# Copyright 2017-2020 Canonical Ltd. All rights reserved.
#
# Foundation HyperConverged
#
# Juju bundle: OpenStack (cloud:bionic-ussuri) with Ceph, OVN, Octavia,
# Designate and Vault, placed on six bare-metal nodes plus three Vault KVMs.
#
# NOTE(review): this file carries several literal credentials
# (lb-mgmt-issuing-ca-key-passphrase, keystone-ldap ldap-password,
# openstack-dashboard secret). Treat them as lab placeholders: supply real
# values per deployment from a source that is not committed with the bundle.
series: bionic
variables:
  # NOTE(review): the aliases *worker-multiplier,
  # *mysql-innodb-buffer-pool-size, *mysql-wait-timeout, *mysql-connections
  # and *mysql-tuning-level are used under applications but no matching
  # anchor is defined in this section as shown; a YAML parser rejects an
  # undefined alias. Confirm whether their definitions were dropped.

  # https://wiki.ubuntu.com/OpenStack/CloudArchive
  # packages for an LTS release come in a form of SRUs
  # do not use cloud: for an LTS version as
  # installation hooks will fail. Example:
  openstack-origin: &openstack-origin cloud:bionic-ussuri
  openstack-region: &openstack-region RegionOne

  # !> Important virtual core ratio to use in the Nova scheduler.
  # Note: This option affects the whole cloud.
  # Increase it for achieving more density in the cloud.
  cpu-allocation-ratio: &cpu-allocation-ratio 16

  # Configure RAM allocation params for nova. For hyperconverged
  # nodes, we need to have plenty reserves for service containers,
  # Ceph OSDs, and swift-storage daemons. Those processes will not
  # only directly allocate RAM but also indirectly via pagecache, file
  # system caches, system buffers usage. Adjust for higher density
  # clouds, e.g. high OSD/host ratio or when running >2 service
  # containers/host adapt appropriately.
  reserved-host-memory: &reserved-host-memory 16384
  ram-allocation-ratio: &ram-allocation-ratio 1.0

  # Configure the bridge-interface-mappings by replacing FCE_TEMPLATE with the
  # correct value. Do not change 'br-data'. This port will be used by
  # ovn-chassis to provide connectivity to a physical network, therefore, do
  # not configure an IP address for this port in MAAS. You have two choices of
  # configuration:
  # 1) A raw bond interface for ovn-chassis,
  #    i.e: bridge-interface-mappings: br-data:bond0
  #         ovn-bridge-mappings: dcfabric:br-data
  #         flat-network-providers: #left intentionally blank
  #         vlan-ranges: dcfabric
  #    Note 1.1) No vlan range specified - only a physnet which means no vlan
  #    tenant networks and all vlan networks are provider networks created by
  #    admin user with a specific segmentation ID. Physnets correspond to
  #    fabrics in MAAS. Each fabric has its own set of independent VLANs
  #    from 1-4094.
  #    Note 1.2) Allows for dynamic addition of vlan provider networks
  #    Note 1.3) For Neutron-API, make sure that the vlan-ranges matches.
  # 2) flat provider networks with bonds for the data-port,
  #    i.e: bridge-interface-mappings: br-100:bond0.100 br-101:bond0.101
  #         ovn-bridge-mappings: physnetvlan100:br-100 physnetvlan101:br-101
  #         flat-network-providers: physnetvlan100 physnetvlan101
  #         vlan-ranges: '' #Charm default cleared
  #    Note 2.1) A VLAN port can be used here (e.g. configured via MAAS)
  #    but note that in this case a provider network must be
  #    configured as 'flat' not as 'VLAN' as there will
  #    be two 802.1q headers appended - one by the OVS itself and one
  #    by the kernel 802.1q module which will result in the lack of
  #    connectivity for no apparent reason.
  #    Note 2.2) This does not allow a dynamic addition of new provider networks
  #    with different VLANs.
  data-port: &data-port br-data:eth1
  bridge-mappings: &bridge-mappings physnet1:br-data
  flat-network-providers: &flat-network-providers ''
  vlan-ranges: &vlan-ranges physnet1

  # This is Management network, unrelated to OpenStack and other applications
  # OAM - Operations, Administration and Maintenance
  oam-space: &oam-space oam-space

  # This is OpenStack Admin network; for adminURL endpoints
  admin-space: &admin-space internal-space

  # This is OpenStack Public network; for publicURL endpoints
  public-space: &public-space public-space

  # DNS access space that should include DNS access VLANs separate
  # from public API VLANs, see lp:1804057
  dns-access-space: &dns-access-space oam-space

