# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
# NOTE(review): null presumably means the templates fall back to the Helm
# release name; confirm against the chart templates.
release_group: null

# Container images for every pod and job in this chart, keyed by role.
# Every reference below is a tag, not a digest (@sha256:...), so the registry
# decides which content a tag resolves to. Pin by digest in an override file
# where image provenance matters.
# NOTE(review): the stein / bionic tags look like old chart defaults that a
# deployment is expected to override; confirm before relying on them.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    test: docker.io/xrally/xrally-openstack:2.0.0
    # `latest` is a floating tag. With pull_policy IfNotPresent (below) a node
    # keeps whatever build it pulled first, so nodes can run different code.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    rabbit_init: docker.io/rabbitmq:3.7-management
    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    # This image runs privileged as uid 0 (see
    # pod.security_context.neutron_ovs_agent.container.netoffload), so its
    # provenance deserves the same scrutiny as a host package.
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  # IfNotPresent: an image already cached on the node under this tag is used
  # without contacting the registry again.
  pull_policy: "IfNotPresent"
  # NOTE(review): presumably rewrites image references to a cluster-local
  # registry when active, except for the roles listed under `exclude`; confirm.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

# Node label key/value pairs, one pair per workload.
# NOTE(review): presumably rendered as each workload's nodeSelector; confirm
# against the templates. Most of the agents placed this way run privileged
# (see pod.security_context), so the ability to set these labels on a node
# also decides where privileged pods land.
labels:
  agent:
    dhcp:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l3:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    metadata:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l2gw:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  lb:
    node_selector_key: linuxbridge
    node_selector_value: enabled
  # openvswitch is a special case, requiring a special
  # label that can apply to both control hosts
  # and compute hosts, until we get more sophisticated
  # with our daemonset scheduling
  ovs:
    node_selector_key: openvswitch
    node_selector_value: enabled
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  bgp_dragent:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  netns_cleanup_cron:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Network wiring for the agents and exposure settings for the API service.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # Review note: with this set to true the agent pods are not isolated from
  # the host's network namespaces; weigh it together with the
  # `privileged: true` containers in pod.security_context.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # Review note: "0/0" matches any route, so the fallback presumably picks
    # the interface that carries the default route; set an explicit tunnel
    # interface or CIDR if overlay traffic must stay on a dedicated network.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): presumably publishes the Neutron API through the
      # public ingress as well as the internal one; confirm that is intended.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    # A NodePort would open `port` on the selected nodes; it is off by default.
    node_port:
      enabled: false
      port: 30096

# Optional bootstrap job; disabled by default.
# The default script runs `openstack token issue`, which prints a freshly
# issued Keystone token to stdout. If the job is enabled unchanged, that token
# ends up in the job's pod log, so readers of those logs can see it until it
# expires; replace the script or redirect its output when enabling the job.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue

# Start-up ordering: the jobs, services and pods each component waits for.
# NOTE(review): presumably consumed by the dep_check init container
# (images.tags.dep_check); confirm against the templates.
dependencies:
  # Entries merged in depending on deployment options.
  dynamic:
    common:
      local_image_registry:
        jobs:
          - neutron-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    # Per-backend overrides; `requireSameNode: true` ties an agent to a pod
    # with the given labels on the same node.
    targeted:
      sriov: {}
      l2gateway: {}
      bagpipe_bgp: {}
      ovn:
        server:
          pod: null
      bgp_dragent: {}
      openvswitch:
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        lb_agent:
          pod: null
  # Fixed dependencies per component.
  static:
    bootstrap:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - neutron-db-init
      services:
        - endpoint: internal
          service: oslo_db
    dhcp:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    ks_endpoints:
      jobs:
        - neutron-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
    l3:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    lb_agent:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    metadata:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
        # The only dependency in this file that uses a `public` endpoint.
        - endpoint: public
          service: compute_metadata
    ovn_metadata:
      pod:
        - requireSameNode: true
          labels:
            application: ovn
            component: ovn-controller
      services:
        - endpoint: internal
          service: compute_metadata
        - endpoint: internal
          service: network
    ovs_agent:
      jobs:
        - neutron-rabbit-init
      pod:
        - requireSameNode: true
          labels:
            application: openvswitch
            component: server
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    server:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    ironic_agent:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    tests:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

# Pod-level settings: probes, security contexts, scheduling, mounts,
# upgrade strategy and resource sizing for every workload in the chart.
pod:
  use_fqdn:
    neutron_agent: true
  # Readiness and liveness probe settings per agent. A bare `params:` with no
  # value is YAML null, not an empty mapping.
  probes:
    rpc_timeout: 60
    rpc_retries: 2
    dhcp_agent:
      dhcp_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    l3_agent:
      l3_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    lb_agent:
      lb_agent:
        readiness:
          enabled: true
    metadata_agent:
      metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovn_metadata_agent:
      ovn_metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovs_agent:
      ovs_agent:
        readiness:
          enabled: true
          params:
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    sriov_agent:
      sriov_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
    bagpipe_bgp:
      bagpipe_bgp:
        readiness:
          enabled: true
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    bgp_dragent:
      bgp_dragent:
        readiness:
          enabled: false
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    l2gw_agent:
      l2gw_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 65
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 90
            timeoutSeconds: 70
    server:
      server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
  # Pod- and container-level securityContext values per workload.
  # Most agent containers below set `privileged: true`. A privileged container
  # gets every capability and access to host devices, so the non-root pod
  # `runAsUser: 42424` and `readOnlyRootFilesystem: true` guard against
  # accidental writes more than against a compromised agent. Treat the nodes
  # chosen in `labels` as sharing a trust boundary with these pods, and expect
  # the namespace to need a Pod Security admission level that allows
  # privileged pods.
  # Only neutron_server and neutron_ironic_agent set
  # `allowPrivilegeEscalation: false`.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with SYS_MODULE, the capability that allows loading
        # kernel modules; not privileged, unlike the containers that follow.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Same root + SYS_MODULE pattern as the linuxbridge kernel-modules
        # container above.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        # Privileged root container built from images.tags.netoffload.
