---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Enable/Disable barbican configurations
zun_barbican_enabled: "{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}"
# Enable/Disable designate configurations
zun_designate_enabled: "{{ (groups['designate_all'] is defined) and (groups['designate_all'] | length > 0) }}"
# Notification topics for designate.
zun_notifications_designate: notifications_designate
# Enable/Disable ceilometer configurations
zun_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"

## Verbosity Options
debug: false

# python venv executable
zun_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"

# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
zun_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
zun_service_setup_host_python_interpreter: >-
  {{
    openstack_service_setup_host_python_interpreter | default(
      (zun_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
  }}

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
zun_package_state: "{{ package_state | default('latest') }}"

zun_git_repo: https://opendev.org/openstack/zun
zun_git_install_branch: master

zun_kuryr_git_repo: https://opendev.org/openstack/kuryr-libnetwork
zun_kuryr_git_install_branch: master

# This is only required until kuryr-libnetwork depends upon a version of kuryr-lib
# which includes https://review.opendev.org/c/openstack/kuryr/+/764908
zun_kuryr_lib_git_repo: https://opendev.org/openstack/kuryr
zun_kuryr_lib_git_install_branch: master

zun_upper_constraints_url: >-
  {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
zun_git_constraints:
  - "--constraint {{ zun_upper_constraints_url }}"

zun_pip_install_args: "{{ pip_install_options | default('') }}"

# Name of the virtual env to deploy into
zun_venv_tag: "{{ venv_tag | default('untagged') }}"
zun_bin: "/openstack/venvs/zun-{{ zun_venv_tag }}/bin"

zun_fatal_deprecations: false

## Zun user information
zun_system_user_name: zun
zun_system_group_name: zun
zun_system_shell: /bin/false
zun_system_comment: zun system user
zun_system_home_folder: "/var/lib/{{ zun_system_user_name }}"
zun_system_slice_name: zun
zun_log_dir: "/var/log/zun"

zun_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"

## Kuryr user information
zun_kuryr_system_user_name: root
zun_kuryr_system_group_name: root
zun_kuryr_system_shell: /bin/false
zun_kuryr_system_comment: kuryr system user
zun_kuryr_system_home_folder: "/var/lib/{{ zun_kuryr_system_user_name }}"
zun_kuryr_log_dir: "/var/log/kuryr"

## Docker setup information
zun_docker_package_version: "{{ _zun_docker_package_version }}"
zun_architecture_mapping:
  x86_64: amd64
  ppc64le: ppc64el
  s390x: s390x
  armv7l: armhf
  aarch64: arm64
zun_containerd_package_version: "{{ _zun_containerd_package_version }}"
zun_kata_package_version: "3.16.0"
zun_kata_package_source: >-
  https://github.com/kata-containers/kata-containers/releases/download/{{ zun_kata_package_version }}/kata-static-{{ zun_kata_package_version }}-{{
    zun_architecture_mapping.get(ansible_facts['architecture']) }}.tar.xz
zun_kata_package_checksum_mapping:
  x86_64: sha256:56cb69a7bb6d3364e92155e06283972e71654a88c70816a55f891f209a8f74db
  ppc64le: sha256:858a95491a6764b95e5540423935e14b39b335287ef7d861a90b046f644d7d8e
  s390x: sha256:b866b73f4af6b7418febb87c0c5d7af825f9e91066c3629dea3196b3b85b0192
  aarch64: sha256:161875f74282015a5f4d86ca9d06f4e47626402eddaf5cccd288a5a3e82d87e0
zun_kata_enabled: "True"

# Set a list of users that are permitted to execute the docker binary.
zun_docker_users:
  - "{{ zun_system_user_name }}"
  - "{{ zun_kuryr_system_user_name }}"

# Set the docker api version. The default is false, which will result in no
# option being set in config for api servers. On compute hosts the docker api
# version will be used as determined by the client version information.
zun_docker_api_version: false

# Set the address for Docker to bind to. Used by the wsproxy console forwarder
zun_docker_bind_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_docker_bind_port: 2375

