    Add support for encrypting backend Keystone HAProxy traffic · b475643c
    James Kirsch authored
    This patch introduces optional backend encryption for the Keystone
    service. When used in conjunction with TLS for the service API
    endpoints, network communication is encrypted end to end, from the
    client through HAProxy to the Keystone service.
    
    Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
    Partially-Implements: blueprint add-ssl-internal-network
globals-default.j2 3.92 KiB
---
# CI globals.yml template for kolla-ansible. Every templated value is quoted
# so that an empty expansion or a value such as "yes"/"no" stays a string
# instead of being coerced to null/boolean by YAML.
{% if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' %}
# Force the use of python2 on CentOS7 remote hosts. This is necessary for
# delegate_to: localhost, which will otherwise use the local python interpreter
# (python3).  On CentOS 7, that fails due to a lack of python3 bindings for
# SELinux.  https://bugs.centos.org/view.php?id=16389
ansible_python_interpreter: /usr/bin/python2
{% endif %}

kolla_base_distro: "{{ base_distro }}"
kolla_install_type: "{{ install_type }}"
network_interface: "{{ api_interface_name }}"
network_address_family: "{{ address_family }}"
# Quoted on purpose: a bare `no` is YAML 1.1 boolean false.
docker_restart_policy: "no"
# NOTE(review): `debug: true` enables verbose docker daemon logging; fine for
# CI, but it should not be carried over into a real deployment's globals.yml.
docker_custom_config:
  debug: true
  registry-mirrors:
    - {{ infra_dockerhub_mirror }}

# Use a random router id, otherwise it may result in the same router id
# in the CI gate. The value is re-drawn on every templating run, so it is
# only stable within one deployment.
keepalived_virtual_router_id: "{{ 250 | random(1) }}"

# MariaDB/Galera - fine tune gmcast.peer_timeout
mariadb_wsrep_extra_provider_options:
  - "gmcast.peer_timeout=PT15S"

# Core service toggles, driven by the CI job variables.
enable_openstack_core: "{{ openstack_core_enabled }}"
enable_horizon: "{{ dashboard_enabled }}"
enable_heat: "{{ openstack_core_tested }}"

{% if scenario != 'bifrost' %}
kolla_internal_vip_address: "{{ kolla_internal_vip_address }}"
neutron_external_interface: "{{ neutron_external_interface_name }}"
# CI-only settings: debug logging is verbose and can put request details into
# the logs; a single worker keeps the small CI nodes responsive. Both are
# quoted strings, as elsewhere in this file, not YAML booleans/ints.
openstack_logging_debug: "True"
openstack_service_workers: "1"
{% endif %}

# Image source: when this job builds its own images (and is not first
# deploying the previous release), pull from the CI-local registry on
# primary:4000; otherwise use the published images from Docker Hub.
{% if need_build_image and not is_previous_release %}
# NOTE(Jeffrey4l): use a different docker namespace name in case it pulls images from hub.docker.io when deploying
docker_namespace: "lokolla"
# NOTE(yoctozepto): use hostname or FQDN to be compatible between IPv4 and IPv6
# docker does not support referencing registry via an IPv6 address
# see: https://github.com/moby/moby/issues/39033
docker_registry: "primary:4000"
openstack_tag: "{{ build_image_tag }}"
{% else %}
# use docker hub images
docker_namespace: "kolla"
{% if need_build_image and is_previous_release %}
# NOTE(mgoddard): Ensure that the insecure local registry is trusted, since it
# will be the source of images during the upgrade.
# NOTE(yoctozepto): this is required here for CI because we run templating
# of docker systemd command only once
# NOTE(review): --insecure-registry lets docker pull from primary:4000 over
# plain HTTP or with an unverified certificate, so image integrity here rests
# on the CI network being private. Keep it confined to this CI upgrade path;
# never carry it into a real globals.yml.
docker_custom_option: "--insecure-registry primary:4000"
{% endif %}
{% if is_previous_release %}
openstack_release: "{{ previous_release }}"
{% endif %}
{% endif %}

# Per-scenario service toggles. `scenario` is supplied by the CI job; each
# branch only switches on the services that scenario exercises.
{% if scenario == "zun" %}
enable_zun: "yes"
enable_kuryr: "yes"
enable_etcd: "yes"
docker_configure_for_zun: "yes"
enable_cinder: "yes"
# lvm backup driver for cinder-backup does not exist
enable_cinder_backup: "no"
enable_cinder_backend_lvm: "yes"
{% endif %}

{% if scenario == "swift" %}
enable_swift: "yes"
{% endif %}

{% if scenario == "scenario_nfv" %}
enable_tacker: "yes"
enable_neutron_sfc: "yes"
enable_mistral: "yes"
enable_redis: "yes"
enable_barbican: "yes"
enable_heat: "yes"
{% endif %}

{% if scenario == "ironic" %}
enable_ironic: "yes"
# Address pool handed out by ironic's dnsmasq to nodes being provisioned.
ironic_dnsmasq_dhcp_range: "10.42.0.2,10.42.0.254"
{% endif %}

{% if scenario == "masakari" %}
enable_masakari: "yes"
{% endif %}

{% if scenario == "cells" %}
enable_cells: "yes"
{% endif %}

{% if scenario == "mariadb" %}
# Standalone MariaDB job: only the database and log shipping are deployed.
enable_chrony: "no"
enable_fluentd: "yes"
enable_mariadb: "yes"
enable_memcached: "no"
enable_rabbitmq: "no"
{% endif %}

{% if scenario == "ceph-ansible" %}
# kolla-ansible vars
enable_cinder: "yes"
# External Ceph
glance_backend_ceph: "yes"
cinder_backend_ceph: "yes"
nova_backend_ceph: "yes"
# Nova reuses the "cinder" Ceph user rather than getting one of its own.
ceph_nova_user: "cinder"
{% endif %}

{% if tls_enabled %}
# TLS on the external and internal API endpoints served by HAProxy, plus
# (kolla_enable_tls_backend) on the hop from HAProxy to the backend service,
# so client-to-service traffic is encrypted end to end. Values are quoted
# "yes" strings like every other toggle in this file.
kolla_enable_tls_external: "yes"
kolla_enable_tls_internal: "yes"
# Presumably installs the deployment CA into each container's trust store so
# in-container clients can verify the internal endpoint certificate.
kolla_copy_ca_into_containers: "yes"
kolla_enable_tls_backend: "yes"
# CA bundle for OpenStack clients on the host, placed per the distro's
# trust-store layout.
# NOTE(review): only ubuntu/debian/centos are handled; any other base_distro
# is left with openstack_cacert unset while TLS is on. Confirm whether the
# deploy then fails closed or silently skips verification before adding a
# distro to CI.
{% if base_distro == "ubuntu" or base_distro == "debian" %}
openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
{% endif %}
{% if base_distro == "centos" %}
openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
{% endif %}
{% endif %}

{% if scenario == 'linuxbridge' %}
# Swap the default ML2 agent for linuxbridge in this scenario.
neutron_plugin_agent: "linuxbridge"
{% endif %}