summaryrefslogtreecommitdiff
path: root/templates/octavia.conf.j2
blob: c032a26db9535338d0931706acd8f95cee7080ee (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
[DEFAULT]
# Print debugging output (set logging level to DEBUG instead of default WARNING level).
debug = {{ debug }}

{% if not octavia_v2|bool %}
bind_host = 0.0.0.0
bind_port = {{ octavia_service_port }}
# api_handler = queue_producer
#
# How should authentication be handled (keystone, noauth)
auth_strategy = {{ octavia_auth_strategy }}
#
{% endif %}
# Plugin options are hot_plug_plugin (Hot-pluggable controller plugin)
#
# octavia_plugins = hot_plug_plugin

# Hostname to be used by the host machine for services running on it.
# The default value is the hostname of the host machine.
# host =

# AMQP Transport URL
# For Single Host, specify one full transport URL:
#   transport_url = rabbit://<user>:<pass>@127.0.0.1:5672/<vhost>
# For HA, specify queue nodes in cluster, comma delimited:
#   transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>

transport_url = {{ octavia_oslomsg_rpc_transport }}://{% for host in octavia_oslomsg_rpc_servers.split(',') %}{{ octavia_oslomsg_rpc_userid }}:{{ octavia_oslomsg_rpc_password }}@{{ host }}:{{ octavia_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_rpc_vhost }}{% if octavia_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

[oslo_messaging_notifications]
transport_url = {{ octavia_oslomsg_notify_transport }}://{% for host in octavia_oslomsg_notify_servers.split(',') %}{{ octavia_oslomsg_notify_userid }}:{{ octavia_oslomsg_notify_password }}@{{ host }}:{{ octavia_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ octavia_oslomsg_notify_vhost }}{% if octavia_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

[api_settings]
bind_host = 0.0.0.0
bind_port = {{ octavia_service_port }}
# api_handler = queue_producer
#
# How should authentication be handled (keystone, noauth)
# Note: remove "noauth" once LP bug is fixed
auth_strategy = {{ octavia_auth_strategy }}
#
api_v1_enabled = {{ octavia_v1 }}
api_v2_enabled = {{ octavia_v2 }}
# Allow users to create TLS Terminated listeners?
allow_tls_terminated_listeners = {{ octavia_tls_listener_enabled }}

# pre Ocata
[oslo_messaging_rabbit]
ssl = {{ octavia_oslomsg_rpc_use_ssl }}
rpc_conn_pool_size = {{ octavia_rpc_conn_pool_size }}

[database]
connection = mysql+pymysql://{{ octavia_galera_user }}:{{ octavia_container_mysql_password }}@{{ octavia_galera_address }}/{{ octavia_galera_database }}?charset=utf8{% if octavia_galera_use_ssl | bool %}&ssl_ca={{ octavia_galera_ssl_ca_cert }}{% endif %}

max_overflow = {{ octavia_db_max_overflow }}
max_pool_size = {{ octavia_db_pool_size }}
pool_timeout = {{ octavia_db_pool_timeout }}

[health_manager]
bind_ip = 0.0.0.0
bind_port = {{ octavia_health_manager_port }}
# controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
controller_ip_port_list = {% for host in octavia_hm_hosts.split(',') %}{{ host }}:{{ octavia_health_manager_port }}{% if not loop.last %},{% endif %}{% endfor %}

# failover_threads = 10
# status_update_threads = 50
# heartbeat_interval = 10
heartbeat_key = {{ octavia_health_hmac_key }}
# heartbeat_timeout = 60
# health_check_interval = 3
# sock_rlimit = 0

# EventStreamer options are
#                            queue_event_streamer,
#                            noop_event_streamer
event_streamer_driver = {% if octavia_event_streamer|bool %}queue_event_streamer{% else %}noop_event_streamer{% endif %}

# Enable provisioning status sync with neutron db
sync_provisioning_status = {{ octavia_sync_provisioning_status }}

[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ octavia_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}/v3
www_authenticate_uri = {{ keystone_service_internaluri }}/v3
auth_version = 3
project_domain_id = {{ octavia_service_project_domain_id }}
user_domain_id = {{ octavia_service_user_domain_id }}
project_name = {{ octavia_service_project_name }}
username = {{ octavia_service_user_name }}
password = {{ octavia_service_password }}
region_name = {{ keystone_service_region }}
auth_type = password
endpoint_type = {{ octavia_clients_endpoint }}
memcached_servers = {{ memcached_servers }}

token_cache_time = 300

# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}

[certificates]
# cert_generator = local_cert_generator

# For local certificate signing (development only):
ca_certificate = /etc/octavia/certs/ca.pem
ca_private_key = /etc/octavia/certs/ca_key.pem
ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }}
signing_digest = {{ octavia_signing_digest }}
# storage_path = /var/lib/octavia/certificates/

