58a4c980bb
We're enabling the audit middleware for the following API services:
* cinder
* nova
* neutron
* glance
* heat
* barbican
* octavia
* gnocchi
* config.verbose was deprecated a long time ago and Gnocchi doesn't
support a separate "logging.conf" file
* as such, Gnocchi can't be configured to use "info" level logging
* the audit logs will only be emitted in debug mode
* cf001e8428/gnocchi/service.py (L72-L79)
* newly defined audit map (the other services had already existing
definitions, which were updated):
* aodh
* designate
* magnum
* masakari
* updated wsgi log configuration
The following services do not support the audit middleware,
the support for api paste was dropped:
* placement
* watcher
* keystone (has its own pycadf audit implementation)
* emits notifications using oslo.notifications
* configurable driver, possible options include "messagingv2" and "log"
* we can't just use the log driver since the user may request amqp
notifications using:
"juju config keystone enable-telemetry-notifications=True"
* we'll listen for amqp notifications using a separate service
Reference:
* audit middleware configuration: https://docs.openstack.org/keystonemiddleware/latest/audit.html
* api map samples: https://opendev.org/openstack/pycadf/src/tag/3.1.1/etc/pycadf
Change-Id: I28a261b85067704221d6ab3d949c5d2a27a4a9d7
217 lines
5.4 KiB
Django/Jinja
217 lines
5.4 KiB
Django/Jinja
bundle: kubernetes
|
|
|
|
applications:
|
|
traefik:
|
|
charm: ch:traefik-k8s
|
|
channel: latest/candidate
|
|
base: ubuntu@20.04
|
|
scale: 1
|
|
trust: true
|
|
options:
|
|
kubernetes-service-annotations: metallb.universe.tf/address-pool=public
|
|
mysql:
|
|
charm: ch:mysql-k8s
|
|
channel: 8.0/stable
|
|
base: ubuntu@22.04
|
|
scale: 1
|
|
trust: true
|
|
options:
|
|
profile-limit-memory: 2560
|
|
experimental-max-connections: 150
|
|
vault:
|
|
charm: ch:vault-k8s
|
|
channel: 1.15/edge
|
|
revision: 190
|
|
base: ubuntu@22.04
|
|
scale: 1
|
|
trust: false
|
|
tls-operator:
|
|
charm: self-signed-certificates
|
|
channel: latest/beta
|
|
base: ubuntu@22.04
|
|
scale: 1
|
|
options:
|
|
ca-common-name: internal-ca
|
|
rabbitmq:
|
|
charm: ch:rabbitmq-k8s
|
|
channel: 3.12/edge
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: true
|
|
options:
|
|
minimum-replicas: 1
|
|
ovn-central:
|
|
{% if ovn_central_k8s is defined and ovn_central_k8s is sameas true -%}
|
|
charm: ../../../ovn-central-k8s.charm
|
|
{% else -%}
|
|
charm: ch:ovn-central-k8s
|
|
channel: 25.03/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: true
|
|
resources:
|
|
ovn-sb-db-server-image: ghcr.io/canonical/ovn-consolidated:25.03
|
|
ovn-nb-db-server-image: ghcr.io/canonical/ovn-consolidated:25.03
|
|
ovn-northd-image: ghcr.io/canonical/ovn-consolidated:25.03
|
|
keystone:
|
|
{% if keystone_k8s is defined and keystone_k8s is sameas true -%}
|
|
charm: ../../../keystone-k8s.charm
|
|
{% else -%}
|
|
charm: ch:keystone-k8s
|
|
channel: 2025.1/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: true
|
|
storage:
|
|
fernet-keys: 5M
|
|
credential-keys: 5M
|
|
resources:
|
|
keystone-image: ghcr.io/canonical/keystone:2025.1
|
|
glance:
|
|
{% if glance_k8s is defined and glance_k8s is sameas true -%}
|
|
charm: ../../../glance-k8s.charm
|
|
{% else -%}
|
|
charm: ch:glance-k8s
|
|
channel: 2025.1/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: true
|
|
storage:
|
|
local-repository: 10G
|
|
resources:
|
|
glance-api-image: ghcr.io/canonical/glance-api:2025.1
|
|
heat:
|
|
{% if heat_k8s is defined and heat_k8s is sameas true -%}
