openstack
/
openstack-ansible-os_octavia
Code Issues Proposed changes

Cleanup octavia configuration 

This drops unused or fully commented out sections out of octavia.conf.
Also we start using service_token_roles as current behavior has been
deprecated a while ago

Change-Id: I1b2fe1cc2c6330e68d1acfa1b50bf732f77e8255
This commit is contained in:
Dmitriy Rabotyagov 2020-12-02 16:26:51 +02:00
parent e00cb9c563
commit 0df9a23a67
1 changed files with 9 additions and 221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

230
templates/octavia.conf.j2
View File

@ -1,34 +1,15 @@
[DEFAULT]
# Print debugging output (set logging level to DEBUG instead of default WARNING level).
debug = {{ debug }}
use_journal = True
# Plugin options are hot_plug_plugin (Hot-pluggable controller plugin)
#
# octavia_plugins = hot_plug_plugin
# Hostname to be used by the host machine for services running on it.
# The default value is the hostname of the host machine.
# host =
# AMQP Transport URL
# For Single Host, specify one full transport URL:
# transport_url = rabbit://<user>:<pass>@127.0.0.1:5672/<vhost>
# For HA, specify queue nodes in cluster, comma delimited:
# transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>
transport_url = {{ octavia_oslomsg_rpc_transport }}://{% for host in octavia_oslomsg_rpc_servers.split(',') %}{{ octavia_oslomsg_rpc_userid }}:{{ octavia_oslomsg_rpc_password }}@{{ host }}:{{ octavia_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_rpc_vhost }}{% if octavia_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
[oslo_messaging_notifications]
transport_url = {{ octavia_oslomsg_notify_transport }}://{% for host in octavia_oslomsg_notify_servers.split(',') %}{{ octavia_oslomsg_notify_userid }}:{{ octavia_oslomsg_notify_password }}@{{ host }}:{{ octavia_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_notify_vhost }}{% if octavia_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
[api_settings]
bind_host = 0.0.0.0
bind_host = {{ octavia_uwsgi_bind_address }}
bind_port = {{ octavia_service_port }}
# api_handler = queue_producer
#
# How should authentication be handled (keystone, noauth)
# Note: remove "noauth" once LP bug is fixed
auth_strategy = {{ octavia_auth_strategy }}
# Allow users to create TLS Terminated listeners?
@ -52,13 +33,7 @@ bind_port = {{ octavia_health_manager_port }}
# controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %}
# failover_threads = 10
# status_update_threads = 50
# heartbeat_interval = 10
heartbeat_key = {{ octavia_health_hmac_key }}
# heartbeat_timeout = 60
# health_check_interval = 3
# sock_rlimit = 0
# EventStreamer options are
# queue_event_streamer,
@ -83,8 +58,9 @@ region_name = {{ keystone_service_region }}
auth_type = password
endpoint_type = {{ octavia_clients_endpoint }}
memcached_servers = {{ octavia_memcached_servers }}
token_cache_time = 300
service_token_roles = "{{ octavia_service_role_name }}"
service_token_roles_required = True
# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
@ -98,134 +74,42 @@ ca_certificate = /etc/octavia/certs/ca.pem
ca_private_key = /etc/octavia/certs/ca_key.pem
ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }}
signing_digest = {{ octavia_signing_digest }}
# storage_path = /var/lib/octavia/certificates/
# For the TLS management
# Certificate Manager options are local_cert_manager
# barbican_cert_manager
# cert_manager = barbican_cert_manager
# For Barbican authentication (if using any Barbican based cert class)
# barbican_auth = barbican_acl_auth
#
# Region in Identity service catalog to use for communication with the Barbican service.
# region_name =
#
# Endpoint type to use for communication with the Barbican service.
endpoint_type = {{ octavia_clients_endpoint }}
[anchor]
# Use OpenStack anchor to sign the amphora REST API certificates
# url = http://localhost:9999/v1/sign/default
# username =
# password =
[networking]
# The maximum attempts to retry an action with the networking service.
# max_retries = 15
# Seconds to wait before retrying an action with the networking service.
# retry_interval = 1
# The maximum time to wait, in seconds, for a port to detach from an amphora
# port_detach_timeout = 300
[haproxy_amphora]
# base_path = /var/lib/octavia
# base_cert_dir = /var/lib/octavia/certs
# Absolute path to a custom HAProxy template file
{% if octavia_haproxy_amphora_template is defined %}
haproxy_template = {{ octavia_haproxy_amphora_template }}
{% endif %}
# connection_max_retries = 300
# connection_retry_interval = 5
# Maximum number of entries that can fit in the stick table.
# The size supports "k", "m", "g" suffixes.
# haproxy_stick_size = 10k
# REST Driver specific
# bind_host = 0.0.0.0
bind_port = {{ octavia_agent_port }}
#
# This setting is only needed with IPv6 link-local addresses (fe80::/64) are
# used for communication between Octavia and its Amphora, if IPv4 or other IPv6
# addresses are used it can be ignored.
# lb_network_interface = o-hm0
#
# haproxy_cmd = /usr/sbin/haproxy
# respawn_count = 2
# respawn_interval = 2
client_cert = /etc/octavia/certs/client.pem
server_ca = /etc/octavia/certs/server_ca.pem
