OpenStack cloud configuration reference guide - Installing on OpenStack | Installing

OpenStack cloud provider options

A cloud provider configuration controls how OKD interacts with OpenStack. Use the following parameters in a cloud-provider configuration manifest file to configure your cluster.

OpenStack cloud provider options

The cloud provider configuration, typically stored as a file named cloud.conf, controls how OKD interacts with Red Hat OpenStack Platform (RHOSP).

You can create a valid cloud.conf file by specifying the following options in it.

Global options

The following options are used for OpenStack CCM authentication with the OpenStack Identity service, also known as Keystone. They are similiar to the global options that you can set by using the openstack cli.

Option Description

Option	Description
`auth-url`	The OpenStack Identity service URL. For example, `http://128.110.154.166/identity`.
`ca-file`	Optional. The CA certificate bundle file for communication with the OpenStack Identity service. If you use the HTTPS protocol with The Identity service URL, this option is required.
`domain-id`	The Identity service user domain ID. Leave this option unset if you are using Identity service application credentials.
`domain-name`	The Identity service user domain name. This option is not required if you set `domain-id`.
`tenant-id`	The Identity service project ID. Leave this option unset if you are using Identity service application credentials. In version 3 of the Identity API, which changed the identifier `tenant` to `project`, the value of `tenant-id` is automatically mapped to the project construct in the API.
`tenant-name`	The Identity service project name.
`username`	The Identity service user name. Leave this option unset if you are using Identity service application credentials.
`password`	The Identity service user password. Leave this option unset if you are using Identity service application credentials.
`region`	The Identity service region name.
`trust-id`	The Identity service trust ID. A trust represents the authorization of a user, or trustor, to delegate roles to another user, or trustee. Optionally, a trust authorizes the trustee to impersonate the trustor. You can find available trusts by querying the `/v3/OS-TRUST/trusts` endpoint of the Identity service API.

auth-url

The OpenStack Identity service URL. For example, http://128.110.154.166/identity.

ca-file

Optional. The CA certificate bundle file for communication with the OpenStack Identity service. If you use the HTTPS protocol with The Identity service URL, this option is required.

domain-id

The Identity service user domain ID.

Leave this option unset if you are using Identity service application credentials.

domain-name

The Identity service user domain name.

This option is not required if you set domain-id.

tenant-id

The Identity service project ID. Leave this option unset if you are using Identity service application credentials.

In version 3 of the Identity API, which changed the identifier tenant to project, the value of tenant-id is automatically mapped to the project construct in the API.

tenant-name

The Identity service project name.

username

The Identity service user name.

Leave this option unset if you are using Identity service application credentials.

password

The Identity service user password.

Leave this option unset if you are using Identity service application credentials.

region

The Identity service region name.

trust-id

The Identity service trust ID. A trust represents the authorization of a user, or trustor, to delegate roles to another user, or trustee. Optionally, a trust authorizes the trustee to impersonate the trustor. You can find available trusts by querying the /v3/OS-TRUST/trusts endpoint of the Identity service API.

Load balancer options

The cloud provider supports several load balancer options for deployments that use Octavia.

