# Reclass classes for an OpenStack control node of the
# virtual-mcp-pike-dvr-ssl-barbican cluster model.
# Order is kept exactly as listed: reclass merges classes in list order, so
# reordering can change which value wins.
# The TLS-related pieces are the cert classes at the top plus
# service.rabbitmq.server.ssl, service.galera.ssl, system.apache.server.ssl and
# system.nginx.server.proxy.ssl.
classes:
- system.salt.minion.cert.proxy
- system.salt.minion.cert.mysql.server
- system.salt.minion.cert.rabbitmq_server
- system.linux.system.lowmem
- system.linux.system.repo.mcp.apt_mirantis.glusterfs
- system.linux.system.repo.mcp.apt_mirantis.openstack
- system.linux.system.repo.mcp.extra
- system.linux.system.repo.mcp.apt_mirantis.saltstack
- system.memcached.server.single
- system.rabbitmq.server.cluster
- service.rabbitmq.server.ssl
- system.rabbitmq.server.vhost.openstack
- system.apache.server.site.manila
- system.apache.server.site.barbican
- system.apache.server.site.nova-placement
- system.apache.server.site.cinder
- system.nginx.server.single
- system.nginx.server.proxy.openstack_api
- system.nginx.server.proxy.openstack.designate
- system.nginx.server.proxy.openstack.glance_registry
- system.keystone.server.wsgi
- system.keystone.server.cluster
- system.glusterfs.client.cluster
- system.glusterfs.client.volume.glance
- system.glusterfs.client.volume.keystone
- system.glusterfs.server.volume.glance
- system.glusterfs.server.volume.keystone
- system.glusterfs.server.cluster
- system.glance.control.cluster
- system.nova.control.cluster
- system.neutron.control.openvswitch.cluster
- system.cinder.control.cluster
- system.cinder.control.backend.lvm
- system.heat.server.cluster
- system.designate.server.cluster
- system.galera.server.cluster
- service.galera.ssl
- system.apache.server.ssl
- system.nginx.server.proxy.ssl
- system.galera.server.database.cinder
- system.galera.server.database.glance
- system.galera.server.database.heat
- system.galera.server.database.keystone
- system.galera.server.database.nova
- system.galera.server.database.designate
- system.galera.server.database.manila
- system.galera.server.database.aodh
- system.galera.server.database.panko
- system.galera.server.database.gnocchi
- system.galera.server.database.barbican
- system.dogtag.server.cluster
- system.barbican.server.cluster
- service.barbican.server.plugin.dogtag
- system.ceilometer.client
- system.ceilometer.client.cinder_volume
- system.ceilometer.client.neutron
- system.haproxy.proxy.listen.openstack.placement
- system.haproxy.proxy.listen.openstack.manila
- system.manila.control.cluster
- cluster.virtual-mcp-pike-dvr-ssl-barbican
# Node parameters for the control node: _param holds the interpolation
# values, the remaining top-level keys are per-service pillar overrides.
# NOTE(review): this listing came from a blame view that collapsed all
# indentation. The nesting below is reconstructed from key order and from the
# ${...} references; confirm it against the repository copy before reuse.
parameters:
  _param:
    keepalived_vip_interface: ens4
    salt_minion_ca_authority: salt_master_ca
    ### nginx ssl sites settings
    # nginx_proxy_ssl and apache_ssl point at the same key, certificate and
    # chain files, i.e. the internal_proxy certificate requested under
    # salt:minion:cert further down. Both web servers therefore share one
    # private key.
    nginx_proxy_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    apache_ssl:
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    # The nginx proxy listens on the cluster-local address and forwards to
