Add TLS support for backend Neutron API Server communication using HAProxy to perform TLS termination. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Neutron service. Change-Id: Ib333a1f1bd12491df72a9e52d961161210e2d330 Partially-Implements: blueprint add-ssl-internal-network
219 lines
6.6 KiB
219 lines
6.6 KiB
# neutron.conf
debug = {{ neutron_logging_debug }}
log_dir = /var/log/kolla/neutron
# NOTE(elemoine): set use_stderr to False or the logs will also be sent to
# stderr and collected by Docker
use_stderr = False
{% if neutron_enable_tls_backend | bool %}
bind_host =
{% else %}
bind_host = {{ api_interface_address }}
{% endif %}
bind_port = {{ neutron_server_listen_port }}
api_paste_config = /usr/share/neutron/api-paste.ini
api_workers = {{ openstack_service_workers }}
metadata_workers = {{ openstack_service_workers }}
rpc_workers = {{ openstack_service_rpc_workers }}
rpc_state_report_workers = {{ openstack_service_rpc_workers }}
# NOTE(SamYaple): We must specify this value here rather than the metadata conf
# because it is used by the l3 and dhcp agents. The reason the path has 'kolla'
# in it is because we are sharing this socket in a volume which is it's own dir
metadata_proxy_socket = /var/lib/neutron/kolla/metadata_proxy
{% if neutron_plugin_agent == "openvswitch" %}
interface_driver = openvswitch
{% elif neutron_plugin_agent == "linuxbridge" %}
interface_driver = linuxbridge
{% endif %}
{% if enable_nova_fake | bool %}
ovs_integration_bridge = br-int-{{ item }}
host = {{ ansible_hostname }}_{{ item }}
{% endif %}
allow_overlapping_ips = true
{% if neutron_plugin_agent == 'vmware_nsxv' %}
core_plugin = vmware_nsx.plugin.NsxVPlugin
{% elif neutron_plugin_agent == 'vmware_nsxv3' %}
core_plugin = vmware_nsx.plugin.NsxV3Plugin
dhcp_agent_notification = False
{% elif neutron_plugin_agent == 'vmware_dvs' %}
core_plugin = vmware_nsx.plugin.NsxDvsPlugin
{% else %}
core_plugin = ml2
service_plugins = {{ neutron_service_plugins|map(attribute='name')|join(',') }}
{% endif %}
{% if enable_neutron_agent_ha | bool %}
dhcp_agents_per_network = {{ dhcp_agents_per_network }}
l3_ha = true
max_l3_agents_per_router = {{ max_l3_agents_per_router }}
{% endif %}
transport_url = {{ rpc_transport_url }}
{% if enable_neutron_dvr | bool %}
router_distributed = True
{% endif %}
{% if enable_designate | bool %}
dns_domain = {{ designate_ns_record }}.
external_dns_driver = designate
{% if neutron_plugin_agent == 'vmware_nsxv' %}
nsx_extension_drivers = vmware_nsxv_dns
{% elif neutron_plugin_agent == 'vmware_nsxv3' %}
nsx_extension_drivers = vmware_nsxv3_dns
{% elif neutron_plugin_agent == 'vmware_dvs' %}
nsx_extension_drivers = vmware_dvs_dns
{% endif %}
{% endif %}
ipam_driver = {{ neutron_ipam_driver }}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
region_name = {{ openstack_region_name }}
project_name = service
username = {{ nova_keystone_user }}
password = {{ nova_keystone_password }}
endpoint_type = internal
cafile = {{ openstack_cacert }}
enable_proxy_headers_parsing = True
lock_path = /var/lib/neutron/tmp
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
connection = mysql+pymysql://{{ neutron_database_user }}:{{ neutron_database_password }}@{{ neutron_database_address }}/{{ neutron_database_name }}
connection_recycle_time = {{ database_connection_recycle_time }}
max_pool_size = {{ database_max_pool_size }}
max_retries = -1
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ neutron_keystone_user }}
password = {{ neutron_keystone_password }}
cafile = {{ openstack_cacert }}
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
# Workaround for https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
memcache_use_advanced_pool = True
transport_url = {{ notify_transport_url }}
{% if neutron_enabled_notification_topics %}
driver = messagingv2
topics = {{ neutron_enabled_notification_topics | map(attribute='name') | join(',') }}
{% else %}
driver = noop
{% endif %}
{% if om_enable_rabbitmq_tls | bool %}
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
{% if neutron_policy_file is defined %}
policy_file = {{ neutron_policy_file }}
{% endif %}
{% if enable_neutron_sfc | bool %}
drivers = ovs
drivers = ovs
{% endif %}
{% if enable_octavia | bool %}
base_url = {{ octavia_internal_endpoint }}
{% endif %}
{% if enable_designate | bool %}
url = {{ designate_internal_endpoint }}/v2
auth_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ designate_keystone_user }}
password = {{ designate_keystone_password }}
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
cafile = {{ openstack_cacert }}
{% endif %}
{% if enable_osprofiler | bool %}
enabled = true
trace_sqlalchemy = true
hmac_keys = {{ osprofiler_secret }}
connection_string = {{ osprofiler_backend_connection_string }}
{% endif %}
auth_type = password
auth_url = {{ keystone_admin_url }}
username = {{ placement_keystone_user }}
password = {{ placement_keystone_password }}
user_domain_name = {{ default_user_domain_name }}
project_name = service
project_domain_name = {{ default_project_domain_name }}
os_region_name = {{ openstack_region_name }}
os_interface = internal
cafile = {{ openstack_cacert }}
helper_command=sudo neutron-rootwrap /etc/neutron/rootwrap.conf privsep-helper
{% if enable_neutron_infoblox_ipam_agent | bool %}
keystone_admin_project_domain_id = {{ default_project_domain_id }}
keystone_admin_user_domain_id = {{ default_user_domain_id }}
keystone_admin_project_name = service
keystone_admin_username = {{ neutron_keystone_user }}
keystone_admin_password = {{ neutron_keystone_password }}
keystone_auth_uri = {{ keystone_internal_url }}
keystone_auth_version = v3
cloud_data_center_id = {{ infoblox_cloud_data_center_id }}
[infoblox-dc:{{ infoblox_cloud_data_center_id }}]
grid_master_host = {{ infoblox_grid_master_host }}
grid_master_name = {{ infoblox_grid_master_name }}
admin_user_name = {{ infoblox_admin_user_name }}
admin_password = {{ infoblox_admin_password }}
wapi_version = {{ infoblox_wapi_version }}
wapi_max_results = {{ infoblox_wapi_max_results }}
{% endif %}