#
# This setting is deprecated. It is now automatically discovered.
# use_upstart = True
#
# rest_request_conn_timeout = 10
# rest_request_read_timeout = 60
[controller_worker]
amp_active_retries = {{ octavia_amp_active_retries }}
# amp_active_wait_sec = 10
# Glance parameters to extract image ID to use for amphora. Only one of
# parameters is needed. Using tags is the recommended way to refer to images.
amp_image_id = {{ octavia_amp_image_id }}
amp_image_tag = {{ octavia_glance_image_tag }}
# Optional owner ID used to restrict glance images to one owner ID.
# This is a recommended security setting.
amp_image_owner_id = {{ octavia_amp_image_owner_id }}
# octavia parameters to use when booting amphora
amp_flavor_id = {{ octavia_nova_flavor_uuid }}
amp_ssh_key_name = {{ octavia_ssh_key_name }}
amp_ssh_access_allowed = {{ octavia_ssh_enabled }}
# Networks to attach to the Amphorae examples:
# - One primary network
# - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666
# - Multiple networks
# - - amp_boot_network_list = 11111111-2222-33333-4444-555555555555, 22222222-3333-4444-5555-666666666666
# - All networks defined in the list will be attached to each amphora
amp_boot_network_list = {{ octavia_neutron_management_network_uuid }}
# Takes a single network id that is attached to amphorae on boot
# Deprecated...
# amp_network =
amp_secgroup_list = {{ octavia_security_group_name }}
client_ca = /etc/octavia/certs/client_ca.pem
# Amphora driver options are amphora_noop_driver,
# amphora_haproxy_rest_driver
#
amphora_driver = {{ octavia_amphora_driver }}
#
# Compute driver options are compute_noop_driver
# compute_octavia_driver
#
compute_driver = {{ octavia_compute_driver }}
#
# Network driver options are network_noop_driver
# allowed_address_pairs_driver
#
network_driver = {{ octavia_network_driver }}
#
# Cinder Volume driver options are volume_noop_driver
# volume_cinder_driver
#
{% if octavia_cinder_enabled %}
volume_driver = volume_cinder_driver
{% else %}
volume_driver = volume_noop_driver
{% endif %}
#
# Certificate Generator options are local_cert_generator
# barbican_cert_generator
# anchor_cert_generator
# cert_generator = local_cert_generator
#
# Load balancer topology options are SINGLE, ACTIVE_STANDBY
loadbalancer_topology = {{ octavia_loadbalancer_topology }}
# user_data_config_drive = False
[task_flow]
# engine = serial
@ -248,49 +132,10 @@ event_stream_transport_url = {{ neutron_oslomsg_rpc_transport }}://{% for host i
[house_keeping]
# Interval in seconds to initiate spare amphora checks
# spare_check_interval = 30
spare_amphora_pool_size = {{ octavia_spare_amphora_pool_size }}
# Cleanup interval for Deleted amphora
# cleanup_interval = 30
# Amphora expiry age in seconds. Default is 1 week
# amphora_expiry_age = 604800
# Load balancer expiry age in seconds. Default is 1 week
# load_balancer_expiry_age = 604800
[amphora_agent]
# agent_server_ca = /etc/octavia/certs/client_ca.pem
# agent_server_cert = /etc/octavia/certs/server.pem
# agent_server_network_dir = /etc/netns/amphora-haproxy/network/interfaces.d/
# agent_server_network_file =
# agent_request_read_timeout = 120
[keepalived_vrrp]
# Amphora Role/Priority advertisement interval in seconds
# vrrp_advert_int = 1
# Service health check interval and success/fail count
# vrrp_check_interval = 5
# vrpp_fail_count = 2
# vrrp_success_count = 2
# Amphora MASTER gratuitous ARP refresh settings
# vrrp_garp_refresh_interval = 5
# vrrp_garp_refresh_count = 2
[service_auth]
# memcached_servers =
# signing_dir =
# cafile = /opt/stack/data/ca-bundle.pem
# project_domain_name = Default
# project_name = admin
# user_domain_name = Default
# password = password
# username = admin
# auth_type = password
# auth_url = http://localhost:5555/
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ octavia_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}/v3
@ -313,41 +158,12 @@ memcache_secret_key = {{ memcached_encryption_key }}
[octavia]
# The name of the octavia service in the keystone catalog
# service_name =
# Custom octavia endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}
# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =
[nova]
# The name of the nova service in the keystone catalog
# service_name =
# Custom nova endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}
# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =
enable_anti_affinity = {{ octavia_enable_anti_affinity }}
{% if octavia_amp_availability_zone is defined %}availability_zone={{ octavia_amp_availability_zone }}{%endif%}
@ -366,37 +182,9 @@ volume_create_max_retries = 2
{% endif %}
[glance]
# The name of the glance service in the keystone catalog
# service_name =
# Custom glance endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}
# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =
[neutron]
# The name of the neutron service in the keystone catalog
# service_name =
# Custom neutron endpoint if override is necessary
# endpoint =
# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}
# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}
# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =