blob: 216a6821c52705d5bee1b6991870724b4fbeee49 [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
mode: deploy
lean: false
prompt_user: true
openwhisk_home: "{{ lookup('env', 'OPENWHISK_HOME') | default(playbook_dir ~ '/..', true) }}"
openwhisk_cli_home: "{{ lookup('env', 'OPENWHISK_CLI') | default(openwhisk_home ~ '/../openwhisk-cli', true) }}"
exclude_logs_from: []
# This whisk_api_localhost_name_default is used to configure nginx to permit vanity URLs for web actions
# for local deployment. For a public deployment, the specific environment group vars should define
# whisk_api_host_name; this is available to actions and hence must resolve from inside an action container
# specific to the deployment (i.e., it may be an IP address rather than a hostname in some cases).
# For a local deployment, use whisk_api_localhost_name. For a deployment which requires
# different name resolution between the whisk_api_host_name and the whisk_api_local_host_name, both should
# be defined so that the nginx configuration for the server name reflects the public facing naming (of the
# edge router) even if it is different from the API host available to the actions. The precedence order for
# configuring nginx and the SSL certificate generation is:
# whisk_api_localhost_name (first)
# whisk_api_host_name (second)
# whisk_api_localhost_name_default (last)
whisk_api_localhost_name_default: "localhost"
# Type of your environment.
# If you want to deploy everything on your local machine use 'local'.
# If you use a docker-machine on a mac use 'docker-machine'
# If you want to deploy Openwhisk to other machines use 'distributed'
environmentInformation:
type: "{{ environment_type | default('local') }}"
hosts_dir: "{{ inventory_dir | default(env_hosts_dir) }}"
whisk:
version:
date: "{{ansible_date_time.iso8601}}"
feature_flags:
require_api_key_annotation: "{{ require_api_key_annotation | default(true) | lower }}"
##
# configuration parameters related to support runtimes (see org.apache.openwhisk.core.entity.ExecManifest for schema of the manifest).
# briefly the parameters are:
#
# runtimes_registry: optional registry (with trailing slash) where to pull docker images from for default runtimes (in manifest)
# user_images_registry: optional registry (with trailing slash) where to pull docker images from for blackbox images
#
# skip_pull_runtimes: this will skip pulling the images to the invoker (images must exist there somehow)
#
# runtimes_manifest: set of language runtime families grouped by language (e.g., nodejs, python) and blackbox images to pre-pull
#
# runtimes_bypass_pull_for_local_images: optional, if true, allow images with a prefix that matches
# {{ runtimes_local_image_prefix }} to skip docker pull in invoker even if the image is not part of the blackbox set
#
manifestfile: "{{ manifest_file | default('/ansible/files/runtimes.json') }}"
runtimesManifest: "{{ runtimes_manifest | default(lookup('file', openwhisk_home ~ '{{ manifestfile }}') | from_json) }}"
limits:
invocationsPerMinute: "{{ limit_invocations_per_minute | default(60) }}"
concurrentInvocations: "{{ limit_invocations_concurrent | default(30) }}"
firesPerMinute: "{{ limit_fires_per_minute | default(60) }}"
sequenceMaxLength: "{{ limit_sequence_max_length | default(50) }}"
# Moved here to avoid recursions. Please do not use outside of controller-dict.
__controller_ssl_keyPrefix: "controller-"
__controller_blackbox_fraction: 0.10
# port means outer port
controller:
dir:
become: "{{ controller_dir_become | default(false) }}"
confdir: "{{ config_root_dir }}/controller"
basePort: 10001
heap: "{{ controller_heap | default('2g') }}"
arguments: "{{ controller_arguments | default('') }}"
managedFraction: "{{ controller_managed_fraction | default(1.0 - (controller_blackbox_fraction | default(__controller_blackbox_fraction))) }}"
blackboxFraction: "{{ controller_blackbox_fraction | default(__controller_blackbox_fraction) }}"
timeoutFactor: "{{ controller_timeout_factor | default(2) }}"
timeoutAddon: "{{ controller_timeout_addon | default('1 m') }}"
instances: "{{ groups['controllers'] | length }}"
akka:
provider: cluster
cluster:
basePort: 8000
host: "{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}"
bindPort: 2551
# at this moment all controllers are seed nodes
seedNodes: "{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}"
loadbalancer:
spi: "{{ controller_loadbalancer_spi | default('') }}"
authentication:
spi: "{{ controller_authentication_spi | default('') }}"
loglevel: "{{ controller_loglevel | default(whisk_loglevel) | default('INFO') }}"
entitlement:
spi: "{{ controller_entitlement_spi | default('') }}"
protocol: "{{ controller_protocol | default('https') }}"
ssl:
cn: openwhisk-controllers
keyPrefix: "{{ __controller_ssl_keyPrefix }}"
storeFlavor: PKCS12
clientAuth: "{{ controller_client_auth | default('true') }}"
cert: "{{ __controller_ssl_keyPrefix }}openwhisk-server-cert.pem"
key: "{{ __controller_ssl_keyPrefix }}openwhisk-server-key.pem"
keystore:
password: "openwhisk"
name: "{{ __controller_ssl_keyPrefix }}openwhisk-keystore.p12"
extraEnv: "{{ controller_extraEnv | default({}) }}"
jmx:
basePortController: 15000
rmiBasePortController: 16000
basePortInvoker: 17000
rmiBasePortInvoker: 18000
user: "{{ jmxuser | default('jmxuser') }}"
pass: "{{ jmxuser | default('jmxpass') }}"
jvmCommonArgs: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/owuser/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/owuser/jmxremote.access"
enabled: "{{ jmxremote_enabled | default('true') }}"
transactions:
header: "{{ transactions_header | default('X-Request-ID') }}"
registry:
confdir: "{{ config_root_dir }}/registry"
kafka:
ssl:
client_authentication: required
keystore:
name: kafka-keystore.jks
password: openwhisk
cipher_suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
protocols:
- TLSv1.2
protocol: "{{ kafka_protocol_for_setup }}"
version: 2.12-2.3.1
port: 9072
advertisedPort: 9093
ras:
port: 8093
heap: "{{ kafka_heap | default('1g') }}"
replicationFactor: "{{ kafka_replicationFactor | default((groups['kafkas']|length)|int) }}"
offsetsTopicReplicationFactor: "{{ kafka_offsetsTopicReplicationFactor | default(kafka_replicationFactor) | default((groups['kafkas']|length)|int) }}"
# adapt this param for production deployments depending on the number of kafka consumers
networkThreads: "{{ kafka_network_threads | default(3) }}"
kafka_connect_string: "{% set ret = [] %}\
{% for host in groups['kafkas'] %}\
{{ ret.append( hostvars[host].ansible_host + ':' + ((kafka.advertisedPort+loop.index-1)|string) ) }}\
{% endfor %}\
{{ ret | join(',') }}"
kafka_protocol_for_setup: "{{ kafka_protocol | default('PLAINTEXT') }}"
zookeeper:
version: 3.4
port: 2181
zookeeper_connect_string: "{% set ret = [] %}\
{% for host in groups['zookeepers'] %}\
{{ ret.append( hostvars[host].ansible_host + ':' + ((zookeeper.port+loop.index-1)|string) ) }}\
{% endfor %}\
{{ ret | join(',') }}"
invokerHostnameFromMap: "{{ groups['invokers'] | map('extract', hostvars, 'ansible_host') | list | first }}"
invokerHostname: "{{ invokerHostnameFromMap | default(inventory_hostname) }}"
# Moved here to avoid recursions. Please do not use outside of invoker-dict.
__invoker_ssl_keyPrefix: "invoker-"
invoker:
dir:
become: "{{ invoker_dir_become | default(false) }}"
confdir: "{{ config_root_dir }}/invoker"
port: 12001
heap: "{{ invoker_heap | default('2g') }}"
arguments: "{{ invoker_arguments | default('') }}"
userMemory: "{{ invoker_user_memory | default('2048m') }}"
# Specify if it is allowed to deploy more than 1 invoker on a single machine.
allowMultipleInstances: "{{ invoker_allow_multiple_instances | default(false) }}"
# Specify if it should use docker-runc or docker to pause/unpause containers
useRunc: "{{ invoker_use_runc | default(true) }}"
docker:
become: "{{ invoker_docker_become | default(false) }}"
runcdir: "{{ invoker_runcdir | default('/run/docker/runtime-runc/moby') }}"
volumes: "{{ invoker_docker_volumes | default([]) }}"
loglevel: "{{ invoker_loglevel | default(whisk_loglevel) | default('INFO') }}"
jmxremote:
jvmArgs: "{% if inventory_hostname in groups['invokers'] %}
{{ jmx.jvmCommonArgs }} -Djava.rmi.server.hostname={{ invokerHostname }} -Dcom.sun.management.jmxremote.rmi.port={{ jmx.rmiBasePortInvoker + groups['invokers'].index(inventory_hostname) }} -Dcom.sun.management.jmxremote.port={{ jmx.basePortInvoker + groups['invokers'].index(inventory_hostname) }}
{% endif %}"
extraEnv: "{{ invoker_extraEnv | default({}) }}"
protocol: "{{ invoker_protocol | default('https') }}"
ssl:
cn: "openwhisk-invokers"
keyPrefix: "{{ __invoker_ssl_keyPrefix }}"
storeFlavor: "PKCS12"
clientAuth: "{{ invoker_client_auth | default('true') }}"
cert: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-cert.pem"
key: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-key.pem"
keystore:
password: "{{ invoker_keystore_password | default('openwhisk') }}"
name: "{{ __invoker_ssl_keyPrefix }}openwhisk-keystore.p12"
userLogs:
spi: "{{ userLogs_spi | default('org.apache.openwhisk.core.containerpool.logging.DockerToActivationLogStoreProvider') }}"
nginx:
confdir: "{{ config_root_dir }}/nginx"
htmldir: "{{ ui_path | default(false) }}"
dir:
become: "{{ nginx_dir_become | default(false) }}"
version: "{{ nginx_version | default('1.17') }}"
port:
http: 80
https: 443
ssl:
path: "{{ nginx_ssl_path | default(playbook_dir +'/roles/nginx/files') }}"
cert: "{{ nginx_ssl_server_cert | default('openwhisk-server-cert.pem') }}"
key: "{{ nginx_ssl_server_key | default('openwhisk-server-key.pem') }}"
client_ca_cert: "{{ nginx_ssl_client_ca_cert | default('openwhisk-client-ca-cert.pem') }}"
verify_client: "{{ nginx_ssl_verify_client | default('off') }}"
password_file: "{{ nginx_ssl_password_file | default(false) }}"
wpn:
router: "{{ nginx_wpn_router | default('1') }}"
special_users: "{{ nginx_special_users | default('[]') }}"
# These are the variables to define all database relevant settings.
# The authKeys are the users, that are initially created to use OpenWhisk.
# The keys are stored in ansible/files and will be inserted into the authentication databse.
# The key db.whisk.actions is the name of the database where all artifacts of the user are stored. These artifacts are actions, triggers, rules and packages.
# The key db.whisk.activation is the name of the database where all activations are stored.
# The key db.whisk.auth is the name of the authentication database where all keys of all users are stored.
# The db_prefix is defined for each environment on its own. The CouchDb credentials are also defined for each environment on its own.
db:
provider: "{{ db_provider | default(lookup('ini', 'db_provider section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
protocol: "{{ db_protocol | default(lookup('ini', 'db_protocol section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
port: "{{ db_port | default(lookup('ini', 'db_port section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
host: "{{ db_host | default(lookup('ini', 'db_host section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
persist_path: "{{ db_persist_path | default(false) }}"
instances: "{{ groups['db'] | length }}"
authkeys:
- guest
- whisk.system
whisk:
actions: "{{ db_prefix }}whisks"
activations: "{{ db_prefix }}activations"
auth: "{{ db_prefix }}subjects"
credentials:
admin:
user: "{{ db_username | default(lookup('ini', 'db_username section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
pass: "{{ db_password | default(lookup('ini', 'db_password section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
controller:
user: "{{ db_controller_user | default(lookup('ini', 'db_username section=controller file={{ playbook_dir }}/db_local.ini')) }}"
pass: "{{ db_controller_pass | default(lookup('ini', 'db_password section=controller file={{ playbook_dir }}/db_local.ini')) }}"
invoker:
user: "{{ db_invoker_user | default(lookup('ini', 'db_username section=invoker file={{ playbook_dir }}/db_local.ini')) }}"
pass: "{{ db_invoker_pass | default(lookup('ini', 'db_password section=invoker file={{ playbook_dir }}/db_local.ini')) }}"
activation_store:
backend: "{{ db_activation_backend | default('CouchDB') }}"
elasticsearch:
protocol: "{{ elastic_protocol | default('http') }}"
port: 9200
index_pattern: "{{ elastic_index_pattern | default('openwhisk-%s') }}"
base_transport_port: 9300
confdir: "{{ config_root_dir }}/elasticsearch"
dir:
become: "{{ elastic_dir_become | default(false) }}"
base_volume: "{{ elastic_base_volume | default('esdata') }}"
cluster_name: "{{ elastic_cluster_name | default('openwhisk') }}"
java_opts: "{{ elastic_java_opts | default('-Xms1g -Xmx1g') }}"
loglevel: "{{ elastic_loglevel | default('INFO') }}"
# the user id of elasticsearch process, default is 1000, if you have enabled user namespace
# for docker daemon, this need to be changed correspondingly
uid: "{{ elastic_uid | default(1000) }}"
auth:
admin:
username: "{{ elastic_username | default('admin') }}"
password: "{{ elastic_password | default('admin') }}"
apigateway:
port:
api: 9000
mgmt: 9001
# Default to 'nightly', which tracks the head revision of the master branch of apigateway's gitrepo
version: nightly
redis:
version: 4.0
port: 6379
password: openwhisk
linux:
version: 4.4.0-31
couchdb:
version: 2.3
elasticsearch:
version: 6.7.2
elasticsearch_connect_string: "{% set ret = [] %}\
{% for host in groups['elasticsearch'] %}\
{{ ret.append( hostvars[host].ansible_host + ':' + ((db.elasticsearch.port+loop.index-1)|string) ) }}\
{% endfor %}\
{{ ret | join(',') }}"
docker:
# The user to install docker for. Defaults to the ansible user if not set. This will be the user who is able to run
# docker commands on a machine setup with prereq_build.yml
#user:
image:
prefix: "{{ docker_image_prefix | default('whisk') }}"
tag: "{{ docker_image_tag | default('latest') }}"
version: 1.12.0-0~trusty
storagedriver: overlay
port: 4243
restart:
policy: always
pull:
retries: 10
delay: 10
timezone: "{{ docker_timezone | default('UTC') }}"
cli:
path: "{{ openwhisk_home }}/bin/wsk"
