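# Reclass class for the OpenStack control plane of the virtual-offline-ssl
# cluster: it pulls in the service classes listed below and overrides their
# parameters so that the API services sit behind TLS-terminating proxies.
#
# NOTE(review): this listing was recovered from a blame view in which the
# per-line author/commit/line-number cells were fused into the text and the
# original indentation was lost. Nesting below is reconstructed from key
# order; verify it against the repository copy before relying on it.
classes:
- system.salt.minion.cert.proxy
- system.linux.system.lowmem
- system.linux.system.repo.mcp.apt_mirantis.glusterfs
- system.linux.system.repo.mcp.apt_mirantis.openstack
- system.linux.system.repo.mcp.apt_mirantis.percona
- system.linux.system.repo.mcp.apt_mirantis.extra
- system.linux.system.repo.mcp.apt_mirantis.saltstack
- system.linux.system.repo.mcp.apt_mirantis.ceph
- system.memcached.server.single
- system.rabbitmq.server.cluster
- system.rabbitmq.server.vhost.openstack
- system.apache.server.site.manila
- system.apache.server.site.barbican
- system.apache.server.site.nova-placement
- system.apache.server.site.cinder
- system.nginx.server.single
- system.nginx.server.proxy.openstack_api
- system.nginx.server.proxy.openstack.designate
- system.nginx.server.proxy.openstack.glance_registry
- system.keystone.server.wsgi
- system.keystone.server.cluster
- system.glusterfs.client.cluster
- system.glusterfs.client.volume.glance
- system.glusterfs.server.volume.glance
- system.glusterfs.server.cluster
- system.glance.control.cluster
- system.nova.control.cluster
- system.neutron.control.openvswitch.cluster
- system.cinder.control.cluster
- system.heat.server.cluster
- system.designate.server.cluster
- system.galera.server.cluster
- system.galera.server.database.cinder
- system.galera.server.database.glance
- system.galera.server.database.heat
- system.galera.server.database.keystone
- system.galera.server.database.nova
- system.galera.server.database.neutron
- system.galera.server.database.designate
- system.galera.server.database.manila
- system.galera.server.database.aodh
- system.galera.server.database.panko
- system.galera.server.database.gnocchi
- system.galera.server.database.barbican
- system.dogtag.server.cluster
- system.barbican.server.cluster
- service.barbican.server.plugin.dogtag
- system.ceilometer.client
- system.ceilometer.client.cinder_volume
- system.ceilometer.client.neutron
- system.haproxy.proxy.listen.openstack.placement
- system.haproxy.proxy.listen.openstack.manila
- system.manila.control.cluster
- system.apache.server.ssl
- system.nginx.server.proxy.ssl
- cluster.virtual-offline-ssl.openstack.dns
- cluster.virtual-offline-ssl
parameters:
  _param:
    keepalived_vip_interface: ens4
    salt_minion_ca_authority: salt_master_ca
    ### nginx ssl sites settings
    # nginx_proxy_ssl and apache_ssl point at the same key, certificate and
    # chain files that salt.minion.cert.internal_proxy writes further down.
    nginx_proxy_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    apache_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    # The nginx proxy listens on the cluster-local address and forwards to
    # backends on loopback.
    nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
    nginx_proxy_openstack_keystone_host: 127.0.0.1
    nginx_proxy_openstack_nova_host: 127.0.0.1
    nginx_proxy_openstack_glance_host: 127.0.0.1
    nginx_proxy_openstack_neutron_host: 127.0.0.1
    nginx_proxy_openstack_heat_host: 127.0.0.1
    nginx_proxy_openstack_designate_host: 127.0.0.1
    apache_manila_api_address: ${_param:single_address}
    apache_keystone_api_host: ${_param:single_address}
    apache_barbican_api_address: ${_param:cluster_local_address}
    apache_barbican_api_host: ${_param:single_address}
    apache_nova_placement_api_address: ${_param:cluster_local_address}
    # NOTE(review): every Dogtag/PKI/NSS secret in this file carries the same
    # placeholder value, committed in plaintext. Supply per-deployment values
    # from a secret store before this model is used beyond a throwaway lab.
    barbican_dogtag_nss_password: workshop
    barbican_dogtag_host: ${_param:cluster_vip_address}
    apache_cinder_api_address: ${_param:cluster_local_address}
    # Dogtag listens on 8443 and cannot be bound to a specific IP. On this
    # setup it is installed on the ctl nodes, so the haproxy side uses a
    # different port to avoid a bind conflict.
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_master_host: ctl01.${linux:system:domain}
    dogtag_pki_admin_password: workshop
    dogtag_pki_client_database_password: workshop
    dogtag_pki_client_pkcs12_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_token_password: workshop
    dogtag_pki_security_domain_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop
  nginx:
    server:
      site:
        # These proxy sites are switched off here; keystone and cinder are
        # served through the apache classes included above.
        nginx_proxy_openstack_api_keystone:
          enabled: false
        nginx_proxy_openstack_api_keystone_private:
          enabled: false
        nginx_proxy_openstack_api_cinder:
          enabled: false
  linux:
    system:
      package:
        python-msgpack:
          # Unpinned: takes whatever version the configured mirror serves.
          version: latest
    network:
      interface:
        ens4:
          enabled: true
          type: eth
          proto: static
          address: ${_param:single_address}
          netmask: 255.255.255.0
  keepalived:
    cluster:
      instance:
        VIP:
          virtual_router_id: 150
  dogtag:
    server:
      ldap_hostname: ${linux:network:fqdn}
      # Same plaintext placeholder as the _param Dogtag secrets above.
      ldap_dn_password: workshop
      ldap_admin_password: workshop
      export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
  # TODO drop this once reclass bumped, missing part in current version
  apache:
    server:
      site:
        barbican_admin:
          host:
            address: ${_param:apache_barbican_api_address}
            name: ${_param:apache_barbican_api_host}
            port: 9312
          log:
            custom:
              format: 'combined'
              file: '/var/log/barbican/barbican-api.log'
            error:
              enabled: true
              file: '/var/log/barbican/barbican-api.log'
  barbican:
    server:
      enabled: true
      # The Dogtag admin certificate is fetched through the salt mine from
      # the Dogtag master minion.
      dogtag_admin_cert:
        engine: mine
        minion: ${_param:dogtag_master_host}
      ks_notifications_enable: true
      store:
        software:
          store_plugin: dogtag_crypto
          global_default: true
      plugin:
        dogtag:
          port: ${_param:haproxy_dogtag_bind_port}
  keystone:
    server:
      admin_email: ${_param:admin_email}
  designate:
    pool_manager:
      enabled: ${_param:designate_pool_manager_enabled}
      periodic_sync_interval: ${_param:designate_pool_manager_periodic_sync_interval}
    server:
      identity:
        protocol: https
      bind:
        api:
          address: 127.0.0.1
      backend:
        pdns4:
          api_token: ${_param:designate_pdns_api_key}
          api_endpoint: ${_param:designate_pdns_api_endpoint}
      mdns:
        address: ${_param:designate_mdns_address}
        port: ${_param:designate_mdns_port}
      pools:
        default:
          description: 'test pool'
          targets:
            default:
              description: 'test target1'
            default1:
              type: ${_param:designate_pool_target_type}
              description: 'test target2'
              masters: ${_param:designate_pool_target_masters}
              options:
                host: ${_param:openstack_dns_node02_address}
                port: 53
                # NOTE(review): plain-http endpoint, so the PowerDNS API
                # token below travels unencrypted to this address. Confirm
                # the network path is trusted or front the API with TLS.
                api_endpoint: "http://${_param:openstack_dns_node02_address}:${_param:powerdns_webserver_port}"
                api_token: ${_param:designate_pdns_api_key}
      quota:
        zones: ${_param:designate_quota_zones}
  glance:
    server:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      storage:
        engine: file
      images: []
      workers: 1
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      registry:
        protocol: https
  heat:
    server:
      bind:
        api:
          address: 127.0.0.1
        api_cfn:
          address: 127.0.0.1
        api_cloudwatch:
          address: 127.0.0.1
      identity:
        protocol: https
      # Since we are using a self-signed cert that is not present in images,
      # we have to use the insecure option when sending the signal to a wait
      # condition from an instance.
      # NOTE(review): this turns off certificate verification for the heat
      # client; shipping the CA certificate in the images would remove the
      # need for it.
      clients:
        heat:
          insecure: true
  neutron:
    server:
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
  nova:
    controller:
      networking: dvr
      cpu_allocation: 54
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      metadata:
        password: ${_param:metadata_password}
        bind:
          address: ${_param:cluster_local_address}
      bind:
        public_address: ${_param:cluster_vip_address}
        novncproxy_port: 6080
        private_address: 127.0.0.1
      identity:
        protocol: https
      network:
        protocol: https
      glance:
        protocol: https
      # NOTE(review): the console URL is http while the other endpoints in
      # this block use https; confirm noVNC is not meant to be served over
      # TLS here.
      vncproxy_url: http://${_param:cluster_vip_address}:6080
      workers: 1
  cinder:
    controller:
      # NOTE(review): the listing shows two consecutive `controller:` keys.
      # They are kept nested here; confirm whether barbican was meant to sit
      # directly under cinder.controller.
      controller:
        barbican:
          enabled: ${_param:barbican_integration_enabled}
      identity:
        protocol: https
      osapi:
        host: 127.0.0.1
      glance:
        protocol: https
  manila:
    common:
      identity:
        protocol: https
      default_share_type: default
  salt:
    minion:
      cert:
        # Certificate requested from the salt CA for the local TLS proxies.
        # Its key/cert/chain paths are the ones nginx_proxy_ssl and
        # apache_ssl reference in _param.
        internal_proxy:
          host: ${_param:salt_minion_ca_host}
          authority: ${_param:salt_minion_ca_authority}
          common_name: internal_proxy
          signing_policy: cert_open
          alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_public_host},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_local_address},DNS:${_param:cluster_public_host}
          key_file: "/etc/ssl/private/internal_proxy.key"
          cert_file: "/etc/ssl/certs/internal_proxy.crt"
          all_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
  haproxy:
    proxy:
      listen:
        # Each listener's type is overridden with null. Presumably this
        # stops the inherited haproxy frontends from being rendered so that
        # nginx/apache front these APIs instead; confirm against the
        # haproxy formula.
        barbican-api:
          type: ~
        barbican-admin-api:
          type: ~
        designate_api:
          type: ~
        keystone_public_api:
          type: ~
        keystone_admin_api:
          type: ~
        manila_api:
          type: ~
        nova_api:
          type: ~
        nova_metadata_api:
          type: ~
        cinder_api:
          type: ~
        glance_api:
          type: ~
        glance_registry_api:
          type: ~
        heat_cloudwatch_api:
          type: ~
        heat_api:
          type: ~
        heat_cfn_api:
          type: ~
        neutron_api:
          type: ~
        placement_api:
          type: ~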