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # The nginx container overrides the pod's non-root uid and keeps a
        # writable root filesystem; no allowPrivilegeEscalation value is set
        # for it here.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # Privileged, root and writable root filesystem at the same time.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Tolerations for control-plane taints; off by default. Enabling them lets
  # these pods, including the privileged ones, schedule onto control-plane
  # nodes.
  tolerations:
    neutron:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volumes and mounts per workload; the bare `volumeMounts:` and
  # `volumes:` keys are YAML null. Anything added for an agent is mounted into
  # a container that runs privileged (see security_context), so review
  # hostPath additions with that in mind.
  mounts:
    neutron_server:
      init_container: null
      neutron_server:
        volumeMounts:
        volumes:
    neutron_dhcp_agent:
      init_container: null
      neutron_dhcp_agent:
        volumeMounts:
        volumes:
    neutron_l3_agent:
      init_container: null
      neutron_l3_agent:
        volumeMounts:
        volumes:
    neutron_lb_agent:
      init_container: null
      neutron_lb_agent:
        volumeMounts:
        volumes:
    neutron_metadata_agent:
      init_container: null
      neutron_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovn_metadata_agent:
      init_container: null
      neutron_ovn_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovs_agent:
      init_container: null
      neutron_ovs_agent:
        volumeMounts:
        volumes:
    neutron_sriov_agent:
      init_container: null
      neutron_sriov_agent:
        volumeMounts:
        volumes:
    neutron_l2gw_agent:
      init_container: null
      neutron_l2gw_agent:
        volumeMounts:
        volumes:
    bagpipe_bgp:
      init_container: null
      bagpipe_bgp:
        volumeMounts:
        volumes:
    bgp_dragent:
      init_container: null
      bgp_dragent:
        volumeMounts:
        volumes:
    neutron_ironic_agent:
      init_container: null
      neutron_ironic_agent:
        volumeMounts:
        volumes:
    neutron_netns_cleanup_cron:
      init_container: null
      neutron_netns_cleanup_cron:
        volumeMounts:
        volumes:
    neutron_tests:
      init_container: null
      neutron_tests:
        volumeMounts:
        volumes:
    neutron_bootstrap:
      init_container: null
      neutron_bootstrap:
        volumeMounts:
        volumes:
    neutron_db_sync:
      neutron_db_sync:
        volumeMounts:
          - name: db-sync-conf
            mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
            subPath: ml2_conf.ini
            readOnly: true
        volumes:
  replicas:
    server: 1
    ironic_agent: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        dhcp_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        l3_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        lb_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovn_metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovs_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        sriov_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        netns_cleanup_cron:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
    # NOTE(review): min_available 0 presumably lets a voluntary disruption
    # evict every API pod at once; raise it when replicas.server is above 1.
    disruption_budget:
      server:
        min_available: 0
    termination_grace_period:
      server:
        timeout: 30
      ironic_agent:
        timeout: 30
  # Requests and limits per workload.
  # NOTE(review): with `enabled: false` the values below are presumably not
  # rendered, which would leave every container, privileged ones included,
  # without CPU or memory limits; confirm against the templates.
  resources:
    enabled: false
    agent:
      dhcp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l3:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      lb:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovn_metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovs:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      sriov:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l2gw:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bagpipe_bgp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bgp_dragent:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    ironic_agent:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    netns_cleanup_cron:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"

934conf:
935 rally_tests:
936 force_project_purge: false
937 run_tempest: false
938 clean_up: |
939 # NOTE: We will make the best effort to clean up rally generated networks and routers,
940 # but should not block further automated deployment.
941 set +e
942 PATTERN="^[sc]_rally_"
943
944 ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
945 NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
946
947 for ROUTER in $ROUTERS
948 do
949 openstack router unset --external-gateway $ROUTER
950 openstack router set --disable --no-ha $ROUTER
951
952 SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
953 for SUBN in $SUBNS
954 do
955 openstack router remove subnet $ROUTER $SUBN
956 done
957
958 for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
959 do
960 openstack router remove port $ROUTER $PORT
961 done
962
963 openstack router delete $ROUTER
964 done
965
966 for NETWORK in $NETWORKS
967 do
968 for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
969 do
970 openstack port delete $PORT
971 done
972 openstack network delete $NETWORK
973 done
974 set -e
975 tests:
976 NeutronNetworks.create_and_delete_networks:
977 - args:
978 network_create_args: {}
979 context:
980 quotas:
981 neutron:
982 network: -1
983 runner:
984 concurrency: 1
985 times: 1
986 type: constant
987 sla:
988 failure_rate:
989 max: 0
990 NeutronNetworks.create_and_delete_ports:
991 - args:
992 network_create_args: {}
993 port_create_args: {}
994 ports_per_network: 10
995 context:
996 network: {}
997 quotas:
998 neutron:
999 network: -1
1000 port: -1
1001 runner:
1002 concurrency: 1
1003 times: 1
1004 type: constant
1005 sla:
1006 failure_rate:
1007 max: 0
1008 NeutronNetworks.create_and_delete_routers:
1009 - args:
1010 network_create_args: {}
1011 router_create_args: {}
1012 subnet_cidr_start: 1.1.0.0/30
1013 subnet_create_args: {}
1014 subnets_per_network: 2
1015 context:
1016 network: {}
1017 quotas:
1018 neutron:
1019 network: -1
1020 router: -1
1021 subnet: -1
1022 runner:
1023 concurrency: 1
1024 times: 1
1025 type: constant
1026 sla:
1027 failure_rate:
1028 max: 0
1029 NeutronNetworks.create_and_delete_subnets:
1030 - args:
1031 network_create_args: {}
1032 subnet_cidr_start: 1.1.0.0/30
1033 subnet_create_args: {}
1034 subnets_per_network: 2
1035 context:
1036 network: {}
1037 quotas:
1038 neutron:
1039 network: -1
1040 subnet: -1
1041 runner:
1042 concurrency: 1
1043 times: 1
1044 type: constant
1045 sla:
1046 failure_rate:
1047 max: 0
1048 NeutronNetworks.create_and_list_routers:
1049 - args:
1050 network_create_args: {}
1051 router_create_args: {}
1052 subnet_cidr_start: 1.1.0.0/30
1053 subnet_create_args: {}
1054 subnets_per_network: 2
1055 context:
1056 network: {}
1057 quotas:
1058 neutron:
1059 network: -1