  # This is OpenStack Internal network; for internalURL endpoints
  internal-space: &internal-space internal-space

  # This is the overlay network
  overlay-space: &overlay-space internal-space

  # CEPH configuration
  # CEPH access network
  ceph-public-space: &ceph-public-space ceph-access-space

  # CEPH replication network
  ceph-cluster-space: &ceph-cluster-space ceph-replica-space

  # Workaround for 'only one default binding supported'
  oam-space-constr: &oam-space-constr spaces=oam-space
  ceph-access-constr: &ceph-access-constr spaces=ceph-access-space
  combi-access-constr: &combi-access-constr spaces=ceph-access-space,oam-space

  # CEPH OSD device
  osd-devices: &osd-devices /dev/disk/by-dname/bcache1

  # Customize-failure-domains is a dangerous option in the Ceph-MON and Ceph-OSD
  # charms. Never set this 'true' unless you have multiple zones configured in
  # MAAS which correlate to racks in the data center. Setting this option inappropriately
  # will result in a broken crush map but a valid Juju status which is both difficult
  # to diagnose and fix without a redeployment. #1764492
  customize-failure-domain: &customize-failure-domain True

  # Expected OSD count is total number of OSD disks that will be part of Ceph cluster.
  # Never set this number higher or much lower than the real number. 10-20% less than
  # actual number is acceptable
  expected-osd-count: &expected-osd-count 6
  expected-mon-count: &expected-mon-count 3

  # Baseline CPU model across the cloud.
  # On x86 the CPU model maps to a baseline CPUID mask, and the flags can be
  # used to then toggle bits in the mask on or off. When expanding nova-compute
  # services across a cloud that has multiple CPU models, it is required for
  # live-migration of VMs from newer cpu compute hosts to older cpu compute
  # hosts to determine and configure a baseline CPU model which will allow VMs
  # to migrate to any node in the cloud.
  # CPU model can be determined by executing
  # "virsh capabilities | awk '/<cpu>/,/<\/cpu>/' | awk '/<model>/,/<\/model>/'"
  # on each compute. Then, you'll need to find out the oldest CPU model in the
  # cloud by comparing outputs and replace the following config value with that.
  # For example, given "Broadwell-Server-IBRS" and "Skylake-Server-IBRS"
  # in the same cloud, Broadwell should be selected as a baseline.
  cpu-model: &cpu-model Haswell-noTSX-IBRS

  # XXX: LP #1673547
  # DNS configuration
  # This configuration for overlay networks. Usually domain should be set to something
  # like "openstack.customername.lan." (notice . at the end), while cidr is for PTR
  # records, so in most cases 24 is just fine (16 is another option)
  dns-domain: &dns-domain "production.solutionsqa."
  dns-cidr: &dns-cidr 24

  # DNS servers should generally be the upstream corporate DNS servers or the Designate bind
  # servers depending on the scenario. See document "Neutron DNS and Designate Overview and
  # Best Practices" on Google Drive for more information. Using
  # Designate bind servers here requires additional modifications (recursion, etc.) covered
  # in that document.
  dns-servers: &dns-servers 10.244.32.1

  ephemeral-device: &ephemeral-device /dev/disk/by-dname/bcache-nova-ephemeral

  # Octavia loadbalancer image cloud archive series
  retrofit-uca-pocket: &retrofit-uca-pocket ussuri
  retrofit-series: &retrofit-series bionic

  # Octavia management certs
  # These should be specified relative to the bundle with include-base64
  # ex: include-base64://../certs/controller_ca.pem
  lb-mgmt-issuing-cacert: &lb-mgmt-issuing-cacert include-base64://../ssl/octavia/controller_ca.pem
  # NOTE(review): the issuing CA private key is read from a path next to the
  # bundle and its passphrase is a short literal in this file. Anyone with
  # read access to both can issue certificates that chain to this CA. Keep the
  # key file and the passphrase out of version control and rotate both if
  # these values were ever used outside a lab.
  lb-mgmt-issuing-ca-private-key: &lb-mgmt-issuing-ca-private-key include-base64://../ssl/octavia/controller_ca_key.pem
  lb-mgmt-issuing-ca-key-passphrase: &lb-mgmt-issuing-ca-key-passphrase foobar
  lb-mgmt-controller-cacert: &lb-mgmt-controller-cacert include-base64://../ssl/octavia/controller_ca.pem
  lb-mgmt-controller-cert: &lb-mgmt-controller-cert include-base64://../ssl/octavia/controller_cert_bundle.pem

