ansible/group_vars/all

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

mode: deploy
lean: false
prompt_user: true
openwhisk_home: "{{ lookup('env', 'OPENWHISK_HOME') | default(playbook_dir ~ '/..', true) }}"
openwhisk_cli_home: "{{ lookup('env', 'OPENWHISK_CLI') | default(openwhisk_home ~ '/../openwhisk-cli', true) }}"
exclude_logs_from: []

# This whisk_api_localhost_name_default is used to configure nginx to permit vanity URLs for web actions
# for local deployment. For a public deployment, the specific environment group vars should define
# whisk_api_host_name; this is available to actions and hence must resolve from inside an action container
# specific to the deployment (i.e., it may be an IP address rather than a hostname in some cases).
# For a local deployment, use whisk_api_localhost_name. For a deployment which requires
# different name resolution between the whisk_api_host_name and the whisk_api_local_host_name, both should
# be defined so that the nginx configuration for the server name reflects the public facing naming (of the
# edge router) even if it is different from the API host available to the actions. The precedence order for
# configuring nginx and the SSL certificate generation is:
#   whisk_api_localhost_name (first)
#   whisk_api_host_name (second)
#   whisk_api_localhost_name_default (last)
whisk_api_localhost_name_default: "localhost"

# Type of your environment.
# If you want to deploy everything on your local machine use 'local'.
# If you use a docker-machine on a mac use 'docker-machine'
# If you want to deploy Openwhisk to other machines use 'distributed'
environmentInformation:
  type: "{{ environment_type | default('local') }}"

hosts_dir: "{{ inventory_dir | default(env_hosts_dir) }}"

whisk:
  version:
    date: "{{ansible_date_time.iso8601}}"
  feature_flags:
    require_api_key_annotation: "{{ require_api_key_annotation | default(true) }}"

##
# configuration parameters related to support runtimes (see org.apache.openwhisk.core.entity.ExecManifest for schema of the manifest).
# briefly the parameters are:
#
#   runtimes_registry: optional registry (with trailing slash) where to pull docker images from for default runtimes (in manifest)
#   user_images_registry: optional registry (with trailing slash) where to pull docker images from for blackbox images
#
#   skip_pull_runtimes: this will skip pulling the images to the invoker (images must exist there somehow)
#
#   runtimes_manifest: set of language runtime families grouped by language (e.g., nodejs, python) and blackbox images to pre-pull
#
#   runtimes_bypass_pull_for_local_images: optional, if true, allow images with a prefix that matches
#       {{ runtimes_local_image_prefix }} to skip docker pull in invoker even if the image is not part of the blackbox set
#

manifestfile: "{{ manifest_file | default('/ansible/files/runtimes.json') }}"
runtimesManifest: "{{ runtimes_manifest | default(lookup('file', openwhisk_home ~ '{{ manifestfile }}') | from_json) }}"

limits:
  invocationsPerMinute: "{{ limit_invocations_per_minute | default(60) }}"
  concurrentInvocations: "{{ limit_invocations_concurrent | default(30) }}"
  firesPerMinute: "{{ limit_fires_per_minute | default(60) }}"
  sequenceMaxLength: "{{ limit_sequence_max_length | default(50) }}"

# Moved here to avoid recursions. Please do not use outside of controller-dict.
__controller_ssl_keyPrefix: "controller-"
__controller_blackbox_fraction: 0.10

# port means outer port
controller:
  dir:
    become: "{{ controller_dir_become | default(false) }}"
  confdir: "{{ config_root_dir }}/controller"
  basePort: 10001
  heap: "{{ controller_heap | default('2g') }}"
  arguments: "{{ controller_arguments | default('') }}"
  managedFraction: "{{ controller_managed_fraction | default(1.0 - (controller_blackbox_fraction | default(__controller_blackbox_fraction))) }}"
  blackboxFraction: "{{ controller_blackbox_fraction | default(__controller_blackbox_fraction) }}"
  timeoutFactor: "{{ controller_timeout_factor | default(2) }}"
  timeoutAddon: "{{ controller_timeout_addon | default('1 m') }}"
  instances: "{{ groups['controllers'] | length }}"
  akka:
    provider: cluster
    cluster:
      basePort: 8000
      host: "{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}"
      bindPort: 2551
      # at this moment all controllers are seed nodes
      seedNodes: "{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}"
  loadbalancer:
    spi: "{{ controller_loadbalancer_spi | default('') }}"
  authentication:
    spi: "{{ controller_authentication_spi | default('') }}"
  loglevel: "{{ controller_loglevel | default(whisk_loglevel) | default('INFO') }}"
  entitlement:
    spi: "{{ controller_entitlement_spi | default('') }}"
  protocol: "{{ controller_protocol | default('https') }}"
  ssl:
    cn: openwhisk-controllers
    keyPrefix: "{{ __controller_ssl_keyPrefix }}"
    storeFlavor: PKCS12
    clientAuth: "{{ controller_client_auth | default('true') }}"
    cert: "{{ __controller_ssl_keyPrefix }}openwhisk-server-cert.pem"
    key: "{{ __controller_ssl_keyPrefix }}openwhisk-server-key.pem"
    keystore:
      password: "openwhisk"
      name: "{{ __controller_ssl_keyPrefix }}openwhisk-keystore.p12"
  extraEnv: "{{ controller_extraEnv | default({}) }}"

jmx:
  basePortController: 15000
  rmiBasePortController: 16000
  basePortInvoker: 17000
  rmiBasePortInvoker: 18000
  user: "{{ jmxuser | default('jmxuser') }}"
  pass: "{{ jmxuser | default('jmxpass') }}"
  jvmCommonArgs: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/owuser/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/owuser/jmxremote.access"
  enabled: "{{ jmxremote_enabled | default('true') }}"

transactions:
  header: "{{ transactions_header | default('X-Request-ID') }}"

registry:
  confdir: "{{ config_root_dir }}/registry"

kafka:
  ssl:
    client_authentication: required
    keystore:
      name: kafka-keystore.jks
      password: openwhisk
    cipher_suites:
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    protocols:
    - TLSv1.2
  protocol: "{{ kafka_protocol_for_setup }}"
  version: 2.12-2.3.1
  port: 9072
  advertisedPort: 9093
  ras:
    port: 8093
  heap: "{{ kafka_heap | default('1g') }}"
  replicationFactor: "{{ kafka_replicationFactor | default((groups['kafkas']|length)|int) }}"
  offsetsTopicReplicationFactor: "{{ kafka_offsetsTopicReplicationFactor | default(kafka_replicationFactor) | default((groups['kafkas']|length)|int) }}"
  # adapt this param for production deployments depending on the number of kafka consumers
  networkThreads: "{{ kafka_network_threads | default(3) }}"

kafka_connect_string: "{% set ret = [] %}\
                       {% for host in groups['kafkas'] %}\
                         {{ ret.append( hostvars[host].ansible_host + ':' + ((kafka.advertisedPort+loop.index-1)|string) ) }}\
                       {% endfor %}\
                       {{ ret | join(',') }}"

kafka_protocol_for_setup: "{{ kafka_protocol | default('PLAINTEXT') }}"

zookeeper:
  version: 3.4
  port: 2181

zookeeper_connect_string: "{% set ret = [] %}\
                           {% for host in groups['zookeepers'] %}\
                             {{ ret.append( hostvars[host].ansible_host + ':' + ((zookeeper.port+loop.index-1)|string) ) }}\
                           {% endfor %}\
                           {{ ret | join(',') }}"

invokerHostnameFromMap: "{{ groups['invokers'] | map('extract', hostvars, 'ansible_host') | list | first }}"
invokerHostname: "{{ invokerHostnameFromMap | default(inventory_hostname) }}"

# Moved here to avoid recursions. Please do not use outside of invoker-dict.
__invoker_ssl_keyPrefix: "invoker-"

invoker:
  dir:
    become: "{{ invoker_dir_become | default(false) }}"
  confdir: "{{ config_root_dir }}/invoker"
  port: 12001
  heap: "{{ invoker_heap | default('2g') }}"
  arguments: "{{ invoker_arguments | default('') }}"
  userMemory: "{{ invoker_user_memory | default('2048m') }}"
  # Specify if it is allowed to deploy more than 1 invoker on a single machine.
  allowMultipleInstances: "{{ invoker_allow_multiple_instances | default(false) }}"
  # Specify if it should use docker-runc or docker to pause/unpause containers
  useRunc: "{{ invoker_use_runc | default(true) }}"
  docker:
    become: "{{ invoker_docker_become | default(false) }}"
    runcdir: "{{ invoker_runcdir | default('/run/docker/runtime-runc/moby') }}"
    volumes: "{{ invoker_docker_volumes | default([]) }}"
  loglevel: "{{ invoker_loglevel | default(whisk_loglevel) | default('INFO') }}"
  jmxremote:
    jvmArgs: "{% if inventory_hostname in groups['invokers'] %}
    {{ jmx.jvmCommonArgs }} -Djava.rmi.server.hostname={{ invokerHostname }} -Dcom.sun.management.jmxremote.rmi.port={{ jmx.rmiBasePortInvoker + groups['invokers'].index(inventory_hostname) }} -Dcom.sun.management.jmxremote.port={{ jmx.basePortInvoker + groups['invokers'].index(inventory_hostname) }}
    {% endif %}"
  extraEnv: "{{ invoker_extraEnv | default({}) }}"
  protocol: "{{ invoker_protocol | default('https') }}"
  ssl:
    cn: "openwhisk-invokers"
    keyPrefix: "{{ __invoker_ssl_keyPrefix }}"
    storeFlavor: "PKCS12"
    clientAuth: "{{ invoker_client_auth | default('true') }}"
    cert: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-cert.pem"
    key: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-key.pem"
    keystore:
      password: "{{ invoker_keystore_password | default('openwhisk') }}"
      name: "{{ __invoker_ssl_keyPrefix }}openwhisk-keystore.p12"

userLogs:
  spi: "{{ userLogs_spi | default('org.apache.openwhisk.core.containerpool.logging.DockerToActivationLogStoreProvider') }}"

nginx:
  confdir: "{{ config_root_dir }}/nginx"
  htmldir: "{{ ui_path | default(false) }}"
  dir:
    become: "{{ nginx_dir_become | default(false) }}"
  version: "{{ nginx_version | default('1.17') }}"
  port:
    http: 80
    https: 443
  ssl:
    path: "{{ nginx_ssl_path | default(playbook_dir +'/roles/nginx/files') }}"
    cert: "{{ nginx_ssl_server_cert | default('openwhisk-server-cert.pem') }}"
    key: "{{ nginx_ssl_server_key | default('openwhisk-server-key.pem') }}"
    client_ca_cert: "{{ nginx_ssl_client_ca_cert | default('openwhisk-client-ca-cert.pem') }}"
    verify_client: "{{ nginx_ssl_verify_client | default('off') }}"
    password_file: "{{ nginx_ssl_password_file | default(false) }}"
  wpn:
    router: "{{ nginx_wpn_router | default('1') }}"
  special_users: "{{ nginx_special_users | default('[]') }}"

# These are the variables to define all database relevant settings.
# The authKeys are the users, that are initially created to use OpenWhisk.
# The keys are stored in ansible/files and will be inserted into the authentication databse.
# The key db.whisk.actions is the name of the database where all artifacts of the user are stored. These artifacts are actions, triggers, rules and packages.
# The key db.whisk.activation is the name of the database where all activations are stored.
# The key db.whisk.auth is the name of the authentication database where all keys of all users are stored.
# The db_prefix is defined for each environment on its own. The CouchDb credentials are also defined for each environment on its own.
db:
  provider: "{{ db_provider | default(lookup('ini', 'db_provider section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  protocol: "{{ db_protocol | default(lookup('ini', 'db_protocol section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  port: "{{ db_port | default(lookup('ini', 'db_port section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  host: "{{ db_host | default(lookup('ini', 'db_host section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
  persist_path: "{{ db_persist_path | default(false) }}"
  instances: "{{ groups['db'] | length }}"
  authkeys:
  - guest
  - whisk.system
  whisk:
    actions: "{{ db_prefix }}whisks"
    activations: "{{ db_prefix }}activations"
    auth: "{{ db_prefix }}subjects"
  credentials:
    admin:
      user: "{{ db_username | default(lookup('ini', 'db_username section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
      pass: "{{ db_password | default(lookup('ini', 'db_password section=db_creds file={{ playbook_dir }}/db_local.ini')) }}"
    controller:
      user: "{{ db_controller_user | default(lookup('ini', 'db_username section=controller file={{ playbook_dir }}/db_local.ini')) }}"
      pass: "{{ db_controller_pass | default(lookup('ini', 'db_password section=controller file={{ playbook_dir }}/db_local.ini')) }}"
    invoker:
      user: "{{ db_invoker_user | default(lookup('ini', 'db_username section=invoker file={{ playbook_dir }}/db_local.ini')) }}"
      pass: "{{ db_invoker_pass | default(lookup('ini', 'db_password section=invoker file={{ playbook_dir }}/db_local.ini')) }}"
  activation_store:
    backend: "{{ db_activation_backend | default('CouchDB') }}"
  elasticsearch:
    protocol: "{{ elastic_protocol | default('http') }}"
    port: 9200
    index_pattern: "{{ elastic_index_pattern | default('openwhisk-%s') }}"
    base_transport_port: 9300
    confdir: "{{ config_root_dir }}/elasticsearch"
    dir:
      become: "{{ elastic_dir_become | default(false) }}"
    base_volume: "{{ elastic_base_volume | default('esdata') }}"
    cluster_name: "{{ elastic_cluster_name | default('openwhisk') }}"
    java_opts: "{{ elastic_java_opts | default('-Xms1g -Xmx1g') }}"
    loglevel: "{{ elastic_loglevel | default('INFO') }}"
    # the user id of elasticsearch process, default is 1000, if you have enabled user namespace
    # for docker daemon, this need to be changed correspondingly
    uid: "{{ elastic_uid | default(1000) }}"
    auth:
      admin:
        username: "{{ elastic_username | default('admin') }}"
        password: "{{ elastic_password | default('admin') }}"