1060 router: -1
1061 subnet: -1
1062 runner:
1063 concurrency: 1
1064 times: 1
1065 type: constant
1066 sla:
1067 failure_rate:
1068 max: 0
1069 NeutronNetworks.create_and_list_subnets:
1070 - args:
1071 network_create_args: {}
1072 subnet_cidr_start: 1.1.0.0/30
1073 subnet_create_args: {}
1074 subnets_per_network: 2
1075 context:
1076 network: {}
1077 quotas:
1078 neutron:
1079 network: -1
1080 subnet: -1
1081 runner:
1082 concurrency: 1
1083 times: 1
1084 type: constant
1085 sla:
1086 failure_rate:
1087 max: 0
1088 NeutronNetworks.create_and_show_network:
1089 - args:
1090 network_create_args: {}
1091 context:
1092 quotas:
1093 neutron:
1094 network: -1
1095 runner:
1096 concurrency: 1
1097 times: 1
1098 type: constant
1099 sla:
1100 failure_rate:
1101 max: 0
1102 NeutronNetworks.create_and_update_networks:
1103 - args:
1104 network_create_args: {}
1105 network_update_args:
1106 admin_state_up: false
1107 context:
1108 quotas:
1109 neutron:
1110 network: -1
1111 runner:
1112 concurrency: 1
1113 times: 1
1114 type: constant
1115 sla:
1116 failure_rate:
1117 max: 0
1118 NeutronNetworks.create_and_update_ports:
1119 - args:
1120 network_create_args: {}
1121 port_create_args: {}
1122 port_update_args:
1123 admin_state_up: false
1124 device_id: dummy_id
1125 device_owner: dummy_owner
1126 ports_per_network: 5
1127 context:
1128 network: {}
1129 quotas:
1130 neutron:
1131 network: -1
1132 port: -1
1133 runner:
1134 concurrency: 1
1135 times: 1
1136 type: constant
1137 sla:
1138 failure_rate:
1139 max: 0
1140 NeutronNetworks.create_and_update_routers:
1141 - args:
1142 network_create_args: {}
1143 router_create_args: {}
1144 router_update_args:
1145 admin_state_up: false
1146 subnet_cidr_start: 1.1.0.0/30
1147 subnet_create_args: {}
1148 subnets_per_network: 2
1149 context:
1150 network: {}
1151 quotas:
1152 neutron:
1153 network: -1
1154 router: -1
1155 subnet: -1
1156 runner:
1157 concurrency: 1
1158 times: 1
1159 type: constant
1160 sla:
1161 failure_rate:
1162 max: 0
1163 NeutronNetworks.create_and_update_subnets:
1164 - args:
1165 network_create_args: {}
1166 subnet_cidr_start: 1.4.0.0/16
1167 subnet_create_args: {}
1168 subnet_update_args:
1169 enable_dhcp: false
1170 subnets_per_network: 2
1171 context:
1172 network: {}
1173 quotas:
1174 neutron:
1175 network: -1
1176 subnet: -1
1177 runner:
1178 concurrency: 1
1179 times: 1
1180 type: constant
1181 sla:
1182 failure_rate:
1183 max: 0
1184 NeutronNetworks.list_agents:
1185 - args:
1186 agent_args: {}
1187 runner:
1188 concurrency: 1
1189 times: 1
1190 type: constant
1191 sla:
1192 failure_rate:
1193 max: 0
1194 NeutronSecurityGroup.create_and_list_security_groups:
1195 - args:
1196 security_group_create_args: {}
1197 context:
1198 quotas:
1199 neutron:
1200 security_group: -1
1201 runner:
1202 concurrency: 1
1203 times: 1
1204 type: constant
1205 sla:
1206 failure_rate:
1207 max: 0
1208 NeutronSecurityGroup.create_and_update_security_groups:
1209 - args:
1210 security_group_create_args: {}
1211 security_group_update_args: {}
1212 context:
1213 quotas:
1214 neutron:
1215 security_group: -1
1216 runner:
1217 concurrency: 1
1218 times: 1
1219 type: constant
1220 sla:
1221 failure_rate:
1222 max: 0
okozachenko120317930d42023-09-06 00:24:05 +10001223 paste:
1224 composite:neutron:
1225 use: egg:Paste#urlmap
1226 /: neutronversions_composite
1227 /v2.0: neutronapi_v2_0
1228 composite:neutronapi_v2_0:
1229 use: call:neutron.auth:pipeline_factory
1230 noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
1231 keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
1232 composite:neutronversions_composite:
1233 use: call:neutron.auth:pipeline_factory
1234 noauth: cors http_proxy_to_wsgi neutronversions
1235 keystone: cors http_proxy_to_wsgi neutronversions
1236 filter:request_id:
1237 paste.filter_factory: oslo_middleware:RequestId.factory
1238 filter:catch_errors:
1239 paste.filter_factory: oslo_middleware:CatchErrors.factory
1240 filter:cors:
1241 paste.filter_factory: oslo_middleware.cors:filter_factory
1242 oslo_config_project: neutron
1243 filter:http_proxy_to_wsgi:
1244 paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
1245 filter:keystonecontext:
1246 paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
1247 filter:authtoken:
1248 paste.filter_factory: keystonemiddleware.auth_token:filter_factory
1249 filter:audit:
1250 paste.filter_factory: keystonemiddleware.audit:filter_factory
1251 audit_map_file: /etc/neutron/api_audit_map.conf
1252 filter:extensions:
1253 paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
1254 app:neutronversions:
1255 paste.app_factory: neutron.pecan_wsgi.app:versions_factory
1256 app:neutronapiapp_v2_0:
1257 paste.app_factory: neutron.api.v2.router:APIRouter.factory
1258 filter:osprofiler:
1259 paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001260 policy: {}
1261 api_audit_map:
1262 DEFAULT:
1263 target_endpoint_type: None
1264 custom_actions:
1265 add_router_interface: update/add
1266 remove_router_interface: update/remove
1267 path_keywords:
1268 floatingips: ip
1269 healthmonitors: healthmonitor
1270 health_monitors: health_monitor
1271 lb: None
1272 members: member
1273 metering-labels: label
1274 metering-label-rules: rule
1275 networks: network
1276 pools: pool
1277 ports: port
1278 routers: router
1279 quotas: quota
1280 security-groups: security-group
1281 security-group-rules: rule
1282 subnets: subnet
1283 vips: vip
1284 service_endpoints:
1285 network: service/network
1286 neutron_sudoers: |
1287 # This sudoers file supports rootwrap for both Kolla and LOCI Images.
1288 Defaults !requiretty
1289 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
1290 neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
1291 neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
# Contents of rootwrap.conf, the file named in the sudoers entries and in
# agent.root_helper / agent.root_helper_daemon.
# NOTE(review): use_syslog=False means rootwrap sends nothing to syslog, and
# syslog_log_level=ERROR would record only rejected commands even if syslog
# were enabled. For an audit trail of commands executed as root, override with
# use_syslog=True and syslog_log_level=INFO ("log all usage" per the comments
# below).
# NOTE(review): filters_path and exec_dirs include /var/lib/openstack/... and
# /var/lib/kolla/venv/bin alongside the system directories; as the embedded
# comments state, every listed directory must be writable by root only.
1292 rootwrap: |
1293 # Configuration for neutron-rootwrap
1294 # This file should be owned by (and only-writeable by) the root user
1295
1296 [DEFAULT]
1297 # List of directories to load filter definitions from (separated by ',').
1298 # These directories MUST all be only writeable by root !
1299 filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
1300
1301 # List of directories to search executables in, in case filters do not
1302 # explicitely specify a full path (separated by ',')
1303 # If not specified, defaults to system PATH environment variable.
1304 # These directories MUST all be only writeable by root !
1305 exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
1306
1307 # Enable logging to syslog
1308 # Default value is False
1309 use_syslog=False
1310
1311 # Which syslog facility to use.
1312 # Valid values include auth, authpriv, syslog, local0, local1...
1313 # Default value is 'syslog'
1314 syslog_log_facility=syslog
1315
1316 # Which messages to log.
