# Reclass classes pulled into this OpenStack control-node model.
# The original order of the entries is preserved.
classes:
  # Certificates issued through the Salt minion (proxy, MySQL, RabbitMQ)
  - system.salt.minion.cert.proxy
  - system.salt.minion.cert.mysql.server
  - system.salt.minion.cert.rabbitmq_server
  # Base system tuning and package repositories
  - system.linux.system.lowmem
  - system.linux.system.repo.mcp.apt_mirantis.glusterfs
  - system.linux.system.repo.mcp.apt_mirantis.openstack
  - system.linux.system.repo.mcp.extra
  - system.linux.system.repo.mcp.apt_mirantis.saltstack
  # Cache and message queue
  - system.memcached.server.single
  - system.rabbitmq.server.cluster
  - service.rabbitmq.server.ssl
  - system.rabbitmq.server.vhost.openstack
  # Apache sites
  - system.apache.server.site.manila
  - system.apache.server.site.barbican
  - system.apache.server.site.nova-placement
  - system.apache.server.site.cinder
  # nginx proxies
  - system.nginx.server.single
  - system.nginx.server.proxy.openstack_api
  - system.nginx.server.proxy.openstack.designate
  - system.nginx.server.proxy.openstack.glance_registry
  # Keystone
  - system.keystone.server.wsgi
  - system.keystone.server.cluster
  # GlusterFS client and server (glance volume)
  - system.glusterfs.client.cluster
  - system.glusterfs.client.volume.glance
  - system.glusterfs.server.volume.glance
  - system.glusterfs.server.cluster
  # Control-plane services and the Galera cluster
  - system.glance.control.cluster
  - system.nova.control.cluster
  - system.neutron.control.openvswitch.cluster
  - system.cinder.control.cluster
  - system.cinder.control.backend.lvm
  - system.heat.server.cluster
  - system.designate.server.cluster
  - system.galera.server.cluster
  # TLS for the Apache sites and the nginx proxies
  - system.apache.server.ssl
  - system.nginx.server.proxy.ssl
  # Per-service Galera databases
  - system.galera.server.database.cinder
  - system.galera.server.database.glance
  - system.galera.server.database.heat
  - system.galera.server.database.keystone
  - system.galera.server.database.nova
  - system.galera.server.database.designate
  - system.galera.server.database.manila
  - system.galera.server.database.aodh
  - system.galera.server.database.panko
  - system.galera.server.database.gnocchi
  - system.galera.server.database.barbican
  # Dogtag and Barbican (with the Dogtag plugin)
  - system.dogtag.server.cluster
  - system.barbican.server.cluster
  - service.barbican.server.plugin.dogtag
  # Ceilometer clients
  - system.ceilometer.client
  - system.ceilometer.client.cinder_volume
  - system.ceilometer.client.neutron
  # HAProxy listeners, Manila control, and the cluster-level class
  - system.haproxy.proxy.listen.openstack.placement
  - system.haproxy.proxy.listen.openstack.manila
  - system.manila.control.cluster
  - cluster.virtual-mcp-pike-dvr-ssl-barbican
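parameters:
  # Scalar values referenced elsewhere in the model through ${_param:...}.
  # NOTE(review): the nesting here was restored from a listing whose
  # indentation had been collapsed; confirm against the repository copy.
  _param:
    keepalived_vip_interface: ens4
    salt_minion_ca_authority: salt_master_ca
    # nginx SSL site settings
    nginx_proxy_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    # Apache points at the same key, certificate and chain files as nginx.
    apache_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    # The nginx proxy binds the cluster-local address; the proxied service
    # hosts are all loopback.
    nginx_proxy_openstack_api_address: "${_param:cluster_local_address}"
    nginx_proxy_openstack_keystone_host: 127.0.0.1
    nginx_proxy_openstack_nova_host: 127.0.0.1
    nginx_proxy_openstack_glance_host: 127.0.0.1
    nginx_proxy_openstack_neutron_host: 127.0.0.1
    nginx_proxy_openstack_heat_host: 127.0.0.1
    nginx_proxy_openstack_designate_host: 127.0.0.1
    apache_manila_api_address: "${_param:single_address}"
    apache_keystone_api_host: "${_param:single_address}"
    apache_barbican_api_address: "${_param:cluster_local_address}"
    apache_barbican_api_host: "${_param:single_address}"
    apache_nova_placement_api_address: "${_param:cluster_local_address}"
    # SECURITY: plaintext secret committed to version control, and the same
    # value as every dogtag_pki_* password below. Treat it as a lab
    # placeholder; supply a unique value from a secrets backend before this
    # model is reused outside a disposable environment.
    barbican_dogtag_nss_password: workshop
    barbican_dogtag_host: "${_param:cluster_vip_address}"
    apache_cinder_api_address: "${_param:cluster_local_address}"
    # Dogtag listens on 8443 and cannot be bound to a specific IP. On this
    # setup Dogtag is installed on the ctl nodes, so the HAProxy side uses a
    # different port to avoid a bind conflict.
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_master_host: "ctl01.${linux:system:domain}"
    # SECURITY: all seven PKI secrets share one plaintext value stored in the
    # repository. They cover the PKI admin, client database, PKCS#12 bundles,
    # directory server, token, and security domain, so a single disclosure
    # exposes all of them. Override each with a distinct secret and rotate
    # anything that was provisioned with these defaults.
    dogtag_pki_admin_password: workshop
    dogtag_pki_client_database_password: workshop
    dogtag_pki_client_pkcs12_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_token_password: workshop
    dogtag_pki_security_domain_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop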
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300102 rabbitmq:
103 server:
104 ssl:
105 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200106 nginx:
107 server:
108 site:
109 nginx_proxy_openstack_api_keystone:
110 enabled: false
111 nginx_proxy_openstack_api_keystone_private:
112 enabled: false
Vasyl Saienko5883a7c2018-04-02 18:21:42 +0300113 nginx_proxy_openstack_api_cinder:
114 enabled: false
Vasyl Saienko060481c2018-03-23 14:29:13 +0200115 linux:
116 system:
117 package:
118 python-msgpack:
119 version: latest
120 network:
121 interface:
122 ens4:
123 enabled: true
124 type: eth
125 proto: static
126 address: ${_param:single_address}
127 netmask: 255.255.255.0
128 keepalived:
129 cluster:
130 instance:
131 VIP:
132 virtual_router_id: 150
133 dogtag:
134 server:
135 ldap_hostname: ${linux:network:fqdn}
136 ldap_dn_password: workshop
137 ldap_admin_password: workshop
138 export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
139 # TODO drop this once reclass bumped, missing part in current version
140 apache:
141 server:
142 site:
143 barbican_admin:
144 host:
145 address: ${_param:apache_barbican_api_address}
146 name: ${_param:apache_barbican_api_host}
147 port: 9312
148 log:
149 custom:
150 format: 'combined'
151 file: '/var/log/barbican/barbican-api.log'
152 error:
153 enabled: true
154 file: '/var/log/barbican/barbican-api.log'
155 barbican:
156 server:
157 enabled: true
158 dogtag_admin_cert:
159 engine: mine
160 minion: ${_param:dogtag_master_host}
161 ks_notifications_enable: True
162 store:
163 software:
164 store_plugin: dogtag_crypto
165 global_default: True
166 plugin:
167 dogtag:
168 port: ${_param:haproxy_dogtag_bind_port}
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300169 database:
170 ssl:
171 enabled: ${_param:galera_ssl_enabled}
172 message_queue:
173 port: ${_param:rabbitmq_port}
174 ssl:
175 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200176 keystone:
177 server:
178 admin_email: ${_param:admin_email}
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300179 database:
180 ssl:
181 enabled: ${_param:galera_ssl_enabled}
182 message_queue:
183 port: ${_param:rabbitmq_port}
184 ssl:
185 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200186 designate:
187 pool_manager:
188 enabled: ${_param:designate_pool_manager_enabled}
189 periodic_sync_interval: ${_param:designate_pool_manager_periodic_sync_interval}
190 server:
191 identity:
192 protocol: https
193 bind:
194 api:
195 address: 127.0.0.1
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300196 database:
197 ssl:
198 enabled: ${_param:galera_ssl_enabled}
199 message_queue:
200 port: ${_param:rabbitmq_port}
201 ssl:
202 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200203 backend:
204 pdns4:
205 api_token: ${_param:designate_pdns_api_key}
206 api_endpoint: ${_param:designate_pdns_api_endpoint}
207 mdns:
208 address: ${_param:designate_mdns_address}
209 port: ${_param:designate_mdns_port}
210 pools:
211 default:
212 description: 'test pool'
213 targets:
214 default:
215 description: 'test target1'
216 default1:
217 type: ${_param:designate_pool_target_type}
218 description: 'test target2'
219 masters: ${_param:designate_pool_target_masters}
220 options:
221 host: ${_param:openstack_dns_node02_address}
222 port: 53
223 api_endpoint: "http://${_param:openstack_dns_node02_address}:${_param:powerdns_webserver_port}"
224 api_token: ${_param:designate_pdns_api_key}
225 quota:
226 zones: ${_param:designate_quota_zones}
227 glance:
228 server:
229 barbican:
230 enabled: ${_param:barbican_integration_enabled}
231 storage:
232 engine: file
233 images: []
234 workers: 1
235 bind:
236 address: 127.0.0.1
237 identity:
238 protocol: https
239 registry:
240 protocol: https
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300241 database:
242 ssl:
243 enabled: ${_param:galera_ssl_enabled}
244 message_queue:
245 port: ${_param:rabbitmq_port}
246 ssl:
247 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200248 heat:
249 server:
250 bind:
251 api:
252 address: 127.0.0.1
253 api_cfn:
254 address: 127.0.0.1
255 api_cloudwatch:
256 address: 127.0.0.1
257 identity:
258 protocol: https
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300259 database:
260 ssl:
261 enabled: ${_param:galera_ssl_enabled}
262 message_queue:
263 port: ${_param:rabbitmq_port}
264 ssl:
265 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko8a06faa2018-07-16 14:04:54 +0300266 # Since we using self signed cert not present in images, we have to
267 # use insecure option when sending signal to wait condition from instance.
268 clients:
269 heat:
270 insecure: true
Vasyl Saienko060481c2018-03-23 14:29:13 +0200271 neutron:
272 server:
273 bind:
274 address: 127.0.0.1
275 identity:
276 protocol: https
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300277 database:
278 ssl:
279 enabled: ${_param:galera_ssl_enabled}
280 message_queue:
281 port: ${_param:rabbitmq_port}
282 ssl:
283 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200284 nova:
285 controller:
286 networking: dvr
287 cpu_allocation: 54
288 barbican:
289 enabled: ${_param:barbican_integration_enabled}
290 metadata:
291 password: ${_param:metadata_password}
Oleksii Butenko0c6a75b2018-04-03 20:33:37 +0300292 bind:
293 address: ${_param:cluster_local_address}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200294 bind:
295 public_address: ${_param:cluster_vip_address}
296 novncproxy_port: 6080
297 private_address: 127.0.0.1
298 identity:
299 protocol: https
300 network:
301 protocol: https
302 glance:
303 protocol: https
304 vncproxy_url: http://${_param:cluster_vip_address}:6080
305 workers: 1
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300306 database:
307 ssl:
308 enabled: ${_param:galera_ssl_enabled}
309 message_queue:
310 port: ${_param:rabbitmq_port}
311 ssl:
312 enabled: ${_param:rabbitmq_ssl_enabled}
Mykyta Karpin6b2ed052018-04-20 13:42:57 +0300313 notification:
314 notify_on:
315 state_change: vm_and_task_state
# Cinder controller overrides: Barbican integration toggle, https towards
# identity and glance, osapi host on loopback, and database / message queue
# TLS toggles taken from _param.
# NOTE(review): `controller:` appears on two consecutive lines. This listing
# has lost its indentation, so it is not possible to tell whether the second
# is nested under the first or is a duplicate key at the same level (most
# YAML loaders silently keep the last duplicate). Confirm against the
# repository copy which path the settings below actually land on.
Vasyl Saienko060481c2018-03-23 14:29:13 +0200316 cinder:
317 controller:
318 controller:
319 barbican:
320 enabled: ${_param:barbican_integration_enabled}
321 identity:
322 protocol: https
323 osapi:
324 host: 127.0.0.1
325 glance:
326 protocol: https
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300327 database:
328 ssl:
329 enabled: ${_param:galera_ssl_enabled}
330 message_queue:
331 port: ${_param:rabbitmq_port}
332 ssl:
333 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200334 manila:
335 common:
336 identity:
337 protocol: https
Vasyl Saienko827d29d2018-03-29 13:13:27 +0300338 default_share_type: default
Vasyl Saienkoe43865c2018-03-30 22:00:39 +0300339 database:
340 ssl:
341 enabled: ${_param:galera_ssl_enabled}
342 message_queue:
343 port: ${_param:rabbitmq_port}
344 ssl:
345 enabled: ${_param:rabbitmq_ssl_enabled}
Vasyl Saienko060481c2018-03-23 14:29:13 +0200346 salt:
347 minion:
348 cert:
349 internal_proxy:
350 host: ${_param:salt_minion_ca_host}
351 authority: ${_param:salt_minion_ca_authority}
352 common_name: internal_proxy
353 signing_policy: cert_open
354 alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_public_host},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_local_address},DNS:${_param:cluster_public_host}
355 key_file: "/etc/ssl/private/internal_proxy.key"
356 cert_file: "/etc/ssl/certs/internal_proxy.crt"
357 all_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
358 haproxy:
359 proxy:
360 listen:
361 barbican-api:
362 type: ~
363 barbican-admin-api:
364 type: ~
365 designate_api:
366 type: ~
367 keystone_public_api:
368 type: ~
369 keystone_admin_api:
370 type: ~
371 manila_api:
372 type: ~
373 nova_api:
374 type: ~
375 nova_metadata_api:
376 type: ~
377 cinder_api:
378 type: ~
379 glance_api:
380 type: ~
381 glance_registry_api:
382 type: ~
383 heat_cloudwatch_api:
384 type: ~
385 heat_api:
386 type: ~
387 heat_cfn_api:
388 type: ~
389 neutron_api:
390 type: ~
391 placement_api:
392 type: ~