  # Various VIPs
  aodh-vip: &aodh-vip "10.244.8.80 192.168.33.2"
  barbican-vip: &barbican-vip "10.244.8.93 192.168.33.16"
  ceilometer-vip: &ceilometer-vip "10.244.8.81 192.168.33.3"
  cinder-vip: &cinder-vip "10.244.8.82 192.168.33.4"
  dashboard-vip: &dashboard-vip "10.244.8.83"
  designate-vip: &designate-vip "10.244.8.84 192.168.33.6"
  glance-vip: &glance-vip "10.244.8.85 192.168.33.7"
  gnocchi-vip: &gnocchi-vip "10.244.8.86 192.168.33.8"
  heat-vip: &heat-vip "10.244.8.87 192.168.33.9"
  keystone-vip: &keystone-vip "10.244.8.88 192.168.33.10"
  mysql-vip: &mysql-vip "192.168.33.11"
  neutron-api-vip: &neutron-api-vip "10.244.8.90 192.168.33.12"
  nova-cc-vip: &nova-cc-vip "10.244.8.91 192.168.33.13"
  octavia-vip: &octavia-vip "10.244.8.94 192.168.33.17"
  placement-vip: &placement-vip "10.244.8.95 192.168.33.18"
  rados-gateway-vip: &rados-gateway-vip "10.244.8.92 192.168.33.14"
  vault-vip: &vault-vip "192.168.33.15"

  ssl-ca: &ssl-ca include-base64:///home/ubuntu/project/ssl/root.pem

  # NTP configuration
  ntp-source: &ntp-source "ntp.ubuntu.com"

  # designate nameservers
  designate-nameservers: &designate-nameservers "ns1.example.com."

machines:
  # KVMs
  "15":
    constraints: tags=vault zones=zone1
  "16":
    constraints: tags=vault zones=zone2
  "17":
    constraints: tags=vault zones=zone3
  # Baremetals
  "1000":
    constraints: tags=foundation-nodes zones=zone1
  "1001":
    constraints: tags=foundation-nodes zones=zone2
  "1002":
    constraints: tags=foundation-nodes zones=zone3
  "1003":
    constraints: tags=foundation-nodes zones=zone1
  "1004":
    constraints: tags=foundation-nodes zones=zone2
  "1005":
    constraints: tags=foundation-nodes zones=zone3

# NOTE(review): apart from cs:etcd-530, every charm URL below is given
# without a revision, so each deployment resolves to whatever revision the
# store serves at that time. Pin revisions if deployments must be
# reproducible and reviewed before upgrade.
applications:
  # HAcluster
  hacluster-aodh:
    charm: cs:hacluster
  hacluster-barbican:
    charm: cs:hacluster
  hacluster-cinder:
    charm: cs:hacluster
  hacluster-glance:
    charm: cs:hacluster
  hacluster-gnocchi:
    charm: cs:hacluster
  hacluster-horizon:
    charm: cs:hacluster
  hacluster-keystone:
    charm: cs:hacluster
  hacluster-neutron:
    charm: cs:hacluster
  hacluster-nova:
    charm: cs:hacluster
  hacluster-mysql:
    charm: cs:hacluster
  hacluster-octavia:
    charm: cs:hacluster
  hacluster-placement:
    charm: cs:hacluster
  hacluster-radosgw:
    charm: cs:hacluster
  hacluster-designate:
    charm: cs:hacluster
  hacluster-heat:
    charm: cs:hacluster
  hacluster-ceilometer:
    charm: cs:hacluster
  hacluster-vault:
    charm: cs:hacluster

  # Ceph
  ceph-mon:
    charm: cs:ceph-mon
    num_units: 3
    bindings:
      "": *oam-space
      public: *ceph-public-space
      osd: *ceph-public-space
      client: *ceph-public-space
      admin: *ceph-public-space
      cluster: *ceph-cluster-space
    options:
      expected-osd-count: *expected-osd-count
      source: *openstack-origin
      monitor-count: *expected-mon-count
      customize-failure-domain: *customize-failure-domain
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  ceph-osd:
    charm: cs:ceph-osd
    num_units: 6
    bindings:
      "": *oam-space
      public: *ceph-public-space
      cluster: *ceph-cluster-space
      secrets-storage: *internal-space
      mon: *ceph-public-space
    options:
      osd-devices: *osd-devices
      source: *openstack-origin
      customize-failure-domain: *customize-failure-domain
      autotune: false
      # NOTE(review): AppArmor complain mode only logs policy violations, it
      # does not block them. nova-compute-kvm in this bundle uses 'enforce';
      # confirm that 'complain' for the OSDs is intentional.
      aa-profile-mode: complain
      bluestore: true
      # OSD encryption keys are held in Vault (see the
      # ceph-osd:secrets-storage relation at the end of the file).
      osd-encrypt: true
      osd-encrypt-keymanager: vault
    to:
    - '1000'
    - '1001'
    - '1002'
    - '1003'
    - '1004'
    - '1005'
  ceph-radosgw:
    charm: cs:ceph-radosgw
    num_units: 3
    constraints: *combi-access-constr
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      mon: *ceph-public-space
    options:
      source: *openstack-origin
      vip: *rados-gateway-vip
      region: *openstack-region
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002