    # API backends on loopback (the services below bind to 127.0.0.1).
    nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
    nginx_proxy_openstack_keystone_host: 127.0.0.1
    nginx_proxy_openstack_nova_host: 127.0.0.1
    nginx_proxy_openstack_glance_host: 127.0.0.1
    nginx_proxy_openstack_neutron_host: 127.0.0.1
    nginx_proxy_openstack_heat_host: 127.0.0.1
    nginx_proxy_openstack_designate_host: 127.0.0.1
    apache_manila_api_address: ${_param:single_address}
    apache_keystone_api_host: ${_param:single_address}
    apache_barbican_api_address: ${_param:cluster_local_address}
    apache_barbican_api_host: ${_param:single_address}
    apache_nova_placement_api_address: ${_param:cluster_local_address}
    # NOTE(review): this and every dogtag_pki_* / ldap_* password in this file
    # is the same literal value committed in clear text. Dogtag is the secret
    # store behind Barbican here (store_plugin: dogtag_crypto), so these
    # credentials guard the key store itself. For anything other than a
    # disposable lab, supply distinct values from a secrets backend instead.
    barbican_dogtag_nss_password: workshop
    barbican_dogtag_host: ${_param:cluster_vip_address}
    apache_cinder_api_address: ${_param:cluster_local_address}
    # Dogtag listens on 8443 and cannot be bound to a specific IP. In this
    # setup Dogtag is installed on the ctl nodes, so the haproxy side uses a
    # different port to avoid a bind conflict.
    # NOTE(review): that implies 8443 is open on every interface of the ctl
    # nodes; restrict it with host firewalling if that is not intended.
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_master_host: ctl01.${linux:system:domain}
    dogtag_pki_admin_password: workshop
    dogtag_pki_client_database_password: workshop
    dogtag_pki_client_pkcs12_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_token_password: workshop
    dogtag_pki_security_domain_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop
  # TLS for the message bus is switched by rabbitmq_ssl_enabled, which is
  # defined outside this file.
  rabbitmq:
    server:
      ssl:
        enabled: ${_param:rabbitmq_ssl_enabled}
  # These three nginx proxy sites are switched off on this node.
  nginx:
    server:
      site:
        nginx_proxy_openstack_api_keystone:
          enabled: false
        nginx_proxy_openstack_api_keystone_private:
          enabled: false
        nginx_proxy_openstack_api_cinder:
          enabled: false
  linux:
    system:
      package:
        python-msgpack:
          # NOTE(review): "latest" is unpinned; the installed version is
          # whatever the configured repositories serve at run time.
          version: latest
    network:
      interface:
        ens4:
          enabled: true
          type: eth
          proto: static
          address: ${_param:single_address}
          netmask: 255.255.255.0
  keepalived:
    cluster:
      instance:
        VIP:
          virtual_router_id: 150
  dogtag:
    server:
      ldap_hostname: ${linux:network:fqdn}
      # Same clear-text literal as the dogtag_pki_* passwords in _param.
      ldap_dn_password: workshop
      ldap_admin_password: workshop
      export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
  # TODO: drop this once reclass is bumped; this part is missing in the
  # current version.
  apache:
    server:
      site:
        barbican_admin:
          host:
            address: ${_param:apache_barbican_api_address}
            name: ${_param:apache_barbican_api_host}
            port: 9312
          log:
            # Access and error output go to the same log file.
            custom:
              format: 'combined'
              file: '/var/log/barbican/barbican-api.log'
            error:
              enabled: true
              file: '/var/log/barbican/barbican-api.log'
  barbican:
    server:
      enabled: true
      # The Dogtag admin certificate is fetched through the Salt mine from
      # the Dogtag master minion.
      dogtag_admin_cert:
        engine: mine
        minion: ${_param:dogtag_master_host}
      ks_notifications_enable: True
      store:
        software:
          store_plugin: dogtag_crypto
          global_default: True
      plugin:
        dogtag:
          # Barbican talks to Dogtag through the haproxy port, not 8443.
          port: ${_param:haproxy_dogtag_bind_port}
      # Database and message-queue TLS follow galera_ssl_enabled and
      # rabbitmq_ssl_enabled, both defined outside this file. The same
      # pattern repeats for each service below.
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  keystone:
    server:
      admin_email: ${_param:admin_email}
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  designate:
    pool_manager:
      enabled: ${_param:designate_pool_manager_enabled}
      periodic_sync_interval: ${_param:designate_pool_manager_periodic_sync_interval}
    server:
      identity:
        protocol: https
      bind:
        api:
          address: 127.0.0.1
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      backend:
        pdns4:
          api_token: ${_param:designate_pdns_api_key}
          api_endpoint: ${_param:designate_pdns_api_endpoint}
      mdns:
        address: ${_param:designate_mdns_address}
        port: ${_param:designate_mdns_port}
      pools:
        default:
          description: 'test pool'
          targets:
            default:
              description: 'test target1'
            default1:
              type: ${_param:designate_pool_target_type}
              description: 'test target2'
              masters: ${_param:designate_pool_target_masters}
              options:
