classes/cluster/virtual-offline-ssl/openstack/control.yml

classes:
- system.salt.minion.cert.proxy
- system.linux.system.lowmem
- system.linux.system.repo.mcp.apt_mirantis.glusterfs
- system.linux.system.repo_local.mcp.apt_mirantis.openstack
- system.linux.system.repo_local.mcp.extra
- system.linux.system.repo.mcp.apt_mirantis.saltstack
- system.linux.system.repo_local.mcp.apt_mirantis.ceph
- system.memcached.server.single
- system.rabbitmq.server.cluster
- system.rabbitmq.server.vhost.openstack
- system.apache.server.site.manila
- system.apache.server.site.barbican
- system.apache.server.site.nova-placement
- system.apache.server.site.cinder
- system.nginx.server.single
- system.nginx.server.proxy.openstack_api
- system.nginx.server.proxy.openstack.designate
- system.nginx.server.proxy.openstack.glance_registry
- system.keystone.server.wsgi
- system.keystone.server.cluster
- system.glusterfs.client.cluster
- system.glusterfs.client.volume.glance
- system.glusterfs.server.volume.glance
- system.glusterfs.server.cluster
- system.glance.control.cluster
- system.nova.control.cluster
- system.neutron.control.openvswitch.cluster
- system.cinder.control.cluster
- system.heat.server.cluster
- system.designate.server.cluster
- system.galera.server.cluster
- system.galera.server.database.cinder
- system.galera.server.database.glance
- system.galera.server.database.heat
- system.galera.server.database.keystone
- system.galera.server.database.nova
- system.galera.server.database.designate
- system.galera.server.database.manila
- system.galera.server.database.aodh
- system.galera.server.database.panko
- system.galera.server.database.gnocchi
- system.galera.server.database.barbican
- system.dogtag.server.cluster
- system.barbican.server.cluster
- service.barbican.server.plugin.dogtag
- system.ceilometer.client
- system.ceilometer.client.cinder_volume
- system.ceilometer.client.neutron
- system.haproxy.proxy.listen.openstack.placement
- system.haproxy.proxy.listen.openstack.manila
- system.manila.control.cluster
- system.apache.server.ssl
- system.nginx.server.proxy.ssl
- cluster.virtual-offline-ssl.openstack.dns
- cluster.virtual-offline-ssl
parameters:
  _param:
    keepalived_vip_interface: ens4
    salt_minion_ca_authority: salt_master_ca
    ### nginx ssl sites settings
    nginx_proxy_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    apache_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