# Should Docker image cache data be periodically cleaned up?
zun_docker_prune_images: false

# Time period for which to clean up old Docker data. The options are hour, day,
# month, or year. (string value)
zun_docker_prune_frequency: hour

## Manually specified zun UID/GID
# Deployers can specify a UID for the zun user as well as the GID for the
# zun group if needed. This is commonly used in environments where shared
# storage is used, such as NFS or GlusterFS, and zun UID/GID values must be
# in sync between multiple servers.
#
# WARNING: Changing these values on an existing deployment can lead to
#          failures, errors, and instability.
#
# zun_system_user_uid = <UID>
# zun_system_group_gid = <GID>

## Database info
zun_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
zun_db_setup_python_interpreter: >-
  {{
    openstack_db_setup_python_interpreter | default((zun_db_setup_host == 'localhost') | ternary(
      ansible_playbook_python, ansible_facts['python']['executable']))
  }}
zun_galera_address: "{{ galera_address | default('127.0.0.1') }}"
zun_galera_user: zun
zun_galera_database: zun
zun_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
zun_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
zun_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
zun_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
# Toggle whether zun connects via an encrypted connection
zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
# The path where to store the database server CA certificate
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
zun_galera_port: "{{ galera_port | default('3306') }}"

## RabbitMQ info

## Configuration for RPC communications
zun_rpc_thread_pool_size: 64
zun_rpc_conn_pool_size: 30
zun_rpc_response_timeout: 60

## Oslo Messaging info

# RPC
zun_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
zun_oslomsg_rpc_setup_host: "{{ (zun_oslomsg_rpc_host_group in groups) | ternary(groups[zun_oslomsg_rpc_host_group][0], 'localhost') }}"
zun_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
zun_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
zun_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
zun_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
zun_oslomsg_rpc_userid: zun
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
zun_oslomsg_rpc_vhost:
  - name: /zun
    state: "{{ zun_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
  - name: zun
    state: "{{ zun_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
zun_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
zun_oslomsg_rpc_policies: []

# Notify
zun_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(zun_ceilometer_enabled or zun_designate_enabled) }}"
zun_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
zun_oslomsg_notify_setup_host: "{{ (zun_oslomsg_notify_host_group in groups) | ternary(groups[zun_oslomsg_notify_host_group][0], 'localhost') }}"
zun_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
zun_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
zun_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
zun_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
zun_oslomsg_notify_userid: "{{ zun_oslomsg_rpc_userid }}"
zun_oslomsg_notify_password: "{{ zun_oslomsg_rpc_password }}"
zun_oslomsg_notify_vhost: "{{ zun_oslomsg_rpc_vhost }}"
zun_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
zun_oslomsg_notify_policies: []

## RabbitMQ integration
zun_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
zun_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(zun_oslomsg_rabbit_quorum_queues) }}"
zun_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(zun_oslomsg_rabbit_stream_fanout) }}"
zun_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(zun_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
zun_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(zun_oslomsg_rabbit_quorum_queues) }}"
zun_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
zun_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"

# If this is not set, then the playbook will try to guess it.
# zun_virt_type: kvm

## Zun Auth
zun_service_region: "{{ service_region | default('RegionOne') }}"
zun_service_project_name: "service"
zun_service_project_domain_id: default
zun_service_user_domain_id: default
zun_service_user_name: "zun"
zun_service_role_names:
  - admin
  - service
zun_service_token_roles:
  - service
zun_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"

## Zun Auth for kuryr
zun_kuryr_service_username: kuryr

## Keystone authentication middleware
zun_keystone_auth_plugin: password

## Zun WebSocket Proxy
zun_wsproxy_proto: "{{ (openstack_service_publicuri_proto | default('http') == 'https') | ternary('wss', 'ws') }}"
zun_wsproxy_port: 6784
zun_wsproxy_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_wsproxy_base_uri: "{{ zun_wsproxy_proto }}://{{ external_lb_vip_address }}:{{ zun_wsproxy_port }}"