1317 # INFO means log all usage
1318 # ERROR means only log unsuccessful attempts
1319 syslog_log_level=ERROR
1320
1321 [xenapi]
1322 # XenAPI configuration is only required by the L2 agent if it is to
1323 # target a XenServer/XCP compute host's dom0.
1324 xenapi_connection_url=<None>
1325 xenapi_connection_username=root
1326 xenapi_connection_password=<None>
1327 rootwrap_filters:
1328 debug:
1329 pods:
1330 - dhcp_agent
1331 - l3_agent
1332 - lb_agent
1333 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001334 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001335 - ovs_agent
1336 - sriov_agent
1337 content: |
1338 # neutron-rootwrap command filters for nodes on which neutron is
1339 # expected to control network
1340 #
1341 # This file should be owned by (and only-writeable by) the root user
1342
1343 # format seems to be
1344 # cmd-name: filter-name, raw-command, user, args
1345
1346 [Filters]
1347
1348 # This is needed because we should ping
1349 # from inside a namespace which requires root
1350 # _alt variants allow to match -c and -w in any order
1351 # (used by NeutronDebugAgent.ping_all)
1352 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
1353 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
1354 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
1355 ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
1356 dibbler:
1357 pods:
1358 - dhcp_agent
1359 - l3_agent
1360 - lb_agent
1361 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001362 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001363 - ovs_agent
1364 - sriov_agent
1365 content: |
1366 # neutron-rootwrap command filters for nodes on which neutron is
1367 # expected to control network
1368 #
1369 # This file should be owned by (and only-writeable by) the root user
1370
1371 # format seems to be
1372 # cmd-name: filter-name, raw-command, user, args
1373
1374 [Filters]
1375
1376 # Filters for the dibbler-based reference implementation of the pluggable
1377 # Prefix Delegation driver. Other implementations using an alternative agent
1378 # should include a similar filter in this folder.
1379
1380 # prefix_delegation_agent
1381 dibbler-client: CommandFilter, dibbler-client, root
1382 ipset_firewall:
1383 pods:
1384 - dhcp_agent
1385 - l3_agent
1386 - lb_agent
1387 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001388 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001389 - ovs_agent
1390 - sriov_agent
1391 content: |
1392 # neutron-rootwrap command filters for nodes on which neutron is
1393 # expected to control network
1394 #
1395 # This file should be owned by (and only-writeable by) the root user
1396
1397 # format seems to be
1398 # cmd-name: filter-name, raw-command, user, args
1399
1400 [Filters]
1401 # neutron/agent/linux/iptables_firewall.py
1402 # "ipset", "-A", ...
1403 ipset: CommandFilter, ipset, root
1404 l3:
1405 pods:
1406 - dhcp_agent
1407 - l3_agent
1408 - lb_agent
1409 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001410 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001411 - ovs_agent
1412 - sriov_agent
1413 content: |
1414 # neutron-rootwrap command filters for nodes on which neutron is
1415 # expected to control network
1416 #
1417 # This file should be owned by (and only-writeable by) the root user
1418
1419 # format seems to be
1420 # cmd-name: filter-name, raw-command, user, args
1421
1422 [Filters]
1423
1424 # arping
1425 arping: CommandFilter, arping, root
1426
1427 # l3_agent
1428 sysctl: CommandFilter, sysctl, root
1429 route: CommandFilter, route, root
1430 radvd: CommandFilter, radvd, root
1431
1432 # haproxy
1433 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
1434 kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
1435
1436 # metadata proxy
1437 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1438 # RHEL invocation of the metadata proxy will report /usr/bin/python
1439 kill_metadata: KillFilter, root, python, -15, -9
1440 kill_metadata2: KillFilter, root, python2, -15, -9
1441 kill_metadata7: KillFilter, root, python2.7, -15, -9
1442 kill_metadata3: KillFilter, root, python3, -15, -9
1443 kill_metadata35: KillFilter, root, python3.5, -15, -9
1444 kill_metadata36: KillFilter, root, python3.6, -15, -9
1445 kill_metadata37: KillFilter, root, python3.7, -15, -9
1446 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
1447 kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
1448
1449 # ip_lib
1450 ip: IpFilter, ip, root
1451 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1452 ip_exec: IpNetnsExecFilter, ip, root
1453
1454 # l3_tc_lib
1455 l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1456 l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
1457 l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
1458 l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
1459 l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
1460 l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
1461 l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
1462
1463 # For ip monitor
1464 kill_ip_monitor: KillFilter, root, ip, -9
1465
1466 # ovs_lib (if OVSInterfaceDriver is used)
1467 ovs-vsctl: CommandFilter, ovs-vsctl, root
1468
1469 # iptables_manager
1470 iptables-save: CommandFilter, iptables-save, root
1471 iptables-restore: CommandFilter, iptables-restore, root
1472 ip6tables-save: CommandFilter, ip6tables-save, root
1473 ip6tables-restore: CommandFilter, ip6tables-restore, root
1474
1475 # Keepalived
1476 keepalived: CommandFilter, keepalived, root
1477 kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
1478
1479 # l3 agent to delete floatingip's conntrack state
1480 conntrack: CommandFilter, conntrack, root
1481
1482 # keepalived state change monitor
1483 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
1484 # The following filters are used to kill the keepalived state change monitor.
1485 # Since the monitor runs as a Python script, the system reports that the
1486 # command of the process to be killed is python.
