3daded6242
TLS can be used to encrypt and authenticate the connection with OpenStack endpoints. This patch provides the necessary parameters and changes the resulting service configurations to enable TLS for the Kolla deployed OpenStack cloud. The new input parameters are: kolla_enable_tls_external: "yes" or "no" (default is "no") kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem" kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt" Implements: blueprint kolla-ssl Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
162 lines
6.1 KiB
Django/Jinja
162 lines
6.1 KiB
Django/Jinja
# nova.conf
|
|
[DEFAULT]
|
|
debug = {{ nova_logging_debug }}
|
|
|
|
log_dir = /var/log/kolla/nova
|
|
use_forwarded_for = true
|
|
|
|
api_paste_config = /etc/nova/api-paste.ini
|
|
state_path = /var/lib/nova
|
|
|
|
{% if kolla_enable_tls_external | bool %}
|
|
secure_proxy_ssl_header = X-Forwarded-Proto
|
|
{% endif %}
|
|
|
|
osapi_compute_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
osapi_compute_listen_port = {{ nova_api_port }}
|
|
|
|
metadata_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
metadata_listen_port = {{ nova_metadata_port }}
|
|
|
|
ec2_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
ec2_listen_port = {{ nova_api_ec2_port }}
|
|
|
|
|
|
security_group_api = neutron
|
|
network_api_class = nova.network.neutronv2.api.API
|
|
firewall_driver = nova.virt.firewall.NoopFirewallDriver
|
|
|
|
{% if neutron_plugin_agent == "openvswitch" %}
|
|
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
|
|
{% elif neutron_plugin_agent == "linuxbridge" %}
|
|
linuxnet_interface_driver = nova.network.linux_net.BridgeInterfaceDriver
|
|
{% endif %}
|
|
|
|
allow_resize_to_same_host = true
|
|
|
|
{% if enable_ironic | bool %}
|
|
scheduler_host_manager = nova.scheduler.ironic_host_manager.IronicHostManager
|
|
{% endif %}
|
|
|
|
{% if service_name == "nova-compute-ironic" %}
|
|
compute_driver = nova.virt.ironic.IronicDriver
|
|
vnc_enabled = False
|
|
ram_allocation_ratio = 1.0
|
|
reserved_host_memory_mb = 0
|
|
{% elif enable_nova_fake | bool %}
|
|
scheduler_default_filters = RetryFilter,AvailabilityZoneFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter
|
|
host = {{ ansible_hostname }}_{{ item }}
|
|
compute_driver = fake.FakeDriver
|
|
{% else %}
|
|
compute_driver = libvirt.LibvirtDriver
|
|
{% endif %}
|
|
|
|
memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
|
|
|
|
|
# Though my_ip is not used directly, lots of other variables use $my_ip
|
|
my_ip = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
|
|
{% if nova_console == 'novnc' %}
|
|
novncproxy_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
novncproxy_port = {{ nova_novncproxy_port }}
|
|
[vnc]
|
|
vncserver_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
vncserver_proxyclient_address = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
{% if inventory_hostname in groups['compute'] %}
|
|
novncproxy_base_url = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ nova_novncproxy_port }}/vnc_auto.html
|
|
{% endif %}
|
|
{% elif nova_console == 'spice' %}
|
|
[vnc]
|
|
# We have to turn off vnc to use spice
|
|
enabled = false
|
|
[spice]
|
|
server_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
server_proxyclient_address = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
{% if inventory_hostname in groups['compute'] %}
|
|
html5proxy_base_url = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ nova_spicehtml5proxy_port }}/spice_auto.html
|
|
{% endif %}
|
|
html5proxy_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
|
html5proxy_port = {{ nova_spicehtml5proxy_port }}
|
|
{% endif %}
|
|
|
|
{% if service_name == "nova-compute-ironic" %}
|
|
[ironic]
|
|
admin_username = {{ ironic_keystone_user }}
|
|
admin_password = {{ ironic_keystone_password }}
|
|
admin_url = {{ openstack_auth.auth_url }}
|
|
admin_tenant_name = service
|
|
api_endpoint = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ ironic_api_port }}/v1
|
|
{% endif %}
|
|
|
|
[oslo_messaging_rabbit]
|
|
rabbit_userid = {{ rabbitmq_user }}
|
|
rabbit_password = {{ rabbitmq_password }}
|
|
rabbit_ha_queues = true
|
|
rabbit_hosts = {% for host in groups['rabbitmq'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
|
|
|
[oslo_concurrency]
|
|
lock_path = /var/lib/nova/tmp
|
|
|
|
[glance]
|
|
{% if enable_ceph | bool %}
|
|
host = {{ kolla_internal_fqdn }}
|
|
port = {{ glance_api_port }}
|
|
{% else %}
|
|
api_servers = {% for host in groups['glance-api'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
|
|
|
num_retries = {{ groups['glance-api'] | length }}
|
|
{% endif %}
|
|
|
|
[cinder]
|
|
catalog_info = volume:cinder:internalURL
|
|
|
|
[neutron]
|
|
url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ neutron_server_port }}
|
|
auth_strategy = keystone
|
|
metadata_proxy_shared_secret = {{ metadata_secret }}
|
|
service_metadata_proxy = true
|
|
|
|
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
|
|
auth_plugin = password
|
|
project_domain_name = default
|
|
user_domain_id = default
|
|
project_name = service
|
|
username = {{ neutron_keystone_user }}
|
|
password = {{ neutron_keystone_password }}
|
|
|
|
[database]
|
|
connection = mysql+pymysql://{{ nova_database_user }}:{{ nova_database_password }}@{{ nova_database_address }}/{{ nova_database_name }}
|
|
|
|
[api_database]
|
|
connection = mysql+pymysql://{{ nova_api_database_user }}:{{ nova_api_database_password }}@{{ nova_api_database_address }}/{{ nova_api_database_name }}
|
|
|
|
[keystone_authtoken]
|
|
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
|
|
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
|
|
auth_type = password
|
|
project_domain_id = default
|
|
user_domain_id = default
|
|
project_name = service
|
|
username = {{ nova_keystone_user }}
|
|
password = {{ nova_keystone_password }}
|
|
|
|
[libvirt]
|
|
connection_uri = "qemu+tcp://{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}/system"
|
|
{% if enable_ceph | bool %}
|
|
images_type = rbd
|
|
images_rbd_pool = {{ ceph_nova_pool_name }}
|
|
images_rbd_ceph_conf = /etc/ceph/ceph.conf
|
|
rbd_user = nova
|
|
rbd_secret_uuid = {{ rbd_secret_uuid }}
|
|
disk_cachemodes="network=writeback"
|
|
live_migration_flag="VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_PERSIST_DEST,VIR_MIGRATE_TUNNELLED"
|
|
hw_disk_discard = unmap
|
|
{% endif %}
|
|
|
|
[upgrade_levels]
|
|
compute = auto
|
|
|
|
[oslo_messaging_notifications]
|
|
driver = noop
|