2 # yamllint disable rule:comments rule:comments-indentation rule:line-length
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
18 ### Version numbering:
20 ### - Major structural changes compared to the previous version.
21 ### - Requires all users to update their user configuration to
24 ### - Significant changes in the template within current structure
25 ### (e.g. new mandatory attributes)
26 ### - Requires all users to update their user configuration according
27 ### to the new template (e.g. add new mandatory attributes)
29 ### - Minor changes in template (e.g. new optional attributes or
30 ### changes in possible values, value ranges or default values)
31 ### - Backwards compatible
34 ### Cloud name can consist of lower case letters, digits and dash (-).
35 ### Name must start and end with a letter or a digit.
41 ### Time related configuration
43 ### A list of NTP server IP addresses.
44 ntp_servers: [VALUE1, VALUE2, ...]
46 ### Linux time zone name (e.g. Europe/Helsinki or Asia/Shanghai)
49 ### supported values for authentication method of NTP:
50 ### crypto, symmetric, none
53 ### If you are using authenticated NTP you must provide the URL of the keys used for authentication.
56 ### User related configuration
58 ### Admin user details
59 admin_user_name: <VALUE>
60 ### Example of how to create a SHA512 crypt password hash that can be given as
61 ### the admin password (the snippet below uses Python 2 print syntax):
62 ### python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.using(rounds=5000).hash(getpass.getpass())"
63 admin_user_password: <VALUE>
65 # Authorized public keys for the admin user
66 #admin_user_authorized_keys: []
68 ### User details for the initial user (gets user_management_admin role)
69 initial_user_name: <VALUE>
70 initial_user_password: <VALUE>
72 ### For CaaS deployments
73 ### keystone admin user's password (at least 8 characters; at least one letter)
74 admin_password: <VALUE>
76 ### Networking configuration
78 ### A list of DNS server IP addresses.
79 ### Max two addresses supported.
82 ### Optional. Default network device mtu.
83 ### Valid value range: 1280 - 9000
84 ### When not set, defaults to 1500
88 ### Optional network mtu
89 ### If not defined default value is used.
94 ### User defined name for network domain
96 ### Network address in CIDR format
102 ### IP address of the gateway for default route
105 ### Range for external IPs
106 ### - First IP address of the range is reserved for vip
107 ### (Public API access)
108 ### - following addresses are reserved for management hosts
109 ### (one address per management hosts)
110 ip_range_start: <VALUE>
111 ip_range_end: <VALUE>
114 ### This configuration is required if there are storage hosts in
115 ### the configuration. This network is used for OSD Replication.
116 #infra_storage_cluster:
117 ### Optional network mtu
118 ### If not defined default value is used.
123 ### User defined name for network domain
125 ### Network address in CIDR format (e.g. 192.168.4.0/26)
131 ### Optional IP range from the CIDR to limit IP addresses to use
132 #ip_range_start: <VALUE>
133 #ip_range_end: <VALUE>
135 ### Optional static routes
137 # - {to: <CIDR>, via: <IP>}
139 ### This network is used for:
140 ### - Internal communication/API
141 ### - SSH between hosts
142 ### - Internal services
143 ### - NTP between hosts
145 ### Optional network mtu
146 ### If not defined default value is used.
151 ### User defined name for network domain
153 ### Network address in CIDR format
154 cidr: 192.168.12.0/26
159 ### Optional IP range from the CIDR to limit IP addresses to use
160 #ip_range_start: <VALUE>
161 #ip_range_end: <VALUE>
163 ### Optional static routes
165 # - {to: 192.168.12.0/22, via: 192.168.12.1}
166 ### Use above structure for all the other network domains
168 #cidr: 192.168.12.64/26
170 #ip_range_start: 192.168.12.68
171 #ip_range_end: 192.168.12.126
173 # - {to: 192.168.12.0/22, via: 192.168.12.65}
176 ### This network is used as the underlay network for inter-cluster
177 ### communication within CaaS. Setting this network can expose CaaS cluster
178 ### services to this network.
179 ### If unspecified, infra_internal used as a fallback option.
181 ### Optional network mtu
182 ### If not defined default value is used.