# For the TLS management
# Certificate Manager options are local_cert_manager
#                                 barbican_cert_manager
# cert_manager = barbican_cert_manager
# For Barbican authentication (if using any Barbican based cert class)
# barbican_auth = barbican_acl_auth
#
# Region in Identity service catalog to use for communication with the Barbican service.
# region_name =
#
# Endpoint type to use for communication with the Barbican service.
# endpoint_type = publicURL


[anchor]
# Use OpenStack anchor to sign the amphora REST API certificates
# url = http://localhost:9999/v1/sign/default
# username =
# password =

[networking]
# The maximum attempts to retry an action with the networking service.
# max_retries = 15
# Seconds to wait before retrying an action with the networking service.
# retry_interval = 1
# The maximum time to wait, in seconds, for a port to detach from an amphora
# port_detach_timeout = 300

[haproxy_amphora]
# base_path = /var/lib/octavia
# base_cert_dir = /var/lib/octavia/certs
# Absolute path to a custom HAProxy template file
{% if octavia_haproxy_amphora_template is defined %}
haproxy_template = {{ octavia_haproxy_amphora_template }}
{% endif %}
# connection_max_retries = 300
# connection_retry_interval = 5

# Maximum number of entries that can fit in the stick table.
# The size supports "k", "m", "g" suffixes.
# haproxy_stick_size = 10k

# REST Driver specific
# bind_host = 0.0.0.0
bind_port = {{ octavia_agent_port }}
#
# This setting is only needed with IPv6 link-local addresses (fe80::/64) are
# used for communication between Octavia and its Amphora, if IPv4 or other IPv6
# addresses are used it can be ignored.
# lb_network_interface = o-hm0
#
# haproxy_cmd = /usr/sbin/haproxy
# respawn_count = 2
# respawn_interval = 2
client_cert = /etc/octavia/certs/client.pem
server_ca = /etc/octavia/certs/server_ca.pem
#
# This setting is deprecated.  It is now automatically discovered.
# use_upstart = True
#
# rest_request_conn_timeout = 10
# rest_request_read_timeout = 60

[controller_worker]
amp_active_retries = {{ octavia_amp_active_retries }}
# amp_active_wait_sec = 10
# Glance parameters to extract image ID to use for amphora. Only one of
# parameters is needed. Using tags is the recommended way to refer to images.
amp_image_id = {{ octavia_amp_image_id }}
amp_image_tag = {{ octavia_glance_image_tag }}
# Optional owner ID used to restrict glance images to one owner ID.
# This is a recommended security setting.
amp_image_owner_id = {{ octavia_amp_image_owner_id }}
# octavia parameters to use when booting amphora
amp_flavor_id = {{ octavia_nova_flavor_uuid }}
amp_ssh_key_name = {{ octavia_ssh_key_name }}
amp_ssh_access_allowed = {{ octavia_ssh_enabled }}


# Networks to attach to the Amphorae examples:
#  - One primary network
#  - - amp_boot_network_list = 22222222-3333-4444-5555-666666666666
#  - Multiple networks
#  - - amp_boot_network_list = 11111111-2222-33333-4444-555555555555, 22222222-3333-4444-5555-666666666666
#  - All networks defined in the list will be attached to each amphora
amp_boot_network_list = {{ octavia_neutron_management_network_uuid }}

# Takes a single network id that is attached to amphorae on boot
# Deprecated...
# amp_network =

amp_secgroup_list = {{ octavia_security_group_name }}
client_ca = /etc/octavia/certs/client_ca.pem

# Amphora driver options are amphora_noop_driver,
#                            amphora_haproxy_rest_driver
#
amphora_driver = {{ octavia_amphora_driver }}
#
# Compute driver options are compute_noop_driver
#                            compute_octavia_driver
#
compute_driver = {{ octavia_compute_driver }}
#
# Network driver options are network_noop_driver
#                            allowed_address_pairs_driver
#
network_driver = {{ octavia_network_driver }}
#
# Certificate Generator options are local_cert_generator
#                                   barbican_cert_generator
#                                   anchor_cert_generator
# cert_generator = local_cert_generator
#
# Load balancer topology options are SINGLE, ACTIVE_STANDBY
loadbalancer_topology = {{ octavia_loadbalancer_topology }}
# user_data_config_drive = False

