
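# Per-backend TLS toggles; all three are off by default.
# NOTE(review): presumably these control TLS towards the identity service,
# the message bus and the database respectively - confirm in the templates.
# With the defaults, review the `http`, `rabbit` and `mysql+pymysql` schemes
# under `endpoints`, since the service credentials travel over those links.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false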
2541
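# Boolean switches, one per chart manifest.
# NOTE(review): presumably each key gates rendering of the template of the
# same name - confirm against the chart.
# Security-relevant defaults visible here: `certificates` and
# `network_policy` are off, and `job_db_drop` is off.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  deployment_ironic_agent: false
  deployment_server: true
  ingress_server: true
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  # Off by default; the name suggests a destructive database job, so enable
  # it only deliberately.
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  pod_rally_test: true
  # Off by default; see the allow-all rules under the top-level
  # `network_policy` key before enabling.
  network_policy: false
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_server: true
  service_server: true
...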