From cebfa7f74d7779ee09b9dd0ed8ec0c9917a3e6f3 Mon Sep 17 00:00:00 2001 From: Shane Peters Date: Mon, 5 Jun 2017 18:33:42 -0400 Subject: [PATCH] Cleanup config.yaml Change-Id: I62d6452cf1372afeb99a1e1d9fb8d90adaf8909d --- config.yaml | 346 ++++++++++++++++++++++++++++------------------------ 1 file changed, 188 insertions(+), 158 deletions(-) diff --git a/config.yaml b/config.yaml index 774aaa33..0a60b659 100644 --- a/config.yaml +++ b/config.yaml 
@@ -2,55 +2,53 @@ options: debug: type: boolean default: False - description: Enable verbose logging. + description: Enable debug logging. verbose: type: boolean default: False - description: Enable debug logging. + description: Enable verbose logging. + log-level: + type: string + default: WARNING + description: Log level (WARNING, INFO, DEBUG, ERROR) use-syslog: type: boolean default: False description: | Setting this to True will allow supporting services to log to syslog. openstack-origin: - default: distro type: string + default: distro description: | - Repository from which to install. May be one of the following: + Repository from which to install. May be one of the following: distro (default), ppa:somecustom/ppa, a deb url sources entry, - or a supported Cloud Archive release pocket. - - Supported Cloud Archive sources include: - + or a supported Ubuntu Cloud Archive e.g. + . cloud:- cloud:-/updates cloud:-/staging cloud:-/proposed - - For series=Precise we support cloud archives for openstack-release: - * icehouse - - For series=Trusty we support cloud archives for openstack-release: - * juno - * kilo - * ... - + . + See https://wiki.ubuntu.com/OpenStack/CloudArchive for info on which + cloud archives are available and supported. + . NOTE: updating this setting to a source that is known to provide - a later version of OpenStack will trigger a software upgrade. + a later version of OpenStack will trigger a software upgrade unless + action-managed-upgrade is set to True. openstack-origin-git: - default: type: string + default: description: | Specifies a default OpenStack release name, or a YAML dictionary listing the git repositories to install from. - + . The default Openstack release name may be one of the following, where the corresponding OpenStack github branch will be used: * liberty * mitaka * newton * master - + . 
The YAML must minimally include requirements and keystone repositories, and may also include repositories for other dependencies: repositories: 
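Review bot: The boolean defaults in this hunk are written as `default: False` (debug, verbose, use-syslog), which is YAML 1.1 truthy spelling rather than the canonical lowercase `false`; the same spelling recurs in the later hunks for action-managed-upgrade, ldap-readonly and dns-ha. Juju's loader presumably accepts it, so this is a consistency and lint point (yamllint `truthy`) rather than a defect, but since the commit already reorders every option's `type`/`default` pair it is a cheap moment to normalise them, e.g. `default: false`. The `openstack-origin-git` option keeps a bare `default:`, which parses as null; if an empty string is the intended default it should be `default: ""` so the charm code does not have to special-case null.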
@@ -61,127 +59,219 @@ options: repository: 'git://github.com/openstack/keystone', branch: master} release: master + action-managed-upgrade: + type: boolean + default: False + description: | + If True enables openstack upgrades for this charm via juju actions. + You will still need to set openstack-origin to the new repository but + instead of an upgrade running automatically across all units, it will + wait for you to execute the openstack-upgrade action for this charm on + each unit. If False it will revert to existing behavior of upgrading + all units on config change. + harden: + type: string + default: + description: | + Apply system hardening. Supports a space-delimited list of modules + to run. Supported modules currently include os, ssh, apache and mysql. config-file: + type: string default: "/etc/keystone/keystone.conf" - type: string description: "Location of keystone configuration file" - log-level: - default: WARNING - type: string - description: Log level (WARNING, INFO, DEBUG, ERROR) service-port: - default: 5000 type: int + default: 5000 description: Port the bind the API server to. admin-port: - default: 35357 type: int + default: 35357 description: Port the bind the Admin API server to. keystone-admin-role: - default: "Admin" type: string + default: "Admin" description: Role that allows admin operations (access to all operations). keystone-service-admin-role: - default: "KeystoneServiceAdmin" type: string + default: "KeystoneServiceAdmin" description: Role that allows acting as service admin. admin-user: - default: admin type: string + default: admin description: Default admin user to create and manage. admin-password: - default: None type: string + default: None description: | Admin password. To be used *for testing only*. Randomly generated by default. admin-token: - default: None type: string + default: None description: | Admin token. If set, this token will be used for all services instead of being generated per service. 
admin-role: + type: string default: 'Admin' - type: string - description: Admin role to be associated with admin and service users + description: Admin role to be associated with admin and service users. token-expiration: - default: 3600 type: int - description: Amount of time a token should remain valid (in seconds). + default: 3600 + description: Amount of time (in seconds) a token should remain valid. service-tenant: - default: "services" type: string + default: "services" description: Name of tenant to associate service credentials. service-admin-prefix: type: string - default: + default: description: | When service relations are joined they provide a name used to create a service admin_username in keystone. The name used may be too crude for some situations e.g. pre-populated LDAP identity backend. If set, this option will be prepended to each service admin_username. - # Database settings used to request access via shared-db-relation-* relations - database: - default: "keystone" + worker-multiplier: + type: float + default: + description: | + The CPU core multiplier to use when configuring worker processes for + Keystone. By default, the number of workers for each daemon is set to + twice the number of CPU cores a service unit has. When deployed in + a LXD container, this default value will be capped to 4 workers + unless this configuration option is set. + enable-pki: type: string + default: "false" + description: Enable PKI token signing. + preferred-api-version: + type: int + default: 2 + description: | + Use this keystone api version for keystone endpoints and advertise this + version to identity client charms. + haproxy-server-timeout: + type: int + default: + description: | + Server timeout configuration in ms for haproxy, used in HA + configurations. If not provided, default value of 30000ms is used. + haproxy-client-timeout: + type: int + default: + description: | + Client timeout configuration in ms for haproxy, used in HA + configurations. 
If not provided, default value of 30000ms is used. + haproxy-queue-timeout: + type: int + default: + description: | + Queue timeout configuration in ms for haproxy, used in HA + configurations. If not provided, default value of 5000ms is used. + haproxy-connect-timeout: + type: int + default: + description: | + Connect timeout configuration in ms for haproxy, used in HA + configurations. If not provided, default value of 5000ms is used. + database: + type: string + default: "keystone" description: Keystone database name. database-user: - default: "keystone" type: string + default: "keystone" description: Username used for connecting to the Keystone database. region: - default: RegionOne type: string + default: RegionOne description: | Space-separated list of Openstack regions. identity-backend: type: string default: "sql" description: | - Keystone identity backend, valid options are: sql, ldap, kvs, pam. + Keystone identity backend, valid options are: sql, ldap, pam. + . + NOTE: this option should no longer be used to configure ldap. Instead + the cs:keystone-ldap subordinate charm should be used to configure ldap + backends. assignment-backend: type: string default: "sql" description: | - Keystone assignment backend, valid options are sql, ldap, kvs. + Keystone assignment backend, valid options are sql, ldap. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. ldap-server: type: string default: None - description: Ldap server address for keystone identity backend. + description: | + Ldap server address for keystone identity backend. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. 
ldap-user: type: string default: None - description: Username of the ldap identity server. + description: | + Username of the ldap identity server. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. ldap-password: type: string default: None - description: Password of the ldap identity server. + description: | + Password of the ldap identity server. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. ldap-suffix: type: string default: None - description: Ldap server suffix to be used by keystone. + description: | + Ldap server suffix to be used by keystone. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. ldap-config-flags: type: string default: None - description: comma sperated options for ldap configuration. + description: | + Comma-separated options for ldap configuration. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. ldap-readonly: type: boolean default: True - description: Ldap identity server backend readonly to keystone. + description: | + Ldap identity server backend readonly to keystone. + . + [DEPRECATED] this option should no longer be used to configure ldap. + Instead the cs:keystone-ldap subordinate charm should be used to + configure ldap backends. This option will be removed in the next release. 
# HA configuration settings dns-ha: type: boolean default: False description: | - Use DNS HA with MAAS 2.0. Note if this is set do not set vip - settings below. + Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings + below. vip: type: string default: description: | Virtual IP(s) to use to front API services in HA configuration. - + . If multiple networks are being used, a VIP should be provided for each network, separated by spaces. vip_iface: 
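Review bot: For `admin-password` and `admin-token` (and the `ldap-*` options later in this hunk) `default: None` under `type: string` yields the literal string `"None"`, not YAML null, whereas the neighbouring options added here (harden, worker-multiplier, haproxy-*-timeout, service-admin-prefix) use a bare `default:` that parses as null. The two conventions coexist in one file, so a reader cannot tell which "unset" sentinel the charm code actually checks; if the code does compare against the string, a comment above those options such as `# 'None' is the literal string sentinel for "unset", not YAML null` would prevent a well-meaning cleanup from breaking it. The `admin-token` description says a configured token is used for all services instead of being generated per service; it would be worth adding the same "for testing only / treat as a secret" caveat that `admin-password` already carries, since a static token configured here ends up shared across every service the charm registers.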
@@ -208,46 +298,12 @@ options: description: | Default multicast port number that will be used to communicate between HA Cluster nodes. - # PKI enablement and configuration (Grizzly and beyond) - enable-pki: - default: "false" - type: string - description: Enable PKI token signing (>= Grizzly). - https-service-endpoints: - default: "False" - type: string - description: Manage SSL certificates for all service endpoints. - use-https: - default: "no" - type: string - description: Use SSL for Keystone itself. Set to 'yes' to enable it. - ssl_cert: - type: string - default: - description: | - base64-encoded SSL certificate to install and use for API ports. Setting - this value and ssl_key will enable reverse proxying, point Keystone's - entry in the Keystone catalog to use https, and override any certficiate - and key issued by Keystone (if it is configured to do so). - ssl_key: - type: string - default: - description: base64-encoded SSL key to use with certificate specified as - ssl_cert. - ssl_ca: - type: string - default: - description: | - base64-encoded SSL CA to use with the certificate and key provided - - this is only required if you are providing a privately signed ssl_cert - and ssl_key. - # Network configuration options - # by default all access is over 'private-address' + # Network config (by default all access is over 'private-address') os-admin-network: type: string default: description: | - The IP address and netmask of the OpenStack Admin network (e.g., + The IP address and netmask of the OpenStack Admin network (e.g. 192.168.0.0/24) . This network will be used for admin endpoints. @@ -255,7 +311,7 @@ options: type: string default: description: | - The IP address and netmask of the OpenStack Internal network (e.g., + The IP address and netmask of the OpenStack Internal network (e.g. 192.168.0.0/24) . This network will be used for internal endpoints. 
@@ -263,7 +319,7 @@ options: type: string default: description: | - The IP address and netmask of the OpenStack Public network (e.g., + The IP address and netmask of the OpenStack Public network (e.g. 192.168.0.0/24) . This network will be used for public endpoints. @@ -287,8 +343,8 @@ options: in the keystone identity provider (itself). . This value will be used for internal endpoints. For example, an - os-internal-hostname set to 'keystone.internal.example.com' with ssl enabled will - create a internal endpoint for keystone as: + os-internal-hostname set to 'keystone.internal.example.com' with ssl + enabled will create a internal endpoint for keystone as: . https://keystone.internal.example.com:5000/v2.0 os-admin-hostname: @@ -299,8 +355,8 @@ options: in the keystone identity provider (itself). . This value will be used for admin endpoints. For example, an - os-admin-hostname set to 'keystone.admin.example.com' with ssl enabled will - create a admin endpoint for keystone as: + os-admin-hostname set to 'keystone.admin.example.com' with ssl enabled + will create a admin endpoint for keystone as: . https://keystone.admin.example.com:5000/v2.0 prefer-ipv6: 
@@ -315,74 +371,48 @@ options: order for this charm to function correctly, the privacy extension must be disabled and a non-temporary address must be configured/available on your network interface. - worker-multiplier: - type: float + https-service-endpoints: + type: string + default: "False" + description: Manage SSL certificates for all service endpoints. + use-https: + type: string + default: "no" + description: Use SSL for Keystone itself. Set to 'yes' to enable it. + ssl_cert: + type: string default: description: | - The CPU core multiplier to use when configuring worker processes for - Keystone. By default, the number of workers for each daemon is set to - twice the number of CPU cores a service unit has. When deployed in - a LXD container, this default value will be capped to 4 workers - unless this configuration option is set. - nagios_context: - default: "juju" + base64-encoded SSL certificate to install and use for API ports. Setting + this value and ssl_key will enable reverse proxying, point Keystone's + entry in the Keystone catalog to use https, and override any certificate + and key issued by Keystone (if it is configured to do so). + ssl_key: type: string + default: description: | - Used by the nrpe-external-master subordinate charm. - A string that will be prepended to instance name to set the host name - in nagios. So for instance the hostname would be something like: - juju-myservice-0 - If you're running multiple environments with the same services in them + base64-encoded SSL key to use with certificate specified as ssl_cert. + ssl_ca: + type: string + default: + description: | + base64-encoded SSL CA to use with the certificate and key provided - + this is only required if you are providing a privately signed ssl_cert + and ssl_key. + # Monitoring config + nagios_context: + type: string + default: "juju" + description: | + Used by the nrpe-external-master subordinate charm. 
A string that will + be prepended to instance name to set the host name in nagios. So for + instance the hostname would be something like 'juju-myservice-0'. If + you are running multiple environments with the same services in them this allows you to differentiate between them. nagios_servicegroups: - default: "" type: string + default: "" description: | A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup - preferred-api-version: - default: 2 - type: int - description: | - Use this keystone api version for keystone endpoints and advertise this - version to identity client charms - action-managed-upgrade: - type: boolean - default: False - description: | - If True enables openstack upgrades for this charm via juju actions. - You will still need to set openstack-origin to the new repository but - instead of an upgrade running automatically across all units, it will - wait for you to execute the openstack-upgrade action for this charm on - each unit. If False it will revert to existing behavior of upgrading - all units on config change. - haproxy-server-timeout: - type: int - default: - description: | - Server timeout configuration in ms for haproxy, used in HA - configurations. If not provided, default value of 30000ms is used. - haproxy-client-timeout: - type: int - default: - description: | - Client timeout configuration in ms for haproxy, used in HA - configurations. If not provided, default value of 30000ms is used. - haproxy-queue-timeout: - type: int - default: - description: | - Queue timeout configuration in ms for haproxy, used in HA - configurations. If not provided, default value of 5000ms is used. - haproxy-connect-timeout: - type: int - default: - description: | - Connect timeout configuration in ms for haproxy, used in HA - configurations. If not provided, default value of 5000ms is used. - harden: - default: - type: string - description: | - Apply system hardening. 
Supports a space-delimited list of modules - to run. Supported modules currently include os, ssh, apache and mysql. +