classes/cluster/virtual-mcp11-aio/openstack/init.yml

classes:
- system.salt.minion.cert.mysql.server
- system.salt.minion.cert.rabbitmq_server
- system.linux.system.lowmem
- system.linux.system.repo.mcp.openstack
- system.linux.system.repo.mcp.extra
- system.linux.storage.loopback
- service.rabbitmq.server.ssl
- system.rabbitmq.server.vhost.openstack
- system.nginx.server.single
- system.nginx.server.proxy.openstack_api
- system.nginx.server.proxy.openstack.barbican
- system.nginx.server.proxy.openstack.designate
- system.nginx.server.proxy.openstack.placement
- system.keystone.server.wsgi
- system.keystone.server.single
- service.galera.ssl
- service.galera.master.cluster
- system.galera.server.database.cinder
- system.galera.server.database.designate
- system.galera.server.database.glance
- system.galera.server.database.heat
- system.galera.server.database.keystone
- system.galera.server.database.nova
- system.galera.server.database.barbican
- system.keystone.client.single
- system.keystone.client.service.barbican
- system.keystone.client.service.cinder3
- system.keystone.client.service.nova21
- system.keystone.client.service.nova-placement
- system.keystone.client.service.designate
- system.glance.control.single
- system.nova.control.single
- system.neutron.control.openvswitch.single
- system.neutron.client.service.public
- system.heat.server.single
- system.nova.compute.single
- service.neutron.gateway.single
- system.cinder.control.single
- system.cinder.control.backend.lvm
- service.cinder.volume.single
- system.cinder.volume.backend.lvm
- system.horizon.server.single
- system.horizon.server.plugin.theme
- system.bind.server.single
- system.barbican.server.single
- service.barbican.server.plugin.simple_crypto
- system.designate.server.single
- system.designate.server.backend.bind
- service.runtest.tempest
parameters:
  _param:
    openstack_version: pike
    cluster_public_host: ${_param:single_address}
    cluster_public_protocol: https
    cluster_internal_protocol: https
    keystone_service_protocol: ${_param:cluster_internal_protocol}
    glance_service_protocol: ${_param:cluster_internal_protocol}
    nova_service_protocol: ${_param:cluster_internal_protocol}
    neutron_service_protocol: ${_param:cluster_internal_protocol}
    heat_service_protocol: ${_param:cluster_internal_protocol}
    cinder_service_protocol: ${_param:cluster_internal_protocol}
    barbican_service_protocol: ${_param:cluster_internal_protocol}
    designate_service_protocol: ${_param:cluster_internal_protocol}
    openstack_region: RegionOne
    admin_email: root@localhost
    rabbitmq_openstack_password: workshop
    galera_server_cluster_name: openstack_cluster
    galera_server_maintenance_password: workshop
    galera_server_admin_password: workshop
    keystone_version: ${_param:openstack_version}
    barbican_version: ${_param:openstack_version}
    glance_version: ${_param:openstack_version}
    nova_version: ${_param:openstack_version}
    neutron_version: ${_param:openstack_version}
    cinder_version: ${_param:openstack_version}
    heat_version: ${_param:openstack_version}
    horizon_version: ${_param:openstack_version}
    designate_version: ${_param:openstack_version}
    keystone_service_token: workshop
    keystone_admin_password: workshop
    keystone_barbican_password: workshop
    keystone_ceilometer_password: workshop
    keystone_cinder_password: workshop
    keystone_glance_password: workshop
    keystone_heat_password: workshop
    keystone_neutron_password: workshop
    keystone_nova_password: workshop
    keystone_designate_password: workshop
    keystone_service_host: ${_param:single_address}
    mysql_keystone_password: workshop
    mysql_barbican_password: workshop
    mysql_glance_password: workshop
    mysql_nova_password: workshop
    mysql_neutron_password: workshop
    mysql_cinder_password: workshop
    mysql_heat_password: workshop
    mysql_designate_password: workshop
    barbican_service_host: ${_param:single_address}
    heat_service_host: ${_param:single_address}
    neutron_service_host: ${_param:single_address}
    glance_service_host: ${_param:single_address}
    cinder_service_host: ${_param:single_address}
    designate_service_host: ${_param:single_address}
    nova_service_host: ${_param:single_address}
    control_address: ${_param:single_address}
    metadata_password: workshop
    cluster_vip_address: ${_param:single_address}
    cluster_local_address: ${_param:single_address}
    openstack_database_address: ${_param:single_address}
    tenant_address: ${_param:single_address}
    heat_domain_admin_password: workshop
    horizon_secret_key: workshop
    horizon_identity_encryption: none
    horizon_identity_version: 2
    horizon_identity_host: ${_param:single_address}
    designate_admin_api_enabled: true
    designate_bind9_rndc_key: 4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw==
    designate_pool_target_type: bind9
    designate_domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
    designate_pool_ns_records:
      - hostname: 'ns1.example.org.'
