# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
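---
# Listing restored to parseable YAML: the blame/line-number text fused onto
# each line is dropped and nesting is re-indented. Values are unchanged.
# NOTE(review): release_group is null by default; how the chart derives a
# name in that case is not shown here — confirm in the templates.
release_group: null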
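# Container image references for every job and daemon in the chart.
# Every entry is a tag, not a digest, so the bits that run are whatever the
# registry serves for that tag at pull time. Several of these images are
# started in privileged or root containers (see pod.security_context), which
# makes image provenance part of the host's trust boundary.
# NOTE(review): pin by digest (image@sha256:<digest>) or mirror into a
# controlled registry in deployment overrides.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    test: docker.io/xrally/xrally-openstack:2.0.0
    # NOTE(review): `latest` is a floating tag. Together with
    # pull_policy IfNotPresent, nodes may run different builds under the
    # same name, and a node that cached an old build never refreshes it.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    rabbit_init: docker.io/rabbitmq:3.7-management
    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_rpc_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  # IfNotPresent: a node reuses any locally cached image with a matching
  # tag and does not contact the registry again.
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    # Image keys that are not served from the local registry.
    exclude:
      - dep_check
      - image_repo_sync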
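# Node-selector label (key/value) per component. Pods are scheduled only
# onto nodes carrying the matching label, so these labels decide which hosts
# end up running the privileged agent containers defined further down.
labels:
  agent:
    dhcp:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l3:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    metadata:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l2gw:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  lb:
    node_selector_key: linuxbridge
    node_selector_value: enabled
  # openvswitch is a special case, requiring a special
  # label that can apply to both control hosts
  # and compute hosts, until we get more sophisticated
  # with our daemonset scheduling
  ovs:
    node_selector_key: openvswitch
    node_selector_value: enabled
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  bgp_dragent:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  rpc_server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  netns_cleanup_cron:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled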
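# Network wiring for the agents and exposure settings for the API server.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # NOTE(review): sharing namespaces with the host means agent pods are not
  # network-isolated from the node; treat agent images as host-level code.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # NOTE(review): "0/0" matches any route, so the fallback can land on
    # whatever interface holds the default route; set an explicit tunnel
    # interface or a narrow CIDR where tunnel traffic must stay on a
    # dedicated network.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): presumably publishes the API through the public
      # ingress class — confirm that exposure is intended per environment.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30096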
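# Optional bootstrap job, disabled by default. When enabled it runs `script`
# as the Keystone user named in ks_user; the default script only requests a
# token, which checks that the credentials work.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue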
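# Start-up ordering: what each job or daemon waits for before it runs.
# `dynamic` entries apply only for the selected backend/feature, `static`
# entries always apply. `requireSameNode: true` makes a pod wait for a
# labelled pod on its own node.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - neutron-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    targeted:
      sriov: {}
      l2gateway: {}
      bagpipe_bgp: {}
      ovn:
        server:
          pod: null
      bgp_dragent: {}
      openvswitch:
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        lb_agent:
          pod: null
  static:
    bootstrap:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - neutron-db-init
      services:
        - endpoint: internal
          service: oslo_db
    dhcp:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    ks_endpoints:
      jobs:
        - neutron-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
    l3:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    lb_agent:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    metadata:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
        # The only dependency in this file resolved through a `public`
        # endpoint; every other service uses `internal`.
        - endpoint: public
          service: compute_metadata
    ovn_metadata:
      pod:
        - requireSameNode: true
          labels:
            application: ovn
            component: ovn-controller
      services:
        - endpoint: internal
          service: compute_metadata
        - endpoint: internal
          service: network
    ovs_agent:
      jobs:
        - neutron-rabbit-init
      pod:
        - requireSameNode: true
          labels:
            application: openvswitch
            component: server
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    server:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    rpc_server:
      jobs:
        - neutron-db-sync
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    ironic_agent:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    tests:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry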
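# Pod-level settings: probes, security contexts, scheduling, extra mounts,
# replica counts, rollout behaviour and resource requests/limits.
pod:
  use_fqdn:
    neutron_agent: true
  # Probe toggles and Kubernetes probe timing per daemon. A bare `params:`
  # parses as null, i.e. no timing overrides are given for that probe.
  probes:
    rpc_timeout: 60
    rpc_retries: 2
    dhcp_agent:
      dhcp_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    l3_agent:
      l3_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    lb_agent:
      lb_agent:
        readiness:
          enabled: true
    metadata_agent:
      metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovn_metadata_agent:
      ovn_metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovs_agent:
      ovs_agent:
        readiness:
          enabled: true
          params:
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    sriov_agent:
      sriov_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
    bagpipe_bgp:
      bagpipe_bgp:
        readiness:
          enabled: true
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    bgp_dragent:
      bgp_dragent:
        readiness:
          enabled: false
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    l2gw_agent:
      l2gw_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 65
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 90
            timeoutSeconds: 70
    server:
      server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
    rpc_server:
      rpc_server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
  # Security contexts per pod and per container.
  # The pod-level runAsUser is 42424 throughout, but container entries
  # override it: every *_init / kernel_modules / netoffload / nginx container
  # below runs as UID 0, and most agent containers are `privileged: true`.
  # A privileged container holds all capabilities and host device access, so
  # `readOnlyRootFilesystem: true` only protects the image's own filesystem;
  # it is not a containment boundary for these workloads.
  # Only neutron_server, neutron_rpc_server and neutron_ironic_agent set
  # `allowPrivilegeEscalation: false`.
  # NOTE(review): when admitting this chart under a restrictive Pod Security
  # policy, these are the entries that need an explicit, reviewed exemption.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Root with SYS_MODULE + SYS_CHROOT instead of full privileged.
        # SYS_MODULE permits loading modules into the host kernel.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Root with SYS_MODULE + SYS_CHROOT instead of full privileged.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        # Privileged root container running the netoffload image, which
        # comes from a different registry than the other images.
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): root, writable root filesystem, and no
        # allowPrivilegeEscalation: false, on the container name that
        # suggests it fronts the API — confirm whether it can be tightened.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_rpc_server:
      pod:
        runAsUser: 42424
      container:
        neutron_rpc_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # Privileged root with a writable root filesystem.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
  affinity:
    anti:
      # "preferred" anti-affinity is a scheduling hint, not a guarantee.
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Tolerations for control-plane taints; listed but disabled by default.
  tolerations:
    neutron:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volumes / volumeMounts per pod. Bare keys parse as null (nothing
  # added). Anything mounted here into a privileged agent is reachable with
  # that container's full privileges, so review overrides accordingly.
  mounts:
    neutron_server:
      init_container: null
      neutron_server:
        volumeMounts:
        volumes:
    neutron_rpc_server:
      init_container: null
      neutron_rpc_server:
        volumeMounts:
        volumes:
    neutron_dhcp_agent:
      init_container: null
      neutron_dhcp_agent:
        volumeMounts:
        volumes:
    neutron_l3_agent:
      init_container: null
      neutron_l3_agent:
        volumeMounts:
        volumes:
    neutron_lb_agent:
      init_container: null
      neutron_lb_agent:
        volumeMounts:
        volumes:
    neutron_metadata_agent:
      init_container: null
      neutron_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovn_metadata_agent:
      init_container: null
      neutron_ovn_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovs_agent:
      init_container: null
      neutron_ovs_agent:
        volumeMounts:
        volumes:
    neutron_sriov_agent:
      init_container: null
      neutron_sriov_agent:
        volumeMounts:
        volumes:
    neutron_l2gw_agent:
      init_container: null
      neutron_l2gw_agent:
        volumeMounts:
        volumes:
    bagpipe_bgp:
      init_container: null
      bagpipe_bgp:
        volumeMounts:
        volumes:
    bgp_dragent:
      init_container: null
      bgp_dragent:
        volumeMounts:
        volumes:
    neutron_ironic_agent:
      init_container: null
      neutron_ironic_agent:
        volumeMounts:
        volumes:
    neutron_netns_cleanup_cron:
      init_container: null
      neutron_netns_cleanup_cron:
        volumeMounts:
        volumes:
    neutron_tests:
      init_container: null
      neutron_tests:
        volumeMounts:
        volumes:
    neutron_bootstrap:
      init_container: null
      neutron_bootstrap:
        volumeMounts:
        volumes:
    neutron_db_sync:
      neutron_db_sync:
        volumeMounts:
          # Single file mounted read-only via subPath.
          - name: db-sync-conf
            mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
            subPath: ml2_conf.ini
            readOnly: true
        volumes:
  replicas:
    server: 1
    rpc_server: 1
    ironic_agent: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        dhcp_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        l3_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        lb_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovn_metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovs_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        sriov_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        netns_cleanup_cron:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
    # min_available 0 with replicas.server 1: a voluntary disruption may
    # take the only API replica down.
    disruption_budget:
      server:
        min_available: 0
    termination_grace_period:
      server:
        timeout: 30
      rpc_server:
        timeout: 30
      ironic_agent:
        timeout: 30
  # NOTE(review): `enabled: false` presumably means none of the
  # requests/limits below are rendered, leaving every pod (including the
  # privileged agents) without CPU or memory limits — confirm in the
  # templates and enable in production overrides.
  resources:
    enabled: false
    agent:
      dhcp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l3:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      lb:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovn_metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovs:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      sriov:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l2gw:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bagpipe_bgp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bgp_dragent:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    ironic_agent:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    netns_cleanup_cron:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"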
979conf:
980 rally_tests:
981 force_project_purge: false
982 run_tempest: false
983 clean_up: |
984 # NOTE: We will make the best effort to clean up rally generated networks and routers,
985 # but should not block further automated deployment.
986 set +e
987 PATTERN="^[sc]_rally_"
988
989 ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
990 NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
991
992 for ROUTER in $ROUTERS
993 do
994 openstack router unset --external-gateway $ROUTER
995 openstack router set --disable --no-ha $ROUTER
996
997 SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
998 for SUBN in $SUBNS
999 do
1000 openstack router remove subnet $ROUTER $SUBN
1001 done
1002
1003 for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
1004 do
1005 openstack router remove port $ROUTER $PORT
1006 done
1007
1008 openstack router delete $ROUTER
1009 done
1010
1011 for NETWORK in $NETWORKS
1012 do
1013 for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
1014 do
1015 openstack port delete $PORT
1016 done
1017 openstack network delete $NETWORK
1018 done
1019 set -e
1020 tests:
1021 NeutronNetworks.create_and_delete_networks:
1022 - args:
1023 network_create_args: {}
1024 context:
1025 quotas:
1026 neutron:
1027 network: -1
1028 runner:
1029 concurrency: 1
1030 times: 1
1031 type: constant
1032 sla:
1033 failure_rate:
1034 max: 0
1035 NeutronNetworks.create_and_delete_ports:
1036 - args:
1037 network_create_args: {}
1038 port_create_args: {}
1039 ports_per_network: 10
1040 context:
1041 network: {}
1042 quotas:
1043 neutron:
1044 network: -1
1045 port: -1
1046 runner:
1047 concurrency: 1
1048 times: 1
1049 type: constant
1050 sla:
1051 failure_rate:
1052 max: 0
1053 NeutronNetworks.create_and_delete_routers:
1054 - args:
1055 network_create_args: {}
1056 router_create_args: {}
1057 subnet_cidr_start: 1.1.0.0/30
1058 subnet_create_args: {}
1059 subnets_per_network: 2
1060 context:
1061 network: {}
1062 quotas:
1063 neutron:
1064 network: -1
1065 router: -1
1066 subnet: -1
1067 runner:
1068 concurrency: 1
1069 times: 1
1070 type: constant
1071 sla:
1072 failure_rate:
1073 max: 0
1074 NeutronNetworks.create_and_delete_subnets:
1075 - args:
1076 network_create_args: {}
1077 subnet_cidr_start: 1.1.0.0/30
1078 subnet_create_args: {}
1079 subnets_per_network: 2
1080 context:
1081 network: {}
1082 quotas:
1083 neutron:
1084 network: -1
1085 subnet: -1
1086 runner:
1087 concurrency: 1
1088 times: 1
1089 type: constant
1090 sla:
1091 failure_rate:
1092 max: 0
1093 NeutronNetworks.create_and_list_routers:
1094 - args:
1095 network_create_args: {}
1096 router_create_args: {}
1097 subnet_cidr_start: 1.1.0.0/30
1098 subnet_create_args: {}
1099 subnets_per_network: 2
1100 context:
1101 network: {}
1102 quotas:
1103 neutron:
1104 network: -1
1105 router: -1
1106 subnet: -1
1107 runner:
1108 concurrency: 1
1109 times: 1
1110 type: constant
1111 sla:
1112 failure_rate:
1113 max: 0
1114 NeutronNetworks.create_and_list_subnets:
1115 - args:
1116 network_create_args: {}
1117 subnet_cidr_start: 1.1.0.0/30
1118 subnet_create_args: {}
1119 subnets_per_network: 2
1120 context:
1121 network: {}
1122 quotas:
1123 neutron:
1124 network: -1
1125 subnet: -1
1126 runner:
1127 concurrency: 1
1128 times: 1
1129 type: constant
1130 sla:
1131 failure_rate:
1132 max: 0
1133 NeutronNetworks.create_and_show_network:
1134 - args:
1135 network_create_args: {}
1136 context:
1137 quotas:
1138 neutron:
1139 network: -1
1140 runner:
1141 concurrency: 1
1142 times: 1
1143 type: constant
1144 sla:
1145 failure_rate:
1146 max: 0
1147 NeutronNetworks.create_and_update_networks:
1148 - args:
1149 network_create_args: {}
1150 network_update_args:
1151 admin_state_up: false
1152 context:
1153 quotas:
1154 neutron:
1155 network: -1
1156 runner:
1157 concurrency: 1
1158 times: 1
1159 type: constant
1160 sla:
1161 failure_rate:
1162 max: 0
1163 NeutronNetworks.create_and_update_ports:
1164 - args:
1165 network_create_args: {}
1166 port_create_args: {}
1167 port_update_args:
1168 admin_state_up: false
1169 device_id: dummy_id
1170 device_owner: dummy_owner
1171 ports_per_network: 5
1172 context:
1173 network: {}
1174 quotas:
1175 neutron:
1176 network: -1
1177 port: -1
1178 runner:
1179 concurrency: 1
1180 times: 1
1181 type: constant
1182 sla:
1183 failure_rate:
1184 max: 0
1185 NeutronNetworks.create_and_update_routers:
1186 - args:
1187 network_create_args: {}
1188 router_create_args: {}
1189 router_update_args:
1190 admin_state_up: false
1191 subnet_cidr_start: 1.1.0.0/30
1192 subnet_create_args: {}
1193 subnets_per_network: 2
1194 context:
1195 network: {}
1196 quotas:
1197 neutron:
1198 network: -1
1199 router: -1
1200 subnet: -1
1201 runner:
1202 concurrency: 1
1203 times: 1
1204 type: constant
1205 sla:
1206 failure_rate:
1207 max: 0
1208 NeutronNetworks.create_and_update_subnets:
1209 - args:
1210 network_create_args: {}
1211 subnet_cidr_start: 1.4.0.0/16
1212 subnet_create_args: {}
1213 subnet_update_args:
1214 enable_dhcp: false
1215 subnets_per_network: 2
1216 context:
1217 network: {}
1218 quotas:
1219 neutron:
1220 network: -1
1221 subnet: -1
1222 runner:
1223 concurrency: 1
1224 times: 1
1225 type: constant
1226 sla:
1227 failure_rate:
1228 max: 0
1229 NeutronNetworks.list_agents:
1230 - args:
1231 agent_args: {}
1232 runner:
1233 concurrency: 1
1234 times: 1
1235 type: constant
1236 sla:
1237 failure_rate:
1238 max: 0
1239 NeutronSecurityGroup.create_and_list_security_groups:
1240 - args:
1241 security_group_create_args: {}
1242 context:
1243 quotas:
1244 neutron:
1245 security_group: -1
1246 runner:
1247 concurrency: 1
1248 times: 1
1249 type: constant
1250 sla:
1251 failure_rate:
1252 max: 0
1253 NeutronSecurityGroup.create_and_update_security_groups:
1254 - args:
1255 security_group_create_args: {}
1256 security_group_update_args: {}
1257 context:
1258 quotas:
1259 neutron:
1260 security_group: -1
1261 runner:
1262 concurrency: 1
1263 times: 1
1264 type: constant
1265 sla:
1266 failure_rate:
1267 max: 0
okozachenko120317930d42023-09-06 00:24:05 +10001268 paste:
 # Paste Deploy definition for the neutron API. Each composite below offers a
 # "noauth" and a "keystone" pipeline; neutron.auth:pipeline_factory picks one
 # (presumably from neutron's auth_strategy option - confirm).
1269 composite:neutron:
1270 use: egg:Paste#urlmap
1271 /: neutronversions_composite
1272 /v2.0: neutronapi_v2_0
1273 composite:neutronapi_v2_0:
1274 use: call:neutron.auth:pipeline_factory
 # NOTE(security): the noauth pipeline carries no authtoken, audit or
 # keystonecontext filter, so requests would reach the v2.0 API app without
 # token validation or audit events. Only the keystone pipeline below
 # validates tokens (authtoken) and emits audit notifications (audit).
1275 noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
1276 keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
1277 composite:neutronversions_composite:
1278 use: call:neutron.auth:pipeline_factory
 # Neither pipeline for the version document includes authtoken: version
 # discovery at "/" is served without a token in both modes.
1279 noauth: cors http_proxy_to_wsgi neutronversions
1280 keystone: cors http_proxy_to_wsgi neutronversions
1281 filter:request_id:
1282 paste.filter_factory: oslo_middleware:RequestId.factory
1283 filter:catch_errors:
1284 paste.filter_factory: oslo_middleware:CatchErrors.factory
1285 filter:cors:
1286 paste.filter_factory: oslo_middleware.cors:filter_factory
1287 oslo_config_project: neutron
 # http_proxy_to_wsgi is the first filter after cors in every pipeline above.
 # It acts on forwarding headers when oslo_middleware.enable_proxy_headers_parsing
 # is true (set in the neutron section of this file), so the API port should be
 # reachable only through a proxy that sets those headers itself.
1288 filter:http_proxy_to_wsgi:
1289 paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
1290 filter:keystonecontext:
1291 paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
1292 filter:authtoken:
1293 paste.filter_factory: keystonemiddleware.auth_token:filter_factory
 # audit_map_file presumably points at the file rendered from the
 # api_audit_map key of this values file - confirm in the templates.
1294 filter:audit:
1295 paste.filter_factory: keystonemiddleware.audit:filter_factory
1296 audit_map_file: /etc/neutron/api_audit_map.conf
1297 filter:extensions:
1298 paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
1299 app:neutronversions:
1300 paste.app_factory: neutron.pecan_wsgi.app:versions_factory
1301 app:neutronapiapp_v2_0:
1302 paste.app_factory: neutron.api.v2.router:APIRouter.factory
 # Defined here but not referenced by any pipeline above.
1303 filter:osprofiler:
1304 paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
Rico Lin0e153482024-05-03 03:29:14 +08001305 neutron_api_uwsgi:
 # uWSGI options for the neutron-api WSGI application (wsgi-file below).
1306 uwsgi:
1307 add-header: "Connection: close"
1308 buffer-size: 65535
1309 die-on-term: true
1310 enable-threads: true
1311 exit-on-reload: false
1312 hook-master-start: unix_signal:15 gracefully_kill_them_all
1313 lazy-apps: true
 # NOTE(security): request logs record the X-Forwarded-For value as the client
 # address. That header is client-supplied unless a trusted proxy in front
 # overwrites it, so the logged address is not authenticated on its own.
1314 log-x-forwarded-for: true
1315 master: true
1316 procname-prefix-spaced: "neutron-api:"
 # Requests whose User-Agent matches ^kube-probe are left out of the request
 # log. User-Agent is client-controlled, so the uWSGI request log is not a
 # complete record; use the API audit events or proxy logs for detection.
1317 route-user-agent: '^kube-probe.* donotlog:'
1318 thunder-lock: true
1319 worker-reload-mercy: 80
1320 wsgi-file: /var/lib/openstack/bin/neutron-api
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001321 policy: {}
1322 api_audit_map:
1323 DEFAULT:
1324 target_endpoint_type: None
1325 custom_actions:
1326 add_router_interface: update/add
1327 remove_router_interface: update/remove
1328 path_keywords:
1329 floatingips: ip
1330 healthmonitors: healthmonitor
1331 health_monitors: health_monitor
1332 lb: None
1333 members: member
1334 metering-labels: label
1335 metering-label-rules: rule
1336 networks: network
1337 pools: pool
1338 ports: port
1339 routers: router
1340 quotas: quota
1341 security-groups: security-group
1342 security-group-rules: rule
1343 subnets: subnet
1344 vips: vip
1345 service_endpoints:
1346 network: service/network
# NOTE(security): the sudoers text below lets the neutron user run
# neutron-rootwrap as root without a password and with any arguments (the
# trailing "*"); sudo itself does not limit which commands end up running.
# The allow-list is enforced by rootwrap from /etc/neutron/rootwrap.conf and
# the filter files it loads, so those files, the rootwrap binaries and every
# directory in secure_path must be writable by root only.
1347 neutron_sudoers: |
1348 # This sudoers file supports rootwrap for both Kolla and LOCI Images.
1349 Defaults !requiretty
1350 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
1351 neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
1352 neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
# NOTE(security): rootwrap syslog logging is off in the text below
# (use_syslog=False), so neither permitted nor rejected commands reach syslog.
# Per the embedded comments, syslog_log_level=ERROR would record only
# unsuccessful attempts once logging is enabled, and INFO records all usage.
# filters_path and exec_dirs include /var/lib/openstack and
# /var/lib/kolla/venv paths; these must be root-owned in the image for the
# "only writeable by root" requirement stated in the file to hold.
1353 rootwrap: |
1354 # Configuration for neutron-rootwrap
1355 # This file should be owned by (and only-writeable by) the root user
1356
1357 [DEFAULT]
1358 # List of directories to load filter definitions from (separated by ',').
1359 # These directories MUST all be only writeable by root !
1360 filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
1361
1362 # List of directories to search executables in, in case filters do not
1363 # explicitely specify a full path (separated by ',')
1364 # If not specified, defaults to system PATH environment variable.
1365 # These directories MUST all be only writeable by root !
1366 exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
1367
1368 # Enable logging to syslog
1369 # Default value is False
1370 use_syslog=False
1371
1372 # Which syslog facility to use.
1373 # Valid values include auth, authpriv, syslog, local0, local1...
1374 # Default value is 'syslog'
1375 syslog_log_facility=syslog
1376
1377 # Which messages to log.
1378 # INFO means log all usage
1379 # ERROR means only log unsuccessful attempts
1380 syslog_log_level=ERROR
1381
1382 [xenapi]
1383 # XenAPI configuration is only required by the L2 agent if it is to
1384 # target a XenServer/XCP compute host's dom0.
1385 xenapi_connection_url=<None>
1386 xenapi_connection_username=root
1387 xenapi_connection_password=<None>
1388 rootwrap_filters:
1389 debug:
1390 pods:
1391 - dhcp_agent
1392 - l3_agent
1393 - lb_agent
1394 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001395 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001396 - ovs_agent
1397 - sriov_agent
1398 content: |
1399 # neutron-rootwrap command filters for nodes on which neutron is
1400 # expected to control network
1401 #
1402 # This file should be owned by (and only-writeable by) the root user
1403
1404 # format seems to be
1405 # cmd-name: filter-name, raw-command, user, args
1406
1407 [Filters]
1408
1409 # This is needed because we should ping
1410 # from inside a namespace which requires root
1411 # _alt variants allow to match -c and -w in any order
1412 # (used by NeutronDebugAgent.ping_all)
1413 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
1414 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
1415 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
1416 ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
1417 dibbler:
1418 pods:
1419 - dhcp_agent
1420 - l3_agent
1421 - lb_agent
1422 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001423 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001424 - ovs_agent
1425 - sriov_agent
1426 content: |
1427 # neutron-rootwrap command filters for nodes on which neutron is
1428 # expected to control network
1429 #
1430 # This file should be owned by (and only-writeable by) the root user
1431
1432 # format seems to be
1433 # cmd-name: filter-name, raw-command, user, args
1434
1435 [Filters]
1436
1437 # Filters for the dibbler-based reference implementation of the pluggable
1438 # Prefix Delegation driver. Other implementations using an alternative agent
1439 # should include a similar filter in this folder.
1440
1441 # prefix_delegation_agent
1442 dibbler-client: CommandFilter, dibbler-client, root
1443 ipset_firewall:
1444 pods:
1445 - dhcp_agent
1446 - l3_agent
1447 - lb_agent
1448 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001449 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001450 - ovs_agent
1451 - sriov_agent
1452 content: |
1453 # neutron-rootwrap command filters for nodes on which neutron is
1454 # expected to control network
1455 #
1456 # This file should be owned by (and only-writeable by) the root user
1457
1458 # format seems to be
1459 # cmd-name: filter-name, raw-command, user, args
1460
1461 [Filters]
1462 # neutron/agent/linux/iptables_firewall.py
1463 # "ipset", "-A", ...
1464 ipset: CommandFilter, ipset, root
1465 l3:
 # NOTE(security): rootwrap filters for L3/router work. Points to keep in mind
 # when reviewing or trimming this list:
 #  - CommandFilter entries check only the executable, so any arguments are
 #    accepted as root (sysctl, route, iptables-restore, ovs-vsctl, ...).
 #  - The kill_metadata* and kill_keepalived_monitor_py* KillFilters name the
 #    interpreter (python*), so they cover any root-owned process running
 #    under that interpreter, not only the neutron helper; the TODO in the
 #    filter text acknowledges this.
 #  - haproxy is allowed with "-f, .*", i.e. any configuration file path.
 # The pods list names agents other than l3_agent as well (presumably every
 # pod listed receives this filter file - confirm in the templates);
 # narrowing it to the pods that need it is a least-privilege improvement.
1466 pods:
1467 - dhcp_agent
1468 - l3_agent
1469 - lb_agent
1470 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001471 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001472 - ovs_agent
1473 - sriov_agent
1474 content: |
1475 # neutron-rootwrap command filters for nodes on which neutron is
1476 # expected to control network
1477 #
1478 # This file should be owned by (and only-writeable by) the root user
1479
1480 # format seems to be
1481 # cmd-name: filter-name, raw-command, user, args
1482
1483 [Filters]
1484
1485 # arping
1486 arping: CommandFilter, arping, root
1487
1488 # l3_agent
1489 sysctl: CommandFilter, sysctl, root
1490 route: CommandFilter, route, root
1491 radvd: CommandFilter, radvd, root
1492
1493 # haproxy
1494 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
1495 kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
1496
1497 # metadata proxy
1498 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1499 # RHEL invocation of the metadata proxy will report /usr/bin/python
1500 kill_metadata: KillFilter, root, python, -15, -9
1501 kill_metadata2: KillFilter, root, python2, -15, -9
1502 kill_metadata7: KillFilter, root, python2.7, -15, -9
1503 kill_metadata3: KillFilter, root, python3, -15, -9
1504 kill_metadata35: KillFilter, root, python3.5, -15, -9
1505 kill_metadata36: KillFilter, root, python3.6, -15, -9
1506 kill_metadata37: KillFilter, root, python3.7, -15, -9
1507 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
1508 kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
1509
1510 # ip_lib
1511 ip: IpFilter, ip, root
1512 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1513 ip_exec: IpNetnsExecFilter, ip, root
1514
1515 # l3_tc_lib
1516 l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1517 l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
1518 l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
1519 l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
1520 l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
1521 l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
1522 l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
1523
1524 # For ip monitor
1525 kill_ip_monitor: KillFilter, root, ip, -9
1526
1527 # ovs_lib (if OVSInterfaceDriver is used)
1528 ovs-vsctl: CommandFilter, ovs-vsctl, root
1529
1530 # iptables_manager
1531 iptables-save: CommandFilter, iptables-save, root
1532 iptables-restore: CommandFilter, iptables-restore, root
1533 ip6tables-save: CommandFilter, ip6tables-save, root
1534 ip6tables-restore: CommandFilter, ip6tables-restore, root
1535
1536 # Keepalived
1537 keepalived: CommandFilter, keepalived, root
1538 kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
1539
1540 # l3 agent to delete floatingip's conntrack state
1541 conntrack: CommandFilter, conntrack, root
1542
1543 # keepalived state change monitor
1544 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
1545 # The following filters are used to kill the keepalived state change monitor.
1546 # Since the monitor runs as a Python script, the system reports that the
1547 # command of the process to be killed is python.
1548 # TODO(mlavalle) These kill filters will be updated once we come up with a
1549 # mechanism to kill using the name of the script being executed by Python
1550 kill_keepalived_monitor_py: KillFilter, root, python, -15
1551 kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
1552 kill_keepalived_monitor_py3: KillFilter, root, python3, -15
1553 kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
1554 kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
1555 kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
1556 netns_cleanup:
1557 pods:
1558 - dhcp_agent
1559 - l3_agent
1560 - lb_agent
1561 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001562 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001563 - ovs_agent
1564 - sriov_agent
1565 - netns_cleanup_cron
1566 content: |
1567 # neutron-rootwrap command filters for nodes on which neutron is
1568 # expected to control network
1569 #
1570 # This file should be owned by (and only-writeable by) the root user
1571
1572 # format seems to be
1573 # cmd-name: filter-name, raw-command, user, args
1574
1575 [Filters]
1576
1577 # netns-cleanup
1578 netstat: CommandFilter, netstat, root
1579 dhcp:
1580 pods:
1581 - dhcp_agent
1582 - l3_agent
1583 - lb_agent
1584 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001585 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001586 - ovs_agent
1587 - sriov_agent
1588 - netns_cleanup_cron
1589 content: |
1590 # neutron-rootwrap command filters for nodes on which neutron is
1591 # expected to control network
1592 #
1593 # This file should be owned by (and only-writeable by) the root user
1594
1595 # format seems to be
1596 # cmd-name: filter-name, raw-command, user, args
1597
1598 [Filters]
1599
1600 # dhcp-agent
1601 dnsmasq: CommandFilter, dnsmasq, root
1602 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
1603 # it looks like these are the only signals needed, per
1604 # neutron/agent/linux/dhcp.py
1605 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
1606 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
1607
1608 ovs-vsctl: CommandFilter, ovs-vsctl, root
1609 ivs-ctl: CommandFilter, ivs-ctl, root
1610 mm-ctl: CommandFilter, mm-ctl, root
1611 dhcp_release: CommandFilter, dhcp_release, root
1612 dhcp_release6: CommandFilter, dhcp_release6, root
1613
1614 # metadata proxy
1615 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1616 # RHEL invocation of the metadata proxy will report /usr/bin/python
1617 kill_metadata: KillFilter, root, python, -9
1618 kill_metadata2: KillFilter, root, python2, -9
1619 kill_metadata7: KillFilter, root, python2.7, -9
1620 kill_metadata3: KillFilter, root, python3, -9
1621 kill_metadata35: KillFilter, root, python3.5, -9
1622 kill_metadata36: KillFilter, root, python3.6, -9
1623 kill_metadata37: KillFilter, root, python3.7, -9
1624
1625 # ip_lib
1626 ip: IpFilter, ip, root
1627 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1628 ip_exec: IpNetnsExecFilter, ip, root
1629 ebtables:
1630 pods:
1631 - dhcp_agent
1632 - l3_agent
1633 - lb_agent
1634 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001635 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001636 - ovs_agent
1637 - sriov_agent
1638 content: |
1639 # neutron-rootwrap command filters for nodes on which neutron is
1640 # expected to control network
1641 #
1642 # This file should be owned by (and only-writeable by) the root user
1643
1644 # format seems to be
1645 # cmd-name: filter-name, raw-command, user, args
1646
1647 [Filters]
1648
1649 ebtables: CommandFilter, ebtables, root
1650 iptables_firewall:
1651 pods:
1652 - dhcp_agent
1653 - l3_agent
1654 - lb_agent
1655 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001656 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001657 - ovs_agent
1658 - sriov_agent
1659 content: |
1660 # neutron-rootwrap command filters for nodes on which neutron is
1661 # expected to control network
1662 #
1663 # This file should be owned by (and only-writeable by) the root user
1664
1665 # format seems to be
1666 # cmd-name: filter-name, raw-command, user, args
1667
1668 [Filters]
1669
1670 # neutron/agent/linux/iptables_firewall.py
1671 # "iptables-save", ...
1672 iptables-save: CommandFilter, iptables-save, root
1673 iptables-restore: CommandFilter, iptables-restore, root
1674 ip6tables-save: CommandFilter, ip6tables-save, root
1675 ip6tables-restore: CommandFilter, ip6tables-restore, root
1676
1677 # neutron/agent/linux/iptables_firewall.py
1678 # "iptables", "-A", ...
1679 iptables: CommandFilter, iptables, root
1680 ip6tables: CommandFilter, ip6tables, root
1681
1682 # neutron/agent/linux/iptables_firewall.py
1683 sysctl: CommandFilter, sysctl, root
1684
1685 # neutron/agent/linux/ip_conntrack.py
1686 conntrack: CommandFilter, conntrack, root
1687 linuxbridge_plugin:
1688 pods:
1689 - dhcp_agent
1690 - l3_agent
1691 - lb_agent
1692 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001693 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001694 - ovs_agent
1695 - sriov_agent
1696 content: |
1697 # neutron-rootwrap command filters for nodes on which neutron is
1698 # expected to control network
1699 #
1700 # This file should be owned by (and only-writeable by) the root user
1701
1702 # format seems to be
1703 # cmd-name: filter-name, raw-command, user, args
1704
1705 [Filters]
1706
1707 # linuxbridge-agent
1708 # unclear whether both variants are necessary, but I'm transliterating
1709 # from the old mechanism
1710 brctl: CommandFilter, brctl, root
1711 bridge: CommandFilter, bridge, root
1712
1713 # ip_lib
1714 ip: IpFilter, ip, root
1715 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1716 ip_exec: IpNetnsExecFilter, ip, root
1717
1718 # tc commands needed for QoS support
1719 tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
1720 tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
1721 tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
1722 tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1723 tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
1724 tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
1725 openvswitch_plugin:
1726 pods:
1727 - dhcp_agent
1728 - l3_agent
1729 - lb_agent
1730 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001731 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001732 - ovs_agent
1733 - sriov_agent
1734 content: |
1735 # neutron-rootwrap command filters for nodes on which neutron is
1736 # expected to control network
1737 #
1738 # This file should be owned by (and only-writeable by) the root user
1739
1740 # format seems to be
1741 # cmd-name: filter-name, raw-command, user, args
1742
1743 [Filters]
1744
1745 # openvswitch-agent
1746 # unclear whether both variants are necessary, but I'm transliterating
1747 # from the old mechanism
1748 ovs-vsctl: CommandFilter, ovs-vsctl, root
1749 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
1750 ovs-ofctl: CommandFilter, ovs-ofctl, root
1751 ovs-appctl: CommandFilter, ovs-appctl, root
1752 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
1753 ovsdb-client: CommandFilter, ovsdb-client, root
1754 xe: CommandFilter, xe, root
1755
1756 # ip_lib
1757 ip: IpFilter, ip, root
1758 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1759 ip_exec: IpNetnsExecFilter, ip, root
1760
1761 # needed for FDB extension
1762 bridge: CommandFilter, bridge, root
1763 privsep:
 # NOTE(security): lets rootwrap start privsep-helper as root for the
 # neutron.privileged.default context. In the PathFilter below, "/etc" and
 # "/" are directory constraints: --config-file must lie under /etc, while
 # --privsep_sock_path may be anywhere under /. The trust assumptions this
 # relies on are spelled out in the filter text itself; they only hold if the
 # config files and the Python module path are not writable by neutron.
1764 pods:
1765 - dhcp_agent
1766 - l3_agent
1767 - lb_agent
1768 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001769 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001770 - ovs_agent
1771 - sriov_agent
1772 - netns_cleanup_cron
1773 content: |
1774 # Command filters to allow privsep daemon to be started via rootwrap.
1775 #
1776 # This file should be owned by (and only-writeable by) the root user
1777
1778 [Filters]
1779
1780 # By installing the following, the local admin is asserting that:
1781 #
1782 # 1. The python module load path used by privsep-helper
1783 # command as root (as started by sudo/rootwrap) is trusted.
1784 # 2. Any oslo.config files matching the --config-file
1785 # arguments below are trusted.
1786 # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
1787 # also allowed to invoke python "entrypoint" functions from
1788 # --privsep_context with the additional (possibly root) privileges
1789 # configured for that context.
1790 #
1791 # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
1792 #
1793 # In particular, the oslo.config and python module path must not
1794 # be writeable by the unprivileged user.
1795
1796 # oslo.privsep default neutron context
1797 privsep: PathFilter, privsep-helper, root,
1798 --config-file, /etc,
1799 --privsep_context, neutron.privileged.default,
1800 --privsep_sock_path, /
1801
1802 # NOTE: A second `--config-file` arg can also be added above. Since
1803 # many neutron components are installed like that (eg: by devstack).
1804 # Adjust to suit local requirements.
1805 linux_vxlan:
 # NOTE(security): the filter text below ends with
 # "sh: CommandFilter, sh, root". CommandFilter checks only the executable,
 # so this permits sh as root with arbitrary arguments; for a caller allowed
 # to use rootwrap in this pod, the allow-list then imposes no real
 # restriction. modprobe is likewise accepted with any arguments. Only
 # bagpipe_bgp is listed under pods; keep it that narrow and omit this filter
 # set where bagpipe-bgp is not deployed.
1806 pods:
1807 - bagpipe_bgp
1808 content: |
1809 # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
1810 # expected to control VXLAN Linux Bridge dataplane
1811 #
1812 # This file should be owned by (and only-writeable by) the root user
1813
1814 # format seems to be
1815 # cmd-name: filter-name, raw-command, user, args
1816
1817 [Filters]
1818
1819 #
1820 modprobe: CommandFilter, modprobe, root
1821
1822 #
1823 brctl: CommandFilter, brctl, root
1824 bridge: CommandFilter, bridge, root
1825
1826 # ip_lib
1827 ip: IpFilter, ip, root
1828 ip_exec: IpNetnsExecFilter, ip, root
1829
1830 # shell (for piped commands)
1831 sh: CommandFilter, sh, root
1832 mpls_ovs_dataplane:
 # NOTE(security): the filter text below ends with
 # "sh: CommandFilter, sh, root". CommandFilter checks only the executable,
 # so this permits sh as root with arbitrary arguments; for a caller allowed
 # to use rootwrap in this pod, the allow-list then imposes no real
 # restriction. Only bagpipe_bgp is listed under pods; keep it that narrow
 # and omit this filter set where bagpipe-bgp is not deployed.
1833 pods:
1834 - bagpipe_bgp
1835 content: |
1836 # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
1837 # expected to control MPLS OpenVSwitch dataplane
1838 #
1839 # This file should be owned by (and only-writeable by) the root user
1840
1841 # format seems to be
1842 # cmd-name: filter-name, raw-command, user, args
1843
1844 [Filters]
1845
1846 # openvswitch
1847 ovs-vsctl: CommandFilter, ovs-vsctl, root
1848 ovs-ofctl: CommandFilter, ovs-ofctl, root
1849
1850 # ip_lib
1851 ip: IpFilter, ip, root
1852 ip_exec: IpNetnsExecFilter, ip, root
1853
1854 # shell (for piped commands)
1855 sh: CommandFilter, sh, root
1856 neutron:
 # Option values for neutron; the child keys look like oslo.config section
 # names (presumably rendered into neutron.conf - confirm in the templates).
1857 DEFAULT:
1858 metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
1859 log_config_append: /etc/neutron/logging.conf
1860 # NOTE(portdirect): the bind port should not be defined, and is manipulated
1861 # via the endpoints section.
1862 bind_port: null
1863 default_availability_zones: nova
1864 api_workers: 1
1865 rpc_workers: 4
1866 allow_overlapping_ips: True
1867 state_path: /var/lib/neutron
1868 # core_plugin can be: ml2, calico
1869 core_plugin: ml2
1870 # service_plugin can be: router, odl-router, empty for calico,
1871 # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
1872 service_plugins: router
1873 allow_automatic_l3agent_failover: True
1874 l3_ha: True
1875 max_l3_agents_per_router: 2
1876 l3_ha_network_type: vxlan
1877 network_auto_schedule: True
1878 router_auto_schedule: True
1879 # (NOTE)portdirect: if unset this is populated dynamically from the value in
1880 # 'network.backend' to sane defaults.
1881 interface_driver: null
1882 oslo_concurrency:
1883 lock_path: /var/lib/neutron/tmp
1884 database:
1885 max_retries: -1
1886 agent:
 # NOTE(security): agents escalate to root through sudo + neutron-rootwrap.
 # What they may run is bounded by the neutron_sudoers text and the
 # rootwrap/rootwrap_filters entries of this values file, so review changes
 # to those together with these two options.
1887 root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
1888 root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
1889 oslo_messaging_notifications:
1890 driver: messagingv2
1891 oslo_messaging_rabbit:
1892 rabbit_ha_queues: true
1893 oslo_middleware:
 # NOTE(security): with this enabled the API acts on forwarding headers set
 # by a proxy; make sure only a trusted proxy/ingress can reach the API port,
 # since a direct client could otherwise supply those headers itself.
1894 enable_proxy_headers_parsing: true
1895 oslo_policy:
1896 policy_file: /etc/neutron/policy.yaml
Mohammed Naser593ec012023-07-23 09:20:05 +00001897 ovn:
Mohammed Naser593ec012023-07-23 09:20:05 +00001898 ovn_metadata_enabled: true
 # The nova, placement, designate and keystone_authtoken sections set only the
 # auth method; no usernames or passwords appear here (presumably injected
 # from the secrets named under the top-level secrets key - confirm).
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001899 nova:
1900 auth_type: password
1901 auth_version: v3
1902 endpoint_type: internal
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +01001903 placement:
1904 auth_type: password
1905 auth_version: v3
1906 endpoint_type: internal
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001907 designate:
1908 auth_type: password
1909 auth_version: v3
1910 endpoint_type: internal
1911 allow_reverse_dns_lookup: true
1912 ironic:
1913 endpoint_type: internal
1914 keystone_authtoken:
 # service_token_roles_required: true makes keystonemiddleware treat a service
 # token as valid only if it carries one of service_token_roles ("service").
 # memcache_security_strategy: ENCRYPT protects token data cached in
 # memcached; keystonemiddleware needs memcache_secret_key for it, which is
 # not set in this section (presumably templated in - confirm).
okozachenko120317930d42023-09-06 00:24:05 +10001915 service_token_roles: service
1916 service_token_roles_required: true
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001917 memcache_security_strategy: ENCRYPT
1918 auth_type: password
1919 auth_version: v3
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001920 service_type: network
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001921 octavia:
1922 request_poll_timeout: 3000
1923 logging:
1924 loggers:
1925 keys:
1926 - root
1927 - neutron
1928 - neutron_taas
1929 handlers:
1930 keys:
1931 - stdout
1932 - stderr
1933 - "null"
1934 formatters:
1935 keys:
1936 - context
1937 - default
1938 logger_root:
1939 level: WARNING
1940 handlers: 'null'
1941 logger_neutron:
1942 level: INFO
1943 handlers:
1944 - stdout
1945 qualname: neutron
1946 logger_neutron_taas:
1947 level: INFO
1948 handlers:
1949 - stdout
1950 qualname: neutron_taas
1951 logger_amqp:
1952 level: WARNING
1953 handlers: stderr
1954 qualname: amqp
1955 logger_amqplib:
1956 level: WARNING
1957 handlers: stderr
1958 qualname: amqplib
1959 logger_eventletwsgi:
1960 level: WARNING
1961 handlers: stderr
1962 qualname: eventlet.wsgi.server
1963 logger_sqlalchemy:
1964 level: WARNING
1965 handlers: stderr
1966 qualname: sqlalchemy
1967 logger_boto:
1968 level: WARNING
1969 handlers: stderr
1970 qualname: boto
1971 handler_null:
1972 class: logging.NullHandler
1973 formatter: default
1974 args: ()
1975 handler_stdout:
1976 class: StreamHandler
1977 args: (sys.stdout,)
1978 formatter: context
1979 handler_stderr:
1980 class: StreamHandler
1981 args: (sys.stderr,)
1982 formatter: context
1983 formatter_context:
1984 class: oslo_log.formatters.ContextFormatter
1985 datefmt: "%Y-%m-%d %H:%M:%S"
1986 formatter_default:
1987 format: "%(message)s"
1988 datefmt: "%Y-%m-%d %H:%M:%S"
1989 plugins:
1990 ml2_conf:
1991 ml2:
1992 extension_drivers: port_security
1993 # (NOTE)portdirect: if unset this is populated dynamically from the value
1994 # in 'network.backend' to sane defaults.
1995 mechanism_drivers: null
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001996 type_drivers: flat,vlan,vxlan,local
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001997 tenant_network_types: vxlan
1998 ml2_type_vxlan:
1999 vni_ranges: 1:1000
2000 vxlan_group: 239.1.1.1
2001 ml2_type_flat:
2002 flat_networks: "*"
2003 # If you want to use the external network as a tagged provider network,
2004 # a range should be specified including the intended VLAN target
2005 # using ml2_type_vlan.network_vlan_ranges:
2006 # ml2_type_vlan:
2007 # network_vlan_ranges: "external:1100:1110"
Mohammed Naser593ec012023-07-23 09:20:05 +00002008 ml2_type_geneve:
2009 vni_ranges: 1:65536
2010 max_header_size: 38
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002011 agent:
2012 extensions: ""
2013 ml2_conf_sriov: null
2014 taas:
2015 taas:
2016 enabled: False
2017 openvswitch_agent:
2018 agent:
2019 tunnel_types: vxlan
2020 l2_population: True
2021 arp_responder: True
2022 ovs:
2023 bridge_mappings: "external:br-ex"
2024 securitygroup:
2025 firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
2026 linuxbridge_agent:
2027 linux_bridge:
2028 # To define Flat and VLAN connections, in LB we can assign
2029 # specific interface to the flat/vlan network name using:
2030 # physical_interface_mappings: "external:eth3"
2031 # Or we can set the mapping between the network and bridge:
2032 bridge_mappings: "external:br-ex"
2033 # The two above options are exclusive, do not use both of them at once
2034 securitygroup:
2035 firewall_driver: iptables
2036 vxlan:
2037 l2_population: True
2038 arp_responder: True
2039 macvtap_agent: null
2040 sriov_agent:
2041 securitygroup:
 # NOTE(security): NoopFirewallDriver applies no packet filtering, so
 # security-group rules are not enforced by this agent for the ports it
 # manages; isolation for those ports has to come from elsewhere.
2042 firewall_driver: neutron.agent.firewall.NoopFirewallDriver
2043 sriov_nic:
 # Sample physnet-to-device mapping; presumably meant to be overridden per
 # environment - confirm.
2044 physical_device_mappings: physnet2:enp3s0f1
2045 # NOTE: do not use null here, use an empty string
2046 exclude_devices: ""
2047 dhcp_agent:
2048 DEFAULT:
2049 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2050 # 'network.backend' to sane defaults.
2051 interface_driver: null
2052 dnsmasq_config_file: /etc/neutron/dnsmasq.conf
2053 force_metadata: True
2054 dnsmasq: |
2055 #no-hosts
2056 #port=5353
2057 #cache-size=500
2058 #no-negcache
2059 #dns-forward-max=100
2060 #resolve-file=
2061 #strict-order
2062 #bind-interface
2063 #bind-dynamic
2064 #domain=
2065 #dhcp-range=10.10.10.10,10.10.10.100,24h
2066 #dhcp-lease-max=150
2067 #dhcp-host=11:22:33:44:55:66,ignore
2068 #dhcp-option=3,10.10.10.1
2069 #dhcp-option-force=26,1450
2070
2071 l3_agent:
2072 DEFAULT:
2073 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2074 # 'network.backend' to sane defaults.
2075 interface_driver: null
2076 agent_mode: legacy
2077 metering_agent: null
2078 metadata_agent:
2079 DEFAULT:
2080 # we cannot change the proxy socket path as it is declared
2081 # as a hostPath volume from agent daemonsets
2082 metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
 # NOTE(security): "password" is a guessable placeholder default. The metadata
 # agent uses this secret to sign the instance ID it forwards to nova, so a
 # known value lets anyone who can reach the nova metadata API forge requests
 # for other instances' metadata. Override it per deployment with a random
 # value that matches nova's [neutron] metadata_proxy_shared_secret, and
 # supply it from a secret store rather than committing it to values files.
2083 metadata_proxy_shared_secret: "password"
2084 cache:
2085 enabled: true
2086 backend: dogpile.cache.memcached
2087 bagpipe_bgp: {}
Mohammed Naser593ec012023-07-23 09:20:05 +00002088 ovn_metadata_agent:
2089 DEFAULT:
2090 # we cannot change the proxy socket path as it is declared
2091 # as a hostPath volume from agent daemonsets
2092 metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
 # NOTE(security): "password" is a guessable placeholder default. The metadata
 # agent uses this secret to sign the instance ID it forwards to nova, so a
 # known value lets anyone who can reach the nova metadata API forge requests
 # for other instances' metadata. Override it per deployment with a random
 # value that matches nova's [neutron] metadata_proxy_shared_secret, and
 # supply it from a secret store rather than committing it to values files.
2093 metadata_proxy_shared_secret: "password"
2094 metadata_workers: 2
2095 cache:
2096 enabled: true
2097 backend: dogpile.cache.memcached
2098 ovs:
 # Local unix socket of the Open vSwitch database on the node.
2099 ovsdb_connection: unix:/run/openvswitch/db.sock
Rico Lincf86b122023-11-02 01:29:14 +08002100 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002101
2102 rabbitmq:
2103 # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
2104 policies:
2105 - vhost: "neutron"
2106 name: "ha_ttl_neutron"
2107 definition:
2108 # mirror messages to other nodes in rmq cluster
2109 ha-mode: "all"
2110 ha-sync-mode: "automatic"
2111 # 70s
2112 message-ttl: 70000
2113 priority: 0
2114 apply-to: all
2115 pattern: '^(?!(amq\.|reply_)).*'
2116 ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
2117 ## This helps prevent sriov init script from failing due to mis-matched NIC
2118 ## For prod env, target NIC should match and init script should fail otherwise.
2119 ## sriov_init:
2120 ## - besteffort
2121 sriov_init:
2122 -
2123 # auto_bridge_add is a table of "bridge: interface" pairs
2124 # To automatically add physical interfaces to specific bridges,
2125 # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
2126 # to br1 do something like:
2127 #
2128 # auto_bridge_add:
2129 # br-physnet1: eth3
2130 # br0: if0
2131 # br1: iface_two
2132 # br-ex will be added by default
2133 auto_bridge_add:
2134 br-ex: null
2135
Mohammed Nasera720f882023-06-30 23:48:02 -04002136 # Network off-loading configuration
2137 netoffload:
ricolin18e6fd32023-07-17 06:17:15 +00002138 enabled: false
Mohammed Nasera720f882023-06-30 23:48:02 -04002139 asap2:
2140 # - dev: enp97s0f0
2141 # vfs: 16
2142
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002143 # configuration of OVS DPDK bridges and NICs
2144 # this is a separate section and not part of the auto_bridge_add section
2145 # because additional parameters are needed
2146 ovs_dpdk:
2147 enabled: false
2148 # setting update_dpdk_bond_config to true will have default behavior,
2149 # which may cause disruptions in ovs dpdk traffic in case of neutron
2150 # ovs agent restart or when dpdk nic/bond configurations are changed.
2151 # Setting this to false will configure dpdk in the first run and
2152 # disable nic/bond config on event of restart or config update.
2153 update_dpdk_bond_config: true
2154 driver: uio_pci_generic
2155 # In case bonds are configured, the nics which are part of those bonds
2156 # must NOT be provided here.
2157 nics:
2158 - name: dpdk0
2159 pci_id: '0000:05:00.0'
2160 # Set VF Index in case some particular VF(s) need to be
2161 # used with ovs-dpdk.
2162 # vf_index: 0
2163 bridge: br-phy
2164 migrate_ip: true
2165 n_rxq: 2
2166 n_txq: 2
2167 pmd_rxq_affinity: "0:3,1:27"
2168 ofport_request: 1
2169 # optional parameters for tuning the OVS DPDK config
2170 # in alignment with the available hardware resources
2171 # mtu: 2000
2172 # n_rxq_size: 1024
2173 # n_txq_size: 1024
2174 # vhost-iommu-support: true
2175 bridges:
2176 - name: br-phy
2177 # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
2178 # - tunnel_underlay_vlan: 45
2179 # Optional parameter for configuring bonding in OVS-DPDK
2180 # - name: br-phy-bond0
2181 # bonds:
2182 # - name: dpdkbond0
2183 # bridge: br-phy-bond0
2184 # # The IP from the first nic in nics list shall be used
2185 # migrate_ip: true
2186 # mtu: 2000
2187 # # Please note that n_rxq is set for each NIC individually
2188 # # rather than denoting the total number of rx queues for
2189 # # the bond as a whole. So setting n_rxq = 2 below for ex.
2190 # # would be 4 rx queues in total for the bond.
2191 # # Same for n_txq
2192 # n_rxq: 2
2193 # n_txq: 2
2194 # ofport_request: 1
2195 # n_rxq_size: 1024
2196 # n_txq_size: 1024
2197 # vhost-iommu-support: true
2198 # ovs_options: "bond_mode=active-backup"
2199 # nics:
2200 # - name: dpdk_b0s0
2201 # pci_id: '0000:06:00.0'
2202 # pmd_rxq_affinity: "0:3,1:27"
2203 # # Set VF Index in case some particular VF(s) need to be
2204 # # used with ovs-dpdk. In which case pci_id of PF must be
2205 # # provided above.
2206 # # vf_index: 0
2207 # - name: dpdk_b0s1
2208 # pci_id: '0000:07:00.0'
2209 # pmd_rxq_affinity: "0:3,1:27"
2210 # # Set VF Index in case some particular VF(s) need to be
2211 # # used with ovs-dpdk. In which case pci_id of PF must be
2212 # # provided above.
2213 # # vf_index: 0
2214 #
2215 # Set the log level for each target module (default level is always dbg)
2216 # Supported log levels are: off, emer, err, warn, info, dbg
2217 #
2218 # modules:
2219 # - name: dpdk
2220 # log_level: info
2221
# Names of secrets used by bootstrap and environmental checks
# NOTE(review): these are object names only, not credential values. The
# values themselves are the endpoints.*.auth entries further down; presumably
# the secret_* manifests render them into Secrets with these names — confirm
# against the templates.
secrets:
  identity:
    admin: neutron-keystone-admin
    neutron: neutron-keystone-user
    test: neutron-keystone-test
  oslo_db:
    admin: neutron-db-admin
    neutron: neutron-db-user
  oslo_messaging:
    admin: neutron-rabbitmq-admin
    neutron: neutron-rabbitmq-user
  # TLS secret names, nested as <endpoint type>.<service>.<endpoint>
  # (layout read from the keys below; the consumer is not visible here).
  tls:
    compute_metadata:
      metadata:
        internal: metadata-tls-metadata
    network:
      server:
        public: neutron-tls-public
        internal: neutron-tls-server
  oci_image_registry:
    neutron: neutron-oci-image-registry
2244
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
# NOTE(review): every account below ships with the literal placeholder
# password "password". Treat these as examples only and override each one
# (preferably from a secret store rather than a committed values file)
# before the chart is deployed anywhere reachable.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Registry authentication is off by default; the credentials below are
      # presumably only used once this is set to true — confirm.
      enabled: false
      neutron:
        username: neutron
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # Database superuser account (root). Presumably used by the db_init and
      # db_drop jobs — confirm; override the password per deployment.
      admin:
        username: root
        password: password
        secret:
          tls:
            # Name of the TLS secret for the database connection; see also
            # the top-level tls.oslo_db switch, which defaults to false.
            internal: mariadb-tls-direct
      # Account the neutron services use for their own database.
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      # RabbitMQ administrative account. Presumably used by the rabbit_init
      # job — confirm; override the password per deployment.
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            # Name of the TLS secret for the messaging connection; see also
            # the top-level tls.oslo_messaging switch (default false).
            internal: rabbitmq-tls-direct
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: "/v2.1/%(tenant_id)s"
    scheme:
      default: 'http'
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    auth:
      # Keystone cloud-admin account; override the password per deployment.
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        # NOTE(review): the neutron service user is given the admin role in
        # addition to service. Confirm the deployment needs admin here, since
        # a compromise of this account would then carry admin rights.
        role: admin,service
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      test:
        # NOTE(review): the test account also holds the admin role; keep it
        # out of production deployments or disable manifests.pod_rally_test.
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project will be purged and reset if
        # conf.rally_tests.force_project_purge is set to true
        # which may be required upon test failure, but be aware that this will
        # expunge all openstack objects, so if this is used a separate project
        # should be used for each helm test, and also it should be ensured
        # that this project is not in use by other tenants
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    # NOTE(review): plain http by default. The credentials above are sent to
    # this endpoint to obtain tokens, so unless TLS is provided some other
    # way, override the scheme together with the top-level tls.identity flag.
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
      # NOTE(review): in that format the private key is supplied inline in
      # values; keep such overrides out of version control.
    path:
      default: null
    scheme:
      default: 'http'
      service: 'http'
    port:
      api:
        default: 9696
        public: 80
        service: 9696
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: 'http'
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
2550
# Ingress/egress rules for the neutron pods. Presumably only rendered when
# manifests.network_policy is true (it defaults to false below) — confirm.
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    # NOTE(review): assuming these lists are passed through to a Kubernetes
    # NetworkPolicy, a single empty rule ({}) matches every peer and port, so
    # the defaults allow all ingress and all egress even once the policy is
    # enabled. Replace them with explicit selectors and ports for the
    # deployment before relying on the policy for isolation.
    ingress:
      - {}
    egress:
      - {}
2558
# NOTE(review): presumably switches the chart's hook handling for Helm 3;
# the consumer is not visible in this file — confirm in the templates.
helm3_hook: true
2560
# Logging settings for the health probes; only the level is set here.
# NOTE(review): presumably read by the probe helper script — confirm.
health_probe:
  logging:
    level: ERROR
2564
# Per-backend TLS switches; all three default to false.
# NOTE(review): presumably these make the chart use TLS towards keystone
# (identity), RabbitMQ (oslo_messaging) and MariaDB (oslo_db) — confirm in
# the templates. With them off and the http/rabbit/mysql+pymysql schemes
# defaulted under endpoints, the service credentials configured there would
# presumably cross the cluster network unencrypted; enable them (together
# with manifests.certificates) where that traffic is not otherwise protected.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
2569
# One flag per chart manifest; presumably each gates whether that object is
# rendered — confirm in the templates.
manifests:
  # Off by default; see the top-level tls section.
  certificates: false
  configmap_bin: true
  configmap_etc: true
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  deployment_ironic_agent: false
  deployment_server: true
  deployment_rpc_server: true
  ingress_server: true
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  # Off by default; presumably the job that removes the neutron database.
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  # On by default; the test account under endpoints.identity.auth.test holds
  # the admin role, so consider disabling this outside test environments.
  pod_rally_test: true
  # Off by default, so the network_policy section above has no effect until
  # this is enabled (assuming the flag gates that template — confirm).
  network_policy: false
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_server: true
  service_server: true
2607...