# The default name space is /whisk.system. The catalog namespace must begin with a slash "/".
catalog_namespace: "/whisk.system"
# The catalog_auth_key is used to determine the secret key to authenticate the openwhisk service.
# The value for this variable can be set to either the secret key itself or the file, which
# saves the secret key.
# By default, we take the key from ansible/files/auth.whisk.system.
catalog_auth_key: "{{ playbook_dir }}/files/auth.whisk.system"
# The catalog_repos is used to specify all the catalog names and repository URLs,
# so that openwhisk knows where to download the catalog and install them. The key
# specifies the catalog name and the url saves the URL of the repository. The location
# specifies the location to save the code of the catalog. The version specifies the hash
# of the commit to be cloned. If it is omit or set to HEAD, the latest commit will be
# selected. The repo_update specifies whether to retrieve new revisions from the origin
# repository and the default value is yes, meaning that it will retrieve the new
# revisions. The keys url and location are mandatory and the keys version and repo_update
# are optional. To add a new repository, please follow the template by adding:
#
# catalog_repos:
# ...
# <catalog-name>:
# url: <URL of repository>, mandatory.
# location: <local location to save the catalog>, mandatory.
# version: <hash of the commit>, optional, default to HEAD.
# repo_update: <whether to retrieve new revisions from the origin repository>,
# optional, default to no. Yes means to retrieve the new revisions, and
# no means not to retrieve the new revisions.
#
catalog_repos:
openwhisk-catalog:
url: https://github.com/apache/openwhisk-catalog.git
# Set the local location as the same level as openwhisk home, but it can be changed.
location: "{{ openwhisk_home }}/../openwhisk-catalog"
version: "HEAD"
repo_update: "no"
# The openwhisk_cli is used to determine how to install the OpenWhisk CLI. The
# installation_mode can be specified into two modes: remote and local.
# The mode remote means to download the available binaries from the releases page
# of the official openwhisk cli repository. The mode local means to build the binaries
# locally in a directory and get them from the local directory. The default value
# for openwhisk is local.
#
# The name specifies the package name of the binaries in remote mode.
#
# The dest_name specifies the package name of the binaries in Nginx in remote mode.
#
# The location specifies the official website where Openwhisk CLI is hosted in
# remote mode or location to save the binaries of the OpenWhisk CLI in local mode.
openwhisk_cli_tag: "{{ cli_tag | default(lookup('ini', 'git_tag section=openwhisk-cli file=' ~ openwhisk_home ~ '/ansible/files/package-versions.ini')) }}"
openwhisk_cli:
installation_mode: "{{ cli_installation_mode | default(lookup('env', 'OPENWHISK_CLI_MODE')) | default('remote', true) }}"
archive_name: OpenWhisk_CLI
nginxdir:
name: "{{ nginx.confdir }}/cli/go/download"
become: "{{ cli_dir_become | default(false) }}"
local:
location: "{{ openwhisk_cli_home }}/build"
remote:
location: "https://github.com/apache/openwhisk-cli/releases/download/{{ openwhisk_cli_tag }}"
# Controls access to log directories
logs:
dir:
become: "{{ logs_dir_become | default(false) }}"
# Metrics Configuration
metrics:
log:
enabled: "{{ metrics_log | default(true) }}"
kamon:
enabled: "{{ metrics_kamon | default(false) }}"
tags: "{{ metrics_kamon_tags | default(false) }}"
host: "{{ metrics_kamon_statsd_host | default('') }}"
port: "{{ metrics_kamon_statsd_port | default('8125') }}"
user_events: "{{ user_events_enabled | default(false) | lower }}"