  # OpenStack
  aodh:
    charm: cs:aodh
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *aodh-vip
      use-internal-endpoints: True
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  barbican:
    charm: cs:barbican
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
      secrets: *internal-space
      certificates: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *barbican-vip
      use-internal-endpoints: True
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  barbican-vault:
    charm: cs:~openstack-charmers-next/barbican-vault # XXX: 1871981
    num_units: 0
    bindings:
      "": *oam-space
      secrets: *internal-space
      secrets-storage: *internal-space
      certificates: *internal-space
  gnocchi:
    charm: cs:gnocchi
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
      storage-ceph: *ceph-public-space
      coordinator-memcached: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *gnocchi-vip
      use-internal-endpoints: True
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  cinder:
    charm: cs:cinder
    num_units: 3
    constraints: *combi-access-constr
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      block-device: None
      glance-api-version: 2
      vip: *cinder-vip
      use-internal-endpoints: True
      region: *openstack-region
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  cinder-ceph:
    charm: cs:cinder-ceph
    num_units: 0
    options:
      # NOTE(review): restrict-ceph-pools is False here and again for glance
      # and nova-compute-kvm. Going by the option name, the Ceph keys issued
      # to these services are presumably not limited to their own pools;
      # confirm against the charm documentation before production use.
      restrict-ceph-pools: False
  glance:
    charm: cs:glance
    constraints: *combi-access-constr
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      vip: *glance-vip
      use-internal-endpoints: True
      restrict-ceph-pools: False
      region: *openstack-region
    num_units: 3
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  keystone:
    charm: cs:keystone
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      vip: *keystone-vip
      region: *openstack-region
      preferred-api-version: 3
      token-provider: 'fernet'
      # override default token timeout to 24hr (86400 seconds) to address
      # LP: #1856876 namely to fix long-running live migration issues and
      # horizon re-auth.
      # NOTE(review): a 24-hour lifetime also means a leaked token stays
      # usable for up to a day; weigh that against the workaround.
      token-expiration: 86400
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  keystone-ldap:
    charm: cs:keystone-ldap
    num_units: 0
    options:
      domain-name: cdoqa
      ldap-config-flags: "{ user_tree_dn: 'ou=users,dc=test,dc=com', user_objectclass: posixAccount, user_id_attribute: uidNumber, user_name_attribute: uid, group_tree_dn: 'ou=groups,dc=test,dc=com', group_objectclass: posixGroup, group_id_attribute: gidNumber, group_name_attribute: cn, group_member_attribute: memberUid, group_members_are_ids: True}"
      ldap-readonly: true
      # NOTE(review): the bind password for cn=admin is a literal in this
      # file, and ldap-server uses the ldap:// scheme on port 389, so the bind
      # and user credentials cross the network unencrypted unless StartTLS is
      # configured elsewhere. Prefer ldaps:// or StartTLS, a dedicated
      # read-only bind account, and a password supplied at deploy time.
      ldap-password: "crapper"
      ldap-server: "ldap://10.245.221.126:389"
      ldap-suffix: "dc=test,dc=com"
      ldap-user: "cn=admin,dc=test,dc=com"
  logrotate:
    charm: cs:~logrotate-charmers/logrotate-charm
    num_units: 0
    options:
      logrotate-retention: 60
  mysql:
    charm: cs:percona-cluster
    num_units: 3
    bindings:
      "": *oam-space
      cluster: *internal-space
      shared-db: *internal-space
      ha: *internal-space
      db: *internal-space
      db-admin: *internal-space
    options:
      source: *openstack-origin
      innodb-buffer-pool-size: *mysql-innodb-buffer-pool-size
      vip: *mysql-vip
      # NOTE(review): the two commented-out entries below show 'password' as
      # the value; do not enable them with that value.
      #root-password: password
      #sst-password: password
      wait-timeout: *mysql-wait-timeout
      min-cluster-size: 3
      enable-binlogs: True
      performance-schema: True
      max-connections: *mysql-connections
      tuning-level: *mysql-tuning-level
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  neutron-api-plugin-ovn:
    charm: cs:neutron-api-plugin-ovn
    num_units: 0
    bindings:
      "": *oam-space
      certificates: *internal-space
    options:
      dns-servers: *dns-servers
  ovn-central:
    charm: cs:ovn-central
    num_units: 3
    bindings:
      "": *oam-space
      certificates: *internal-space
    options:
      source: *openstack-origin
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  neutron-api:
    charm: cs:neutron-api
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      region: *openstack-region