[task_flow]
# engine = serial
max_workers = {{ octavia_task_flow_max_workers }}

[oslo_messaging]
# Queue Consumer Thread Pool Size
rpc_thread_pool_size = {{ octavia_rpc_thread_pool_size }}

# Topic (i.e. Queue) Name
topic = octavia_prov

# Topic for octavia's events sent to a queue
event_stream_topic = neutron_lbaas_event

# Put it into the Neutron queue
{% if octavia_event_streamer|bool %}
event_stream_transport_url = {{ neutron_oslomsg_rpc_transport }}://{% for host in neutron_oslomsg_rpc_servers.split(',') %}{{ octavia_neutron_oslomsg_rpc_userid }}:{{ octavia_neutron_oslomsg_rpc_password }}@{{ host }}:{{ neutron_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ neutron_oslomsg_rpc_vhost }}{% if neutron_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
{% endif %}


[house_keeping]
# Interval in seconds to initiate spare amphora checks
# spare_check_interval = 30
spare_amphora_pool_size = {{ octavia_spare_amphora_pool_size }}

# Cleanup interval for Deleted amphora
# cleanup_interval = 30
# Amphora expiry age in seconds. Default is 1 week
# amphora_expiry_age = 604800

# Load balancer expiry age in seconds. Default is 1 week
# load_balancer_expiry_age = 604800

[amphora_agent]
# agent_server_ca = /etc/octavia/certs/client_ca.pem
# agent_server_cert = /etc/octavia/certs/server.pem
# agent_server_network_dir = /etc/netns/amphora-haproxy/network/interfaces.d/
# agent_server_network_file =
# agent_request_read_timeout = 120

[keepalived_vrrp]
# Amphora Role/Priority advertisement interval in seconds
# vrrp_advert_int = 1

# Service health check interval and success/fail count
# vrrp_check_interval = 5
# vrpp_fail_count = 2
# vrrp_success_count = 2

# Amphora MASTER gratuitous ARP refresh settings
# vrrp_garp_refresh_interval = 5
# vrrp_garp_refresh_count = 2

[service_auth]
# memcached_servers =
# signing_dir =
# cafile = /opt/stack/data/ca-bundle.pem
# project_domain_name = Default
# project_name = admin
# user_domain_name = Default
# password = password
# username = admin
# auth_type = password
# auth_url = http://localhost:5555/
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ octavia_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}/v3
www_authenticate_uri = {{ keystone_service_internaluri }}/v3
auth_version = 3
project_domain_name = {{ octavia_service_project_domain_id }}
user_domain_name = {{ octavia_service_user_domain_id }}
project_name = {{ octavia_service_project_name }}
username = {{ octavia_service_user_name }}
password = {{ octavia_service_password }}
region_name = {{ keystone_service_region }}
auth_type = password
memcached_servers = {{ memcached_servers }}
endpoint_type = {{ octavia_clients_endpoint }}
token_cache_time = 300

# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}


[octavia]
# The name of the octavia service in the keystone catalog
# service_name =
# Custom octavia endpoint if override is necessary
# endpoint =

# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}

# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}

# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =

[nova]
# The name of the nova service in the keystone catalog
# service_name =
# Custom nova endpoint if override is necessary
# endpoint =

# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}

# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}

# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =

enable_anti_affinity = {{ octavia_enable_anti_affinity }}

{% if octavia_amp_availability_zone is defined %}availability_zone={{ octavia_amp_availability_zone }}{%endif%}

[glance]
# The name of the glance service in the keystone catalog
# service_name =
# Custom glance endpoint if override is necessary
# endpoint =

# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}

# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}

# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =

[neutron]
# The name of the neutron service in the keystone catalog
# service_name =
# Custom neutron endpoint if override is necessary
# endpoint =

# Region in Identity service catalog to use for communication with the
# OpenStack services.
region_name = {{ keystone_service_region }}

# Endpoint type in Identity service catalog to use for communication with
# the OpenStack services.
endpoint_type = {{ octavia_clients_endpoint }}

# CA certificates file to verify neutron connections when TLS is enabled
# insecure = False
# ca_certificates_file =