187 ### User defined name for network domain
189 ### Network address in CIDR format
195 ### IP address of the gateway for default route.
196 ### If unspecified, the subnet's first IP address is assumed.
200 #ip_range_start: <VALUE>
201 #ip_range_end: <VALUE>
203 ### Optional static routes
205 # - {to: <CIDR>, via: <IP>}
207 ### Provider networks
208 ### Provider network to physical interface mapping is done
209 ### in the network profile configuration
211 ### Any number of provider network names
212 #<provider_network_name1>:
213 ### Optional. Set provider network mtu.
214 ### If not defined default value is used.
217 ### Provider network vlan ranges
218 #vlan_ranges: "<VID_START1>:<VID_END1>,<VID_START2>:<VID_END2>,..."
220 ### Use above structure for all the other provider networks
221 #<provider_network_name2>:
224 ### Needed for non-CaaS deployments
226 ### keystone admin user password (at least 8 characters; at least one letter)
227 #admin_password: <VALUE>
229 ### Caas configuration
231 ### This parameter globally sets a maximum allowed writable disk space quota for every container,
232 ### on all caas related hosts. The quota physically forbids any container from storing more data
233 ### than the allowed size on its own rootfs.
234 ### These ephemeral disks are allocated from the Docker Cinder volume attached to all hosts,
235 ### and as such are limited in size. The quota protects the containers from possible noisy neighbours
236 ### by limiting their maximum consumption, thus ensuring that no single faulty container
237 ### can eat up the disk space of a whole container execution host.
239 docker_size_quota: "2G"
241 ### This parameter, if provided, will be set into the configuration of the CaaS cluster's
242 ### internal DNS server. Whenever a DNS query cannot be served by the default server,
243 ### it will be forwarded to the configured address, regardless of which sub-domain the query belongs to.
244 ### Please note that in case the address points outside of the infrastructure,
245 ### connectivity between the infrastructure and the external DNS server needs to be separately set up.
246 #upstream_nameserver: "10.74.3.252"
248 ### This parameter, if provided, will be set into the configuration of the CaaS cluster's
249 ### internal DNS server. Whenever a DNS query cannot be served by the default server,
250 ### it might be forwarded to the address set in the "stub_domain_ip" parameter.
251 ### However, forwarding only happens if "stub_domain_name" matches the domain name in the DNS query.
252 ### Please note that in case the address points outside of the infrastructure, connectivity between the
253 ### infrastructure and the external DNS server needs to be separately set up.
258 ### This parameter, if provided, controls how long a Helm install procedure waits before exiting with a timeout error.
259 ### Value is interpreted in minutes.
260 #helm_operation_timeout: "900"
262 ### The Docker container run-time engine creates a Linux network bridge by default, and provisions
263 ### a /24 IPv4 network on top of it. Even though this bridge is not used within the CaaS subsystem,
264 ### the existence of this bridge is not configurable.
265 ### However, in certain customer environments the default IPv4 network of this bridge can collide with
266 ### real customer networks. To avoid IP collision issues in such cases, the application operator can globally set
267 ### the Docker bridge CIDR of all hosts via this parameter.
268 #docker0_cidr: "172.17.0.1/16"
270 ### This parameter is used to set the overlay CIDR of the default network for containers, so pods can communicate
271 ### over this subnet and Kubernetes services are available here as well.
272 ### The parameter can be used to make sure the CIDR of this network does not overlap with any customer
273 ### specific provider networks.
274 #oam_cidr: "10.244.0.0/16"
276 ### Mandatory parameter. All the infrastructure's HTTP servers are secured with TLS.
277 ### The certificates of the servers are created in infrastructure deployment time, and are signed by an externally provided CA certificate.
278 ### This CA certificate can be configured by setting its encrypted format into this configuration parameter.
279 ### Due to CBAM limitation the value of this parameter shall be provided as a one-element list in JSON format
280 ### e.g. ["U2FsdGVkX1+iaWyYk3W01IFpfVdughR5aDKo2NpcBw2USt.."]
281 encrypted_ca: '["<ENCRYPTED_CA>"]'
283 ### Mandatory parameter. All the infrastructure's HTTP servers are secured with TLS.
284 ### The certificates of the servers are created in infrastructure deployment time, and are signed by an externally provided CA certificate.