        priority: 10
    designate_pool_nameservers:
      - host: ${_param:single_address}
        port: 53
    designate_pool_target_masters:
      - host: ${_param:single_address}
        port: 5354
    designate_pool_target_options:
      host: ${_param:single_address}
      port: 53
      rndc_host: 127.0.0.1
      rndc_port: 953
      rndc_key_file: /etc/designate/rndc.key
    designate_quota_zones: 40
    designate_worker_enabled: true
    linux_system_repo: deb [arch=amd64] http://mirror.fuel-infra.org/mcp-repos/${_param:openstack_version}/xenial ${_param:openstack_version} main
    linux_system_repo_pin: release a=${_param:openstack_version}
    linux_system_repo_priority: 1200
    openstack_public_neutron_subnet_gateway:  192.168.130.1
    openstack_public_neutron_subnet_cidr: 192.168.130.0/24
    openstack_public_neutron_subnet_allocation_start: 192.168.130.10
    openstack_public_neutron_subnet_allocation_end: 192.168.130.254
    barbican_simple_crypto_kek: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
    barbican_integration_enabled: False
    galera_ssl_enabled: true
    rabbitmq_ssl_enabled: true
    rabbitmq_port: 5671 # for non-ssl use 5672
    ### nginx ssl sites settings
    nginx_proxy_ssl:
      enabled: true
      engine: salt
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/${_param:cluster_vip_address}.key"
      cert_file: "/etc/ssl/certs/${_param:cluster_vip_address}.crt"
      chain_file: "/etc/ssl/certs/${_param:cluster_vip_address}-with-chain.crt"
    nginx_proxy_openstack_api_address: ${_param:cluster_public_host}
    nginx_proxy_openstack_keystone_host: 127.0.0.1
    nginx_proxy_openstack_nova_host: 127.0.0.1
    nginx_proxy_openstack_cinder_host: 127.0.0.1
    nginx_proxy_openstack_glance_host: 127.0.0.1
    nginx_proxy_openstack_neutron_host: 127.0.0.1
    nginx_proxy_openstack_heat_host: 127.0.0.1
    nginx_proxy_openstack_designate_host: 127.0.0.1
    nginx_proxy_openstack_placement_host: 127.0.0.1
    apache_keystone_api_host: ${_param:single_address}
    apache_keystone_ssl: ${_param:nginx_proxy_ssl}
    runtest_tempest_cfg_dir: /root/rally_reports/
    runtest_tempest_cfg_name: tempest_generated.conf
    artifactory_user: artifactory_user
    artifactory_password: artifactory_password
  # Disable keystone nginx sites as we configure SSL for them in Apache
  nginx:
    server:
      site:
        nginx_proxy_openstack_api_keystone:
          enabled: false
        nginx_proxy_openstack_api_keystone_private:
          enabled: false
  rabbitmq:
    server:
      ssl:
        enabled: ${_param:rabbitmq_ssl_enabled}
  galera:
    master:
      members: ~
      innodb_buffer_pool_size: 1024M
      max_connections: 1000
    slave:
      enabled: false
  barbican:
    server:
      ks_notifications_enable: True
      store:
        software:
          crypto_plugin: simple_crypto
          store_plugin: store_crypto
          global_default: True
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
  neutron:
    server:
      # Temporary install neutron-plugin-ml2 untill https://gerrit.mcp.mirantis.net/#/c/16262/ promoted
      # to stable
      pkgs:
        - neutron-server
        - python-neutron-lbaas
        - gettext-base
        - python-pycadf
        - neutron-plugin-ml2
      api_workers: 2
      rpc_state_report_workers: 2
      rpc_workers: 2
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      message_queue:
        members: ~
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
    gateway:
      metadata:
        workers: 2
      agent_mode: dvr_snat
      dvr: True
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  nova:
    compute:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      vncproxy_url: http://${_param:single_address}:6080
      network:
        user: neutron
        password: ${_param:keystone_neutron_password}
        tenant: service
      cache:
        members: ~
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
    controller:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      vncproxy_url: http://${_param:single_address}:6080
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      bind:
         private_address: 127.0.0.1
      identity:
         protocol: https
      network:
         protocol: https
      glance:
         protocol: https
      metadata:
         bind:
           address: ${_param:nova_service_host}

  cinder:
    controller:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      identity:
        protocol: https
      osapi:
        host: 127.0.0.1
      glance:
        protocol: https
    volume:
      cache:
        members: ~
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  horizon:
    server:
      secure: False
      identity:
        encryption: ssl
      api_versions:
        identity: 3
  designate:
    server:
      quota:
        zones: ${_param:designate_quota_zones}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      identity:
        protocol: https
      bind:
        api:
          address: 127.0.0.1
    worker:
      enabled: ${_param:designate_worker_enabled}
  glance:
    server:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      registry:
        protocol: https
  keystone:
    server:
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  heat:
    server:
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      bind:
        api:
          address: 127.0.0.1
        api_cfn:
          address: 127.0.0.1
        api_cloudwatch:
          address: 127.0.0.1
      identity:
        protocol: https
  runtest:
    enabled: True
    tempest:
      enabled: True
      cfg_dir: ${_param:runtest_tempest_cfg_dir}
      cfg_name: ${_param:runtest_tempest_cfg_name}
      DEFAULT:
        log_file: /home/rally/rally_reports/tempest.log
      compute:
        build_timeout: 600
        min_microversion: 2.1
        max_microversion: 2.42
      orchestration:
        max_template_size: 5440000
        max_resources_per_stack: 20000
      dns_feature_enabled:
        # Switch this to designate_admin_api_enabled once [1] is promoted to stable packages
        # [1] https://gerrit.mcp.mirantis.net/gitweb?p=salt-formulas/designate.git;a=commit;h=96a3f43f6cf1149559e54a00b5548bdf46333749
        api_admin: false
        api_v1: false
        api_v2: true
        api_v2_quotas: true
        api_v2_root_recordsets: true
        bug_1573141_fixed: true
      volume-feature-enabled:
        backup: false
    artifact_collector:
      enabled: true
      artifactory:
       enabled: true
       user: ${_param:artifactory_user}
       password: ${_param:artifactory_password}
       host: artifactory.mcp.mirantis.net
       port: 443
       proto: https
       endpoint: /oscore-local/${_param:cluster_domain}/${_param:infra_config_hostname}
      artifacts:
        sys_logs:
          path: /var/log
        etc:
          path: /etc
      cmds:
        service_status:
          cmd: '(. /root/keystonercv3; openstack compute service list; openstack volume service list)'
          dst: /tmp/openstack_service_report.txt