      # configure physical-network-mtus for every physnet mentioned in
      # ***flat-network-providers***
      flat-network-providers: *flat-network-providers
      # configure physical-network-mtus for every physnet mentioned in
      # ***vlan-ranges***
      # When provider networks are used directly, Designate-generated
      # records will only be created for vlans ***outside*** the range
      # specified in this option
      # ::
      vlan-ranges: *vlan-ranges
      neutron-security-groups: True
      use-internal-endpoints: True
      vip: *neutron-api-vip
      enable-ml2-port-security: True
      enable-ml2-dns: True
      dns-domain: *dns-domain
      # default changed to False to support OVN
      manage-neutron-plugin-legacy-mode: False
      # set MTU settings to achieve 1500 MTU on instance interfaces in
      # the overlay network. This will only work provided that the VTEP
      # VLANs (overlay-space) are configured to have MTU larger than
      # 1550 (jumbo frames) which is documented in the prerequisites doc
      # Note: The internal net in the solutions-qa lab is used as the
      # underlay network, and it is configured for 1500 MTU, not 1550.
      global-physnet-mtu: 1500
      path-mtu: 1500
      # Space-delimited list of <physical_network>:<mtu> pairs specifying
      # MTU for individual physical networks
      # i.e: dcfabric:1500
      physical-network-mtus: physnet1:1500
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  octavia-ovn-chassis:
    charm: cs:ovn-chassis
    num_units: 0
    bindings:
      "": *oam-space
      data: *overlay-space
      certificates: *internal-space
    options:
      ovn-bridge-mappings: *bridge-mappings
      bridge-interface-mappings: *data-port
  ovn-chassis:
    charm: cs:ovn-chassis
    num_units: 0
    bindings:
      "": *oam-space
      data: *overlay-space
      certificates: *internal-space
    options:
      ovn-bridge-mappings: *bridge-mappings
      bridge-interface-mappings: *data-port
  nova-cloud-controller:
    charm: cs:nova-cloud-controller
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
      memcache: *internal-space
      cloud-compute: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      network-manager: Neutron
      region: *openstack-region
      vip: *nova-cc-vip
      console-access-protocol: spice
      console-proxy-ip: local
      use-internal-endpoints: True
      cpu-allocation-ratio: *cpu-allocation-ratio
      ram-allocation-ratio: *ram-allocation-ratio
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  nova-compute-kvm:
    charm: cs:nova-compute
    num_units: 6
    bindings:
      "": *oam-space
      internal: *internal-space
      secrets-storage: *internal-space
      migration: *internal-space
      cloud-compute: *internal-space
    options:
      openstack-origin: *openstack-origin
      enable-live-migration: True
      enable-resize: True
      migration-auth-type: ssh
      use-internal-endpoints: True
      libvirt-image-backend: qcow2
      restrict-ceph-pools: False
      aa-profile-mode: enforce
      virt-type: kvm
      customize-failure-domain: *customize-failure-domain
      reserved-host-memory: *reserved-host-memory
      worker-multiplier: *worker-multiplier
      encrypt: true
      ephemeral-device: *ephemeral-device
      cpu-mode: custom
      cpu-model: *cpu-model
    to:
    - 1000
    - 1001
    - 1002
    - 1003
    - 1004
    - 1005
  ntp:
    charm: cs:ntp
    num_units: 0
    options:
      source: *ntp-source
  octavia:
    charm: cs:octavia
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *octavia-vip
      use-internal-endpoints: True
      # The five lb-mgmt-* values come from the variables section, including
      # the issuing CA private key and its literal passphrase.
      lb-mgmt-issuing-cacert: *lb-mgmt-issuing-cacert
      lb-mgmt-issuing-ca-private-key: *lb-mgmt-issuing-ca-private-key
      lb-mgmt-issuing-ca-key-passphrase: *lb-mgmt-issuing-ca-key-passphrase
      lb-mgmt-controller-cacert: *lb-mgmt-controller-cacert
      lb-mgmt-controller-cert: *lb-mgmt-controller-cert
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  octavia-dashboard:
    charm: cs:octavia-dashboard
    num_units: 0
  octavia-diskimage-retrofit:
    charm: cs:octavia-diskimage-retrofit
    options:
      retrofit-uca-pocket: *retrofit-uca-pocket
      retrofit-series: *retrofit-series
      amp-image-tag: octavia-amphora
    bindings:
      identity-credentials: *internal-space
  openstack-dashboard:
    charm: cs:openstack-dashboard
    num_units: 3
    constraints: *oam-space-constr
    bindings:
      "": *public-space
      shared-db: *internal-space
    options:
      openstack-origin: *openstack-origin
      webroot: "/"
      # NOTE(review): 'secret' is a fixed, human-readable literal shared by
      # every deployment of this bundle. Its own wording suggests it protects
      # dashboard cookie/session data; if so, anyone who knows the value can
      # forge or read that data. Generate a random value per deployment and
      # keep it out of the committed bundle.
      secret: "encryptcookieswithme"
      vip: *dashboard-vip