|
|
charm: ../../../heat-k8s.charm
|
|
{% else -%}
|
|
charm: ch:heat-k8s
|
|
channel: 2025.1/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: true
|
|
resources:
|
|
heat-api-image: ghcr.io/canonical/heat-consolidated:2025.1
|
|
heat-engine-image: ghcr.io/canonical/heat-consolidated:2025.1
|
|
octavia:
|
|
{% if octavia_k8s is defined and octavia_k8s is sameas true -%}
|
|
charm: ../../../octavia-k8s.charm
|
|
{% else -%}
|
|
charm: ch:octavia-k8s
|
|
channel: 2025.1/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: true
|
|
resources:
|
|
octavia-api-image: ghcr.io/canonical/octavia-consolidated:2025.1
|
|
octavia-driver-agent-image: ghcr.io/canonical/octavia-consolidated:2025.1
|
|
octavia-housekeeping-image: ghcr.io/canonical/octavia-consolidated:2025.1
|
|
barbican:
|
|
{% if barbican_k8s is defined and barbican_k8s is sameas true -%}
|
|
charm: ../../../barbican-k8s.charm
|
|
{% else -%}
|
|
charm: ch:barbican-k8s
|
|
channel: 2025.1/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: false
|
|
resources:
|
|
barbican-api-image: ghcr.io/canonical/barbican-consolidated:2025.1
|
|
barbican-worker-image: ghcr.io/canonical/barbican-consolidated:2025.1
|
|
magnum:
|
|
{% if magnum_k8s is defined and magnum_k8s is sameas true -%}
|
|
charm: ../../../magnum-k8s.charm
|
|
{% else -%}
|
|
charm: ch:magnum-k8s
|
|
channel: 2025.1/edge
|
|
{% endif -%}
|
|
base: ubuntu@24.04
|
|
scale: 1
|
|
trust: false
|
|
resources:
|
|
magnum-api-image: ghcr.io/canonical/magnum-consolidated:2025.1
|
|
magnum-conductor-image: ghcr.io/canonical/magnum-consolidated:2025.1
|
|
|
|
relations:
|
|
- - tls-operator:certificates
|
|
- ovn-central:certificates
|
|
|
|
- - mysql:database
|
|
- keystone:database
|
|
- - traefik:ingress
|
|
- keystone:ingress-internal
|
|
- - rabbitmq:amqp
|
|
- keystone:amqp
|
|
|
|
- - mysql:database
|
|
- glance:database
|
|
- - keystone:identity-service
|
|
- glance:identity-service
|
|
- - rabbitmq:amqp
|
|
- glance:amqp
|
|
- - traefik:ingress
|
|
- glance:ingress-internal
|
|
- - keystone:send-ca-cert
|
|
- glance:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- heat:database
|
|
- - keystone:identity-service
|
|
- heat:identity-service
|
|
- - keystone:identity-ops
|
|
- heat:identity-ops
|
|
- - traefik:traefik-route
|
|
- heat:traefik-route-internal
|
|
- - rabbitmq:amqp
|
|
- heat:amqp
|
|
- - keystone:send-ca-cert
|
|
- heat:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- octavia:database
|
|
- - keystone:identity-service
|
|
- octavia:identity-service
|
|
- - keystone:identity-ops
|
|
- octavia:identity-ops
|
|
- - traefik:ingress
|
|
- octavia:ingress-internal
|
|
- - tls-operator:certificates
|
|
- octavia:certificates
|
|
- - octavia:ovsdb-cms
|
|
- ovn-central:ovsdb-cms
|
|
- - keystone:send-ca-cert
|
|
- octavia:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- barbican:database
|
|
- - rabbitmq:amqp
|
|
- barbican:amqp
|
|
- - keystone:identity-service
|
|
- barbican:identity-service
|
|
- - keystone:identity-ops
|
|
- barbican:identity-ops
|
|
- - traefik:ingress
|
|
- barbican:ingress-internal
|
|
- - vault:vault-kv
|
|
- barbican:vault-kv
|
|
- - keystone:send-ca-cert
|
|
- barbican:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- magnum:database
|
|
- - rabbitmq:amqp
|
|
- magnum:amqp
|
|
- - keystone:identity-service
|
|
- magnum:identity-service
|
|
- - keystone:identity-ops
|
|
- magnum:identity-ops
|
|
- - traefik:ingress
|
|
- magnum:ingress-internal
|
|
- - keystone:send-ca-cert
|
|
- magnum:receive-ca-cert
|