1487 # TODO(mlavalle) These kill filters will be updated once we come up with a
1488 # mechanism to kill using the name of the script being executed by Python
1489 kill_keepalived_monitor_py: KillFilter, root, python, -15
1490 kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
1491 kill_keepalived_monitor_py3: KillFilter, root, python3, -15
1492 kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
1493 kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
1494 kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
1495 netns_cleanup:
1496 pods:
1497 - dhcp_agent
1498 - l3_agent
1499 - lb_agent
1500 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001501 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001502 - ovs_agent
1503 - sriov_agent
1504 - netns_cleanup_cron
1505 content: |
1506 # neutron-rootwrap command filters for nodes on which neutron is
1507 # expected to control network
1508 #
1509 # This file should be owned by (and only-writeable by) the root user
1510
1511 # format seems to be
1512 # cmd-name: filter-name, raw-command, user, args
1513
1514 [Filters]
1515
1516 # netns-cleanup
1517 netstat: CommandFilter, netstat, root
1518 dhcp:
1519 pods:
1520 - dhcp_agent
1521 - l3_agent
1522 - lb_agent
1523 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001524 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001525 - ovs_agent
1526 - sriov_agent
1527 - netns_cleanup_cron
1528 content: |
1529 # neutron-rootwrap command filters for nodes on which neutron is
1530 # expected to control network
1531 #
1532 # This file should be owned by (and only-writeable by) the root user
1533
1534 # format seems to be
1535 # cmd-name: filter-name, raw-command, user, args
1536
1537 [Filters]
1538
1539 # dhcp-agent
1540 dnsmasq: CommandFilter, dnsmasq, root
1541 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
1542 # it looks like these are the only signals needed, per
1543 # neutron/agent/linux/dhcp.py
1544 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
1545 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
1546
1547 ovs-vsctl: CommandFilter, ovs-vsctl, root
1548 ivs-ctl: CommandFilter, ivs-ctl, root
1549 mm-ctl: CommandFilter, mm-ctl, root
1550 dhcp_release: CommandFilter, dhcp_release, root
1551 dhcp_release6: CommandFilter, dhcp_release6, root
1552
1553 # metadata proxy
1554 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1555 # RHEL invocation of the metadata proxy will report /usr/bin/python
1556 kill_metadata: KillFilter, root, python, -9
1557 kill_metadata2: KillFilter, root, python2, -9
1558 kill_metadata7: KillFilter, root, python2.7, -9
1559 kill_metadata3: KillFilter, root, python3, -9
1560 kill_metadata35: KillFilter, root, python3.5, -9
1561 kill_metadata36: KillFilter, root, python3.6, -9
1562 kill_metadata37: KillFilter, root, python3.7, -9
1563
1564 # ip_lib
1565 ip: IpFilter, ip, root
1566 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1567 ip_exec: IpNetnsExecFilter, ip, root
1568 ebtables:
1569 pods:
1570 - dhcp_agent
1571 - l3_agent
1572 - lb_agent
1573 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001574 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001575 - ovs_agent
1576 - sriov_agent
1577 content: |
1578 # neutron-rootwrap command filters for nodes on which neutron is
1579 # expected to control network
1580 #
1581 # This file should be owned by (and only-writeable by) the root user
1582
1583 # format seems to be
1584 # cmd-name: filter-name, raw-command, user, args
1585
1586 [Filters]
1587
1588 ebtables: CommandFilter, ebtables, root
1589 iptables_firewall:
1590 pods:
1591 - dhcp_agent
1592 - l3_agent
1593 - lb_agent
1594 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001595 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001596 - ovs_agent
1597 - sriov_agent
1598 content: |
1599 # neutron-rootwrap command filters for nodes on which neutron is
1600 # expected to control network
1601 #
1602 # This file should be owned by (and only-writeable by) the root user
1603
1604 # format seems to be
1605 # cmd-name: filter-name, raw-command, user, args
1606
1607 [Filters]
1608
1609 # neutron/agent/linux/iptables_firewall.py
1610 # "iptables-save", ...
1611 iptables-save: CommandFilter, iptables-save, root
1612 iptables-restore: CommandFilter, iptables-restore, root
1613 ip6tables-save: CommandFilter, ip6tables-save, root
1614 ip6tables-restore: CommandFilter, ip6tables-restore, root
1615
1616 # neutron/agent/linux/iptables_firewall.py
1617 # "iptables", "-A", ...
1618 iptables: CommandFilter, iptables, root
1619 ip6tables: CommandFilter, ip6tables, root
1620
1621 # neutron/agent/linux/iptables_firewall.py
1622 sysctl: CommandFilter, sysctl, root
1623
1624 # neutron/agent/linux/ip_conntrack.py
1625 conntrack: CommandFilter, conntrack, root
1626 linuxbridge_plugin:
1627 pods:
1628 - dhcp_agent
1629 - l3_agent
1630 - lb_agent
1631 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001632 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001633 - ovs_agent
1634 - sriov_agent
1635 content: |
1636 # neutron-rootwrap command filters for nodes on which neutron is
1637 # expected to control network
1638 #
1639 # This file should be owned by (and only-writeable by) the root user
1640
1641 # format seems to be
1642 # cmd-name: filter-name, raw-command, user, args
1643
1644 [Filters]
1645
1646 # linuxbridge-agent
1647 # unclear whether both variants are necessary, but I'm transliterating
1648 # from the old mechanism
1649 brctl: CommandFilter, brctl, root
1650 bridge: CommandFilter, bridge, root
1651
1652 # ip_lib
1653 ip: IpFilter, ip, root
1654 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1655 ip_exec: IpNetnsExecFilter, ip, root
1656
1657 # tc commands needed for QoS support
1658 tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
1659 tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
1660 tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
1661 tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1662 tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
1663 tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
1664 openvswitch_plugin:
1665 pods:
1666 - dhcp_agent
1667 - l3_agent
1668 - lb_agent
1669 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001670 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001671 - ovs_agent
1672 - sriov_agent
1673 content: |
1674 # neutron-rootwrap command filters for nodes on which neutron is
1675 # expected to control network
1676 #
1677 # This file should be owned by (and only-writeable by) the root user
1678
1679 # format seems to be
1680 # cmd-name: filter-name, raw-command, user, args
1681
1682 [Filters]
1683
1684 # openvswitch-agent
1685 # unclear whether both variants are necessary, but I'm transliterating
1686 # from the old mechanism
1687 ovs-vsctl: CommandFilter, ovs-vsctl, root
1688 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
1689 ovs-ofctl: CommandFilter, ovs-ofctl, root
1690 ovs-appctl: CommandFilter, ovs-appctl, root
1691 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
1692 ovsdb-client: CommandFilter, ovsdb-client, root
1693 xe: CommandFilter, xe, root
1694
1695 # ip_lib
1696 ip: IpFilter, ip, root
1697 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1698 ip_exec: IpNetnsExecFilter, ip, root
1699
1700 # needed for FDB extension
1701 bridge: CommandFilter, bridge, root
1702 privsep:
1703 pods:
1704 - dhcp_agent
1705 - l3_agent
1706 - lb_agent
1707 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001708 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001709 - ovs_agent
1710 - sriov_agent
1711 - netns_cleanup_cron
1712 content: |
1713 # Command filters to allow privsep daemon to be started via rootwrap.
1714 #
1715 # This file should be owned by (and only-writeable by) the root user
1716
1717 [Filters]
1718
1719 # By installing the following, the local admin is asserting that:
1720 #
1721 # 1. The python module load path used by privsep-helper
1722 # command as root (as started by sudo/rootwrap) is trusted.
1723 # 2. Any oslo.config files matching the --config-file
1724 # arguments below are trusted.
1725 # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
1726 # also allowed to invoke python "entrypoint" functions from
1727 # --privsep_context with the additional (possibly root) privileges
1728 # configured for that context.
1729 #
1730 # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
1731 #
1732 # In particular, the oslo.config and python module path must not
1733 # be writeable by the unprivileged user.
1734
1735 # oslo.privsep default neutron context
1736 privsep: PathFilter, privsep-helper, root,
1737 --config-file, /etc,
1738 --privsep_context, neutron.privileged.default,
1739 --privsep_sock_path, /
1740
1741 # NOTE: A second `--config-file` arg can also be added above. Since
1742 # many neutron components are installed like that (eg: by devstack).
1743 # Adjust to suit local requirements.