## Zun v1
zun_service_name: zun
zun_service_type: container
zun_service_proto: http
zun_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(zun_service_proto) }}"
zun_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(zun_service_proto) }}"
zun_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(zun_service_proto) }}"
zun_service_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_service_port: 9517
zun_kuryr_service_address: 127.0.0.1
zun_kuryr_service_port: 23750
zun_service_description: "Zun Compute Service"
zun_service_publicuri: "{{ zun_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ zun_service_port }}"
zun_service_publicurl: "{{ zun_service_publicuri }}"
zun_service_adminuri: "{{ zun_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_adminurl: "{{ zun_service_adminuri }}"
zun_service_internaluri: "{{ zun_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_internalurl: "{{ zun_service_internaluri }}"
zun_service_endpoint_type: internalURL

## General Zun configuration
# Select between the 'runc' or 'kata' runtime
zun_container_runtime: runc

# If ``zun_osapi_compute_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_osapi_compute_workers: 16

# If ``zun_conductor_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_conductor_workers: 16

# If ``zun_metadata_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_metadata_workers: 16

## Cap the maximun number of threads / workers when a user value is unspecified.
zun_api_threads_max: 16
zun_api_threads: >-
  {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, zun_api_threads_max] | min }}

zun_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"

zun_scheduler_default_filters: >-
  AvailabilityZoneFilter,
  ComputeFilter
zun_scheduler_available_filters: zun.scheduler.filters.all_filters
zun_scheduler_driver: filter_scheduler

## uWSGI setup
zun_wsgi_threads: 1
zun_wsgi_processes_max: 16
zun_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, zun_wsgi_processes_max] | min }}"

## Service Name-Group Mapping
zun_services:
  kuryr-libnetwork:
    group: zun_compute
    service_name: kuryr-libnetwork
    condition: "{{ inventory_hostname in groups['zun_compute'] }}"
    init_config_overrides: "{{ zun_kuryr_init_defaults | combine(zun_kuryr_init_overrides, recursive=True) }}"
    start_order: 3
    wsgi_app: true
    wsgi: kuryr_libnetwork.server:app
    uwsgi_bind_address: "{{ zun_kuryr_service_address }}"
    uwsgi_port: "{{ zun_kuryr_service_port }}"
    uwsgi_overrides: "{{ zun_kuryr_uwsgi_conf_overrides }}"
    uwsgi_uid: "{{ zun_kuryr_system_user_name }}"
    uwsgi_guid: "{{ zun_kuryr_system_group_name }}"
  zun-api:
    group: zun_api
    service_name: zun-api
    init_config_overrides: "{{ zun_api_init_overrides }}"
    start_order: 1
    wsgi_app: true
    wsgi: "zun.wsgi.api:application"
    uwsgi_bind_address: "{{ zun_service_address }}"
    uwsgi_port: "{{ zun_service_port }}"
    uwsgi_overrides: "{{ zun_uwsgi_conf_overrides }}"
    uwsgi_uid: "{{ zun_system_user_name }}"
    uwsgi_guid: "{{ zun_system_group_name }}"
    uwsgi_tls: "{{ zun_backend_ssl | ternary(zun_uwsgi_tls, {}) }}"
  zun-compute:
    group: zun_compute
    service_name: zun-compute
    init_config_overrides: "{{ zun_compute_init_overrides }}"
    start_order: 5
    execstarts: "{{ zun_bin }}/zun-compute --config-dir /etc/zun"
  zun-wsproxy:
    group: zun_api
    service_name: zun-wsproxy
    init_config_overrides: "{{ zun_wsproxy_init_overrides }}"
    start_order: 2
    execstarts: "{{ zun_bin }}/zun-wsproxy --config-dir /etc/zun"
  zun-docker-cleanup:
    group: zun_compute
    service_name: zun-docker-cleanup
    init_config_overrides: "{{ zun_docker_cleanup_init_overrides }}"
    start_order: 6
    execstarts: "{{ zun_bin }}/zun-docker-cleanup"
    timer:
      state: started
      options:
        OnBootSec: 30min
        OnCalendar: "{{ (zun_docker_prune_frequency == 'day') | ternary('daily', zun_docker_prune_frequency + 'ly') }}"
        Persistent: true
  docker:
    group: zun_compute
    service_name: docker
    init_config_overrides: {}
    start_order: 4
    systemd_overrides_only: true
    systemd_overrides: "{{ zun_docker_init_defaults | combine(zun_docker_init_overrides, recursive=True) }}"