285 ### This CA certificate can be configured by setting its encrypted format into the "encrypted_ca" configuration parameter.
286 ### The key which can be used to decrypt this CA certificate shall be configured into this configuration parameter, but also encrypted.
287 ### This key shall be encrypted by the super-secret, static key, known only by infrastructure developers and cloud operators; anyone holding that static key can recover the CA key, so it must be protected accordingly.
288 ### Due to CBAM limitation the value of this parameter shall be provided as a one-element list in JSON format
289 ### e.g. ["U2FsdGVkX1+WlNST+W.."]
290 encrypted_ca_key: '["<ENCRYPTED_CA_KEY>"]'
292 ### This parameter defines the DNS domain served by the REC DNS server; for example,
293 ### all in-cluster Kubernetes Services belong to this domain. DNS queries
294 ### outside of this domain are either rejected or forwarded to a configured upstream DNS server (if any).
295 ### The default value is: rec.io
296 #dns_domain: "<VALUE>"
299 ### This list contains all provider networks dedicated to be used by CaaS tenant users.
300 ### These provider networks need to be bound homogeneously to all CaaS hosts and the
301 ### provider network type must be caas.
302 ### SR-IOV provider networks also supported.
303 #tenant_networks: ["tenant_net1", "tenant_net2"]
305 ### Storage configuration
308 ### Configuration of supported storage backends.
309 ### At least one backend must be configured and only one backend can be enabled.
310 ### If more than one backend is configured then one should be enabled (enabled:true)
311 ### and the others should be disabled (enabled: false).
314 ### Ceph can be enabled only in a multi-node configuration.
315 #enabled: <true/false>
317 ### The OSD replica count.
318 ### The number of replicas for objects in the pool.
319 ### Valid value range for any production environment: 2 - 3
320 ### (for testing purposes only, in environments with very limited
321 ### storage resource, value 1 can be used as well)
322 ### Required if there are ceph nodes.
323 #osd_pool_default_size: <VALUE>
328 ### Users can define multiple network profiles depending on the hardware.
330 ### Compulsory if bonding interfaces used for infra networks.
331 ### Bonding options for linux bonding interfaces used for infra
333 ### Supported options: "mode=lacp" and "mode=active-backup"
334 ### In "mode=lacp" both nics are active simultaneously.
335 ### In "mode=active-backup" only one slave in the bond is active and
336 ### the other slave becomes active only if the active slave fails.
337 #linux_bonding_options: <VALUE>
339 ### Optional bonding interfaces
341 ### Any number of bonding interface names.
342 ### Bonding interface name syntax must be bond[n]
343 ### where n is a number.
344 ### Numbers in bonding interface names must be
345 ### consecutive natural numbers starting from 0
346 ### (bond0, bond1, bond2, ...)
348 ### Value is a list of at least two physical interface names
349 ### (e.g. bond0: [eno3, eno4])
350 #<bonding interface name>: [<VALUE1>, <VALUE2>, ...]
352 ### Interface-subnet mapping
353 ### Any number of (name: value) pairs to map interfaces
354 ### (bonding or physical interface name) to subnets
355 ### Value is list of subnets
356 ### (e.g. bond0: [infra_internal, infra_storage_cluster] or
357 ### eno3: [infra_external])
358 ### An interface can be mapped to at most one non-vlan subnet
359 interface_net_mapping:
360 #<interface_name>: [<VALUE1>, <VALUE2>, ...]
362 ### Optional provider network interface
363 #provider_network_interfaces:
364 ### Provider network physical interface.
365 ### Either Ethernet or bonding interface.
367 ### Optional provider network type.
371 ### Containers as a Service (CaaS) provider network
373 ### CaaS bond interfaces are configured as Linux bond interfaces.
376 ### Provider networks on this interface.
377 ### Provider networks must be defined also in the networking:
378 ### provider_networks: configuration.
379 #provider_networks: [<VALUE1>,<VALUE2>,...]
380 ### Use above structure for all the provider network interfaces
385 ### Optional SR-IOV provider networks
386 #sriov_provider_networks:
387 ### Provider network name.
388 ### Must be defined also in the
389 ### networking: provider_networks: configuration.
