# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
17
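---
# Left unset by default. How the chart uses this value is not shown in this
# file; confirm against the templates before overriding it.
release_group: null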
20
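# Container images used by every job, deployment and daemonset of the chart.
#
# NOTE(review): every reference below is a mutable tag, not a digest. A tag
# can be re-pointed in the registry without any change to this file, and with
# pull_policy "IfNotPresent" different nodes may end up running different
# content under the same tag. Where reproducibility matters, mirror the images
# and pin them as <registry>/<image>@sha256:<digest> (placeholder form).
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    # NOTE(review): ":latest" is the least reproducible tag in this list; a
    # node that already caches an older ":latest" keeps it under IfNotPresent.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    neutron_db_sync: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    # Runs privileged as root (see pod.security_context.neutron_ovs_agent).
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_policy_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_rpc_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_dhcp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l3: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l2gw: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    # NOTE(review): judging by the tag, the two SR-IOV images come from a much
    # older release and base OS than the 2024.1-ubuntu_jammy images above, and
    # both containers run privileged (pod.security_context.neutron_sriov_agent).
    # Confirm they are still maintained before enabling the sriov backend.
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent_init: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    # NOTE(review): the tag denotes a Docker release from 2017; presumably only
    # used when local_registry.active is true -- verify before enabling it.
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync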
59
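# Node selector key/value pairs, one per component.
#
# NOTE(review): several of the components selected here run privileged
# (see pod.security_context), so the ability to set these labels on a node
# presumably decides where privileged pods are scheduled. Restrict who may
# label nodes accordingly.
labels:
  agent:
    dhcp:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l3:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    metadata:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l2gw:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  lb:
    node_selector_key: linuxbridge
    node_selector_value: enabled
  # openvswitch is a special case, requiring a special
  # label that can apply to both control hosts
  # and compute hosts, until we get more sophisticated
  # with our daemonset scheduling
  ovs:
    node_selector_key: openvswitch
    node_selector_value: enabled
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  bgp_dragent:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  rpc_server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  netns_cleanup_cron:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled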
111
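# Network wiring for the agents and exposure of the API server.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  #
  # NOTE(review): with this set, agent containers are not isolated from the
  # host's network namespaces, and most of them also run privileged (see
  # pod.security_context). Treat a compromised agent pod as a compromised
  # node when modelling threats for this deployment.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    #
    # NOTE(review): "0/0" matches every route, so the fallback presumably
    # lands on whichever interface carries the default route. VXLAN itself is
    # unencrypted; set `tunnel` or a specific CIDR so that tenant overlay
    # traffic stays on the intended network.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): `public: true` asks for a public ingress for the API.
      # TLS and source restrictions are not configured in this section;
      # confirm where they are enforced.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30096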
151
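# Optional bootstrap job, disabled by default; `script` runs as `ks_user`.
#
# NOTE(review): `openstack token issue` prints the issued token to stdout, so
# if this job is enabled with the default script the token ends up in the job
# log. Treat that log as sensitive or replace the script with a command that
# does not echo credentials.
bootstrap:
  enabled: false
  ks_user: neutron
  script: |
    openstack token issue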
157
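# Start-up ordering: the jobs, services and co-located pods each component
# waits for. `dynamic` entries depend on the selected backend or on the local
# image registry; `static` entries always apply.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - neutron-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    targeted:
      sriov: {}
      l2gateway: {}
      bagpipe_bgp: {}
      ovn:
        server:
          pod: null
      bgp_dragent: {}
      openvswitch:
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        dhcp:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        l3:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        metadata:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
        lb_agent:
          pod: null
  static:
    bootstrap:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - neutron-db-init
      services:
        - endpoint: internal
          service: oslo_db
    dhcp:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    ks_endpoints:
      jobs:
        - neutron-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
    l3:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    lb_agent:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    metadata:
      pod: null
      jobs:
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
        # NOTE(review): the only dependency in this file that waits on a
        # `public` endpoint; ovn_metadata below uses `internal` for the same
        # service. Confirm the difference is intended.
        - endpoint: public
          service: compute_metadata
    ovn_metadata:
      pod:
        - requireSameNode: true
          labels:
            application: ovn
            component: ovn-controller
      services:
        - endpoint: internal
          service: compute_metadata
        - endpoint: internal
          service: network
    ovs_agent:
      jobs:
        - neutron-rabbit-init
      pod:
        - requireSameNode: true
          labels:
            application: openvswitch
            component: server
      services:
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: network
    server:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    rpc_server:
      jobs:
        - neutron-db-sync
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    ironic_agent:
      jobs:
        - neutron-db-sync
        - neutron-ks-user
        - neutron-ks-endpoints
        - neutron-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: oslo_messaging
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: identity
    tests:
      services:
        - endpoint: internal
          service: network
        - endpoint: internal
          service: compute
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry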
375
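# Pod-level settings: sidecars, probes, security contexts, scheduling,
# extra mounts, replica counts, rollout behaviour and resources.
pod:
  sidecars:
    neutron_policy_server: false
  use_fqdn:
    neutron_agent: true
  probes:
    rpc_timeout: 60
    rpc_retries: 2
    # NOTE(review): several agents below use liveness periods of 600s with
    # 580s timeouts, so a hung agent can go unnoticed for roughly ten minutes.
    # Pair these probes with external agent-state monitoring.
    dhcp_agent:
      dhcp_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    l3_agent:
      l3_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    lb_agent:
      lb_agent:
        readiness:
          enabled: true
    metadata_agent:
      metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovn_metadata_agent:
      ovn_metadata_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    ovs_agent:
      ovs_agent:
        readiness:
          enabled: true
          params:
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 600
            timeoutSeconds: 580
    sriov_agent:
      sriov_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 190
            timeoutSeconds: 185
    bagpipe_bgp:
      bagpipe_bgp:
        readiness:
          enabled: true
          # A bare `params:` parses as null, not as an empty mapping.
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    bgp_dragent:
      bgp_dragent:
        readiness:
          enabled: false
          params:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
    l2gw_agent:
      l2gw_agent:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 65
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 120
            periodSeconds: 90
            timeoutSeconds: 70
    server:
      server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
    rpc_server:
      rpc_server:
        readiness:
          enabled: true
          params:
            periodSeconds: 15
            timeoutSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 60
            periodSeconds: 15
            timeoutSeconds: 10
  # Security contexts per pod and per container.
  #
  # NOTE(review): every agent container below sets `privileged: true`.
  # A privileged container holds all capabilities and host device access, so
  # `runAsUser: 42424` and `readOnlyRootFilesystem: true` do not contain it.
  # Only the server-side containers (neutron_server, neutron_policy_server,
  # neutron_rpc_server, neutron_ironic_agent) set
  # `allowPrivilegeEscalation: false`. Schedule these pods on dedicated nodes,
  # keep the namespace out of reach of ordinary tenants, and audit any admission
  # policy exemption this chart needs.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Root plus SYS_MODULE: this container can load kernel modules on the
        # host, which is equivalent to host-level code execution.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Root plus SYS_MODULE: can load kernel modules on the host.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): the nginx container sits in front of the API, runs as
        # root with a writable root filesystem, and does not set
        # `allowPrivilegeEscalation: false`, unlike its neighbours. Check
        # whether root and a writable rootfs are actually required.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        neutron_policy_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_rpc_server:
      pod:
        runAsUser: 42424
      container:
        neutron_rpc_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # Privileged, root and a writable root filesystem at the same time.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  tolerations:
    neutron:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volumes and mounts per component. Bare `volumeMounts:` / `volumes:`
  # parse as null.
  #
  # NOTE(review): anything mounted here into a privileged agent is reachable
  # with that agent's privileges; review hostPath additions with care.
  mounts:
    neutron_server:
      init_container: null
      neutron_server:
        volumeMounts:
        volumes:
    neutron_rpc_server:
      init_container: null
      neutron_rpc_server:
        volumeMounts:
        volumes:
    neutron_dhcp_agent:
      init_container: null
      neutron_dhcp_agent:
        volumeMounts:
        volumes:
    neutron_l3_agent:
      init_container: null
      neutron_l3_agent:
        volumeMounts:
        volumes:
    neutron_lb_agent:
      init_container: null
      neutron_lb_agent:
        volumeMounts:
        volumes:
    neutron_metadata_agent:
      init_container: null
      neutron_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovn_metadata_agent:
      init_container: null
      neutron_ovn_metadata_agent:
        volumeMounts:
        volumes:
    neutron_ovs_agent:
      init_container: null
      neutron_ovs_agent:
        volumeMounts:
        volumes:
    neutron_sriov_agent:
      init_container: null
      neutron_sriov_agent:
        volumeMounts:
        volumes:
    neutron_l2gw_agent:
      init_container: null
      neutron_l2gw_agent:
        volumeMounts:
        volumes:
    bagpipe_bgp:
      init_container: null
      bagpipe_bgp:
        volumeMounts:
        volumes:
    bgp_dragent:
      init_container: null
      bgp_dragent:
        volumeMounts:
        volumes:
    neutron_ironic_agent:
      init_container: null
      neutron_ironic_agent:
        volumeMounts:
        volumes:
    neutron_netns_cleanup_cron:
      init_container: null
      neutron_netns_cleanup_cron:
        volumeMounts:
        volumes:
    neutron_tests:
      init_container: null
      neutron_tests:
        volumeMounts:
        volumes:
    neutron_bootstrap:
      init_container: null
      neutron_bootstrap:
        volumeMounts:
        volumes:
    neutron_db_sync:
      neutron_db_sync:
        volumeMounts:
          - name: db-sync-conf
            mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
            subPath: ml2_conf.ini
            readOnly: true
        volumes:
  replicas:
    server: 1
    rpc_server: 1
    ironic_agent: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        dhcp_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        l3_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        lb_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovn_metadata_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        ovs_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        sriov_agent:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
        netns_cleanup_cron:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
    # NOTE(review): with `replicas.server: 1` and `min_available: 0`, a node
    # drain may take the only API pod away; raise both for production.
    disruption_budget:
      server:
        min_available: 0
    termination_grace_period:
      server:
        timeout: 30
      rpc_server:
        timeout: 30
      ironic_agent:
        timeout: 30
  # NOTE(review): `enabled: false` presumably means none of the requests and
  # limits below are applied, leaving the pods unbounded -- a single runaway
  # agent can then starve a node. Confirm against the templates and enable in
  # shared clusters.
  resources:
    enabled: false
    agent:
      dhcp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l3:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      lb:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovn_metadata:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ovs:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      sriov:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      l2gw:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bagpipe_bgp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bgp_dragent:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    neutron_policy_server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "500m"
    ironic_agent:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    netns_cleanup_cron:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"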
995
996conf:
997 rally_tests:
998 force_project_purge: false
999 run_tempest: false
1000 clean_up: |
1001 # NOTE: We will make the best effort to clean up rally generated networks and routers,
1002 # but should not block further automated deployment.
1003 set +e
1004 PATTERN="^[sc]_rally_"
1005
1006 ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1007 NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1008
1009 for ROUTER in $ROUTERS
1010 do
1011 openstack router unset --external-gateway $ROUTER
1012 openstack router set --disable --no-ha $ROUTER
1013
1014 SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
1015 for SUBN in $SUBNS
1016 do
1017 openstack router remove subnet $ROUTER $SUBN
1018 done
1019
1020 for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
1021 do
1022 openstack router remove port $ROUTER $PORT
1023 done
1024
1025 openstack router delete $ROUTER
1026 done
1027
1028 for NETWORK in $NETWORKS
1029 do
1030 for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
1031 do
1032 openstack port delete $PORT
1033 done
1034 openstack network delete $NETWORK
1035 done
1036 set -e
1037 tests:
1038 NeutronNetworks.create_and_delete_networks:
1039 - args:
1040 network_create_args: {}
1041 context:
1042 quotas:
1043 neutron:
1044 network: -1
1045 runner:
1046 concurrency: 1
1047 times: 1
1048 type: constant
1049 sla:
1050 failure_rate:
1051 max: 0
1052 NeutronNetworks.create_and_delete_ports:
1053 - args:
1054 network_create_args: {}
1055 port_create_args: {}
1056 ports_per_network: 10
1057 context:
1058 network: {}
1059 quotas:
1060 neutron:
1061 network: -1
1062 port: -1
1063 runner:
1064 concurrency: 1
1065 times: 1
1066 type: constant
1067 sla:
1068 failure_rate:
1069 max: 0
1070 NeutronNetworks.create_and_delete_routers:
1071 - args:
1072 network_create_args: {}
1073 router_create_args: {}
1074 subnet_cidr_start: 1.1.0.0/30
1075 subnet_create_args: {}
1076 subnets_per_network: 2
1077 context:
1078 network: {}
1079 quotas:
1080 neutron:
1081 network: -1
1082 router: -1
1083 subnet: -1
1084 runner:
1085 concurrency: 1
1086 times: 1
1087 type: constant
1088 sla:
1089 failure_rate:
1090 max: 0
1091 NeutronNetworks.create_and_delete_subnets:
1092 - args:
1093 network_create_args: {}
1094 subnet_cidr_start: 1.1.0.0/30
1095 subnet_create_args: {}
1096 subnets_per_network: 2
1097 context:
1098 network: {}
1099 quotas:
1100 neutron:
1101 network: -1
1102 subnet: -1
1103 runner:
1104 concurrency: 1
1105 times: 1
1106 type: constant
1107 sla:
1108 failure_rate:
1109 max: 0
1110 NeutronNetworks.create_and_list_routers:
1111 - args:
1112 network_create_args: {}
1113 router_create_args: {}
1114 subnet_cidr_start: 1.1.0.0/30
1115 subnet_create_args: {}
1116 subnets_per_network: 2
1117 context:
1118 network: {}
1119 quotas:
1120 neutron:
1121 network: -1
1122 router: -1
1123 subnet: -1
1124 runner:
1125 concurrency: 1
1126 times: 1
1127 type: constant
1128 sla:
1129 failure_rate:
1130 max: 0
1131 NeutronNetworks.create_and_list_subnets:
1132 - args:
1133 network_create_args: {}
1134 subnet_cidr_start: 1.1.0.0/30
1135 subnet_create_args: {}
1136 subnets_per_network: 2
1137 context:
1138 network: {}
1139 quotas:
1140 neutron:
1141 network: -1
1142 subnet: -1
1143 runner:
1144 concurrency: 1
1145 times: 1
1146 type: constant
1147 sla:
1148 failure_rate:
1149 max: 0
1150 NeutronNetworks.create_and_show_network:
1151 - args:
1152 network_create_args: {}
1153 context:
1154 quotas:
1155 neutron:
1156 network: -1
1157 runner:
1158 concurrency: 1
1159 times: 1
1160 type: constant
1161 sla:
1162 failure_rate:
1163 max: 0
1164 NeutronNetworks.create_and_update_networks:
1165 - args:
1166 network_create_args: {}
1167 network_update_args:
1168 admin_state_up: false
1169 context:
1170 quotas:
1171 neutron:
1172 network: -1
1173 runner:
1174 concurrency: 1
1175 times: 1
1176 type: constant
1177 sla:
1178 failure_rate:
1179 max: 0
1180 NeutronNetworks.create_and_update_ports:
1181 - args:
1182 network_create_args: {}
1183 port_create_args: {}
1184 port_update_args:
1185 admin_state_up: false
1186 device_id: dummy_id
1187 device_owner: dummy_owner
1188 ports_per_network: 5
1189 context:
1190 network: {}
1191 quotas:
1192 neutron:
1193 network: -1
1194 port: -1
1195 runner:
1196 concurrency: 1
1197 times: 1
1198 type: constant
1199 sla:
1200 failure_rate:
1201 max: 0
1202 NeutronNetworks.create_and_update_routers:
1203 - args:
1204 network_create_args: {}
1205 router_create_args: {}
1206 router_update_args:
1207 admin_state_up: false
1208 subnet_cidr_start: 1.1.0.0/30
1209 subnet_create_args: {}
1210 subnets_per_network: 2
1211 context:
1212 network: {}
1213 quotas:
1214 neutron:
1215 network: -1
1216 router: -1
1217 subnet: -1
1218 runner:
1219 concurrency: 1
1220 times: 1
1221 type: constant
1222 sla:
1223 failure_rate:
1224 max: 0
1225 NeutronNetworks.create_and_update_subnets:
1226 - args:
1227 network_create_args: {}
1228 subnet_cidr_start: 1.4.0.0/16
1229 subnet_create_args: {}
1230 subnet_update_args:
1231 enable_dhcp: false
1232 subnets_per_network: 2
1233 context:
1234 network: {}
1235 quotas:
1236 neutron:
1237 network: -1
1238 subnet: -1
1239 runner:
1240 concurrency: 1
1241 times: 1
1242 type: constant
1243 sla:
1244 failure_rate:
1245 max: 0
1246 NeutronNetworks.list_agents:
1247 - args:
1248 agent_args: {}
1249 runner:
1250 concurrency: 1
1251 times: 1
1252 type: constant
1253 sla:
1254 failure_rate:
1255 max: 0
1256 NeutronSecurityGroup.create_and_list_security_groups:
1257 - args:
1258 security_group_create_args: {}
1259 context:
1260 quotas:
1261 neutron:
1262 security_group: -1
1263 runner:
1264 concurrency: 1
1265 times: 1
1266 type: constant
1267 sla:
1268 failure_rate:
1269 max: 0
1270 NeutronSecurityGroup.create_and_update_security_groups:
1271 - args:
1272 security_group_create_args: {}
1273 security_group_update_args: {}
1274 context:
1275 quotas:
1276 neutron:
1277 security_group: -1
1278 runner:
1279 concurrency: 1
1280 times: 1
1281 type: constant
1282 sla:
1283 failure_rate:
1284 max: 0
paste:
  # WSGI pipeline definitions for the neutron API, one mapping per paste
  # section. The root urlmap sends "/" to version discovery and "/v2.0" to
  # the API itself.
  composite:neutron:
    use: egg:Paste#urlmap
    /: neutronversions_composite
    /v2.0: neutronapi_v2_0
  # Two alternative filter chains for the API. Only `keystone` runs
  # authtoken, audit and keystonecontext; `noauth` hands requests to the
  # application with no token validation and no audit record.
  # NOTE(review): pipeline_factory presumably picks the chain named by
  # neutron's auth_strategy option, which the neutron section reviewed here
  # does not set - confirm the rendered neutron.conf cannot resolve to
  # `noauth` outside a lab.
  composite:neutronapi_v2_0:
    use: call:neutron.auth:pipeline_factory
    noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
    keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
  # Version discovery carries no authtoken filter in either chain, so it is
  # served to unauthenticated callers.
  composite:neutronversions_composite:
    use: call:neutron.auth:pipeline_factory
    noauth: cors http_proxy_to_wsgi neutronversions
    keystone: cors http_proxy_to_wsgi neutronversions
  filter:request_id:
    paste.filter_factory: oslo_middleware:RequestId.factory
  filter:catch_errors:
    paste.filter_factory: oslo_middleware:CatchErrors.factory
  filter:cors:
    paste.filter_factory: oslo_middleware.cors:filter_factory
    oslo_config_project: neutron
  # Takes scheme/host information from forwarding headers. Those headers are
  # client-supplied unless a fronting proxy overwrites them, so this filter
  # is only safe when the API is reachable solely through such a proxy.
  filter:http_proxy_to_wsgi:
    paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
  filter:keystonecontext:
    paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
  # Keystone token validation; present only in the `keystone` API chain.
  filter:authtoken:
    paste.filter_factory: keystonemiddleware.auth_token:filter_factory
  # Audit middleware; sits after authtoken in the `keystone` chain and loads
  # its mapping from audit_map_file.
  filter:audit:
    paste.filter_factory: keystonemiddleware.audit:filter_factory
    audit_map_file: /etc/neutron/api_audit_map.conf
  filter:extensions:
    paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
  app:neutronversions:
    paste.app_factory: neutron.pecan_wsgi.app:versions_factory
  app:neutronapiapp_v2_0:
    paste.app_factory: neutron.api.v2.router:APIRouter.factory
  # Defined here but not referenced by any pipeline above.
  filter:osprofiler:
    paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
# uWSGI options for the neutron-api process.
neutron_api_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # Access-log entries record the X-Forwarded-For value instead of the
    # peer address. The header is client-supplied unless a fronting proxy
    # overwrites it, so use these addresses for attribution only when every
    # request arrives through such a proxy.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-api:"
    # Requests whose User-Agent starts with "kube-probe" are left out of the
    # uWSGI log. User-Agent is set by the client, so treat this log as
    # incomplete and keep a second request record (ingress/proxy logs, the
    # audit filter) for investigations.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-api
# uWSGI options for the neutron-policy-server process; same option set as
# neutron_api_uwsgi apart from the process name and wsgi-file.
neutron_policy_server_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # Logs the X-Forwarded-For value in place of the peer address; only
    # meaningful for attribution behind a proxy that overwrites the header.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-policy-server:"
    # Requests presenting a kube-probe User-Agent are not logged. The header
    # is client-controlled, so this log alone is not a complete request
    # record.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-policy-server-wsgi
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001354 policy: {}
# Mapping for the keystonemiddleware audit filter.
# NOTE(review): presumably rendered to /etc/neutron/api_audit_map.conf, the
# audit_map_file that filter:audit loads - confirm in the chart templates.
api_audit_map:
  DEFAULT:
    # This is the literal string "None", not a YAML null.
    target_endpoint_type: None
  # Request path segments mapped to an audit action.
  custom_actions:
    add_router_interface: update/add
    remove_router_interface: update/remove
  # Request path segments mapped to a resource keyword. A path segment that
  # is missing here has no mapping of its own, so extend the list when an
  # extension adds new API resources that should be audited by name.
  path_keywords:
    floatingips: ip
    healthmonitors: healthmonitor
    health_monitors: health_monitor
    lb: None
    members: member
    metering-labels: label
    metering-label-rules: rule
    networks: network
    pools: pool
    ports: port
    routers: router
    quotas: quota
    security-groups: security-group
    security-group-rules: rule
    subnets: subnet
    vips: vip
  service_endpoints:
    network: service/network
# sudoers content for the neutron user. Both rules are NOPASSWD and run as
# root. The neutron-rootwrap rule ends in `*`, so sudo passes any argument
# list through: what the agents can actually run as root is decided by
# rootwrap.conf and the filter files it loads, not by sudo. Keep those files
# and every directory in secure_path writable by root only, including the
# /var/lib/openstack/bin and /var/lib/kolla/venv/bin entries inside the image.
neutron_sudoers: |
  # This sudoers file supports rootwrap for both Kolla and LOCI Images.
  Defaults !requiretty
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
# rootwrap.conf for neutron-rootwrap. filters_path and exec_dirs decide which
# filter definitions are loaded and where executables are resolved, so every
# directory named there has to be writable by root only - that includes the
# image-specific /var/lib/openstack and /var/lib/kolla/venv paths.
# As shipped, use_syslog=False: commands run as root through rootwrap are not
# written to syslog. Where an audit trail of privileged commands is needed,
# enable it, and note that syslog_log_level=ERROR records only unsuccessful
# attempts while INFO records all usage (see the comments inside the file).
rootwrap: |
  # Configuration for neutron-rootwrap
  # This file should be owned by (and only-writeable by) the root user

  [DEFAULT]
  # List of directories to load filter definitions from (separated by ',').
  # These directories MUST all be only writeable by root !
  filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d

  # List of directories to search executables in, in case filters do not
  # explicitely specify a full path (separated by ',')
  # If not specified, defaults to system PATH environment variable.
  # These directories MUST all be only writeable by root !
  exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

  # Enable logging to syslog
  # Default value is False
  use_syslog=False

  # Which syslog facility to use.
  # Valid values include auth, authpriv, syslog, local0, local1...
  # Default value is 'syslog'
  syslog_log_facility=syslog

  # Which messages to log.
  # INFO means log all usage
  # ERROR means only log unsuccessful attempts
  syslog_log_level=ERROR

  [xenapi]
  # XenAPI configuration is only required by the L2 agent if it is to
  # target a XenServer/XCP compute host's dom0.
  xenapi_connection_url=<None>
  xenapi_connection_username=root
  xenapi_connection_password=<None>
1421 rootwrap_filters:
# Rootwrap filter file allowing ping/ping6 as root.
debug:
  # NOTE(review): presumably the chart delivers this filter file to the pods
  # listed here - confirm in the templates. The same seven agents are listed
  # for most filter files in this section; trimming each list to the agents
  # that really run the commands keeps every pod's root command set minimal.
  pods:
    - dhcp_agent
    - l3_agent
    - lb_agent
    - metadata_agent
    - ovn_metadata_agent
    - ovs_agent
    - sriov_agent
  # The filters fix the option order and restrict the target to digits and
  # dots (ping) or hex digits and colons (ping6); hostnames are not accepted.
  content: |
    # neutron-rootwrap command filters for nodes on which neutron is
    # expected to control network
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # This is needed because we should ping
    # from inside a namespace which requires root
    # _alt variants allow to match -c and -w in any order
    # (used by NeutronDebugAgent.ping_all)
    ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
    ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
    ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
    ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
1450 dibbler:
1451 pods:
1452 - dhcp_agent
1453 - l3_agent
1454 - lb_agent
1455 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001456 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001457 - ovs_agent
1458 - sriov_agent
1459 content: |
1460 # neutron-rootwrap command filters for nodes on which neutron is
1461 # expected to control network
1462 #
1463 # This file should be owned by (and only-writeable by) the root user
1464
1465 # format seems to be
1466 # cmd-name: filter-name, raw-command, user, args
1467
1468 [Filters]
1469
1470 # Filters for the dibbler-based reference implementation of the pluggable
1471 # Prefix Delegation driver. Other implementations using an alternative agent
1472 # should include a similar filter in this folder.
1473
1474 # prefix_delegation_agent
1475 dibbler-client: CommandFilter, dibbler-client, root
1476 ipset_firewall:
1477 pods:
1478 - dhcp_agent
1479 - l3_agent
1480 - lb_agent
1481 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001482 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001483 - ovs_agent
1484 - sriov_agent
1485 content: |
1486 # neutron-rootwrap command filters for nodes on which neutron is
1487 # expected to control network
1488 #
1489 # This file should be owned by (and only-writeable by) the root user
1490
1491 # format seems to be
1492 # cmd-name: filter-name, raw-command, user, args
1493
1494 [Filters]
1495 # neutron/agent/linux/iptables_firewall.py
1496 # "ipset", "-A", ...
1497 ipset: CommandFilter, ipset, root
1498 l3:
1499 pods:
1500 - dhcp_agent
1501 - l3_agent
1502 - lb_agent
1503 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001504 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001505 - ovs_agent
1506 - sriov_agent
1507 content: |
1508 # neutron-rootwrap command filters for nodes on which neutron is
1509 # expected to control network
1510 #
1511 # This file should be owned by (and only-writeable by) the root user
1512
1513 # format seems to be
1514 # cmd-name: filter-name, raw-command, user, args
1515
1516 [Filters]
1517
1518 # arping
1519 arping: CommandFilter, arping, root
1520
1521 # l3_agent
1522 sysctl: CommandFilter, sysctl, root
1523 route: CommandFilter, route, root
1524 radvd: CommandFilter, radvd, root
1525
1526 # haproxy
1527 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
1528 kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
1529
1530 # metadata proxy
1531 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1532 # RHEL invocation of the metadata proxy will report /usr/bin/python
1533 kill_metadata: KillFilter, root, python, -15, -9
1534 kill_metadata2: KillFilter, root, python2, -15, -9
1535 kill_metadata7: KillFilter, root, python2.7, -15, -9
1536 kill_metadata3: KillFilter, root, python3, -15, -9
1537 kill_metadata35: KillFilter, root, python3.5, -15, -9
1538 kill_metadata36: KillFilter, root, python3.6, -15, -9
1539 kill_metadata37: KillFilter, root, python3.7, -15, -9
1540 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
1541 kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
1542
1543 # ip_lib
1544 ip: IpFilter, ip, root
1545 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1546 ip_exec: IpNetnsExecFilter, ip, root
1547
1548 # l3_tc_lib
1549 l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1550 l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
1551 l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
1552 l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
1553 l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
1554 l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
1555 l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
1556
1557 # For ip monitor
1558 kill_ip_monitor: KillFilter, root, ip, -9
1559
1560 # ovs_lib (if OVSInterfaceDriver is used)
1561 ovs-vsctl: CommandFilter, ovs-vsctl, root
1562
1563 # iptables_manager
1564 iptables-save: CommandFilter, iptables-save, root
1565 iptables-restore: CommandFilter, iptables-restore, root
1566 ip6tables-save: CommandFilter, ip6tables-save, root
1567 ip6tables-restore: CommandFilter, ip6tables-restore, root
1568
1569 # Keepalived
1570 keepalived: CommandFilter, keepalived, root
1571 kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
1572
1573 # l3 agent to delete floatingip's conntrack state
1574 conntrack: CommandFilter, conntrack, root
1575
1576 # keepalived state change monitor
1577 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
1578 # The following filters are used to kill the keepalived state change monitor.
1579 # Since the monitor runs as a Python script, the system reports that the
1580 # command of the process to be killed is python.
1581 # TODO(mlavalle) These kill filters will be updated once we come up with a
1582 # mechanism to kill using the name of the script being executed by Python
1583 kill_keepalived_monitor_py: KillFilter, root, python, -15
1584 kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
1585 kill_keepalived_monitor_py3: KillFilter, root, python3, -15
1586 kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
1587 kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
1588 kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
1589 netns_cleanup:
1590 pods:
1591 - dhcp_agent
1592 - l3_agent
1593 - lb_agent
1594 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001595 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001596 - ovs_agent
1597 - sriov_agent
1598 - netns_cleanup_cron
1599 content: |
1600 # neutron-rootwrap command filters for nodes on which neutron is
1601 # expected to control network
1602 #
1603 # This file should be owned by (and only-writeable by) the root user
1604
1605 # format seems to be
1606 # cmd-name: filter-name, raw-command, user, args
1607
1608 [Filters]
1609
1610 # netns-cleanup
1611 netstat: CommandFilter, netstat, root
1612 dhcp:
1613 pods:
1614 - dhcp_agent
1615 - l3_agent
1616 - lb_agent
1617 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001618 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001619 - ovs_agent
1620 - sriov_agent
1621 - netns_cleanup_cron
1622 content: |
1623 # neutron-rootwrap command filters for nodes on which neutron is
1624 # expected to control network
1625 #
1626 # This file should be owned by (and only-writeable by) the root user
1627
1628 # format seems to be
1629 # cmd-name: filter-name, raw-command, user, args
1630
1631 [Filters]
1632
1633 # dhcp-agent
1634 dnsmasq: CommandFilter, dnsmasq, root
1635 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
1636 # it looks like these are the only signals needed, per
1637 # neutron/agent/linux/dhcp.py
1638 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
1639 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
1640
1641 ovs-vsctl: CommandFilter, ovs-vsctl, root
1642 ivs-ctl: CommandFilter, ivs-ctl, root
1643 mm-ctl: CommandFilter, mm-ctl, root
1644 dhcp_release: CommandFilter, dhcp_release, root
1645 dhcp_release6: CommandFilter, dhcp_release6, root
1646
1647 # metadata proxy
1648 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1649 # RHEL invocation of the metadata proxy will report /usr/bin/python
1650 kill_metadata: KillFilter, root, python, -9
1651 kill_metadata2: KillFilter, root, python2, -9
1652 kill_metadata7: KillFilter, root, python2.7, -9
1653 kill_metadata3: KillFilter, root, python3, -9
1654 kill_metadata35: KillFilter, root, python3.5, -9
1655 kill_metadata36: KillFilter, root, python3.6, -9
1656 kill_metadata37: KillFilter, root, python3.7, -9
1657
1658 # ip_lib
1659 ip: IpFilter, ip, root
1660 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1661 ip_exec: IpNetnsExecFilter, ip, root
1662 ebtables:
1663 pods:
1664 - dhcp_agent
1665 - l3_agent
1666 - lb_agent
1667 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001668 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001669 - ovs_agent
1670 - sriov_agent
1671 content: |
1672 # neutron-rootwrap command filters for nodes on which neutron is
1673 # expected to control network
1674 #
1675 # This file should be owned by (and only-writeable by) the root user
1676
1677 # format seems to be
1678 # cmd-name: filter-name, raw-command, user, args
1679
1680 [Filters]
1681
1682 ebtables: CommandFilter, ebtables, root
1683 iptables_firewall:
1684 pods:
1685 - dhcp_agent
1686 - l3_agent
1687 - lb_agent
1688 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001689 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001690 - ovs_agent
1691 - sriov_agent
1692 content: |
1693 # neutron-rootwrap command filters for nodes on which neutron is
1694 # expected to control network
1695 #
1696 # This file should be owned by (and only-writeable by) the root user
1697
1698 # format seems to be
1699 # cmd-name: filter-name, raw-command, user, args
1700
1701 [Filters]
1702
1703 # neutron/agent/linux/iptables_firewall.py
1704 # "iptables-save", ...
1705 iptables-save: CommandFilter, iptables-save, root
1706 iptables-restore: CommandFilter, iptables-restore, root
1707 ip6tables-save: CommandFilter, ip6tables-save, root
1708 ip6tables-restore: CommandFilter, ip6tables-restore, root
1709
1710 # neutron/agent/linux/iptables_firewall.py
1711 # "iptables", "-A", ...
1712 iptables: CommandFilter, iptables, root
1713 ip6tables: CommandFilter, ip6tables, root
1714
1715 # neutron/agent/linux/iptables_firewall.py
1716 sysctl: CommandFilter, sysctl, root
1717
1718 # neutron/agent/linux/ip_conntrack.py
1719 conntrack: CommandFilter, conntrack, root
1720 linuxbridge_plugin:
1721 pods:
1722 - dhcp_agent
1723 - l3_agent
1724 - lb_agent
1725 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001726 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001727 - ovs_agent
1728 - sriov_agent
1729 content: |
1730 # neutron-rootwrap command filters for nodes on which neutron is
1731 # expected to control network
1732 #
1733 # This file should be owned by (and only-writeable by) the root user
1734
1735 # format seems to be
1736 # cmd-name: filter-name, raw-command, user, args
1737
1738 [Filters]
1739
1740 # linuxbridge-agent
1741 # unclear whether both variants are necessary, but I'm transliterating
1742 # from the old mechanism
1743 brctl: CommandFilter, brctl, root
1744 bridge: CommandFilter, bridge, root
1745
1746 # ip_lib
1747 ip: IpFilter, ip, root
1748 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1749 ip_exec: IpNetnsExecFilter, ip, root
1750
1751 # tc commands needed for QoS support
1752 tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
1753 tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
1754 tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
1755 tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1756 tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
1757 tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
1758 openvswitch_plugin:
1759 pods:
1760 - dhcp_agent
1761 - l3_agent
1762 - lb_agent
1763 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001764 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001765 - ovs_agent
1766 - sriov_agent
1767 content: |
1768 # neutron-rootwrap command filters for nodes on which neutron is
1769 # expected to control network
1770 #
1771 # This file should be owned by (and only-writeable by) the root user
1772
1773 # format seems to be
1774 # cmd-name: filter-name, raw-command, user, args
1775
1776 [Filters]
1777
1778 # openvswitch-agent
1779 # unclear whether both variants are necessary, but I'm transliterating
1780 # from the old mechanism
1781 ovs-vsctl: CommandFilter, ovs-vsctl, root
1782 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
1783 ovs-ofctl: CommandFilter, ovs-ofctl, root
1784 ovs-appctl: CommandFilter, ovs-appctl, root
1785 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
1786 ovsdb-client: CommandFilter, ovsdb-client, root
1787 xe: CommandFilter, xe, root
1788
1789 # ip_lib
1790 ip: IpFilter, ip, root
1791 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1792 ip_exec: IpNetnsExecFilter, ip, root
1793
1794 # needed for FDB extension
1795 bridge: CommandFilter, bridge, root
1796 privsep:
1797 pods:
1798 - dhcp_agent
1799 - l3_agent
1800 - lb_agent
1801 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001802 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001803 - ovs_agent
1804 - sriov_agent
1805 - netns_cleanup_cron
1806 content: |
1807 # Command filters to allow privsep daemon to be started via rootwrap.
1808 #
1809 # This file should be owned by (and only-writeable by) the root user
1810
1811 [Filters]
1812
1813 # By installing the following, the local admin is asserting that:
1814 #
1815 # 1. The python module load path used by privsep-helper
1816 # command as root (as started by sudo/rootwrap) is trusted.
1817 # 2. Any oslo.config files matching the --config-file
1818 # arguments below are trusted.
1819 # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
1820 # also allowed to invoke python "entrypoint" functions from
1821 # --privsep_context with the additional (possibly root) privileges
1822 # configured for that context.
1823 #
1824 # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
1825 #
1826 # In particular, the oslo.config and python module path must not
1827 # be writeable by the unprivileged user.
1828
1829 # oslo.privsep default neutron context
1830 privsep: PathFilter, privsep-helper, root,
1831 --config-file, /etc,
1832 --privsep_context, neutron.privileged.default,
1833 --privsep_sock_path, /
1834
1835 # NOTE: A second `--config-file` arg can also be added above. Since
1836 # many neutron components are installed like that (eg: by devstack).
1837 # Adjust to suit local requirements.
# Rootwrap filters for the bagpipe-bgp VXLAN Linux Bridge dataplane.
# Least-privilege caveat: `sh` and `modprobe` are plain CommandFilters, which
# match on the command name and place no constraint on arguments. A process
# that can use this file through rootwrap can therefore run arbitrary shell
# commands as root, i.e. rootwrap provides no confinement for it. Keep the
# file limited to the pod that needs it and, where the piped commands are
# known, replace the `sh` entry with argument-specific filters.
linux_vxlan:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control VXLAN Linux Bridge dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    #
    modprobe: CommandFilter, modprobe, root

    #
    brctl: CommandFilter, brctl, root
    bridge: CommandFilter, bridge, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root
# Rootwrap filters for the bagpipe-bgp MPLS Open vSwitch dataplane.
# Least-privilege caveat: the `sh` entry is a plain CommandFilter with no
# argument constraint, so any process allowed to use this file through
# rootwrap can run arbitrary shell commands as root. Keep the file limited
# to the pod that needs it and prefer argument-specific filters where the
# piped commands are known.
mpls_ovs_dataplane:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control MPLS OpenVSwitch dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # openvswitch
    ovs-vsctl: CommandFilter, ovs-vsctl, root
    ovs-ofctl: CommandFilter, ovs-ofctl, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root
# neutron.conf options, one mapping per configuration section.
neutron:
  DEFAULT:
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    log_config_append: /etc/neutron/logging.conf
    # NOTE(portdirect): the bind port should not be defined, and is manipulated
    # via the endpoints section.
    bind_port: null
    default_availability_zones: nova
    api_workers: 1
    rpc_workers: 4
    allow_overlapping_ips: True
    state_path: /var/lib/neutron
    # core_plugin can be: ml2, calico
    core_plugin: ml2
    # service_plugin can be: router, odl-router, empty for calico,
    # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
    service_plugins: router
    allow_automatic_l3agent_failover: True
    l3_ha: True
    max_l3_agents_per_router: 2
    l3_ha_network_type: vxlan
    network_auto_schedule: True
    router_auto_schedule: True
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
  oslo_concurrency:
    lock_path: /var/lib/neutron/tmp
  database:
    max_retries: -1
  agent:
    # Privileged commands go through sudo and neutron-rootwrap. These paths
    # have to match the NOPASSWD rules in neutron_sudoers exactly, and the
    # commands allowed are whatever the rootwrap filter files permit.
    root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
  oslo_messaging_notifications:
    driver: messagingv2
  oslo_messaging_rabbit:
    rabbit_ha_queues: true
  oslo_middleware:
    # Makes the http_proxy_to_wsgi filter honour forwarding headers. Safe
    # only when the API is reachable solely through a proxy that overwrites
    # those headers; a direct client could otherwise supply them.
    enable_proxy_headers_parsing: true
  oslo_policy:
    policy_file: /etc/neutron/policy.yaml
  ovn:
    ovn_metadata_enabled: true
  # The nova, placement and designate sections name the auth plugin only; no
  # credentials appear here.
  # NOTE(review): presumably the chart fills them in from its endpoints and
  # secrets at render time - confirm they never land in a committed values
  # override.
  nova:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  placement:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  designate:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
    allow_reverse_dns_lookup: true
  ironic:
    endpoint_type: internal
  keystone_authtoken:
    # Service tokens are accepted only when they carry the `service` role.
    service_token_roles: service
    service_token_roles_required: true
    # Token data cached in memcached is encrypted. keystonemiddleware also
    # needs memcache_secret_key for this strategy, and none is set here.
    # NOTE(review): presumably injected by the chart - confirm it is a
    # per-deployment random value.
    memcache_security_strategy: ENCRYPT
    auth_type: password
    auth_version: v3
    service_type: network
  octavia:
    request_poll_timeout: 3000
1956 logging:
1957 loggers:
1958 keys:
1959 - root
1960 - neutron
1961 - neutron_taas
1962 handlers:
1963 keys:
1964 - stdout
1965 - stderr
1966 - "null"
1967 formatters:
1968 keys:
1969 - context
1970 - default
1971 logger_root:
1972 level: WARNING
1973 handlers: 'null'
1974 logger_neutron:
1975 level: INFO
1976 handlers:
1977 - stdout
1978 qualname: neutron
1979 logger_neutron_taas:
1980 level: INFO
1981 handlers:
1982 - stdout
1983 qualname: neutron_taas
1984 logger_amqp:
1985 level: WARNING
1986 handlers: stderr
1987 qualname: amqp
1988 logger_amqplib:
1989 level: WARNING
1990 handlers: stderr
1991 qualname: amqplib
1992 logger_eventletwsgi:
1993 level: WARNING
1994 handlers: stderr
1995 qualname: eventlet.wsgi.server
1996 logger_sqlalchemy:
1997 level: WARNING
1998 handlers: stderr
1999 qualname: sqlalchemy
2000 logger_boto:
2001 level: WARNING
2002 handlers: stderr
2003 qualname: boto
2004 handler_null:
2005 class: logging.NullHandler
2006 formatter: default
2007 args: ()
2008 handler_stdout:
2009 class: StreamHandler
2010 args: (sys.stdout,)
2011 formatter: context
2012 handler_stderr:
2013 class: StreamHandler
2014 args: (sys.stderr,)
2015 formatter: context
2016 formatter_context:
2017 class: oslo_log.formatters.ContextFormatter
2018 datefmt: "%Y-%m-%d %H:%M:%S"
2019 formatter_default:
2020 format: "%(message)s"
2021 datefmt: "%Y-%m-%d %H:%M:%S"
# Per-plugin and per-agent configuration files.
plugins:
  ml2_conf:
    ml2:
      # Loads the port_security extension driver.
      extension_drivers: port_security
      # (NOTE)portdirect: if unset this is populated dynamically from the value
      # in 'network.backend' to sane defaults.
      mechanism_drivers: null
      type_drivers: flat,vlan,vxlan,local
      tenant_network_types: vxlan
    ml2_type_vxlan:
      vni_ranges: 1:1000
      vxlan_group: 239.1.1.1
    ml2_type_flat:
      # "*" accepts any physical_network name for flat networks. Listing the
      # physnets that really exist narrows what a caller with
      # provider-network rights can attach to.
      flat_networks: "*"
    # If you want to use the external network as a tagged provider network,
    # a range should be specified including the intended VLAN target
    # using ml2_type_vlan.network_vlan_ranges:
    # ml2_type_vlan:
    #   network_vlan_ranges: "external:1100:1110"
    ml2_type_geneve:
      vni_ranges: 1:65536
      max_header_size: 38
    agent:
      extensions: ""
  ml2_conf_sriov: null
  taas:
    taas:
      enabled: False
  openvswitch_agent:
    agent:
      tunnel_types: vxlan
      l2_population: True
      arp_responder: True
    ovs:
      bridge_mappings: "external:br-ex"
    securitygroup:
      firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  linuxbridge_agent:
    linux_bridge:
      # To define Flat and VLAN connections, in LB we can assign
      # specific interface to the flat/vlan network name using:
      # physical_interface_mappings: "external:eth3"
      # Or we can set the mapping between the network and bridge:
      bridge_mappings: "external:br-ex"
      # The two above options are exclusive, do not use both of them at once
    securitygroup:
      firewall_driver: iptables
    vxlan:
      l2_population: True
      arp_responder: True
  macvtap_agent: null
  sriov_agent:
    securitygroup:
      # No-op driver: this agent applies no security-group filtering to the
      # ports it manages, so traffic on SR-IOV ports has to be filtered
      # elsewhere (fabric ACLs, in-guest firewall) if isolation is required.
      firewall_driver: neutron.agent.firewall.NoopFirewallDriver
    sriov_nic:
      physical_device_mappings: physnet2:enp3s0f1
      # NOTE: do not use null here, use an empty string
      exclude_devices: ""
2080 dhcp_agent:
2081 DEFAULT:
2082 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2083 # 'network.backend' to sane defaults.
2084 interface_driver: null
2085 dnsmasq_config_file: /etc/neutron/dnsmasq.conf
2086 force_metadata: True
JustHumanz92a0be22025-02-11 00:09:55 +07002087 # NOTE(mnaser): This has to be here in order for the DHCP agent to work with OVN.
2088 ovs: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002089 dnsmasq: |
2090 #no-hosts
2091 #port=5353
2092 #cache-size=500
2093 #no-negcache
2094 #dns-forward-max=100
2095 #resolve-file=
2096 #strict-order
2097 #bind-interface
2098 #bind-dynamic
2099 #domain=
2100 #dhcp-range=10.10.10.10,10.10.10.100,24h
2101 #dhcp-lease-max=150
2102 #dhcp-host=11:22:33:44:55:66,ignore
2103 #dhcp-option=3,10.10.10.1
2104 #dhcp-option-force=26,1450
2105
2106 l3_agent:
2107 DEFAULT:
2108 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2109 # 'network.backend' to sane defaults.
2110 interface_driver: null
2111 agent_mode: legacy
2112 metering_agent: null
# Configuration for the neutron metadata agent.
metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # Placeholder, not a secret: the chart default is the literal string
    # "password". The agent signs the instance ID it forwards to the nova
    # metadata API with this value, and nova relies on that signature to
    # trust the forwarded ID, so a guessable value removes the protection.
    # Override it per deployment with a random value kept in a secret store
    # and configure the same value on the nova side.
    metadata_proxy_shared_secret: "password"
  cache:
    enabled: true
    backend: dogpile.cache.memcached
2122 bagpipe_bgp: {}
# Configuration for the OVN metadata agent.
ovn_metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # Placeholder, not a secret: the chart default is the literal string
    # "password". The value signs the instance ID forwarded to the nova
    # metadata API, so a guessable value removes that protection. Override
    # it per deployment with a random value kept in a secret store and
    # configure the same value on the nova side.
    metadata_proxy_shared_secret: "password"
    metadata_workers: 2
  cache:
    enabled: true
    backend: dogpile.cache.memcached
  ovs:
    ovsdb_connection: unix:/run/openvswitch/db.sock
Rico Lincf86b122023-11-02 01:29:14 +08002135 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002136
2137 rabbitmq:
2138 # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
2139 policies:
2140 - vhost: "neutron"
2141 name: "ha_ttl_neutron"
2142 definition:
2143 # mirror messages to other nodes in rmq cluster
2144 ha-mode: "all"
2145 ha-sync-mode: "automatic"
2146 # 70s
2147 message-ttl: 70000
2148 priority: 0
2149 apply-to: all
2150 pattern: '^(?!(amq\.|reply_)).*'
2151 ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
2152 ## This helps prevent sriov init script from failing due to mis-matched NIC
2153 ## For prod env, target NIC should match and init script should fail otherwise.
2154 ## sriov_init:
2155 ## - besteffort
2156 sriov_init:
2157 -
2158 # auto_bridge_add is a table of "bridge: interface" pairs
2159 # To automatically add physical interfaces to specific bridges,
2160 # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
2161 # to br1 do something like:
2162 #
2163 # auto_bridge_add:
2164 # br-physnet1: eth3
2165 # br0: if0
2166 # br1: iface_two
2167 # br-ex will be added by default
2168 auto_bridge_add:
2169 br-ex: null
2170
  # Network off-loading configuration
  # Disabled by default; asap2 is null until the commented example list of
  # device / VF-count entries is filled in.
  netoffload:
    enabled: false
    asap2:
      # - dev: enp97s0f0
      #   vfs: 16
  # configuration of OVS DPDK bridges and NICs
  # this is a separate section and not part of the auto_bridge_add section
  # because additional parameters are needed
  ovs_dpdk:
    enabled: false
    # setting update_dpdk_bond_config to true will have default behavior,
    # which may cause disruptions in ovs dpdk traffic in case of neutron
    # ovs agent restart or when dpdk nic/bond configurations are changed.
    # Setting this to false will configure dpdk in the first run and
    # disable nic/bond config on event of restart or config update.
    update_dpdk_bond_config: true
    # NOTE(review): uio_pci_generic binds the device without IOMMU
    # isolation; DPDK's documentation recommends vfio-pci where the
    # platform supports it. Review this default before enabling ovs_dpdk.
    driver: uio_pci_generic
    # In case bonds are configured, the nics which are part of those bonds
    # must NOT be provided here.
    nics:
      - name: dpdk0
        pci_id: '0000:05:00.0'
        # Set VF Index in case some particular VF(s) need to be
        # used with ovs-dpdk.
        # vf_index: 0
        bridge: br-phy
        migrate_ip: true
        n_rxq: 2
        n_txq: 2
        pmd_rxq_affinity: "0:3,1:27"
        ofport_request: 1
        # optional parameters for tuning the OVS DPDK config
        # in alignment with the available hardware resources
        # mtu: 2000
        # n_rxq_size: 1024
        # n_txq_size: 1024
        # vhost-iommu-support: true
    bridges:
      - name: br-phy
      # optional parameter, in case tunnel traffic needs to be transported
      # over a vlan underlay
      # - tunnel_underlay_vlan: 45
    # Optional parameter for configuring bonding in OVS-DPDK
    #   - name: br-phy-bond0
    # bonds:
    #   - name: dpdkbond0
    #     bridge: br-phy-bond0
    #     # The IP from the first nic in nics list shall be used
    #     migrate_ip: true
    #     mtu: 2000
    #     # Please note that n_rxq is set for each NIC individually
    #     # rather than denoting the total number of rx queues for
    #     # the bond as a whole. So setting n_rxq = 2 below for ex.
    #     # would be 4 rx queues in total for the bond.
    #     # Same for n_txq
    #     n_rxq: 2
    #     n_txq: 2
    #     ofport_request: 1
    #     n_rxq_size: 1024
    #     n_txq_size: 1024
    #     vhost-iommu-support: true
    #     ovs_options: "bond_mode=active-backup"
    #     nics:
    #       - name: dpdk_b0s0
    #         pci_id: '0000:06:00.0'
    #         pmd_rxq_affinity: "0:3,1:27"
    #         # Set VF Index in case some particular VF(s) need to be
    #         # used with ovs-dpdk. In which case pci_id of PF must be
    #         # provided above.
    #         # vf_index: 0
    #       - name: dpdk_b0s1
    #         pci_id: '0000:07:00.0'
    #         pmd_rxq_affinity: "0:3,1:27"
    #         # Set VF Index in case some particular VF(s) need to be
    #         # used with ovs-dpdk. In which case pci_id of PF must be
    #         # provided above.
    #         # vf_index: 0
    #
    # Set the log level for each target module (default level is always dbg)
    # Supported log levels are: off, emer, err, warn, info, dbg
    #
    # modules:
    #   - name: dpdk
    #     log_level: info
# Names of secrets used by bootstrap and environmental checks
# The values below are secret names (references), not credentials; the
# credential defaults themselves are set under endpoints.*.auth.
secrets:
  identity:
    admin: neutron-keystone-admin
    neutron: neutron-keystone-user
    test: neutron-keystone-test
  oslo_db:
    admin: neutron-db-admin
    neutron: neutron-db-user
  oslo_messaging:
    admin: neutron-rabbitmq-admin
    neutron: neutron-rabbitmq-user
  # Names of the secrets holding TLS material for the metadata and
  # neutron server endpoints.
  tls:
    compute_metadata:
      metadata:
        internal: metadata-tls-metadata
    network:
      server:
        public: neutron-tls-public
        internal: neutron-tls-server
  oci_image_registry:
    neutron: neutron-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# NOTE(review): every `password: password` under an `auth:` key in this
# section is a placeholder default. Supply real credentials through a
# deployment-specific values override (kept out of version control) and do
# not deploy with these literals. Most `scheme` defaults below are plain
# http as well.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # registry authentication is off by default
      enabled: false
      neutron:
        username: neutron
        # placeholder, see the note at the top of this section
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  oslo_db:
    auth:
      # NOTE(review): the admin account defaults to the database root user
      # with a placeholder password.
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      neutron:
        username: neutron
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      admin:
        username: rabbitmq
        # placeholder, see the note at the top of this section
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      neutron:
        username: neutron
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /neutron
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  compute:
    name: nova
    hosts:
      default: nova-api
      public: nova
    host_fqdn_override:
      default: null
    path:
      default: "/v2.1/%(tenant_id)s"
    scheme:
      default: 'http'
    port:
      api:
        default: 8774
        public: 80
      novncproxy:
        default: 6080
  compute_metadata:
    name: nova
    hosts:
      default: nova-metadata
      public: metadata
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      metadata:
        default: 8775
        public: 80
  identity:
    name: keystone
    # Keystone accounts used by this chart; all passwords are placeholders.
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      neutron:
        # NOTE(review): the neutron service user is given both the admin
        # and the service role by default.
        role: admin,service
        region_name: RegionOne
        username: neutron
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
      nova:
        region_name: RegionOne
        project_name: service
        username: nova
        password: password
        user_domain_name: service
        project_domain_name: service
      placement:
        region_name: RegionOne
        project_name: service
        username: placement
        password: password
        user_domain_name: service
        project_domain_name: service
      designate:
        region_name: RegionOne
        project_name: service
        username: designate
        password: password
        user_domain_name: service
        project_domain_name: service
      ironic:
        region_name: RegionOne
        project_name: service
        username: ironic
        password: password
        user_domain_name: service
        project_domain_name: service
      test:
        # NOTE(review): the test user also holds the admin role.
        role: admin
        region_name: RegionOne
        username: neutron-test
        password: password
        # NOTE: this project will be purged and reset if
        # conf.rally_tests.force_project_purge is set to true
        # which may be required upon test failure, but be aware that this will
        # expunge all openstack objects, so if this is used a separate project
        # should be used for each helm test, and also it should be ensured
        # that this project is not in use by other tenants
        project_name: test
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  network:
    name: neutron
    hosts:
      default: neutron-server
      public: neutron
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    scheme:
      default: 'http'
      service: 'http'
    port:
      api:
        default: 9696
        public: 80
        service: 9696
      policy_server:
        default: 9697
        public: 80
        service: 9697
  load_balancer:
    name: octavia
    hosts:
      default: octavia-api
      public: octavia
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 9876
        public: 80
  fluentd:
    namespace: osh-infra
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  dns:
    name: designate
    hosts:
      default: designate-api
      public: designate
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: 'http'
    port:
      api:
        default: 9001
        public: 80
  baremetal:
    name: ironic
    hosts:
      default: ironic-api
      public: ironic
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: 'http'
    port:
      api:
        default: 6385
        public: 80
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
# Default network policy rules for neutron.
# NOTE(review): each list holds a single empty rule (`{}`), which names no
# peers or ports; in a Kubernetes NetworkPolicy an empty rule matches all
# traffic, so these defaults restrict nothing. manifests.network_policy
# also defaults to false. Define explicit rules before relying on this
# section for isolation, and confirm how the templates consume it.
network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    ingress:
      - {}
    egress:
      - {}
# NOTE(review): presumably switches the chart's jobs to Helm 3 hook
# handling; the consumer is not visible here, confirm in the templates.
helm3_hook: true
# Log level for the health probe; defaults to ERROR.
health_probe:
  logging:
    level: ERROR
# Per-backend TLS toggles; all three default to false.
# NOTE(review): presumably these switch the identity (keystone), messaging
# (rabbitmq) and database (mariadb) connections to TLS; confirm in the
# templates. With the defaults, and the http endpoint schemes above,
# credentials and tokens would travel unencrypted inside the cluster, so
# enable these for anything beyond a test environment.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
# Per-manifest switches (presumably each key enables rendering of the
# matching template; confirm against the chart's templates directory).
manifests:
  # certificate objects are off by default
  certificates: false
  configmap_bin: true
  configmap_etc: true
  daemonset_dhcp_agent: true
  daemonset_l3_agent: true
  daemonset_lb_agent: true
  daemonset_metadata_agent: true
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  daemonset_bgp_dragent: false
  daemonset_netns_cleanup_cron: true
  deployment_ironic_agent: false
  deployment_server: true
  deployment_rpc_server: true
  ingress_server: true
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  # the database drop job is off by default
  job_db_drop: false
  job_image_repo_sync: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  job_rabbit_init: true
  pdb_server: true
  pod_rally_test: true
  # NOTE(review): network policies are off by default, so the rules under
  # the top-level network_policy key have no effect until this is true.
  network_policy: false
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_server: true
  service_server: true
...