# Common pip packages
zun_pip_packages:
  - "git+{{ zun_git_repo }}@{{ zun_git_install_branch }}#egg=zun"
  - "git+{{ zun_kuryr_lib_git_repo }}@{{ zun_kuryr_lib_git_install_branch }}#egg=kuryr-lib"
  - "git+{{ zun_kuryr_git_repo }}@{{ zun_kuryr_git_install_branch }}#egg=kuryr-libnetwork"
  - oslo_rootwrap
  - osprofiler
  - python-memcached
  - pymemcache
  - python-zunclient
  - pymysql
  - systemd-python

zun_memcached_servers: "{{ memcached_servers }}"

## Default service options used within all systemd unit files.
zun_service_defaults: {}

## Tunable overrides for services
zun_zun_conf_overrides: {}
zun_rootwrap_conf_overrides: {}
zun_kuryr_conf_overrides: {}
zun_docker_config_overrides: {}
zun_kuryr_config_overrides: {}
zun_uwsgi_conf_overrides: {}
zun_kuryr_uwsgi_conf_overrides:
  uwsgi:
    pyargv: --config-file /etc/kuryr/kuryr.conf
zun_uwsgi_tls:
  crt: "{{ zun_ssl_cert }}"
  key: "{{ zun_ssl_key }}"

## Default zun+kuryr options used within the systemd unit file.
zun_kuryr_init_defaults:
  Unit:
    Before: docker.service
    After: network-online.target
    Wants: network-online.target
  Service:
    CapabilityBoundingSet: CAP_NET_ADMIN
    AmbientCapabilities: CAP_NET_ADMIN
    Group: "{{ zun_kuryr_system_group_name }}"
    User: "{{ zun_kuryr_system_user_name }}"

## Default zun+docker options used within the systemd unit file.
zun_docker_init_defaults:
  Service:
    ExecStart:
      - ""
      - "/usr/bin/dockerd --group {{ zun_system_group_name }} -H tcp://{{ zun_docker_bind_host }}:{{ zun_docker_bind_port }} -H unix:///var/run/docker.sock{% if zun_kata_enabled %} --add-runtime kata=/opt/kata/bin/kata-runtime{% endif %}" # noqa: yaml[line-length]

## Tunable overrides for service unit files.
zun_api_paste_ini_overrides: {}
zun_api_init_overrides: {}
zun_wsproxy_init_overrides: {}
zun_compute_init_overrides: {}
zun_kuryr_init_overrides: {}
zun_docker_init_overrides: {}
zun_docker_cleanup_init_overrides: {}
zun_policy_overrides: {}

###
### Backend TLS
###

# Define if communication between haproxy and service backends should be
# encrypted with TLS.
zun_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
zun_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
zun_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# zun server certificate
zun_pki_keys_path: "{{ zun_pki_dir ~ '/certs/private/' }}"
zun_pki_certs_path: "{{ zun_pki_dir ~ '/certs/certs/' }}"
zun_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
zun_pki_regen_cert: ""
zun_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
zun_pki_certificates:
  - name: "zun_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ zun_pki_san }}"
    signed_by: "{{ zun_pki_intermediate_cert_name }}"

# zun destination files for SSL certificates
zun_ssl_cert: /etc/zun/zun.pem
zun_ssl_key: /etc/zun/zun.key

# Installation details for SSL certificates
zun_pki_install_certificates:
  - src: "{{ zun_user_ssl_cert | default(zun_pki_certs_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ zun_ssl_cert }}"
    owner: "{{ zun_system_user_name }}"
    group: "{{ zun_system_user_name }}"
    mode: "0644"
  - src: "{{ zun_user_ssl_key | default(zun_pki_keys_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ zun_ssl_key }}"
    owner: "{{ zun_system_user_name }}"
    group: "{{ zun_system_user_name }}"
    mode: "0600"

# Define user-provided SSL certificates
# zun_user_ssl_cert: <path to cert on ansible deployment host>
# zun_user_ssl_key: <path to cert on ansible deployment host>