# Rootwrap filter file applied to the bagpipe_bgp pod only (see 'pods').
# NOTE(review): 'sh: CommandFilter, sh, root' matches on the command name
# alone -- CommandFilter performs no argument check -- so any caller allowed
# to use this rootwrap configuration can run arbitrary shell commands as root.
# modprobe, brctl and bridge are likewise unrestricted in their arguments.
# If piped commands are the only need, a RegExpFilter pinning the expected
# argument pattern narrows this considerably.
1744 linux_vxlan:
1745 pods:
1746 - bagpipe_bgp
1747 content: |
1748 # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
1749 # expected to control VXLAN Linux Bridge dataplane
1750 #
1751 # This file should be owned by (and only-writeable by) the root user
1752
1753 # format seems to be
1754 # cmd-name: filter-name, raw-command, user, args
1755
1756 [Filters]
1757
1758 #
1759 modprobe: CommandFilter, modprobe, root
1760
1761 #
1762 brctl: CommandFilter, brctl, root
1763 bridge: CommandFilter, bridge, root
1764
1765 # ip_lib
1766 ip: IpFilter, ip, root
1767 ip_exec: IpNetnsExecFilter, ip, root
1768
1769 # shell (for piped commands)
1770 sh: CommandFilter, sh, root
# Rootwrap filter file applied to the bagpipe_bgp pod only (see 'pods').
# NOTE(review): 'sh: CommandFilter, sh, root' matches on the command name
# alone -- CommandFilter performs no argument check -- so this filter file
# permits arbitrary shell commands as root for any caller allowed to use this
# rootwrap configuration. ovs-vsctl and ovs-ofctl are also unrestricted in
# their arguments. A RegExpFilter pinning the expected pipeline would be a
# narrower grant.
1771 mpls_ovs_dataplane:
1772 pods:
1773 - bagpipe_bgp
1774 content: |
1775 # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
1776 # expected to control MPLS OpenVSwitch dataplane
1777 #
1778 # This file should be owned by (and only-writeable by) the root user
1779
1780 # format seems to be
1781 # cmd-name: filter-name, raw-command, user, args
1782
1783 [Filters]
1784
1785 # openvswitch
1786 ovs-vsctl: CommandFilter, ovs-vsctl, root
1787 ovs-ofctl: CommandFilter, ovs-ofctl, root
1788
1789 # ip_lib
1790 ip: IpFilter, ip, root
1791 ip_exec: IpNetnsExecFilter, ip, root
1792
1793 # shell (for piped commands)
1794 sh: CommandFilter, sh, root
1795 neutron:
1796 DEFAULT:
1797 metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
1798 log_config_append: /etc/neutron/logging.conf
1799 # NOTE(portdirect): the bind port should not be defined, and is manipulated
1800 # via the endpoints section.
1801 bind_port: null
1802 default_availability_zones: nova
1803 api_workers: 1
1804 rpc_workers: 4
1805 allow_overlapping_ips: True
1806 state_path: /var/lib/neutron
1807 # core_plugin can be: ml2, calico
1808 core_plugin: ml2
1809 # service_plugin can be: router, odl-router, empty for calico,
1810 # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
1811 service_plugins: router
1812 allow_automatic_l3agent_failover: True
1813 l3_ha: True
1814 max_l3_agents_per_router: 2
1815 l3_ha_network_type: vxlan
1816 network_auto_schedule: True
1817 router_auto_schedule: True
1818 # (NOTE)portdirect: if unset this is populated dynamically from the value in
1819 # 'network.backend' to sane defaults.
1820 interface_driver: null
1821 oslo_concurrency:
1822 lock_path: /var/lib/neutron/tmp
1823 database:
1824 max_retries: -1
1825 agent:
1826 root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
1827 root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
1828 oslo_messaging_notifications:
1829 driver: messagingv2
1830 oslo_messaging_rabbit:
1831 rabbit_ha_queues: true
1832 oslo_middleware:
1833 enable_proxy_headers_parsing: true
1834 oslo_policy:
1835 policy_file: /etc/neutron/policy.yaml
Mohammed Naser593ec012023-07-23 09:20:05 +00001836 ovn:
Mohammed Naser593ec012023-07-23 09:20:05 +00001837 ovn_metadata_enabled: true
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001838 nova:
1839 auth_type: password
1840 auth_version: v3
1841 endpoint_type: internal
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +01001842 placement:
1843 auth_type: password
1844 auth_version: v3
1845 endpoint_type: internal
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001846 designate:
1847 auth_type: password
1848 auth_version: v3
1849 endpoint_type: internal
1850 allow_reverse_dns_lookup: true
1851 ironic:
1852 endpoint_type: internal
1853 keystone_authtoken:
okozachenko120317930d42023-09-06 00:24:05 +10001854 service_token_roles: service
1855 service_token_roles_required: true
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001856 memcache_security_strategy: ENCRYPT
1857 auth_type: password
1858 auth_version: v3
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001859 service_type: network
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001860 octavia:
1861 request_poll_timeout: 3000
1862 logging:
1863 loggers:
1864 keys:
1865 - root
1866 - neutron
1867 - neutron_taas
1868 handlers:
1869 keys:
1870 - stdout
1871 - stderr
1872 - "null"
1873 formatters:
1874 keys:
1875 - context
1876 - default
1877 logger_root:
1878 level: WARNING
1879 handlers: 'null'
1880 logger_neutron:
1881 level: INFO
1882 handlers:
1883 - stdout
1884 qualname: neutron
1885 logger_neutron_taas:
1886 level: INFO
1887 handlers:
1888 - stdout
1889 qualname: neutron_taas
1890 logger_amqp:
1891 level: WARNING
1892 handlers: stderr
1893 qualname: amqp
1894 logger_amqplib:
1895 level: WARNING
1896 handlers: stderr
1897 qualname: amqplib
1898 logger_eventletwsgi:
1899 level: WARNING
1900 handlers: stderr
1901 qualname: eventlet.wsgi.server
1902 logger_sqlalchemy:
1903 level: WARNING
1904 handlers: stderr
1905 qualname: sqlalchemy
1906 logger_boto:
1907 level: WARNING
1908 handlers: stderr
1909 qualname: boto
1910 handler_null:
1911 class: logging.NullHandler
1912 formatter: default
1913 args: ()
1914 handler_stdout:
1915 class: StreamHandler
1916 args: (sys.stdout,)
1917 formatter: context
1918 handler_stderr:
1919 class: StreamHandler
1920 args: (sys.stderr,)
1921 formatter: context
1922 formatter_context:
1923 class: oslo_log.formatters.ContextFormatter
1924 datefmt: "%Y-%m-%d %H:%M:%S"
1925 formatter_default:
1926 format: "%(message)s"
1927 datefmt: "%Y-%m-%d %H:%M:%S"
1928 plugins:
1929 ml2_conf:
1930 ml2:
1931 extension_drivers: port_security
1932 # (NOTE)portdirect: if unset this is populated dynamically from the value
1933 # in 'network.backend' to sane defaults.