    nginx_proxy_openstack_keystone_host: 127.0.0.1
    nginx_proxy_openstack_nova_host: 127.0.0.1
    nginx_proxy_openstack_glance_host: 127.0.0.1
    nginx_proxy_openstack_neutron_host: 127.0.0.1
    nginx_proxy_openstack_heat_host: 127.0.0.1
    nginx_proxy_openstack_designate_host: 127.0.0.1
    apache_manila_api_address: ${_param:single_address}
    apache_keystone_api_host: ${_param:single_address}
    apache_barbican_api_address: ${_param:cluster_local_address}
    apache_barbican_api_host: ${_param:single_address}
    apache_nova_placement_api_address: ${_param:cluster_local_address}
    barbican_dogtag_nss_password: workshop
    barbican_dogtag_host: ${_param:cluster_vip_address}
    apache_cinder_api_address: ${_param:cluster_local_address}
    # dogtag listens on 8443 but there is no way to bind it to
    # Specific IP, as on this setup dogtag installed on ctl nodes
    # Change port on haproxy side to avoid binding conflict.
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_master_host: ctl01.${linux:system:domain}
    dogtag_pki_admin_password: workshop
    dogtag_pki_client_database_password: workshop
    dogtag_pki_client_pkcs12_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_token_password: workshop
    dogtag_pki_security_domain_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop
  nginx:
    server:
      site:
        nginx_proxy_openstack_api_keystone:
          enabled: false
        nginx_proxy_openstack_api_keystone_private:
          enabled: false
        nginx_proxy_openstack_api_cinder:
          enabled: false
  linux:
    system:
      package:
        python-msgpack:
          version: latest
    network:
      interface:
        ens4:
          enabled: true
          type: eth
          proto: static
          address: ${_param:single_address}
          netmask: 255.255.255.0
  keepalived:
    cluster:
      instance:
        VIP:
          virtual_router_id: 150
  dogtag:
   server:
     ldap_hostname: ${linux:network:fqdn}
     ldap_dn_password: workshop
     ldap_admin_password: workshop
     export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
  # TODO drop this once reclass bumped, missing part in current version
  apache:
    server:
      site:
        barbican_admin:
          host:
            address: ${_param:apache_barbican_api_address}
            name: ${_param:apache_barbican_api_host}
            port: 9312
          log:
            custom:
              format: 'combined'
              file: '/var/log/barbican/barbican-api.log'
            error:
              enabled: true
              file: '/var/log/barbican/barbican-api.log'
  barbican:
    server:
      enabled: true
      dogtag_admin_cert:
        engine: mine
        minion: ${_param:dogtag_master_host}
      ks_notifications_enable: True
      store:
        software:
          store_plugin: dogtag_crypto
          global_default: True
      plugin:
        dogtag:
          port: ${_param:haproxy_dogtag_bind_port}
  keystone:
    server:
      admin_email: ${_param:admin_email}
  designate:
    pool_manager:
      enabled: ${_param:designate_pool_manager_enabled}
      periodic_sync_interval: ${_param:designate_pool_manager_periodic_sync_interval}
    server:
      identity:
        protocol: https
      bind:
        api:
          address: 127.0.0.1
      backend:
        pdns4:
          api_token: ${_param:designate_pdns_api_key}
          api_endpoint: ${_param:designate_pdns_api_endpoint}
      mdns:
        address: ${_param:designate_mdns_address}
        port: ${_param:designate_mdns_port}
      pools:
        default:
          description: 'test pool'
          targets:
            default:
              description: 'test target1'
            default1:
              type: ${_param:designate_pool_target_type}
              description: 'test target2'
              masters: ${_param:designate_pool_target_masters}
              options:
                host: ${_param:openstack_dns_node02_address}
                port: 53
                api_endpoint: "http://${_param:openstack_dns_node02_address}:${_param:powerdns_webserver_port}"
                api_token: ${_param:designate_pdns_api_key}
      quota:
        zones: ${_param:designate_quota_zones}
  glance:
    server:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      storage:
        engine: file
      images: []
      workers: 1
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      registry:
        protocol: https
  heat:
    server:
      bind:
        api:
          address: 127.0.0.1
        api_cfn:
          address: 127.0.0.1
        api_cloudwatch:
          address: 127.0.0.1
      identity:
        protocol: https
      # Since we using self signed cert not present in images, we have to
      # use insecure option when sending signal to wait condition from instance.
      clients:
        heat:
          insecure: true
  neutron:
    server:
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
  nova:
    controller:
      networking: dvr
      cpu_allocation: 54
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      metadata:
        password: ${_param:metadata_password}
        bind:
          address: ${_param:cluster_local_address}
      bind:
        public_address: ${_param:cluster_vip_address}
        novncproxy_port: 6080
        private_address: 127.0.0.1
      identity:
        protocol: https
      network:
        protocol: https
      glance:
        protocol: https
      vncproxy_url: http://${_param:cluster_vip_address}:6080
      workers: 1
  cinder:
    controller:
      controller:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      identity:
        protocol: https
      osapi:
        host: 127.0.0.1
      glance:
        protocol: https
  manila:
    common:
      identity:
        protocol: https
      default_share_type: default
  salt:
    minion:
      cert:
        internal_proxy:
          host: ${_param:salt_minion_ca_host}
          authority: ${_param:salt_minion_ca_authority}
          common_name: internal_proxy
          signing_policy: cert_open
          alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_public_host},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_local_address},DNS:${_param:cluster_public_host}
          key_file: "/etc/ssl/private/internal_proxy.key"
          cert_file: "/etc/ssl/certs/internal_proxy.crt"
          all_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
  haproxy:
    proxy:
      listen:
        barbican-api:
          type: ~
        barbican-admin-api:
          type: ~
        designate_api:
          type: ~
        keystone_public_api:
          type: ~
        keystone_admin_api:
          type: ~
        manila_api:
          type: ~
        nova_api:
          type: ~
        nova_metadata_api:
          type: ~
        cinder_api:
          type: ~
        glance_api:
          type: ~
        glance_registry_api:
          type: ~
        heat_cloudwatch_api:
          type: ~
        heat_api:
          type: ~
        heat_cfn_api:
          type: ~
        neutron_api:
          type: ~
        placement_api:
          type: ~