390 #<provider_network_name1>:
391 ### SR-IOV physical function interfaces
392 ### Multiple Ethernet interfaces can be mapped to implement one
394 ### SR-IOV interfaces can be used also for the infra networks
395 ### but only if network card type supports that
396 ### (for example Mellanox ConnectX-4 Lx
397 ### does and Intel Niantic doesn't). Another restriction is that
398 ### bond option cannot be "mode=lacp" if SR-IOV interfaces are
399 ### also bonding slave interfaces.
400 #interfaces: [<VALUE1>, <VALUE2>, ...]
402 ### Optional VF count per physical PF interface
403 ### If this parameter is not defined, default is to create
404 ### maximum supported amount of VF interfaces. In case of
405 ### Mellanox NIC (mlx5_core driver) given VF count will be
406 ### configured to the NIC HW as a maximum VF count.
409 ### Optional VF trusted mode setting
410 ### If enabled, the PF accepts some privileged operations from
411 ### the VF. See the NIC manufacturer documentation for more
414 #trusted: [true|false]
416 ### Optional provider network type
417 ### - caas: configure as CaaS SR-IOV cluster network
420 ### Use above structure for all the SR-IOV provider networks in
422 #<provider_network_name2>
425 ### Performance profiles
426 performance_profiles:
428 ### The parameters specified here are affected by the type
429 ### of network profile selected for the node.
430 ### The following types are supported:
431 ### SR-IOV: no mandatory parameters, but following can be used:
432 ### - default_hugepagesz
436 ### Configuration for huge page usage.
437 ### Notice: Huge page values must be in balance with RAM available
440 ### Default huge page size. Valid values are 2M and 1G.
441 #default_hugepagesz: <VALUE>
442 ### Huge page size selection parameter. Valid values are 2M and 1G.
444 ### The number of allocated persistent huge pages
447 ### Host CPU allocations.
448 ### Any host CPUs that are not allocated for some specific purpose
449 ### here will be automatically assigned by the system:
450 ### - If the node contains 'caas' in its service_profiles, the remaining
451 ### CPUs are allocated for CaaS CPU pools. The remaining CaaS CPUs are
452 ### allocated for default container execution.
453 ### - Any CPUs that don't fall into the above categories are allocated
454 ### for the host platform.
456 ### Optional. Allocate CPUs for the host platform.
457 ### The configured counts determine the number of full CPU cores to
458 ### allocate from each specified NUMA node. If hyperthreading is
459 ### enabled, all sibling threads are automatically grouped together
460 ### and counted as one CPU core. The actual configurable range
461 ### depends on target hardware CPU topology and desired performance
463 ### Notice: The host platform must always have at least one CPU
464 ### core from NUMA node 0.
469 ### Optional. Performance tuning.
470 ### Valid values are low_latency and standard (default).
471 ### Note that low_latency mode will turn off power saving, etc
472 #tuning: <low_latency|standard>
474 ### Optional. Create CPU pools in CaaS CPU manager.
475 ### The type of this parameter is a dictionary, consisting of the following attributes:
476 ### - exclusive_pool_percentage
477 ### - shared_pool_percentage
478 ### Attributes are optional, but at least one of them shall be defined
479 ### if caas_cpu_pools is defined. The sum of values can't exceed 100.
480 ### Minimum allocation is 1 CPU, which means anything greater than 0
481 ### ensures 1 CPU allocation.
483 #exclusive_pool_percentage: <VALUE>
484 #shared_pool_percentage: <VALUE>
488 ### The storage_profiles section name is part of mandatory configuration.
490 ### There must always be at least one profile defined when ceph or lvm
491 ### have been configured and enabled as the backend in the storage section.
492 ### This profile represents the enabled backend in question.
494 ### In addition the user can optionally configure storage instance profiles
498 ### Name of the storage backend. The allowed values for the backend are
504 ### Backend specific attributes - see examples of supported backend
505 ### specific attributes in the following storage profile templates.
508 #ceph_backend_profile:
510 ### A storage profile for ceph backend. This storage profile is linked
511 ### to all of the storage hosts. The ceph profile is possible only with
512 ### a multihost configuration with three (3) management hosts.
