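# Default `_param` values shared by the OpenStack service classes.
# Most service-specific parameters (cinder_*, nova_*, ...) inherit the
# openstack_* defaults through ${_param:...} interpolation, so changing a
# default here changes every service that has not been overridden.
parameters:
  _param:
    # Enable barbican integration in other services nova,glance,cinder
    barbican_integration_enabled: false
    # General
    # Only the public endpoints default to HTTPS; internal endpoints default
    # to plain HTTP. Override cluster_internal_protocol where traffic on the
    # internal network must be encrypted.
    cluster_public_protocol: https
    cluster_internal_protocol: http
    openstack_service_hostname: os-ctl-vip
    openstack_share_service_hostname: os-share-vip
    openstack_kmn_service_hostname: os-kmn-vip
    openstack_telemetry_service_hostname: os-telemetry-vip
    openstack_service_host: ${_param:openstack_service_hostname}.${linux:system:domain}
    openstack_share_service_host: ${_param:openstack_share_service_hostname}.${linux:system:domain}
    openstack_kmn_service_host: ${_param:openstack_kmn_service_hostname}.${linux:system:domain}
    openstack_telemetry_service_host: ${_param:openstack_telemetry_service_hostname}.${linux:system:domain}
    openstack_service_user_enabled: true
    openstack_telemetry_redis_db: '0'
    openstack_telemetry_redis_sentinel_mastername: 'master_1'
    # SSL
    # TLS/x509 for the ceilometer agent, MySQL and RabbitMQ is off by default.
    ceilometer_agent_ssl_enabled: false
    openstack_mysql_x509_enabled: false
    # for non-ssl use 5672 / for ssl 5671
    # NOTE(review): when openstack_rabbitmq_x509_enabled is turned on, the
    # port presumably has to be switched to 5671 in the same override; confirm
    # against the consuming formula.
    openstack_rabbitmq_port: 5672
    openstack_rabbitmq_x509_enabled: false
    # Openstack memcache
    # memcached listens on all interfaces by default while
    # openstack_memcache_security_enabled is false, so cached data is neither
    # authenticated nor encrypted on the wire. Restrict the bind address to
    # the management network (or filter the port) in the cluster model.
    # Every <service>_memcache_secret_key below defaults to an empty string:
    # set a non-empty key per service in an override, kept out of version
    # control, before enabling openstack_memcache_security_enabled.
    openstack_memcached_server_bind_address: '0.0.0.0'
    openstack_memcache_security_enabled: false
    openstack_memcache_security_strategy: 'ENCRYPT'
    # Only the TCP listener is enabled; the UDP listener stays off.
    openstack_memcached_proto_tcp_enabled: true
    openstack_memcached_proto_udp_enabled: false
    openstack_version: queens
    openstack_old_version: ${_param:openstack_version}
    openstack_upgrade_enabled: false
    # Security compliance user options
    # These options exempt service users from the security-compliance
    # password rules: forced change on first use, password expiry and lockout
    # after failed attempts. Because expiry and lockout do not apply, service
    # account passwords should be long random values that are rotated by the
    # operator.
    openstack_service_user_options:
      ignore_change_password_upon_first_use: true
      ignore_password_expiry: true
      ignore_lockout_failure_attempts: true
      lock_password: false
    # Cinder
    cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    cinder_memcache_secret_key: ''
    cinder_old_version: ${_param:openstack_old_version}
    cinder_version: ${_param:openstack_version}
    cinder_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    cinder_service_user_enabled: ${_param:openstack_service_user_enabled}
    cinder_image_conversion_dir_path: /var/tmp/cinder/conversion
    # Nova
    nova_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    nova_memcache_secret_key: ''
    nova_old_version: ${_param:openstack_old_version}
    nova_version: ${_param:openstack_version}
    nova_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    nova_instance_build_timeout: 3600
    nova_service_user_enabled: ${_param:openstack_service_user_enabled}
    # Glance
    glance_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    glance_memcache_secret_key: ''
    glance_old_version: ${_param:openstack_old_version}
    glance_version: ${_param:openstack_version}
    glance_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Allow CORS from horizon, needed for direct upload
    # The allowed origin is the single Horizon public URL, not a wildcard.
    glance_cors_allowed_origin: '${_param:horizon_public_protocol}://${_param:horizon_public_host}'
    # Heat
    heat_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    heat_memcache_secret_key: ''
    heat_old_version: ${_param:openstack_old_version}
    heat_version: ${_param:openstack_version}
    heat_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Aodh
    aodh_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    aodh_memcache_secret_key: ''
    aodh_old_version: ${_param:openstack_old_version}
    aodh_version: ${_param:openstack_version}
    aodh_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    aodh_redis_db: ${_param:openstack_telemetry_redis_db}
    aodh_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
    # Ceilometer
    ceilometer_old_version: ${_param:openstack_old_version}
    ceilometer_version: ${_param:openstack_version}
    ceilometer_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    ceilometer_gnocchi_archive_policy: default
    ceilometer_redis_db: ${_param:openstack_telemetry_redis_db}
    ceilometer_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
    # Gnocchi
    gnocchi_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    gnocchi_memcache_secret_key: ''
    # Quoted so the version stays a string like the other *_version values;
    # an unquoted 4.0 is loaded as a float.
    gnocchi_version: '4.0'
    gnocchi_old_version: ${_param:gnocchi_version}
    gnocchi_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    gnocchi_redis_db: ${_param:openstack_telemetry_redis_db}
    gnocchi_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
    # Panko
    panko_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    panko_memcache_secret_key: ''
    panko_old_version: ${_param:openstack_old_version}
    panko_version: ${_param:openstack_version}
    panko_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Barbican
    barbican_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    barbican_memcache_secret_key: ''
    barbican_old_version: ${_param:openstack_old_version}
    barbican_version: ${_param:openstack_version}
    barbican_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Designate
    designate_old_version: ${_param:openstack_old_version}
    designate_version: ${_param:openstack_version}
    designate_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Ironic
    ironic_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
    ironic_memcache_secret_key: ''
    ironic_console_enabled: true
    ironic_old_version: ${_param:openstack_old_version}
    ironic_version: ${_param:openstack_version}
    ironic_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Keystone
    keystone_old_version: ${_param:openstack_old_version}
    keystone_version: ${_param:openstack_version}
    keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # (obryndzii) Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys``
    # set too low, will cause tokens to become invalid prior to their expiration.
    # As tokens may be fetched beyond their initial expiration period (nova live migration,
    # cinder volume backup), keys should not be fully rotated within the period of
    # ``[token] expiration``+``[token] allow_expired_window`` seconds to prevent the tokens
    # becoming unavailable.
    # The max_active_keys default value was adjusted according to the following defaults:
    # [token]/allow_expired_window = 172800 (48 hours)
    # [token]/expiration = 3600 (1 hour)
    # rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour 0 *)
    # max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
    # With the defaults above: (172800 + 3600) / 3600 + 2 = 51.
    # In case of changing those defaults the keystone_tokens_max_active_keys value should be
    # calculated according to the definition above.
    keystone_tokens_expiration: 3600
    keystone_tokens_max_active_keys: 51
    keystone_tokens_allow_expired_window: 172800
    keystone_fernet_rotate_rsync_minute: 0
    keystone_fernet_rotate_rsync_hour: '*'
    # Manila
    manila_old_version: ${_param:openstack_old_version}
    manila_version: ${_param:openstack_version}
    manila_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Neutron
    neutron_old_version: ${_param:openstack_old_version}
    neutron_version: ${_param:openstack_version}
    neutron_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Apache mods defaults
    # Stacklight uses /server-status endpoint to monitor apache
    # The status host is bound to loopback, so /server-status is served only
    # to local clients; keep it that way when overriding the address.
    apache_mods_status_enabled: true
    apache_mods_status_status: 'enabled'
    apache_mods_status_host_address: '127.0.0.1'
    apache_mods_status_host_port: 80
    # Horizon's Apache listens on all interfaces by default.
    apache_horizon_listen_address: '0.0.0.0'
    # Apache proxies for openstack aren't used as HA proxies, they are
    # simply ssl terminators in case of setup of ssl on internal endpoints
    # for services which don't support running under apache and wsgi.
    # So retry parameter is set 0, to eliminate maintenance mode for backend
    # which is 60 seconds by default.
    apache_proxy_openstack_api_retry: 0
    apache_proxy_openstack_cinder_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_designate_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_glance_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_heat_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_ironic_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_nova_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_neutron_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_aodh_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_placement_retry: ${_param:apache_proxy_openstack_api_retry}
    apache_proxy_openstack_octavia_retry: ${_param:apache_proxy_openstack_api_retry}
    # Formats for logs for openstack apache sites
    # The backslashes are literal inside a folded block scalar and reach the
    # Apache LogFormat directive unchanged.
    apache_site_openstack_api_log_format: >-
      %v:%p %h %l %u %t \"%r\" %>s %D %O \"%{Referer}i\" \"%{User-Agent}i\"
    apache_site_openstack_aodh_log_format: ${_param:apache_site_openstack_api_log_format}
    apache_site_openstack_barbican_log_format: ${_param:apache_site_openstack_api_log_format}
    apache_site_openstack_cinder_log_format: ${_param:apache_site_openstack_api_log_format}
    apache_site_openstack_gnocchi_log_format: ${_param:apache_site_openstack_api_log_format}
    # Horizon additionally logs the X-Forwarded-For request header. That
    # header is client-supplied unless a trusted proxy sets it, so %h (the
    # directly connected peer) is logged next to it and should be the value
    # relied on when the two disagree.
    apache_site_openstack_horizon_log_format: >-
      %v:%p %{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %D %O \"%{Referer}i\" \"%{User-Agent}i\"
    apache_site_openstack_manila_log_format: ${_param:apache_site_openstack_api_log_format}
    apache_site_openstack_placement_log_format: ${_param:apache_site_openstack_api_log_format}
    apache_site_openstack_panko_log_format: ${_param:apache_site_openstack_api_log_format}
    # Horizon
    # 'direct' mode will require cors on glance side to be enabled.
    horizon_images_upload_mode: 'direct'
    # TODO (vsaineko): switch to openstack_cluster_public_host
    horizon_public_host: ${_param:cluster_public_host}
    horizon_public_port: 443
    horizon_public_protocol: https
    horizon_server_bind_address: ${_param:single_address}
    horizon_old_version: ${_param:openstack_old_version}
    horizon_version: ${_param:openstack_version}
    horizon_upgrade_enabled: ${_param:openstack_upgrade_enabled}
    # Octavia
    # NOTE(review): hard-coded health manager addresses; presumably meant to
    # be overridden per deployment. Confirm against the cluster model.
    octavia_health_manager_node01_address: 192.168.10.10
    octavia_health_manager_node02_address: 192.168.10.11
    octavia_health_manager_node03_address: 192.168.10.12
    # Octavia amphora image
    # NOTE(review): no checksum parameter for the downloaded image is defined
    # in this file; confirm where the image's integrity is verified and that
    # mcp_static_images_url points at an HTTPS source.
    amphora_image_name: amphora-x64-haproxy
    amphora_image_url: ${_param:mcp_static_images_url}/octavia/amphora-x64-haproxy-${_param:openstack_version}-${_param:mcp_version}.qcow2
    # HAproxy
    haproxy_openstack_web_bind_port: ${_param:horizon_public_port}
    #
    # haproxy_openstack_web_sticks_params is defined for SSL by default
    # if the cluster protocol is HTTP then haproxy_openstack_web_sticks_params
    # should be redefined properly. For example empty list.
    #
    # The rules below inspect the TLS client/server hello messages and stick
    # on a value read from them (presumably the TLS session ID), which is why
    # they do not apply to plain HTTP traffic.
    haproxy_openstack_web_sticks_params:
      - stick-table type binary len 32 size 30k expire 30m
      - acl clienthello req_ssl_hello_type 1
      - acl serverhello rep_ssl_hello_type 2
      - tcp-request inspect-delay 5s
      - tcp-request content accept if clienthello
      - tcp-response content accept if serverhello
      - stick on payload_lv(43,1) if clienthello
      - stick store-response payload_lv(43,1) if serverhello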