# Classes pulled into this model, kept in the order the source lists them.
classes:
  - system.salt.minion.cert.proxy
  - system.salt.minion.cert.mysql.server
  - system.salt.minion.cert.rabbitmq_server
  - system.linux.system.lowmem
  - system.linux.system.repo.mcp.apt_mirantis.glusterfs
  - system.linux.system.repo.mcp.apt_mirantis.openstack
  - system.linux.system.repo.mcp.extra
  - system.linux.system.repo.mcp.apt_mirantis.saltstack
  - system.memcached.server.single
  - system.rabbitmq.server.cluster
  - service.rabbitmq.server.ssl
  - system.rabbitmq.server.vhost.openstack
  - system.apache.server.site.manila
  - system.apache.server.site.barbican
  - system.apache.server.site.nova-placement
  - system.apache.server.site.cinder
  - system.nginx.server.single
  - system.nginx.server.proxy.openstack_api
  - system.nginx.server.proxy.openstack.designate
  - system.keystone.server.wsgi
  - system.keystone.server.cluster
  - system.glusterfs.client.cluster
  - system.glusterfs.client.volume.glance
  - system.glusterfs.client.volume.keystone
  - system.glusterfs.server.volume.glance
  - system.glusterfs.server.volume.keystone
  - system.glusterfs.server.cluster
  - system.glance.control.cluster
  - system.nova.control.cluster
  - system.neutron.control.openvswitch.cluster
  - system.cinder.control.cluster
  - system.cinder.control.backend.lvm
  - system.heat.server.cluster
  - system.designate.server.cluster
  - system.galera.server.cluster
  - service.galera.ssl
  - system.apache.server.ssl
  - system.nginx.server.proxy.ssl
  - system.galera.server.database.cinder
  - system.galera.server.database.glance
  - system.galera.server.database.heat
  - system.galera.server.database.keystone
  - system.galera.server.database.nova
  - system.galera.server.database.designate
  - system.galera.server.database.manila
  - system.galera.server.database.aodh
  - system.galera.server.database.panko
  - system.galera.server.database.gnocchi
  - system.galera.server.database.barbican
  - system.dogtag.server.cluster
  - system.barbican.server.cluster
  - service.barbican.server.plugin.dogtag
  - system.ceilometer.client
  - system.ceilometer.client.cinder_volume
  - system.ceilometer.client.neutron
  - system.haproxy.proxy.listen.openstack.placement
  - system.haproxy.proxy.listen.openstack.manila
  - system.manila.control.cluster
  - cluster.virtual-mcp-pike-dvr-ssl-barbican
parameters:
  # NOTE(review): the listing this was taken from had lost its indentation;
  # the nesting below is rebuilt from the key hierarchy and should be checked
  # against the repository before use.
  _param:
    keepalived_vip_interface: ens4
    salt_minion_ca_authority: salt_master_ca
    # nginx SSL site settings
    nginx_proxy_ssl:
      authority: '${_param:salt_minion_ca_authority}'
      key_file: '/etc/ssl/private/internal_proxy.key'
      cert_file: '/etc/ssl/certs/internal_proxy.crt'
      chain_file: '/etc/ssl/certs/internal_proxy-with-chain.crt'
    # apache reuses the same key, certificate and chain files as nginx above.
    apache_ssl:
      authority: '${_param:salt_minion_ca_authority}'
      key_file: '/etc/ssl/private/internal_proxy.key'
      cert_file: '/etc/ssl/certs/internal_proxy.crt'
      chain_file: '/etc/ssl/certs/internal_proxy-with-chain.crt'
    nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
    nginx_proxy_openstack_keystone_host: 127.0.0.1
    nginx_proxy_openstack_nova_host: 127.0.0.1
    nginx_proxy_openstack_glance_host: 127.0.0.1
    nginx_proxy_openstack_neutron_host: 127.0.0.1
    nginx_proxy_openstack_heat_host: 127.0.0.1
    nginx_proxy_openstack_designate_host: 127.0.0.1
    apache_manila_api_address: ${_param:single_address}
    apache_keystone_api_host: ${_param:single_address}
    apache_barbican_api_address: ${_param:cluster_local_address}
    apache_barbican_api_host: ${_param:single_address}
    apache_nova_placement_api_address: ${_param:cluster_local_address}
    # Literal credential committed with the model; the same value is reused
    # for every dogtag password below. Outside a throwaway lab, override each
    # one with a unique secret supplied from outside version control.
    barbican_dogtag_nss_password: workshop
    barbican_dogtag_host: ${_param:cluster_vip_address}
    apache_cinder_api_address: ${_param:cluster_local_address}
    # Dogtag listens on 8443 and cannot be bound to a specific IP. Because
    # dogtag is installed on the ctl nodes in this setup, the haproxy side
    # uses a different port to avoid a bind conflict.
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_master_host: ctl01.${linux:system:domain}
    # PKI admin, client database, PKCS#12, directory server, token and
    # security-domain secrets all share one literal value here.
    dogtag_pki_admin_password: workshop
    dogtag_pki_client_database_password: workshop
    dogtag_pki_client_pkcs12_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_token_password: workshop
    dogtag_pki_security_domain_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop
  rabbitmq:
    server:
      ssl:
        # rabbitmq_ssl_enabled is not defined in this file; it has to come
        # from one of the included classes.
        enabled: ${_param:rabbitmq_ssl_enabled}
  nginx:
    server:
      site:
        nginx_proxy_openstack_api_keystone:
          enabled: false
        nginx_proxy_openstack_api_keystone_private:
          enabled: false
        nginx_proxy_openstack_api_cinder:
          enabled: false
  linux:
    system:
      package:
        python-msgpack:
          # 'latest' leaves the installed version unpinned.
          version: latest
    network:
      interface:
        ens4:
          enabled: true
          type: eth
          proto: static
          address: ${_param:single_address}
          netmask: 255.255.255.0
  keepalived:
    cluster:
      instance:
        VIP:
          virtual_router_id: 150
  dogtag:
    server:
      ldap_hostname: ${linux:network:fqdn}
      # Same literal lab credential as the dogtag values under _param;
      # override per deployment.
      ldap_dn_password: workshop
      ldap_admin_password: workshop
      export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
  # TODO: drop this section once reclass is bumped; the current version is
  # missing this part.
  apache:
    server:
      site:
        barbican_admin:
          host:
            address: ${_param:apache_barbican_api_address}
            name: ${_param:apache_barbican_api_host}
            port: 9312
          log:
            # Access and error logs are written to the same file.
            custom:
              format: 'combined'
              file: '/var/log/barbican/barbican-api.log'
            error:
              enabled: true
              file: '/var/log/barbican/barbican-api.log'
  barbican:
    server:
      enabled: true
      dogtag_admin_cert:
        engine: mine
        minion: ${_param:dogtag_master_host}
      ks_notifications_enable: true
      store:
        software:
          store_plugin: dogtag_crypto
          global_default: true
      plugin:
        dogtag:
          # Points at the haproxy bind port (8444), not dogtag's own 8443.
          port: ${_param:haproxy_dogtag_bind_port}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  keystone:
    server:
      admin_email: ${_param:admin_email}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  designate:
    pool_manager:
      enabled: ${_param:designate_pool_manager_enabled}
      periodic_sync_interval: ${_param:designate_pool_manager_periodic_sync_interval}
    server:
      identity:
        protocol: https
      bind:
        api:
          address: 127.0.0.1
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      backend:
        pdns4:
          api_token: ${_param:designate_pdns_api_key}
          api_endpoint: ${_param:designate_pdns_api_endpoint}
      mdns:
        address: ${_param:designate_mdns_address}
        port: ${_param:designate_mdns_port}
      pools:
        default:
          description: 'test pool'
          targets:
            default:
              description: 'test target1'
            default1:
              type: ${_param:designate_pool_target_type}
              description: 'test target2'
              masters: ${_param:designate_pool_target_masters}
              options:
                host: ${_param:openstack_dns_node02_address}
                port: 53
                # NOTE(review): http:// endpoint used together with an
                # api_token, so the token would travel unencrypted; confirm
                # this stays on an isolated network or move it to TLS.
                api_endpoint: 'http://${_param:openstack_dns_node02_address}:${_param:powerdns_webserver_port}'
                api_token: ${_param:designate_pdns_api_key}
      quota:
        zones: ${_param:designate_quota_zones}
  glance:
    server:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      storage:
        engine: file
      images: []
      workers: 1
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      registry:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  heat:
    server:
      bind:
        api:
          address: 127.0.0.1
        api_cfn:
          address: 127.0.0.1
        api_cloudwatch:
          address: 127.0.0.1
      identity:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      # The self-signed certificate is not present in guest images, so the
      # insecure option is used when an instance sends its signal to a wait
      # condition. The server certificate is then not verified on that call;
      # shipping the CA in the images would allow dropping this option.
      clients:
        heat:
          insecure: true
  neutron:
    server:
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  nova:
    controller:
      networking: dvr
      cpu_allocation: 54
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      metadata:
        password: ${_param:metadata_password}
        bind:
          address: ${_param:cluster_local_address}
      bind:
        public_address: ${_param:cluster_vip_address}
        novncproxy_port: 6080
        private_address: 127.0.0.1
      identity:
        protocol: https
      network:
        protocol: https
      glance:
        protocol: https
      # NOTE(review): the console proxy URL is plain http while the other
      # endpoints in this block use https; confirm whether noVNC traffic is
      # meant to be unencrypted here.
      vncproxy_url: http://${_param:cluster_vip_address}:6080
      workers: 1
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      notification:
        notify_on:
          state_change: vm_and_task_state
  cinder:
    # NOTE(review): `controller:` appears on two consecutive lines in the
    # source. With the indentation lost it is unclear whether that was a
    # duplicated key (as rendered here) or an extra nesting level; confirm
    # against the repository.
    controller:
    controller:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      identity:
        protocol: https
      osapi:
        host: 127.0.0.1
      glance:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  manila:
    common:
      identity:
        protocol: https
      default_share_type: default
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  salt:
    minion:
      cert:
        # Certificate behind the key/cert/chain paths that nginx_proxy_ssl
        # and apache_ssl point at.
        internal_proxy:
          host: ${_param:salt_minion_ca_host}
          authority: ${_param:salt_minion_ca_authority}
          common_name: internal_proxy
          # NOTE(review): what 'cert_open' permits is defined on the CA
          # side, not in this file; confirm it is no broader than this
          # proxy certificate needs.
          signing_policy: cert_open
          alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_public_host},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_local_address},DNS:${_param:cluster_public_host}
          key_file: '/etc/ssl/private/internal_proxy.key'
          cert_file: '/etc/ssl/certs/internal_proxy.crt'
          all_file: '/etc/ssl/certs/internal_proxy-with-chain.crt'
  haproxy:
    proxy:
      # Every listener below has its type set to null. Presumably this
      # switches off haproxy listeners inherited from the included classes,
      # with nginx/apache fronting those APIs instead; confirm against the
      # haproxy formula.
      listen:
        barbican-api:
          type: null
        barbican-admin-api:
          type: null
        designate_api:
          type: null
        keystone_public_api:
          type: null
        keystone_admin_api:
          type: null
        manila_api:
          type: null
        nova_api:
          type: null
        nova_metadata_api:
          type: null
        cinder_api:
          type: null
        glance_api:
          type: null
        glance_registry_api:
          type: null
        heat_cloudwatch_api:
          type: null
        heat_api:
          type: null
        heat_cfn_api:
          type: null
        neutron_api:
          type: null
        placement_api:
          type: null