      neutron-network-lb: True
      cinder-backup: False
      # NOTE(review): presumably exposes instance password retrieval in the
      # dashboard; confirm this is wanted outside a lab.
      password-retrieve: True
      endpoint-type: publicURL
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  placement:
    charm: cs:placement
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  rabbitmq-server:
    charm: cs:rabbitmq-server
    bindings:
      "": *oam-space
      amqp: *internal-space
      cluster: *internal-space
    options:
      source: *openstack-origin
      min-cluster-size: 3
    num_units: 3
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  heat:
    charm: cs:heat
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
    options:
      worker-multiplier: *worker-multiplier
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *heat-vip
      use-internal-endpoints: True
    to:
    - lxd:1000
    - lxd:1001
    - lxd:1002
  designate:
    charm: cs:designate
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
      shared-db: *internal-space
      dns-backend: *internal-space
      coordinator-memcached: *internal-space
    options:
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *designate-vip
      use-internal-endpoints: True
      nameservers: *designate-nameservers
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  designate-bind:
    charm: cs:designate-bind
    num_units: 2
    constraints: *oam-space-constr
    bindings:
      "": *internal-space
      # DNS port 53 access for external clients and tenants via provider networks
      dns-backend: *internal-space
      dns-frontend: *dns-access-space
    options:
      use-internal-endpoints: True
      # By default, only names in zones managed by Designate are resolved.
      # Enable recursion and forwarders to resolve names outside of Designate,
      # such as google.com or archive.ubuntu.com
      # Recursion and forwarders should be enabled with extra care. Otherwise,
      # the DNS server may be open for anyone, which could be used for some
      # attacks as an open resolver. Set ACLs with allowed_nets and/or
      # allowed_recursion_nets. Allowed_recursion_nets is only set when
      # recursion and forwarder access needs to be controlled separately.
      # An example of the allowed_nets list would be:
      # "Tenant CIDR;Provider network CIDR" ("172.16.0.0/24;10.244.33.0/21")
      # allowed_recursion_nets: FCE_TEMPLATE
      # NOTE(review): recursion is on, allowed_recursion_nets is left
      # commented out, and allowed_nets admits all of 10.0.0.0/8, which is far
      # wider than the /21 in the example above. Narrow the ACL to the actual
      # tenant and provider CIDRs. With disable-dnssec-validation set, answers
      # obtained through the forwarder are accepted without DNSSEC checks.
      allowed_nets: "172.16.0.0/24;10.0.0.0/8"
      forwarders: "10.244.40.33"
      recursion: True
      disable-dnssec-validation: True
    to:
    - lxd:1001
    - lxd:1002
  memcached:
    charm: cs:memcached
    num_units: 2
    constraints: *oam-space-constr
    bindings:
      "": *internal-space
      cache: *internal-space
    options:
      allow-ufw-ip6-softfail: True
    to:
    - designate-bind/0
    - designate-bind/1
  ceilometer:
    charm: cs:ceilometer
    num_units: 3
    bindings:
      "": *oam-space
      public: *public-space
      admin: *admin-space
      internal: *internal-space
    options:
      openstack-origin: *openstack-origin
      region: *openstack-region
      vip: *ceilometer-vip
      use-internal-endpoints: True
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  ceilometer-agent:
    charm: cs:ceilometer-agent
    num_units: 0
    options:
      use-internal-endpoints: True
  bcache-tuning:
    charm: cs:bcache-tuning
    num_units: 0
  # XXX: LP: #1829150 - since juju won't setup additional
  # routes from MAAS, we have to use this policy-routing
  # charm to configure the gateway for the public network.
  public-policy-routing:
    charm: cs:advanced-routing
    options:
      enable-advanced-routing: True
      action-managed-update: False
      advanced-routing-config: |-
        [{
          "type": "table",
          "table": "public"
        },{
          "type": "route",
          "default_route": true,
          "gateway": "10.244.8.1",
          "table": "public",
          "metric": "101"
        },{
          "type": "rule",
          "from-net": "10.244.8.0/24",
          "table": "public",
          "priority": "101"
        },{
          "type": "rule",
          "from-net": "10.244.8.0/24",
          "to-net": "10.244.8.0/24"
        }]
  glance-simplestreams-sync:
    charm: cs:glance-simplestreams-sync
    num_units: 1
    options:
      # NOTE(review): packages for this unit are installed from a PPA named
      # 'trunk', i.e. a development archive outside the cloud archive used by
      # the other applications. Confirm this source is still required.
      source: ppa:simplestreams-dev/trunk
      run: false
    bindings:
      "": *oam-space
      identity-service: *internal-space
    to:
    - lxd:1005

