COMPUTED VALUES:
conf:
  # Bridge names to create automatically; br-ex maps to null here (presumably
  # "no interface to attach" - confirm against the chart's init script).
  auto_bridge_add:
    br-ex: null
  # Settings for ovn-bgp-agent, grouped by section name (DEFAULT, agent,
  # frr_k8s); presumably rendered into the agent's INI config by the chart.
  ovn_bgp_agent:
    DEFAULT:
      bgp_driver: frr_k8s
      # The local OVSDB is reached over a unix socket, not TCP.
      ovsdb_connection: unix:/run/openvswitch/db.sock
    agent:
      # Privileged commands go through sudo + rootwrap. sudo only runs these
      # without a password when the command line matches a NOPASSWD entry in
      # ovn_bgp_agent_sudoers, so keep the paths here and there identical.
      root_helper: sudo /var/lib/openstack/bin/ovn-bgp-agent-rootwrap /etc/ovn-bgp-agent/rootwrap.conf
      root_helper_daemon: sudo /var/lib/openstack/bin/ovn-bgp-agent-rootwrap-daemon
        /etc/ovn-bgp-agent/rootwrap.conf
    frr_k8s:
      namespace: openstack
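  # sudoers rules for the ovn_bgp_agent account, kept as a literal block.
  # - The two rootwrap entries end in `*`, so sudo accepts any arguments
  #   there; what runs as root is then limited only by the rootwrap filter
  #   files.
  # - The two rootwrap-daemon entries carry no wildcard, so sudo matches the
  #   argument list literally: each must name /etc/ovn-bgp-agent/rootwrap.conf
  #   exactly as conf.ovn_bgp_agent.agent.root_helper_daemon invokes it.
  # - Every directory on secure_path (including /snap/bin and the two venv
  #   bin directories) must be writable by root only - verify in the image.
  ovn_bgp_agent_sudoers: |
    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
    Defaults !requiretty
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
    ovn_bgp_agent ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ovn-bgp-agent-rootwrap /etc/ovn-bgp-agent/rootwrap.conf *, /var/lib/openstack/bin/ovn-bgp-agent-rootwrap /etc/ovn-bgp-agent/rootwrap.conf *
    ovn_bgp_agent ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ovn-bgp-agent-rootwrap-daemon /etc/ovn-bgp-agent/rootwrap.conf, /var/lib/openstack/bin/ovn-bgp-agent-rootwrap-daemon /etc/ovn-bgp-agent/rootwrap.conf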
  # OVN chassis settings: integration bridge, physical-network-to-bridge
  # mapping, CMS options and tunnel encapsulation.
  ovn_bridge: br-int
  ovn_bridge_mappings: external:br-ex
  ovn_cms_options: availability-zones=nova
  # Same options plus enable-chassis-as-gw (presumably applied on gateway
  # nodes - confirm against the chart templates).
  ovn_cms_options_gw_enabled: enable-chassis-as-gw,availability-zones=nova
  # NOTE(review): no tunnel encryption setting appears in these values; if
  # the underlay is not trusted, check whether OVN IPsec is configured
  # elsewhere.
  ovn_encap_type: geneve
  # uWSGI options for the neutron-ovn-network-logging-parser sidecar.
  ovn_network_logging_parser_uwsgi:
    uwsgi:
      add-header: 'Connection: close'
      buffer-size: 65535
      die-on-term: true
      enable-threads: true
      exit-on-reload: false
      hook-master-start: unix_signal:15 gracefully_kill_them_all
      # Plain HTTP on every interface; no TLS or authentication option is set
      # in this block. pod.dns_policy is ClusterFirstWithHostNet, which
      # suggests host networking - if so, this port is exposed on the node's
      # own addresses (TODO confirm) and should be restricted by
      # firewall/NetworkPolicy.
      http-socket: 0.0.0.0:9697
      lazy-apps: true
      # Logged client addresses come from the X-Forwarded-For header, which
      # the client controls unless a trusted proxy overwrites it.
      log-x-forwarded-for: true
      master: true
      processes: 1
      procname-prefix-spaced: 'neutron-ovn-network-logging-parser:'
      # Requests whose User-Agent starts with kube-probe are not logged.
      # User-Agent is client-supplied, so this exclusion is not limited to
      # real kubelet probes; do not treat these request logs as a complete
      # access record.
      route-user-agent: '^kube-probe.* donotlog:'
      thunder-lock: true
      worker-reload-mercy: 80
      wsgi-file: /var/lib/openstack/bin/neutron-ovn-network-logging-parser-wsgi
  # Account name for Open vSwitch (consumed by chart templates not shown).
  ovs_user_name: openvswitch
  # Text of the rootwrap configuration file (the sudoers rules and root_helper
  # refer to it as /etc/ovn-bgp-agent/rootwrap.conf; the mount itself is done
  # by chart templates not shown here).
  # Review notes:
  # - filters_path and exec_dirs decide which filter files are trusted and
  #   where executables are resolved. As the file's own comments say, every
  #   listed directory must be writable by root only; that includes
  #   /var/lib/openstack/bin and /var/lib/kolla/venv/bin - verify ownership
  #   and modes in the image.
  # - use_syslog=False: rootwrap does not log to syslog. With
  #   syslog_log_level=ERROR, only unsuccessful attempts would be logged even
  #   if syslog were on. Where an audit trail of commands run as root is
  #   required, override to use_syslog=True with level INFO.
  rootwrap: |
    # Configuration for ovn-bgp-agent-rootwrap
    # This file should be owned by (and only-writeable by) the root user

    [DEFAULT]
    # List of directories to load filter definitions from (separated by ',').
    # These directories MUST all be only writeable by root !
    filters_path=/etc/ovn-bgp-agent/rootwrap.d,/usr/share/ovn-bgp-agent/rootwrap

    # List of directories to search executables in, in case filters do not
    # explicitely specify a full path (separated by ',')
    # If not specified, defaults to system PATH environment variable.
    # These directories MUST all be only writeable by root !
    exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

    # Enable logging to syslog
    # Default value is False
    use_syslog=False

    # Which syslog facility to use.
    # Valid values include auth, authpriv, syslog, local0, local1...
    # Default value is 'syslog'
    syslog_log_facility=syslog

    # Which messages to log.
    # INFO means log all usage
    # ERROR means only log unsuccessful attempts
    syslog_log_level=ERROR
  # rootwrap filter files, keyed by name; `content` is the filter file text
  # and `pods` lists the pods that receive it.
  # Review notes on the ovn_bgp_agent filter set:
  # - CommandFilter (ovs-vsctl, sysctl, vtysh) matches on the executable
  #   only, so any argument list is accepted and run as root. These are broad
  #   grants: sysctl can change any kernel parameter and vtysh any FRR
  #   setting. Narrow them with argument-aware filters in a deployment
  #   override if the agent's real usage allows it.
  # - IpFilter adds checks specific to `ip` (in oslo.rootwrap it constrains
  #   `ip netns exec`; confirm against the installed version).
  # - privsep-rootwrap uses per-argument regexes. In `/etc/(?!\.\.).*` the
  #   lookahead inspects only the characters directly after `/etc/` and `.*`
  #   accepts the rest, and `/tmp/.*` accepts any socket path under /tmp.
  #   Treat both as a coarse allow-list, not path canonicalisation.
  rootwrap_filters:
    ovn_bgp_agent:
      content: |
        # ovn-bgp-agent-rootwrap command filters for scripts
        # This file should be owned by (and only-writable by) the root user

        [Filters]
        # privileged/__init__.py: priv_context.PrivContext(default)
        # This line ties the superuser privs with the config files, context name,
        # and (implicitly) the actual python code invoked.
        privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, ovn_bgp_agent.privileged.default, --privsep_sock_path, /tmp/.*

        ovs-vsctl: CommandFilter, ovs-vsctl, root
        sysctl: CommandFilter, sysctl, root
        ip: IpFilter, ip, root
        vtysh: CommandFilter, vtysh, root
      pods:
      - ovn_bgp_agent
  # Vector (TOML) pipeline for OVN network logs, kept as a literal block:
  # file source -> HTTP POST to the logging parser -> http_server source ->
  # remap transform -> Loki sink.
  # The `uri` and `tenant_id` values still contain Helm template expressions
  # in this dump; presumably the chart expands them when rendering the
  # ConfigMap (templates not shown).
  # Review notes:
  # - sources.ovn_log_parser_out listens on 0.0.0.0:5001 and no auth or TLS
  #   option is set in this config, so any client that can reach the port can
  #   submit events that are forwarded to Loki. Restrict reachability, or
  #   bind to loopback if the parser runs in the same pod (TODO confirm).
  # - tenant_id is a backtick-escaped template, so after Helm rendering it is
  #   presumably the Vector template `{{ project_id }}`, i.e. the Loki tenant
  #   is taken from each event's own project_id field. Combined with the
  #   open listener above, the tenant value is only as trustworthy as the
  #   sender.
  # - The Loki endpoint is plain http:// and no auth options are set here.
  vector: |
    [sources.file_logs]
    type = "file"
    include = [ "/logs/ovn-controller.log" ]

    [sinks.ovn_log_parser_in]
    type = "http"
    inputs = ["file_logs"]
    uri = "{{ tuple "ovn_logging_parser" "default" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
    encoding.codec = "json"
    method = "post"

    [sources.ovn_log_parser_out]
    type = "http_server"
    address = "0.0.0.0:5001"
    encoding = "json"

    [transforms.parse_log_message]
    type = "remap"
    inputs = ["ovn_log_parser_out"]
    source = '''
      del(.source_type)
      del(.path)
    '''

    [sinks.loki_sink]
    type = "loki"
    labels.event_source = "network_logs"
    inputs = ["parse_log_message"]
    endpoint = "http://loki.monitoring:3100"
    encoding.codec = "json"
    tenant_id = "{{`{{ project_id }}`}}"
# Start-up dependencies per component: the jobs, services and pods each one
# lists (presumably checked by the dep_check image before the main container
# starts - confirm against the chart templates).
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
        - openvswitch-image-repo-sync
        services:
        - endpoint: node
          service: local_image_registry
  static:
    image_repo_sync:
      services:
      - endpoint: internal
        service: local_image_registry
    ovn_controller:
      # Needs an openvswitch server pod on the same node plus the southbound DB.
      pod:
      - labels:
          application: openvswitch
          component: server
        requireSameNode: true
      services:
      - endpoint: internal
        service: ovn-ovsdb-sb
    ovn_northd:
      services:
      - endpoint: internal
        service: ovn-ovsdb-nb
      - endpoint: internal
        service: ovn-ovsdb-sb
    # The two OVSDB servers declare no dependencies.
    ovn_ovsdb_nb: null
    ovn_ovsdb_sb: null
# Service endpoint catalogue: host names, namespaces, ports and schemes that
# the chart's templates look up by name.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    host_fqdn_override:
      default: null
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    name: docker-registry
    namespace: docker-registry
    port:
      registry:
        node: 5000
  oci_image_registry:
    # Registry auth is disabled here. The username/password below are
    # placeholder defaults: if auth is enabled, supply real credentials
    # through a secret-backed override, never by editing committed values.
    auth:
      enabled: false
      openvswitch:
        password: password
        username: openvswitch
    host_fqdn_override:
      default: null
    hosts:
      default: localhost
    name: oci-image-registry
    namespace: oci-image-registry
    port:
      registry:
        default: null
  # Logging-parser API: plain http on port 9697 at localhost (matches the
  # uWSGI http-socket port in conf.ovn_network_logging_parser_uwsgi).
  ovn_logging_parser:
    host_fqdn_override:
      default: localhost
    hosts:
      default: localhost
    name: ovn-logging-parser
    namespace: null
    path:
      default: /logs
    port:
      api:
        default: 9697
        service: 9697
    scheme:
      default: http
      service: http
  # OVN northbound DB: OVSDB on 6641, RAFT on 6643.
  # NOTE(review): nothing in these values shows whether the OVSDB listeners
  # use TLS; confirm in the chart's start scripts.
  ovn_ovsdb_nb:
    host_fqdn_override:
      default: null
    hosts:
      default: ovn-ovsdb-nb
    name: ovn-ovsdb-nb
    namespace: null
    port:
      ovsdb:
        default: 6641
      raft:
        default: 6643
  # OVN southbound DB: OVSDB on 6642, RAFT on 6644.
  ovn_ovsdb_sb:
    host_fqdn_override:
      default: null
    hosts:
      default: ovn-ovsdb-sb
    name: ovn-ovsdb-sb
    namespace: null
    port:
      ovsdb:
        default: 6642
      raft:
        default: 6644
# Values passed to the helm-toolkit subchart; only an empty `global` mapping.
helm-toolkit:
  global: {}
# Container images per component.
# Review notes:
# - The ovn_* and ovn_bgp_agent / ovn_logging_parser entries carry an
#   @sha256 digest, so the content is fixed regardless of the tag text.
# - dep_check (`:edge`), image_repo_sync (`docker:17.07.0`, pulled straight
#   from docker.io) and vector have a tag only. Tags are mutable, and with
#   pull_policy IfNotPresent different nodes can end up running different
#   content under the same tag. Pin these by digest as well.
# - docker:17.07.0 is a very old release; if the image_repo_sync job is
#   actually rendered (local_registry.active is false here), replace it with
#   a maintained image.
images:
  local_registry:
    active: false
    exclude:
    - dep_check
    - image_repo_sync
  pull_policy: IfNotPresent
  tags:
    dep_check: harbor.atmosphere.dev/ghcr.io/vexxhost/kubernetes-entrypoint:edge
    image_repo_sync: docker.io/library/docker:17.07.0
    ovn_bgp_agent: harbor.atmosphere.dev/ghcr.io/vexxhost/ovn-bgp-agent:main@sha256:98f80380aec29ea1cedd9a923edb411706fb7528bfe13daae6dd086e40997d55
    ovn_controller: harbor.atmosphere.dev/ghcr.io/vexxhost/ovn:v24.03.7-3@sha256:deb1966eff94d8da072a3647db63546722094deb3ef34b6b464609bcba61887a
    ovn_controller_kubectl: harbor.atmosphere.dev/ghcr.io/vexxhost/ovn:v24.03.7-3@sha256:deb1966eff94d8da072a3647db63546722094deb3ef34b6b464609bcba61887a
    ovn_logging_parser: harbor.atmosphere.dev/ghcr.io/vexxhost/neutron:main@sha256:55f9c67dda4cc7082739eea7cb21810862a56aac6fe8107a5f31627c601ab23e
    ovn_northd: harbor.atmosphere.dev/ghcr.io/vexxhost/ovn:v24.03.7-3@sha256:deb1966eff94d8da072a3647db63546722094deb3ef34b6b464609bcba61887a
    ovn_ovsdb_nb: harbor.atmosphere.dev/ghcr.io/vexxhost/ovn:v24.03.7-3@sha256:deb1966eff94d8da072a3647db63546722094deb3ef34b6b464609bcba61887a
    ovn_ovsdb_sb: harbor.atmosphere.dev/ghcr.io/vexxhost/ovn:v24.03.7-3@sha256:deb1966eff94d8da072a3647db63546722094deb3ef34b6b464609bcba61887a
    vector: harbor.atmosphere.dev/docker.io/timberio/vector:0.38.0-debian
# Node selector label (key/value) per component. The BGP agent and the
# controller target nodes labelled openvswitch=enabled; the gateway
# controller, northd and both OVSDB servers target
# openstack-control-plane=enabled.
labels:
  ovn_bgp_agent:
    node_selector_key: openvswitch
    node_selector_value: enabled
  ovn_controller:
    node_selector_key: openvswitch
    node_selector_value: enabled
  ovn_controller_gw:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ovn_northd:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ovn_ovsdb_nb:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ovn_ovsdb_sb:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
# Per-manifest switches (presumably each gates rendering of the template
# with the matching name - confirm against the chart).
manifests:
  configmap_bin: true
  configmap_etc: true
  # The BGP agent DaemonSet is off in this release, so the privileged
  # ovn_bgp_agent containers and their sudoers/rootwrap configuration only
  # take effect if this is switched on.
  daemonset_ovn_bgp_agent: false
  daemonset_ovn_controller: true
  # NOTE(review): two similarly named northd flags are both set; check which
  # one the templates actually read.
  deployment_northd: true
  deployment_ovn_northd: true
  job_image_repo_sync: true
  service_ovn_ovsdb_nb: true
  service_ovn_ovsdb_sb: true
  statefulset_ovn_ovsdb_nb: true
  statefulset_ovn_ovsdb_sb: true
# Tunnel interface selection. No interface is named (null) and the CIDR is
# 0/0, which matches any address - presumably the chart then picks an
# interface on its own (confirm in the init script). Set an explicit
# interface or CIDR where tunnel traffic must stay on a dedicated network.
network:
  interface:
    tunnel: null
    tunnel_network_cidr: 0/0
# NetworkPolicy rule lists per component. Every list holds a single empty
# rule (`{}`); in a Kubernetes NetworkPolicy an empty ingress or egress rule
# matches all peers and all ports, so these values allow everything.
# NOTE(review): no network_policy switch appears under `manifests`, so it is
# unclear whether any policy is rendered at all - confirm. Either way, the
# OVSDB/RAFT ports are not restricted by anything in these values.
network_policy:
  ovn_controller:
    egress:
    - {}
    ingress:
    - {}
  ovn_northd:
    egress:
    - {}
    ingress:
    - {}
  ovn_ovsdb_nb:
    egress:
    - {}
    ingress:
    - {}
  ovn_ovsdb_sb:
    egress:
    - {}
    ingress:
    - {}
pod:
  # Pod anti-affinity defaults: required (not preferred) spreading across
  # kubernetes.io/hostname.
  affinity:
    anti:
      topologyKey:
        default: kubernetes.io/hostname
      type:
        default: requiredDuringSchedulingIgnoredDuringExecution
      weight:
        default: 10
  # ClusterFirstWithHostNet is the DNS policy meant for hostNetwork pods,
  # which suggests these pods share the node's network namespace (TODO
  # confirm in the templates). If so, every 0.0.0.0 listener configured under
  # `conf` is reachable on the node's own addresses.
  dns_policy: ClusterFirstWithHostNet
  labels:
    include_app_kubernetes_io: false
  # Rolling-update settings, one pod unavailable at a time per component.
  lifecycle:
    upgrades:
      daemonsets:
        ovn_controller:
          enabled: true
          max_unavailable: 1
          min_ready_seconds: 0
        ovn_northd:
          enabled: true
          max_unavailable: 1
          min_ready_seconds: 0
        ovn_ovsdb_nb:
          enabled: true
          max_unavailable: 1
          min_ready_seconds: 0
        ovn_ovsdb_sb:
          enabled: true
          max_unavailable: 1
          min_ready_seconds: 0
        pod_replacement_strategy: RollingUpdate
  # Probe settings per component/container. All enabled probes share the same
  # timing (30s initial delay, 60s period, 30s timeout); only northd defines
  # a liveness probe in addition to readiness.
  probes:
    ovn_controller:
      controller:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 30
    ovn_controller_gw:
      controller:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 30
    ovn_northd:
      northd:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 30
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 30
    ovn_ovsdb_nb:
      ovsdb:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 30
    ovn_ovsdb_sb:
      ovsdb:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 30
  # One replica each for northd and the two OVSDB servers.
  replicas:
    ovn_northd: 1
    ovn_ovsdb_nb: 1
    ovn_ovsdb_sb: 1
  # Resource requests/limits per component.
  # NOTE(review): `enabled: false` presumably means none of the values below
  # are applied to the pods (confirm in the templates). In that case the
  # containers run without CPU/memory limits, including the vector and
  # logging-parser sidecars that accept network input.
  resources:
    enabled: false
    jobs:
      image_repo_sync:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
    ovn_controller:
      limits:
        cpu: 2000m
        memory: 1024Mi
      requests:
        cpu: 100m
        memory: 128Mi
    ovn_logging_parser:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi
    ovn_northd:
      limits:
        cpu: 2000m
        memory: 1024Mi
      requests:
        cpu: 100m
        memory: 128Mi
    ovn_ovsdb_nb:
      limits:
        cpu: 1000m
        memory: 1024Mi
      requests:
        cpu: 100m
        memory: 384Mi
    ovn_ovsdb_sb:
      limits:
        cpu: 1000m
        memory: 1024Mi
      requests:
        cpu: 100m
        memory: 384Mi
    vector:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi
  # Container securityContext settings per pod/container.
  # Review notes:
  # - ovn_bgp_agent, ovn_bgp_agent_init, controller and controller_init run
  #   with `privileged: true`, i.e. all capabilities and host device access.
  #   For the BGP agent this means the sudo/rootwrap filters constrain what
  #   the agent code requests, not what a compromised container could do.
  # - The main ovn_bgp_agent container is the only privileged one here
  #   without readOnlyRootFilesystem.
  # - No runAsUser / runAsNonRoot and no capability drop list are set in this
  #   block; northd only adds SYS_NICE. Whether pod-level defaults exist is
  #   not visible from these values.
  security_context:
    ovn_bgp_agent:
      container:
        ovn_bgp_agent:
          privileged: true
        ovn_bgp_agent_init:
          privileged: true
          readOnlyRootFilesystem: true
    ovn_controller:
      container:
        controller:
          privileged: true
          readOnlyRootFilesystem: true
        controller_init:
          privileged: true
          readOnlyRootFilesystem: true
        # The two sidecars are unprivileged: no privilege escalation and a
        # read-only root filesystem.
        ovn_logging_parser:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        vector:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    ovn_northd:
      container:
        northd:
          capabilities:
            add:
            - SYS_NICE
  # Both log-pipeline sidecars (logging parser and vector) are switched on,
  # so their listeners from `conf` (ports 9697 and 5001) are in play.
  sidecars:
    ovn_logging_parser: true
    vector: true
  # No extra tolerations are enabled for any component.
  tolerations:
    ovn_controller:
      enabled: false
    ovn_northd:
      enabled: false
    ovn_ovsdb_nb:
      enabled: false
    ovn_ovsdb_sb:
      enabled: false
  use_fqdn:
    compute: true
# No release group override is set.
release_group: null
# Name of the Secret holding OCI registry credentials for this chart (only
# relevant when endpoints.oci_image_registry.auth.enabled is true - it is
# false in these values).
secrets:
  oci_image_registry:
    ovn: ovn-oci-image-registry-key
# Persistent volumes for the two OVSDB servers: 20Gi each from storage class
# `general`.
volume:
  ovn_ovsdb_nb:
    class_name: general
    enabled: true
    size: 20Gi
  ovn_ovsdb_sb:
    class_name: general
    enabled: true
    size: 20Gi