1934 mechanism_drivers: null
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001935 type_drivers: flat,vlan,vxlan,local
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001936 tenant_network_types: vxlan
1937 ml2_type_vxlan:
1938 vni_ranges: 1:1000
1939 vxlan_group: 239.1.1.1
1940 ml2_type_flat:
1941 flat_networks: "*"
1942 # If you want to use the external network as a tagged provider network,
1943 # a range should be specified including the intended VLAN target
1944 # using ml2_type_vlan.network_vlan_ranges:
1945 # ml2_type_vlan:
1946 # network_vlan_ranges: "external:1100:1110"
Mohammed Naser593ec012023-07-23 09:20:05 +00001947 ml2_type_geneve:
1948 vni_ranges: 1:65536
1949 max_header_size: 38
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001950 agent:
1951 extensions: ""
1952 ml2_conf_sriov: null
1953 taas:
1954 taas:
1955 enabled: False
1956 openvswitch_agent:
1957 agent:
1958 tunnel_types: vxlan
1959 l2_population: True
1960 arp_responder: True
1961 ovs:
1962 bridge_mappings: "external:br-ex"
1963 securitygroup:
1964 firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
1965 linuxbridge_agent:
1966 linux_bridge:
1967 # To define Flat and VLAN connections, in LB we can assign
1968 # specific interface to the flat/vlan network name using:
1969 # physical_interface_mappings: "external:eth3"
1970 # Or we can set the mapping between the network and bridge:
1971 bridge_mappings: "external:br-ex"
1972 # The two above options are exclusive, do not use both of them at once
1973 securitygroup:
1974 firewall_driver: iptables
1975 vxlan:
1976 l2_population: True
1977 arp_responder: True
1978 macvtap_agent: null
1979 sriov_agent:
1980 securitygroup:
1981 firewall_driver: neutron.agent.firewall.NoopFirewallDriver
1982 sriov_nic:
1983 physical_device_mappings: physnet2:enp3s0f1
1984 # NOTE: do not use null here, use an empty string
1985 exclude_devices: ""
1986 dhcp_agent:
1987 DEFAULT:
1988 # (NOTE)portdirect: if unset this is populated dynamically from the value in
1989 # 'network.backend' to sane defaults.
1990 interface_driver: null
1991 dnsmasq_config_file: /etc/neutron/dnsmasq.conf
1992 force_metadata: True
1993 dnsmasq: |
1994 #no-hosts
1995 #port=5353
1996 #cache-size=500
1997 #no-negcache
1998 #dns-forward-max=100
1999 #resolve-file=
2000 #strict-order
2001 #bind-interface
2002 #bind-dynamic
2003 #domain=
2004 #dhcp-range=10.10.10.10,10.10.10.100,24h
2005 #dhcp-lease-max=150
2006 #dhcp-host=11:22:33:44:55:66,ignore
2007 #dhcp-option=3,10.10.10.1
2008 #dhcp-option-force=26,1450
2009
2010 l3_agent:
2011 DEFAULT:
2012 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2013 # 'network.backend' to sane defaults.
2014 interface_driver: null
2015 agent_mode: legacy
2016 metering_agent: null
2017 metadata_agent:
2018 DEFAULT:
2019 # we cannot change the proxy socket path as it is declared
2020 # as a hostPath volume from agent daemonsets
2021 metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
# NOTE(review): "password" is a placeholder default, not a secret. The
# metadata agent uses this value to sign the instance identity it forwards
# to the Nova metadata API -- presumably it must match Nova's
# metadata_proxy_shared_secret; confirm. Override it per deployment with a
# random value kept out of version control; a guessable secret lets anyone
# who can reach the metadata API forge requests for another instance.
2022 metadata_proxy_shared_secret: "password"
2023 cache:
2024 enabled: true
2025 backend: dogpile.cache.memcached
2026 bagpipe_bgp: {}
Mohammed Naser593ec012023-07-23 09:20:05 +00002027 ovn_metadata_agent:
2028 DEFAULT:
2029 # we cannot change the proxy socket path as it is declared
2030 # as a hostPath volume from agent daemonsets
2031 metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
# NOTE(review): "password" is a placeholder default, not a secret. This
# value signs the instance identity forwarded to the Nova metadata API --
# presumably it must match Nova's metadata_proxy_shared_secret; confirm.
# Override it per deployment with a random value kept out of version
# control.
2032 metadata_proxy_shared_secret: "password"
2033 metadata_workers: 2
2034 cache:
2035 enabled: true
2036 backend: dogpile.cache.memcached
2037 ovs:
# Local unix socket of the Open vSwitch database on the node.
2038 ovsdb_connection: unix:/run/openvswitch/db.sock
Rico Lincf86b122023-11-02 01:29:14 +08002039 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002040
2041 rabbitmq:
2042 # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
2043 policies:
2044 - vhost: "neutron"
2045 name: "ha_ttl_neutron"
2046 definition:
2047 # mirror messages to other nodes in rmq cluster
2048 ha-mode: "all"
2049 ha-sync-mode: "automatic"
2050 # 70s
2051 message-ttl: 70000
2052 priority: 0
2053 apply-to: all
2054 pattern: '^(?!(amq\.|reply_)).*'
2055 ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
2056 ## This helps prevent sriov init script from failing due to mis-matched NIC
2057 ## For prod env, target NIC should match and init script should fail otherwise.
2058 ## sriov_init:
2059 ## - besteffort
2060 sriov_init:
2061 -
2062 # auto_bridge_add is a table of "bridge: interface" pairs
2063 # To automatically add physical interfaces to specific bridges,
2064 # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
2065 # to br1 do something like:
2066 #
2067 # auto_bridge_add:
2068 # br-physnet1: eth3
2069 # br0: if0
2070 # br1: iface_two
2071 # br-ex will be added by default
2072 auto_bridge_add:
2073 br-ex: null
2074
Mohammed Nasera720f882023-06-30 23:48:02 -04002075 # Network off-loading configuration
2076 netoffload:
ricolin18e6fd32023-07-17 06:17:15 +00002077 enabled: false
Mohammed Nasera720f882023-06-30 23:48:02 -04002078 asap2:
2079 # - dev: enp97s0f0
2080 # vfs: 16
2081
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002082 # configuration of OVS DPDK bridges and NICs
2083 # this is a separate section and not part of the auto_bridge_add section
2084 # because additional parameters are needed
2085 ovs_dpdk:
2086 enabled: false
2087 # setting update_dpdk_bond_config to true will have default behavior,
2088 # which may cause disruptions in ovs dpdk traffic in case of neutron
2089 # ovs agent restart or when dpdk nic/bond configurations are changed.
2090 # Setting this to false will configure dpdk in the first run and
2091 # disable nic/bond config on event of restart or config update.