  #Vault/FDE
  easyrsa:
    charm: cs:~containers/easyrsa
    num_units: 1
    bindings:
      "": *oam-space
    to:
    - lxd:1004
  etcd:
    charm: cs:etcd-530 # XXX: 1867544
    num_units: 3
    constraints: spaces=oam-space
    bindings:
      "": *internal-space
    options:
      channel: 3.2/stable
    to:
    - lxd:1001
    - lxd:1003
    - lxd:1005
  vault:
    charm: cs:vault
    num_units: 3
    bindings:
      "": *internal-space
    options:
      vip: *vault-vip
      auto-generate-root-ca-cert: True
    to:
    - 15
    - 16
    - 17

relations:
  # openstack
  - [ aodh, mysql ]
  - [ aodh, keystone ]
  - [ "aodh:amqp", "rabbitmq-server:amqp" ]
  - [ aodh, logrotate ]
  - [ "barbican:amqp", "rabbitmq-server:amqp" ]
  - [ "barbican:shared-db", "mysql:shared-db" ]
  - [ "barbican:identity-service", "keystone:identity-service" ]
  - [ "barbican:secrets", "barbican-vault:secrets" ]
  - [ "barbican-vault:secrets-storage", "vault:secrets" ]
  - [ barbican, hacluster-barbican ]
  - [ ceph-osd, ceph-mon ]
  - [ ceph-radosgw, ceph-mon ]
  - [ keystone, ceph-radosgw ]
  - [ keystone, keystone-ldap ]
  - [ nova-compute-kvm, ntp ]
  - [ ceph-radosgw, hacluster-radosgw ]
  - [ mysql, hacluster-mysql ]
  - [ keystone, hacluster-keystone ]
  - [ aodh, hacluster-aodh ]
  - [ glance, hacluster-glance ]
  - [ gnocchi, hacluster-gnocchi ]
  - [ cinder, hacluster-cinder ]
  - [ designate, hacluster-designate ]
  - [ neutron-api, hacluster-neutron ]
  - [ nova-cloud-controller, hacluster-nova ]
  - [ openstack-dashboard, hacluster-horizon ]
  - [ placement, hacluster-placement ]
  - [ heat, hacluster-heat ]
  - [ keystone, mysql ]
  - [ "ceilometer:identity-credentials", "keystone:identity-credentials" ]
  - [ "ceilometer:amqp", "rabbitmq-server:amqp" ]
  - [ ceilometer, hacluster-ceilometer ]
  - [ cinder, mysql ]
  - [ cinder, keystone ]
  - [ cinder-ceph, ceph-mon ]
  - [ cinder-ceph, cinder ]
  - [ "cinder:amqp", "rabbitmq-server:amqp" ]
  - [ designate, mysql ]
  - [ designate, designate-bind ]
  - [ designate, keystone ]
  - [ "designate:amqp", "rabbitmq-server:amqp" ]
  - [ designate, memcached ]
  - [ glance, mysql ]
  - [ glance, keystone ]
  - [ glance, ceph-mon ]
  - [ "glance:amqp", "rabbitmq-server:amqp" ]
  - [ gnocchi, mysql ]
  - [ "gnocchi:amqp", "rabbitmq-server:amqp" ]
  - [ gnocchi, keystone ]
  - [ gnocchi, ceph-mon ]
  - [ gnocchi, memcached ]
  - [ gnocchi, ceilometer ]
  - [ gnocchi, logrotate ]
  - [ heat, mysql ]
  - [ heat, keystone ]
  - [ "heat:amqp", "rabbitmq-server:amqp" ]
  - [ "nova-cloud-controller:shared-db", "mysql:shared-db" ]
  - [ "nova-cloud-controller:amqp", "rabbitmq-server:amqp" ]
  - [ nova-cloud-controller, keystone ]
  - [ nova-cloud-controller, glance ]
  - [ "nova-cloud-controller:memcache", "memcached:cache" ]
  - [ neutron-api, mysql ]
  - [ "neutron-api:amqp", "rabbitmq-server:amqp" ]
  - [ neutron-api, nova-cloud-controller ]
  - [ neutron-api, keystone ]
  - [ "neutron-api-plugin-ovn:neutron-plugin", "neutron-api:neutron-plugin-api-subordinate" ]
  - [ "neutron-api-plugin-ovn:certificates", "vault:certificates" ]
  - [ "neutron-api-plugin-ovn:ovsdb-cms", "ovn-central:ovsdb-cms" ]
  - [ "nova-compute-kvm:amqp", "rabbitmq-server:amqp" ]
  - [ nova-compute-kvm, ceph-mon ]