                host: ${_param:openstack_dns_node02_address}
                port: 53
                # NOTE(review): the endpoint is plain http, so the api_token
                # on the next line travels to the PowerDNS API unencrypted.
                api_endpoint: "http://${_param:openstack_dns_node02_address}:${_param:powerdns_webserver_port}"
                api_token: ${_param:designate_pdns_api_key}
      quota:
        zones: ${_param:designate_quota_zones}
  glance:
    server:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      storage:
        engine: file
      images: []
      workers: 1
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      registry:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  heat:
    server:
      bind:
        api:
          address: 127.0.0.1
        api_cfn:
          address: 127.0.0.1
        api_cloudwatch:
          address: 127.0.0.1
      identity:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      # Since we are using a self-signed cert that is not present in images,
      # we have to use the insecure option when sending a signal to the wait
      # condition from an instance.
      # NOTE(review): with insecure set, the heat client does not verify the
      # endpoint certificate. Adding the CA certificate to the images would
      # allow this override to be dropped.
      clients:
        heat:
          insecure: true
  neutron:
    server:
      bind:
        address: 127.0.0.1
      identity:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  nova:
    controller:
      networking: dvr
      cpu_allocation: 54
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      metadata:
        password: ${_param:metadata_password}
        # NOTE(review): "bind:" appears twice in a row in the listing; the
        # first is rendered here under metadata — confirm.
        bind:
          address: ${_param:cluster_local_address}
      bind:
        public_address: ${_param:cluster_vip_address}
        novncproxy_port: 6080
        private_address: 127.0.0.1
      identity:
        protocol: https
      network:
        protocol: https
      glance:
        protocol: https
      # NOTE(review): the console URL is plain http while identity, network
      # and glance use https on this node. Console sessions are not
      # TLS-protected unless something in front terminates TLS — confirm.
      vncproxy_url: http://${_param:cluster_vip_address}:6080
      workers: 1
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
      notification:
        notify_on:
          state_change: vm_and_task_state
  cinder:
    # NOTE(review): "controller:" appears twice in a row in the listing. The
    # flattened view does not show whether the second is nested under the
    # first or is a duplicate key at the same level. It is rendered here as a
    # duplicate, where the last one wins in most parsers — confirm against
    # the repository and drop the extra line.
    controller:
    controller:
      barbican:
        enabled: ${_param:barbican_integration_enabled}
      identity:
        protocol: https
      osapi:
        host: 127.0.0.1
      glance:
        protocol: https
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  manila:
    common:
      identity:
        protocol: https
      default_share_type: default
      database:
        ssl:
          enabled: ${_param:galera_ssl_enabled}
      message_queue:
        port: ${_param:rabbitmq_port}
        ssl:
          enabled: ${_param:rabbitmq_ssl_enabled}
  salt:
    minion:
      cert:
        # Certificate request for the shared internal_proxy key pair used by
        # nginx_proxy_ssl and apache_ssl in _param.
        internal_proxy:
          host: ${_param:salt_minion_ca_host}
          authority: ${_param:salt_minion_ca_authority}
          common_name: internal_proxy
          # NOTE(review): cert_open is defined on the CA side and is not
          # visible here; presumably a permissive signing policy — confirm
          # which minions and extensions it allows.
          signing_policy: cert_open
          # One certificate covers loopback plus the cluster-local and public
          # addresses, both as IP and as DNS subjectAltName entries.
          alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_public_host},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_local_address},DNS:${_param:cluster_public_host}
          key_file: "/etc/ssl/private/internal_proxy.key"
          cert_file: "/etc/ssl/certs/internal_proxy.crt"
          all_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
  haproxy:
    proxy:
      listen:
        # type is set to null for every listener below; presumably this
        # overrides the listener definitions inherited from the included
        # classes so that nginx/apache front these APIs instead — confirm
        # against the haproxy formula.
        barbican-api:
          type: ~
        barbican-admin-api:
          type: ~
        designate_api:
          type: ~
        keystone_public_api:
          type: ~
        keystone_admin_api:
          type: ~
        manila_api:
          type: ~
        nova_api:
          type: ~
        nova_metadata_api:
          type: ~
        cinder_api:
          type: ~
        glance_api:
          type: ~
        glance_registry_api:
          type: ~
        heat_cloudwatch_api:
          type: ~
        heat_api:
          type: ~
        heat_cfn_api:
          type: ~
        neutron_api:
          type: ~
        placement_api:
          type: ~
395 type: ~