Option Description

Option	Description
`use-octavia`	Whether or not to use Octavia for the `LoadBalancer` type of the service implementation rather than Neutron-LBaaS. The default value is `true`.
`floating-network-id`	Optional. The external network used to create floating IP addresses for load balancer virtual IP addresses (VIPs). If there are multiple external networks in the cloud, this option must be set or the user must specify `loadbalancer.openstack.org/floating-network-id` in the service annotation.
`lb-method`	The load balancing algorithm used to create the load balancer pool. For the Amphora provider the value can be `ROUND_ROBIN`, `LEAST_CONNECTIONS`, or `SOURCE_IP`. The default value is `ROUND_ROBIN`. For the OVN provider, only the `SOURCE_IP_PORT` algorithm is supported. For the Amphora provider, if using the `LEAST_CONNECTIONS` or `SOURCE_IP` methods, configure the `create-monitor` option as `true` in the `cloud-provider-config` config map on the `openshift-config` namespace and `ETP:Local` on the load-balancer type service to allow balancing algorithm enforcement in the client to service endpoint connections.
`lb-provider`	Optional. Used to specify the provider of the load balancer, for example, `amphora` or `octavia`. Only the Amphora and Octavia providers are supported.
`lb-version`	Optional. The load balancer API version. Only `"v2"` is supported.
`subnet-id`	The ID of the Networking service subnet on which load balancer VIPs are created.
`create-monitor`	Whether or not to create a health monitor for the service load balancer. A health monitor is required for services that declare `externalTrafficPolicy: Local`. The default value is `false`. This option is unsupported if you use OpenStack earlier than version 17 with the `ovn` provider.
`monitor-delay`	The interval in seconds by which probes are sent to members of the load balancer. The default value is `5`.
`monitor-max-retries`	The number of successful checks that are required to change the operating status of a load balancer member to `ONLINE`. The valid range is `1` to `10`, and the default value is `1`.
`monitor-timeout`	The time in seconds that a monitor waits to connect to the back end before it times out. The default value is `3`.

use-octavia

Whether or not to use Octavia for the LoadBalancer type of the service implementation rather than Neutron-LBaaS. The default value is true.

floating-network-id

Optional. The external network used to create floating IP addresses for load balancer virtual IP addresses (VIPs). If there are multiple external networks in the cloud, this option must be set or the user must specify loadbalancer.openstack.org/floating-network-id in the service annotation.

lb-method

The load balancing algorithm used to create the load balancer pool. For the Amphora provider the value can be ROUND_ROBIN, LEAST_CONNECTIONS, or SOURCE_IP. The default value is ROUND_ROBIN.

For the OVN provider, only the SOURCE_IP_PORT algorithm is supported.

For the Amphora provider, if using the LEAST_CONNECTIONS or SOURCE_IP methods, configure the create-monitor option as true in the cloud-provider-config config map on the openshift-config namespace and ETP:Local on the load-balancer type service to allow balancing algorithm enforcement in the client to service endpoint connections.

lb-provider

Optional. Used to specify the provider of the load balancer, for example, amphora or octavia. Only the Amphora and Octavia providers are supported.

lb-version

Optional. The load balancer API version. Only "v2" is supported.

subnet-id

The ID of the Networking service subnet on which load balancer VIPs are created.

create-monitor

Whether or not to create a health monitor for the service load balancer. A health monitor is required for services that declare externalTrafficPolicy: Local. The default value is false.

This option is unsupported if you use OpenStack earlier than version 17 with the ovn provider.

monitor-delay

The interval in seconds by which probes are sent to members of the load balancer. The default value is 5.

monitor-max-retries

The number of successful checks that are required to change the operating status of a load balancer member to ONLINE. The valid range is 1 to 10, and the default value is 1.

monitor-timeout

The time in seconds that a monitor waits to connect to the back end before it times out. The default value is 3.

Metadata options

Option Description

Option	Description
`search-order`	This configuration key affects the way that the provider retrieves metadata that relates to the instances in which it runs. The default value of `configDrive,metadataService` results in the provider retrieving instance metadata from the configuration drive first if available, and then the metadata service. Alternative values are: `configDrive`: Only retrieve instance metadata from the configuration drive. `metadataService`: Only retrieve instance metadata from the metadata service. `metadataService,configDrive`: Retrieve instance metadata from the metadata service first if available, and then retrieve instance metadata from the configuration drive.

search-order

This configuration key affects the way that the provider retrieves metadata that relates to the instances in which it runs. The default value of configDrive,metadataService results in the provider retrieving instance metadata from the configuration drive first if available, and then the metadata service. Alternative values are:

configDrive: Only retrieve instance metadata from the configuration drive.
metadataService: Only retrieve instance metadata from the metadata service.
metadataService,configDrive: Retrieve instance metadata from the metadata service first if available, and then retrieve instance metadata from the configuration drive.