2092 update_dpdk_bond_config: true
2093 driver: uio_pci_generic
2094 # In case bonds are configured, the nics which are part of those bonds
2095 # must NOT be provided here.
2096 nics:
2097 - name: dpdk0
2098 pci_id: '0000:05:00.0'
2099 # Set VF Index in case some particular VF(s) need to be
2100 # used with ovs-dpdk.
2101 # vf_index: 0
2102 bridge: br-phy
2103 migrate_ip: true
2104 n_rxq: 2
2105 n_txq: 2
2106 pmd_rxq_affinity: "0:3,1:27"
2107 ofport_request: 1
2108 # optional parameters for tuning the OVS DPDK config
2109 # in alignment with the available hardware resources
2110 # mtu: 2000
2111 # n_rxq_size: 1024
2112 # n_txq_size: 1024
2113 # vhost-iommu-support: true
2114 bridges:
2115 - name: br-phy
2116 # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
2117 # - tunnel_underlay_vlan: 45
2118 # Optional parameter for configuring bonding in OVS-DPDK
2119 # - name: br-phy-bond0
2120 # bonds:
2121 # - name: dpdkbond0
2122 # bridge: br-phy-bond0
2123 # # The IP from the first nic in nics list shall be used
2124 # migrate_ip: true
2125 # mtu: 2000
2126 # # Please note that n_rxq is set for each NIC individually
2127 # # rather than denoting the total number of rx queues for
2128 # # the bond as a whole. So setting n_rxq = 2 below for ex.
2129 # # would be 4 rx queues in total for the bond.
2130 # # Same for n_txq
2131 # n_rxq: 2
2132 # n_txq: 2
2133 # ofport_request: 1
2134 # n_rxq_size: 1024
2135 # n_txq_size: 1024
2136 # vhost-iommu-support: true
2137 # ovs_options: "bond_mode=active-backup"
2138 # nics:
2139 # - name: dpdk_b0s0
2140 # pci_id: '0000:06:00.0'
2141 # pmd_rxq_affinity: "0:3,1:27"
2142 # # Set VF Index in case some particular VF(s) need to be
2143 # # used with ovs-dpdk. In which case pci_id of PF must be
2144 # # provided above.
2145 # # vf_index: 0
2146 # - name: dpdk_b0s1
2147 # pci_id: '0000:07:00.0'
2148 # pmd_rxq_affinity: "0:3,1:27"
2149 # # Set VF Index in case some particular VF(s) need to be
2150 # # used with ovs-dpdk. In which case pci_id of PF must be
2151 # # provided above.
2152 # # vf_index: 0
2153 #
2154 # Set the log level for each target module (default level is always dbg)
2155 # Supported log levels are: off, emer, err, warn, info, dbg
2156 #
2157 # modules:
2158 # - name: dpdk
2159 # log_level: info
2160
2161# Names of secrets used by bootstrap and environmental checks
# NOTE(review): the values in this mapping are object names (presumably
# Kubernetes Secret names), not credential material; the credentials
# themselves are supplied under 'endpoints.*.auth'.
2162secrets:
2163 identity:
2164 admin: neutron-keystone-admin
2165 neutron: neutron-keystone-user
2166 test: neutron-keystone-test
2167 oslo_db:
2168 admin: neutron-db-admin
2169 neutron: neutron-db-user
2170 oslo_messaging:
2171 admin: neutron-rabbitmq-admin
2172 neutron: neutron-rabbitmq-user
2173 tls:
2174 compute_metadata:
2175 metadata:
2176 internal: metadata-tls-metadata
2177 network:
2178 server:
2179 public: neutron-tls-public
2180 internal: neutron-tls-server
2181 oci_image_registry:
2182 neutron: neutron-oci-image-registry
2183
# Typically overridden by environmental values, but should include all
# endpoints required by this chart.
#
# NOTE(review): every `password: password` below is a well-known placeholder
# that must not reach a real deployment. Supply real credentials through
# deployment-specific overrides and keep those overrides out of version
# control.
# NOTE(review): most `scheme` entries default to plain http, so transport
# protection has to be switched on explicitly - see the top-level `tls` key
# and the per-endpoint `host_fqdn_override` notes.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Registry authentication is off by default; presumably the credentials
      # below are only used once this is set to true - confirm.
      enabled: false
      neutron:
        username: neutron
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # Database superuser account; placeholder password, override it.
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      # Service account for the neutron database; placeholder password.
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      # Message-bus administrator; placeholder password, override it.
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      # Service account on the message bus; placeholder password.
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: '/v2.1/%(tenant_id)s'
    scheme:
      default: http
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    auth:
      # Keystone accounts. All passwords here are placeholders. Note that
      # the `neutron` and `test` accounts are given the admin role.
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        role: admin
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      test:
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project will be purged and reset if
        # conf.rally_tests.force_project_purge is set to true
        # which may be required upon test failure, but be aware that this will
        # expunge all openstack objects, so if this is used a separate project
        # should be used for each helm test, and also it should be ensured
        # that this project is not in use by other tenants
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
      # NOTE(review): `key` is presumably the private key for the certificate;
      # an override file that carries it should be handled as secret material.
    path:
      default: null
    scheme:
      default: http
      service: http
    port:
      api:
        default: 9696
        public: 80
        service: 9696
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
2489
# Network policy rules for the neutron pods.
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    # NOTE(review): each direction holds a single empty rule ({}), which
    # names no peers and no ports. Presumably this is rendered into a
    # Kubernetes NetworkPolicy, where such a rule allows all traffic -
    # confirm against the template. Replace both lists with explicit peers
    # and ports before relying on manifests.network_policy for isolation.
    ingress:
      - {}
    egress:
      - {}
2497
# NOTE(review): consumed by the chart templates; what it switches is not
# visible in this file - confirm before changing.
helm3_hook: true
2499
# Logging configuration for the health probe. At ERROR, lower-severity probe
# messages are presumably not recorded - confirm if probe output is needed
# during troubleshooting.
health_probe:
  logging:
    level: ERROR
2503
# Per-backend TLS switches; all three are off by default.
# NOTE(review): presumably these decide whether neutron reaches keystone,
# the message bus and the database over TLS - confirm against the templates.
# With them false, the service credentials defined under `endpoints` would
# travel unencrypted inside the cluster network.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
2508
# One boolean per manifest. NOTE(review): presumably each flag decides whether
# the matching template is rendered - confirm against the chart templates.
# Security-relevant defaults in this list: `certificates` and `network_policy`
# are false, so neither is part of a default install, and `job_db_drop` is
# false.
manifests:
  certificates: false
  # Configuration and scripts.
  configmap_bin: true
  configmap_etc: true
  # Agents.
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  deployment_ironic_agent: false
  # API server and its ingress.
  deployment_server: true
  ingress_server: true
  # Jobs.
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  pod_rally_test: true
  network_policy: false
  # Secrets.
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  # Services.
  service_ingress_server: true
  service_server: true
2545...