#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Top-level defaults.
mode: deploy
lean: false
prompt_user: true
# Taken from the OPENWHISK_HOME environment variable of the process running
# Ansible; default(..., true) also replaces an empty value, so an unset
# variable falls back to the parent of the playbook directory.
openwhisk_home: "{{ lookup('env', 'OPENWHISK_HOME') | default(playbook_dir ~ '/..', true) }}"
# Same pattern for the CLI checkout: OPENWHISK_CLI, otherwise
# ../openwhisk-cli relative to openwhisk_home.
openwhisk_cli_home: "{{ lookup('env', 'OPENWHISK_CLI') | default(openwhisk_home ~ '/../openwhisk-cli', true) }}"
exclude_logs_from: []
# This whisk_api_localhost_name_default is used to configure nginx to permit vanity URLs for web actions
# for local deployment. For a public deployment, the specific environment group vars should define
# whisk_api_host_name; this is available to actions and hence must resolve from inside an action container
# specific to the deployment (i.e., it may be an IP address rather than a hostname in some cases).
# For a local deployment, use whisk_api_localhost_name. For a deployment which requires
# different name resolution between the whisk_api_host_name and the whisk_api_localhost_name, both should
# be defined so that the nginx configuration for the server name reflects the public facing naming (of the
# edge router) even if it is different from the API host available to the actions. The precedence order for
# configuring nginx and the SSL certificate generation is:
#   whisk_api_localhost_name (first)
#   whisk_api_host_name (second)
#   whisk_api_localhost_name_default (last)
# Because the same precedence feeds certificate generation, a deployment that
# defines neither of the first two names ends up with "localhost" as the name
# used there; set whisk_api_host_name for anything that is not local.
whisk_api_localhost_name_default: "localhost"
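# Type of your environment.
# If you want to deploy everything on your local machine use 'local'.
# If you use a docker-machine on a mac use 'docker-machine'.
# If you want to deploy OpenWhisk to other machines use 'distributed'.
environmentInformation:
  type: "{{ environment_type | default('local') }}"

# Directory of the active inventory; falls back to env_hosts_dir when
# inventory_dir is not defined.
hosts_dir: "{{ inventory_dir | default(env_hosts_dir) }}"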
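whisk:
  version:
    # Timestamp collected by Ansible at run time, in ISO 8601 form.
    date: "{{ansible_date_time.iso8601}}"
  feature_flags:
    # Defaults to true and is rendered as a lowercase string.
    # NOTE(review): the name suggests this controls an API-key requirement
    # tied to an action annotation; confirm what is relaxed before setting
    # require_api_key_annotation to false.
    require_api_key_annotation: "{{ require_api_key_annotation | default(true) | lower }}"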
##
# configuration parameters related to support runtimes (see org.apache.openwhisk.core.entity.ExecManifest for schema of the manifest).
# briefly the parameters are:
#
#   runtimes_registry: optional registry (with trailing slash) where to pull docker images from for default runtimes (in manifest)
#   user_images_registry: optional registry (with trailing slash) where to pull docker images from for blackbox images
#
#   skip_pull_runtimes: this will skip pulling the images to the invoker (images must exist there somehow)
#
#   runtimes_manifest: set of language runtime families grouped by language (e.g., nodejs, python) and blackbox images to pre-pull
#
#   runtimes_bypass_pull_for_local_images: optional, if true, allow images with a prefix that matches
#       {{ runtimes_local_image_prefix }} to skip docker pull in invoker even if the image is not part of the blackbox set
#
# The two registry settings decide where runtime and blackbox images come
# from, so they should only name registries the operator trusts. With
# skip_pull_runtimes or the local-image bypass, whatever image is already on
# the invoker is used as-is.
#
# manifest_file is a path relative to openwhisk_home; the default points at
# the runtimes.json shipped under ansible/files.
manifestfile: "{{ manifest_file | default('/ansible/files/runtimes.json') }}"
# Uses runtimes_manifest when it is defined, otherwise reads the manifest file
# and parses it as JSON.
# NOTE(review): '{{ manifestfile }}' sits inside a string literal of an
# expression that is already being templated; it only resolves if Ansible
# re-templates the lookup argument. Confirm on the Ansible version in use.
runtimesManifest: "{{ runtimes_manifest | default(lookup('file', openwhisk_home ~ '{{ manifestfile }}') | from_json) }}"
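# Default throttling limits. Each value can be overridden through the
# limit_* variable named in its expression.
# NOTE(review): presumably enforced per namespace by the controller; raising
# them increases the load a single caller can generate.
limits:
  invocationsPerMinute: "{{ limit_invocations_per_minute | default(60) }}"
  concurrentInvocations: "{{ limit_invocations_concurrent | default(30) }}"
  firesPerMinute: "{{ limit_fires_per_minute | default(60) }}"
  sequenceMaxLength: "{{ limit_sequence_max_length | default(50) }}"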
# Moved here to avoid recursions. Please do not use outside of controller-dict.
# Prefix for the controller's certificate, key and keystore file names.
__controller_ssl_keyPrefix: "controller-"
# Fallback for controller_blackbox_fraction; the controller dict derives its
# managed fraction as 1.0 minus this value.
__controller_blackbox_fraction: 0.10
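# port means outer port
controller:
  dir:
    become: "{{ controller_dir_become | default(false) }}"
  confdir: "{{ config_root_dir }}/controller"
  basePort: 10001
  heap: "{{ controller_heap | default('2g') }}"
  arguments: "{{ controller_arguments | default('') }}"
  # managedFraction defaults to 1.0 minus the blackbox fraction.
  managedFraction: "{{ controller_managed_fraction | default(1.0 - (controller_blackbox_fraction | default(__controller_blackbox_fraction))) }}"
  blackboxFraction: "{{ controller_blackbox_fraction | default(__controller_blackbox_fraction) }}"
  timeoutFactor: "{{ controller_timeout_factor | default(2) }}"
  timeoutAddon: "{{ controller_timeout_addon | default('1 m') }}"
  # One instance per host in the 'controllers' inventory group.
  instances: "{{ groups['controllers'] | length }}"
  akka:
    provider: cluster
    cluster:
      basePort: 8000
      host: "{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}"
      bindPort: 2551
      # at this moment all controllers are seed nodes
      seedNodes: "{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}"
  loadbalancer:
    spi: "{{ controller_loadbalancer_spi | default('') }}"
  authentication:
    spi: "{{ controller_authentication_spi | default('') }}"
  loglevel: "{{ controller_loglevel | default(whisk_loglevel) | default('INFO') }}"
  entitlement:
    spi: "{{ controller_entitlement_spi | default('') }}"
  # HTTPS is the default; controller_protocol can downgrade it, which should
  # be limited to local test setups.
  protocol: "{{ controller_protocol | default('https') }}"
  ssl:
    cn: openwhisk-controllers
    keyPrefix: "{{ __controller_ssl_keyPrefix }}"
    storeFlavor: PKCS12
    # Client certificate authentication is requested by default.
    clientAuth: "{{ controller_client_auth | default('true') }}"
    cert: "{{ __controller_ssl_keyPrefix }}openwhisk-server-cert.pem"
    key: "{{ __controller_ssl_keyPrefix }}openwhisk-server-key.pem"
    keystore:
      # Overridable through controller_keystore_password, mirroring
      # invoker_keystore_password in the invoker dict. The fallback
      # 'openwhisk' is a value shared by every default install and should be
      # replaced outside local testing.
      # NOTE(review): confirm the keystore generation step reads this same
      # value before overriding it.
      password: "{{ controller_keystore_password | default('openwhisk') }}"
      name: "{{ __controller_ssl_keyPrefix }}openwhisk-keystore.p12"
  extraEnv: "{{ controller_extraEnv | default({}) }}"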
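# Remote JMX settings shared by controllers and invokers.
# jvmCommonArgs turns password authentication on but sets
# jmxremote.ssl=false and jmxremote.local.only=false, so the JMX ports accept
# remote connections without TLS. With 'enabled' defaulting to 'true', keep
# the port ranges below reachable only from a management network, or set
# jmxremote_enabled to false where JMX is not needed.
jmx:
  basePortController: 15000
  rmiBasePortController: 16000
  basePortInvoker: 17000
  rmiBasePortInvoker: 18000
  user: "{{ jmxuser | default('jmxuser') }}"
  # The original expression was "{{ jmxuser | default('jmxpass') }}", which
  # made the password equal to the user name whenever jmxuser was set and
  # left no way to set the password on its own. jmxpass now takes precedence;
  # the old results are kept as fallbacks so existing inventories still
  # resolve to the same value. Set jmxpass explicitly: both fallbacks are
  # guessable.
  pass: "{{ jmxpass | default(jmxuser) | default('jmxpass') }}"
  jvmCommonArgs: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/owuser/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/owuser/jmxremote.access"
  enabled: "{{ jmxremote_enabled | default('true') }}"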
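transactions:
  # Name of the HTTP header carrying the transaction id; defaults to
  # X-Request-ID.
  header: "{{ transactions_header | default('X-Request-ID') }}"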
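registry:
  # Configuration directory under config_root_dir.
  confdir: "{{ config_root_dir }}/registry"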
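kafka:
  # TLS material and policy for Kafka.
  # NOTE(review): kafka.protocol below resolves to kafka_protocol_for_setup,
  # whose default in this file is PLAINTEXT, so these settings presumably
  # only take effect once kafka_protocol is overridden.
  ssl:
    client_authentication: required
    keystore:
      name: kafka-keystore.jks
      # Literal password with no override variable: every deployment built
      # from this file shares it. Replace it for non-local deployments and
      # keep the real value out of version control.
      password: openwhisk
    # The first two suites use CBC mode (the first with a SHA-1 MAC); the
    # third is the GCM (AEAD) suite.
    # NOTE(review): check whether any client still needs the CBC suites.
    cipher_suites:
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    protocols:
      - TLSv1.2
  protocol: "{{ kafka_protocol_for_setup }}"
  version: 2.12-2.3.1
  port: 9072
  advertisedPort: 9093
  ras:
    port: 8093
  heap: "{{ kafka_heap | default('1g') }}"
  # Both replication factors default to the number of hosts in the 'kafkas'
  # group.
  replicationFactor: "{{ kafka_replicationFactor | default((groups['kafkas']|length)|int) }}"
  offsetsTopicReplicationFactor: "{{ kafka_offsetsTopicReplicationFactor | default(kafka_replicationFactor) | default((groups['kafkas']|length)|int) }}"
  # adapt this param for production deployments depending on the number of kafka consumers
  networkThreads: "{{ kafka_network_threads | default(3) }}"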
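# Comma-separated host:port list with one entry per host in the 'kafkas'
# group. The port is kafka.advertisedPort plus the host's zero-based position
# in the group.
kafka_connect_string: "{% set ret = [] %}\
  {% for host in groups['kafkas'] %}\
  {{ ret.append( hostvars[host].ansible_host + ':' + ((kafka.advertisedPort+loop.index-1)|string) ) }}\
  {% endfor %}\
  {{ ret | join(',') }}"
# Defaults to PLAINTEXT, i.e. traffic to the brokers is neither encrypted nor
# authenticated unless kafka_protocol is set. Override it for any deployment
# whose hosts do not share a trusted network.
kafka_protocol_for_setup: "{{ kafka_protocol | default('PLAINTEXT') }}"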
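zookeeper:
  version: 3.4
  # Base client port; zookeeper_connect_string adds the host's position in
  # the 'zookeepers' group to it.
  port: 2181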
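# Comma-separated host:port list with one entry per host in the 'zookeepers'
# group. The port is zookeeper.port plus the host's zero-based position in
# the group.
zookeeper_connect_string: "{% set ret = [] %}\
  {% for host in groups['zookeepers'] %}\
  {{ ret.append( hostvars[host].ansible_host + ':' + ((zookeeper.port+loop.index-1)|string) ) }}\
  {% endfor %}\
  {{ ret | join(',') }}"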
# ansible_host of the first host in the 'invokers' inventory group.
invokerHostnameFromMap: "{{ groups['invokers'] | map('extract', hostvars, 'ansible_host') | list | first }}"
# Falls back to inventory_hostname when the value above is undefined.
invokerHostname: "{{ invokerHostnameFromMap | default(inventory_hostname) }}"
# Moved here to avoid recursions. Please do not use outside of invoker-dict.
# Prefix for the invoker's certificate, key and keystore file names.
__invoker_ssl_keyPrefix: "invoker-"
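invoker:
  dir:
    become: "{{ invoker_dir_become | default(false) }}"
  confdir: "{{ config_root_dir }}/invoker"
  port: 12001
  heap: "{{ invoker_heap | default('2g') }}"
  arguments: "{{ invoker_arguments | default('') }}"
  userMemory: "{{ invoker_user_memory | default('2048m') }}"
  # Specify if it is allowed to deploy more than 1 invoker on a single machine.
  allowMultipleInstances: "{{ invoker_allow_multiple_instances | default(false) }}"
  # Specify if it should use docker-runc or docker to pause/unpause containers
  useRunc: "{{ invoker_use_runc | default(true) }}"
  docker:
    become: "{{ invoker_docker_become | default(false) }}"
    runcdir: "{{ invoker_runcdir | default('/run/docker/runtime-runc/moby') }}"
    # Extra volumes for the invoker container; empty by default.
    # NOTE(review): anything listed here is presumably mounted from the host,
    # so keep the list to paths the invoker really needs.
    volumes: "{{ invoker_docker_volumes | default([]) }}"
  loglevel: "{{ invoker_loglevel | default(whisk_loglevel) | default('INFO') }}"
  jmxremote:
    # Only rendered for hosts in the 'invokers' group. Appends the RMI
    # hostname and per-host JMX/RMI ports (base port plus the host's index in
    # the group) to jmx.jvmCommonArgs, which disables TLS for JMX.
    jvmArgs: "{% if inventory_hostname in groups['invokers'] %}
      {{ jmx.jvmCommonArgs }} -Djava.rmi.server.hostname={{ invokerHostname }} -Dcom.sun.management.jmxremote.rmi.port={{ jmx.rmiBasePortInvoker + groups['invokers'].index(inventory_hostname) }} -Dcom.sun.management.jmxremote.port={{ jmx.basePortInvoker + groups['invokers'].index(inventory_hostname) }}
      {% endif %}"
  extraEnv: "{{ invoker_extraEnv | default({}) }}"
  # HTTPS is the default; invoker_protocol can downgrade it, which should be
  # limited to local test setups.
  protocol: "{{ invoker_protocol | default('https') }}"
  ssl:
    cn: "openwhisk-invokers"
    keyPrefix: "{{ __invoker_ssl_keyPrefix }}"
    storeFlavor: "PKCS12"
    # Client certificate authentication is requested by default.
    clientAuth: "{{ invoker_client_auth | default('true') }}"
    cert: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-cert.pem"
    key: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-key.pem"
    keystore:
      # The fallback 'openwhisk' is shared by every default install; set
      # invoker_keystore_password outside local testing.
      password: "{{ invoker_keystore_password | default('openwhisk') }}"
      name: "{{ __invoker_ssl_keyPrefix }}openwhisk-keystore.p12"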
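userLogs:
  # Fully qualified class name of the log store provider; defaults to
  # DockerToActivationLogStoreProvider.
  spi: "{{ userLogs_spi | default('org.apache.openwhisk.core.containerpool.logging.DockerToActivationLogStoreProvider') }}"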
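nginx:
  confdir: "{{ config_root_dir }}/nginx"
  htmldir: "{{ ui_path | default(false) }}"
  dir:
    become: "{{ nginx_dir_become | default(false) }}"
  version: "{{ nginx_version | default('1.19') }}"
  port:
    http: 80
    https: 443
  ssl:
    # Certificate and key are looked up under the playbook tree by default.
    # Keep a real private key out of version control and readable only by
    # the deploying user.
    path: "{{ nginx_ssl_path | default(playbook_dir +'/roles/nginx/files') }}"
    cert: "{{ nginx_ssl_server_cert | default('openwhisk-server-cert.pem') }}"
    key: "{{ nginx_ssl_server_key | default('openwhisk-server-key.pem') }}"
    client_ca_cert: "{{ nginx_ssl_client_ca_cert | default('openwhisk-client-ca-cert.pem') }}"
    # Client certificate verification is off unless nginx_ssl_verify_client
    # is set, so client_ca_cert has no effect by default.
    verify_client: "{{ nginx_ssl_verify_client | default('off') }}"
    # No key password file by default (false).
    password_file: "{{ nginx_ssl_password_file | default(false) }}"
  wpn:
    router: "{{ nginx_wpn_router | default('1') }}"
  # Defaults to the string '[]'.
  special_users: "{{ nginx_special_users | default('[]') }}"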
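# These are the variables to define all database relevant settings.
# The authKeys are the users that are initially created to use OpenWhisk.
# The keys are stored in ansible/files and will be inserted into the authentication database.
# The key db.whisk.actions is the name of the database where all artifacts of the user are stored. These artifacts are actions, triggers, rules and packages.
# The key db.whisk.activations is the name of the database where all activations are stored.
# The key db.whisk.auth is the name of the authentication database where all keys of all users are stored.
# The db_prefix is defined for each environment on its own. The CouchDb credentials are also defined for each environment on its own.
#
# Connection settings and credentials fall back to db_local.ini in the
# playbook directory. That file holds database passwords in plain text: keep
# it out of version control and restrict its file permissions.
db:
  provider: "{{ db_provider | default(lookup('ini', 'db_provider section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  protocol: "{{ db_protocol | default(lookup('ini', 'db_protocol section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  port: "{{ db_port | default(lookup('ini', 'db_port section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  host: "{{ db_host | default(lookup('ini', 'db_host section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  persist_path: "{{ db_persist_path | default(false) }}"
  instances: "{{ groups['db'] | length }}"
  # Subjects whose keys are loaded into the auth database.
  # NOTE(review): if the key files under ansible/files are the ones shipped
  # with the repository, these credentials are publicly known; replace them
  # for any deployment that is reachable by others.
  authkeys:
    - guest
    - whisk.system
  whisk:
    actions: "{{ db_prefix }}whisks"
    activations: "{{ db_prefix }}activations"
    auth: "{{ db_prefix }}subjects"
  credentials:
    # admin reads section db_creds; controller and invoker read their own
    # sections, so each component can be given a separate database account.
    admin:
      user: "{{ db_username | default(lookup('ini', 'db_username section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
      pass: "{{ db_password | default(lookup('ini', 'db_password section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
    controller:
      user: "{{ db_controller_user | default(lookup('ini', 'db_username section=controller file={{ playbook_dir }}/db_local.ini')) }}"
      pass: "{{ db_controller_pass | default(lookup('ini', 'db_password section=controller file={{ playbook_dir }}/db_local.ini')) }}"
    invoker:
      user: "{{ db_invoker_user | default(lookup('ini', 'db_username section=invoker file={{ playbook_dir }}/db_local.ini')) }}"
      pass: "{{ db_invoker_pass | default(lookup('ini', 'db_password section=invoker file={{ playbook_dir }}/db_local.ini')) }}"
  activation_store:
    backend: "{{ db_activation_backend | default('CouchDB') }}"
  elasticsearch:
    # Plain HTTP by default: the admin credentials below travel unencrypted
    # unless elastic_protocol is overridden.
    protocol: "{{ elastic_protocol | default('http') }}"
    port: 9200
    index_pattern: "{{ elastic_index_pattern | default('openwhisk-%s') }}"
    base_transport_port: 9300
    confdir: "{{ config_root_dir }}/elasticsearch"
    dir:
      become: "{{ elastic_dir_become | default(false) }}"
    base_volume: "{{ elastic_base_volume | default('esdata') }}"
    cluster_name: "{{ elastic_cluster_name | default('openwhisk') }}"
    java_opts: "{{ elastic_java_opts | default('-Xms1g -Xmx1g') }}"
    loglevel: "{{ elastic_loglevel | default('INFO') }}"
    # the user id of elasticsearch process, default is 1000, if you have enabled user namespace
    # for docker daemon, this need to be changed correspondingly
    uid: "{{ elastic_uid | default(1000) }}"
    auth:
      admin:
        # Falls back to admin/admin. Set elastic_username and
        # elastic_password for every deployment that is not a throwaway
        # local test.
        username: "{{ elastic_username | default('admin') }}"
        password: "{{ elastic_password | default('admin') }}"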
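apigateway:
  port:
    api: 9000
    mgmt: 9001
  # Default to 'nightly', which tracks the head revision of the master branch of apigateway's gitrepo
  # A moving tag makes deployments non-reproducible and picks up upstream
  # changes unreviewed; pin a fixed version for production.
  version: nightly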
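redis:
  version: 4.0
  port: 6379
  # Literal password with no override variable: every deployment built from
  # this file shares it. Replace it for non-local deployments and keep the
  # real value out of version control.
  password: openwhisk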
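# Version pins for the host kernel, CouchDB and Elasticsearch.
linux:
  version: 4.4.0-31

couchdb:
  version: 2.3

elasticsearch:
  version: 6.7.2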
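# Comma-separated host:port list with one entry per host in the
# 'elasticsearch' group. The port is db.elasticsearch.port plus the host's
# zero-based position in the group.
elasticsearch_connect_string: "{% set ret = [] %}\
  {% for host in groups['elasticsearch'] %}\
  {{ ret.append( hostvars[host].ansible_host + ':' + ((db.elasticsearch.port+loop.index-1)|string) ) }}\
  {% endfor %}\
  {{ ret | join(',') }}"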
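docker:
  # The user to install docker for. Defaults to the ansible user if not set. This will be the user who is able to run
  # docker commands on a machine setup with prereq_build.yml
  #user:
  image:
    prefix: "{{ docker_image_prefix | default('whisk') }}"
    # 'latest' is a mutable tag: two runs can deploy different images. Set
    # docker_image_tag to a fixed tag for reproducible deployments.
    tag: "{{ docker_image_tag | default('latest') }}"
  version: 1.12.0-0~trusty
  storagedriver: overlay
  # NOTE(review): if this is the Docker daemon's TCP API port, confirm it is
  # protected (TLS client authentication or firewalling); access to that API
  # is equivalent to root on the host.
  port: 4243
  restart:
    policy: always
  pull:
    retries: 10
    delay: 10
  timezone: "{{ docker_timezone | default('UTC') }}"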
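cli:
  # Location of the wsk binary inside the OpenWhisk checkout.
  path: "{{ openwhisk_home }}/bin/wsk"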
# The default name space is /whisk.system. The catalog namespace must begin with a slash "/".
catalog_namespace: "/whisk.system"
# The catalog_auth_key is used to determine the secret key to authenticate the openwhisk service.
# The value for this variable can be set to either the secret key itself or the file, which
# saves the secret key.
# By default, we take the key from ansible/files/auth.whisk.system.
# Prefer the file form: a key written inline here ends up wherever this file
# is copied or committed. For non-local deployments, point this at a key that
# was generated for the deployment.
catalog_auth_key: "{{ playbook_dir }}/files/auth.whisk.system"
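# The catalog_repos is used to specify all the catalog names and repository URLs,
# so that openwhisk knows where to download the catalog and install them. The key
# specifies the catalog name and the url saves the URL of the repository. The location
# specifies the location to save the code of the catalog. The version specifies the hash
# of the commit to be cloned. If it is omitted or set to HEAD, the latest commit will be
# selected. The repo_update specifies whether to retrieve new revisions from the origin
# repository; the template below and the entry in this file both use no.
# NOTE(review): this paragraph previously named yes as the default, which
# contradicted the template; confirm the real default in the role that
# consumes catalog_repos.
# The keys url and location are mandatory and the keys version and repo_update
# are optional. To add a new repository, please follow the template by adding:
#
# catalog_repos:
#   ...
#   <catalog-name>:
#     url: <URL of repository>, mandatory.
#     location: <local location to save the catalog>, mandatory.
#     version: <hash of the commit>, optional, default to HEAD.
#     repo_update: <whether to retrieve new revisions from the origin repository>,
#                  optional, default to no. Yes means to retrieve the new revisions, and
#                  no means not to retrieve the new revisions.
#
catalog_repos:
  openwhisk-catalog:
    url: https://github.com/apache/openwhisk-catalog.git
    # Set the local location as the same level as openwhisk home, but it can be changed.
    location: "{{ openwhisk_home }}/../openwhisk-catalog"
    # HEAD installs whatever the repository's latest commit is at deploy
    # time. Pin a commit hash so the catalog code that gets installed is the
    # code that was reviewed.
    version: "HEAD"
    repo_update: "no"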
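# The openwhisk_cli is used to determine how to install the OpenWhisk CLI. The
# installation_mode can be specified into two modes: remote and local.
# The mode remote means to download the available binaries from the releases page
# of the official openwhisk cli repository. The mode local means to build the binaries
# locally in a directory and get them from the local directory. The expression
# below falls back to remote when no mode is given (this comment previously
# said local, which did not match the expression).
#
# The name specifies the package name of the binaries in remote mode.
#
# The dest_name specifies the package name of the binaries in Nginx in remote mode.
# NOTE(review): neither name nor dest_name is a key of the dict below
# (archive_name and nginxdir.name are); these two descriptions look stale.
#
# The location specifies the official website where Openwhisk CLI is hosted in
# remote mode or location to save the binaries of the OpenWhisk CLI in local mode.

# Release tag of the CLI; read from package-versions.ini unless cli_tag is
# set.
openwhisk_cli_tag: "{{ cli_tag | default(lookup('ini', 'git_tag section=openwhisk-cli file=' ~ openwhisk_home ~ '/ansible/files/package-versions.ini')) }}"
openwhisk_cli:
  # Precedence: cli_installation_mode, then the OPENWHISK_CLI_MODE
  # environment variable, then 'remote' (default(..., true) also replaces an
  # empty value).
  installation_mode: "{{ cli_installation_mode | default(lookup('env', 'OPENWHISK_CLI_MODE')) | default('remote', true) }}"
  archive_name: OpenWhisk_CLI
  nginxdir:
    name: "{{ nginx.confdir }}/cli/go/download"
    become: "{{ cli_dir_become | default(false) }}"
  local:
    location: "{{ openwhisk_cli_home }}/build"
  remote:
    # Binaries are fetched over HTTPS from the GitHub release for
    # openwhisk_cli_tag and are then served to users from the nginx
    # directory above.
    # NOTE(review): no checksum or signature is configured in this file;
    # confirm that the role verifying the download exists, or add one.
    location: "https://github.com/apache/openwhisk-cli/releases/download/{{ openwhisk_cli_tag }}"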
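# Controls access to log directories
logs:
  dir:
    # Privilege escalation for log directory tasks is off by default.
    become: "{{ logs_dir_become | default(false) }}"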
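# Metrics Configuration
metrics:
  log:
    # Log-based metrics are on by default.
    enabled: "{{ metrics_log | default(true) }}"
  kamon:
    # Kamon export is off by default; host is empty until
    # metrics_kamon_statsd_host is set.
    enabled: "{{ metrics_kamon | default(false) }}"
    tags: "{{ metrics_kamon_tags | default(false) }}"
    host: "{{ metrics_kamon_statsd_host | default('') }}"
    port: "{{ metrics_kamon_statsd_port | default('8125') }}"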
# Off by default; the value is rendered as a lowercase string.
user_events: "{{ user_events_enabled | default(false) | lower }}"