  - [ nova-compute-kvm, cinder-ceph ]
  - [ nova-compute-kvm, glance ]
  - [ nova-compute-kvm, nova-cloud-controller ]
  - [ "octavia:amqp", "rabbitmq-server:amqp" ]
  - [ "octavia:shared-db", "mysql:shared-db" ]
  - [ "octavia:identity-service", "keystone:identity-service" ]
  - [ "octavia:neutron-api", "neutron-api:neutron-load-balancer" ]
  - [ "octavia:ovsdb-subordinate", "octavia-ovn-chassis:ovsdb-subordinate" ]
  - [ octavia, hacluster-octavia ]
  - [ octavia-diskimage-retrofit, glance-simplestreams-sync ]
  - [ octavia-diskimage-retrofit, keystone ]
  - [ "ovn-central:certificates", "vault:certificates" ]
  - [ ovn-central, logrotate ]
  - [ "octavia-ovn-chassis:certificates", "vault:certificates" ]
  - [ "octavia-ovn-chassis:ovsdb", "ovn-central:ovsdb" ]
  - [ "ovn-chassis:nova-compute", "nova-compute-kvm:neutron-plugin" ]
  - [ "ovn-chassis:certificates", "vault:certificates" ]
  - [ "ovn-chassis:ovsdb", "ovn-central:ovsdb" ]
  - [ "openstack-dashboard:identity-service", "keystone:identity-service" ]
  - [ openstack-dashboard, mysql ]
  - [ "placement:shared-db", "mysql:shared-db" ]
  - [ "placement:identity-service", "keystone:identity-service" ]
  - [ "placement:placement", "nova-cloud-controller:placement" ]
  - [ ceilometer-agent, nova-compute-kvm ]
  - [ ceilometer-agent, ceilometer ]
  - [ "ceilometer-agent:amqp", "rabbitmq-server:amqp" ]
  - [ "bcache-tuning:juju-info", "ceph-osd:juju-info" ]
  - [ nova-compute-kvm, logrotate ]
  - [ ceph-mon, logrotate ]
  - [ ceph-radosgw, logrotate ]
  - [ cinder, logrotate ]
  - [ "glance:image-service", "cinder:image-service" ]
  - [ glance, logrotate ]
  - [ keystone, logrotate ]
  - [ mysql, logrotate ]
  - [ neutron-api, logrotate ]
  - [ nova-cloud-controller, logrotate ]
  - [ openstack-dashboard, logrotate ]
  - [ rabbitmq-server, logrotate ]
  - [ heat, logrotate ]
  - [ designate, logrotate ]
  - [ designate, neutron-api ]
  - [ designate-bind, logrotate ]
  - [ ceilometer, logrotate ]
  - [ glance-simplestreams-sync, keystone ]
  # Vault/FDE
  - [ vault, hacluster-vault ]
  - [ "ceph-osd:secrets-storage", "vault:secrets" ]
  - [ "vault:shared-db", "mysql:shared-db"]
  - [ "etcd:certificates", "easyrsa:client" ]
  - [ "etcd:db", "vault:etcd" ]
  - [ "vault:secrets", "nova-compute-kvm:secrets-storage" ]
  - [ ntp, vault ]
  # Public policy-routing relations
  - ["public-policy-routing:juju-info", "aodh:juju-info"]
  - ["public-policy-routing:juju-info", "ceilometer:juju-info"]
  - ["public-policy-routing:juju-info", "ceph-radosgw:juju-info"]
  - ["public-policy-routing:juju-info", "cinder:juju-info"]
  - ["public-policy-routing:juju-info", "designate:juju-info"]
  - ["public-policy-routing:juju-info", "designate-bind:juju-info"]
  - ["public-policy-routing:juju-info", "glance:juju-info"]
  - ["public-policy-routing:juju-info", "gnocchi:juju-info"]
  - ["public-policy-routing:juju-info", "heat:juju-info"]
  - ["public-policy-routing:juju-info", "keystone:juju-info"]
  - ["public-policy-routing:juju-info", "neutron-api:juju-info"]
  - ["public-policy-routing:juju-info", "nova-cloud-controller:juju-info"]
  - ["public-policy-routing:juju-info", "octavia:juju-info"]
  - ["public-policy-routing:juju-info", "openstack-dashboard:juju-info"]
  - ["public-policy-routing:juju-info", "placement:juju-info"]