517 ### Number of devices that should be used as osd disks in one node.
518 ### This is a mandatory attribute for ceph storage hosts.
519 ### Max number of ceph osd disks is 3.
520 #nr_of_ceph_osd_disks: <VALUE>
523 ### The share ratio between the Openstack & CaaS subsystems for
524 ### the available Ceph storage. Expected to be in ratio format (A:B),
525 ### where the first number is for Openstack, the second one is for CaaS subsystem.
526 ### Always quote the value! Default value is "1:0".
527 #ceph_pg_openstack_caas_share_ratio: "<VALUE>"
531 ### A storage profile to create bare lvm volumes.
533 ### This profile can be used to create an LVM volume that will be
534 ### available under the defined directory for any further use.
536 ### This profile is mandatory for caas_worker hosts and should be
537 ### mounted to /var/lib/docker.
542 ### This parameter lists which partitions are to be used
543 ### for instance volume group.
544 #lvm_instance_storage_partitions: [<VALUE1>, <VALUE2>, ...]
547 ### This parameter defines how much space bare_lvm should take
549 ### Note that this option left for compatibility reasons, actual value
550 ### dynamically calculated.
552 #bare_lvm_storage_percentage: <VALUE>
555 ### This parameter contains the name for the created LVM volume.
559 ### The value of this parameter is used to protect the entire GRUB 2 menu structure of all the infrastructure nodes.
560 ### The configured value should be a properly salted PBKDF2 (Password-Based Key Derivation Function 2) hash.
561 ### Interactive tool "grub2-mkpasswd-pbkdf2" can be used to create the hash.
562 ### Operators will only be able to make changes in the GRUB menu if the
563 ### hashed version of the typed-in password matches the value of this parameter.
565 #grub2_password: "<VALUE>"
566 ### User lockout parameters are set with failed_login_attempts (default is 5)
567 ### and lockout_time (default is 300 seconds (5 minutes))
568 #failed_login_attempts: <VALUE>
569 #lockout_time: <VALUE>
574 ### The service profiles for this node. Valid values are the following:
575 ### management/base/storage/caas_master/caas_worker
576 ### Currently supported service profile combinations:
577 ### 1 Any permutations of: management/base/storage e.g: [ management, storage ]
578 ### 2 Either or both [management, caas_master] e.g.: [ management, caas_master ]
579 ### 3 caas_worker can't be combined with any other profile: e.g.: [ caas_worker ]
580 service_profiles: [<VALUE1>, <VALUE2>, ...]
582 ### The network profiles for this node, the value used in the list
583 ### should match a profile from the network_profiles section.
584 ### Only one network profile per host supported at the moment.
585 network_profiles: [profile1]
587 ### The storage profiles for this node, the value used in the list
588 ### should match a profile from the storage_profiles section.
589 #storage_profiles: [profile1]
591 ### The performance profiles for this node, the value used in the list
592 ### should match a profile from the performance_profiles section.
593 ### Only one performance profile per host supported at the moment.
594 #performance_profiles: [profile1]
596 ### The kubernetes label set of the node, you can define an arbitrary set of key-value pairs.
597 ### These key-value pairs will be provisioned to the corresponding
598 ### Kubernetes node object as kubernetes labels.
599 ### Optional parameter, only interpreted when the node has a CaaS subsystem related service profile.
600 ### For any other node this attribute will be silently ignored.
601 ### The keys under "labels" can be anything, except: 'name', 'nodetype', 'nodeindex', 'nodename'
602 ### These labels are reserved for infrastructure usage
604 # type: "performance"
606 # hyperthreading: "off"
609 ### Network domain for this node
610 ### Value should match some network domain in networking section.
611 network_domain: rack-1
613 ### HW management (e.g. IPMI or iLO) address and credentials
618 # Optional: the IPMI privilege level to request.
619 # Typical values include 'USER', 'OPERATOR', 'ADMINISTRATOR'
620 # default is 'ADMINISTRATOR' if unspecified.
621 # priv_level: <VALUE>
622 ### Optional parameter needed in virtual deployments to identify the
623 ### nodes by the MAC address of their provisioning interface
624 #mgmt_mac: [<VALUE1>, <VALUE2>, ...]