apigateway:
  port:
    api: 9000
    mgmt: 9001
  # Default to 'nightly', which tracks the head revision of the master branch of apigateway's gitrepo
  version: nightly

redis:
  version: 4.0
  port: 6379
  password: openwhisk

linux:
  version: 4.4.0-31

couchdb:
  version: 2.3

elasticsearch:
  version: 6.7.2

elasticsearch_connect_string: "{% set ret = [] %}\
                               {% for host in groups['elasticsearch'] %}\
                               {{ ret.append( hostvars[host].ansible_host + ':' + ((db.elasticsearch.port+loop.index-1)|string) ) }}\
                               {% endfor %}\
                               {{ ret | join(',') }}"

docker:
  # The user to install docker for. Defaults to the ansible user if not set. This will be the user who is able to run
  # docker commands on a machine setup with prereq_build.yml
  #user:
  image:
    prefix: "{{ docker_image_prefix | default('whisk') }}"
    tag: "{{ docker_image_tag | default('latest') }}"
  version: 1.12.0-0~trusty
  storagedriver: overlay
  port: 4243
  restart:
    policy: always
  pull:
    retries: 10
    delay: 10
  timezone: "{{ docker_timezone | default('UTC') }}"

cli:
  path: "{{ openwhisk_home }}/bin/wsk"

# The default name space is /whisk.system. The catalog namespace must begin with a slash "/".
catalog_namespace: "/whisk.system"

# The catalog_auth_key is used to determine the secret key to authenticate the openwhisk service.
# The value for this variable can be set to either the secret key itself or the file, which
# saves the secret key.
# By default, we take the key from ansible/files/auth.whisk.system.
catalog_auth_key: "{{ playbook_dir }}/files/auth.whisk.system"

# The catalog_repos is used to specify all the catalog names and repository URLs,
# so that openwhisk knows where to download the catalog and install them. The key
# specifies the catalog name and the url saves the URL of the repository. The location
# specifies the location to save the code of the catalog. The version specifies the hash
# of the commit to be cloned. If it is omit or set to HEAD, the latest commit will be
# selected. The repo_update specifies whether to retrieve new revisions from the origin
# repository and the default value is yes, meaning that it will retrieve the new
# revisions. The keys url and location are mandatory and the keys version and repo_update
# are optional. To add a new repository, please follow the template by adding:
#
# catalog_repos:
#   ...
#   <catalog-name>:
#     url: <URL of repository>, mandatory.
#     location: <local location to save the catalog>, mandatory.
#     version: <hash of the commit>, optional, default to HEAD.
#     repo_update: <whether to retrieve new revisions from the origin repository>,
#                  optional, default to no. Yes means to retrieve the new revisions, and
#                  no means not to retrieve the new revisions.
#
catalog_repos:
  openwhisk-catalog:
    url: https://github.com/apache/openwhisk-catalog.git
    # Set the local location as the same level as openwhisk home, but it can be changed.
    location: "{{ openwhisk_home }}/../openwhisk-catalog"
    version: "HEAD"
    repo_update: "no"

# The openwhisk_cli is used to determine how to install the OpenWhisk CLI. The
# installation_mode can be specified into two modes: remote and local.
# The mode remote means to download the available binaries from the releases page
# of the official openwhisk cli repository. The mode local means to build the binaries
# locally in a directory and get them from the local directory. The default value
# for openwhisk is local.
#
# The name specifies the package name of the binaries in remote mode.
#
# The dest_name specifies the package name of the binaries in Nginx in remote mode.
#
# The location specifies the official website where Openwhisk CLI is hosted in
# remote mode or location to save the binaries of the OpenWhisk CLI in local mode.

openwhisk_cli_tag: "{{ cli_tag | default(lookup('ini', 'git_tag section=openwhisk-cli file=' ~ openwhisk_home ~ '/ansible/files/package-versions.ini')) }}"
openwhisk_cli:
  installation_mode: "{{ cli_installation_mode | default(lookup('env', 'OPENWHISK_CLI_MODE')) | default('remote', true) }}"
  archive_name: OpenWhisk_CLI
  nginxdir:
    name: "{{ nginx.confdir }}/cli/go/download"
    become: "{{ cli_dir_become | default(false) }}"
  local:
    location: "{{ openwhisk_cli_home }}/build"
  remote:
    location: "https://github.com/apache/openwhisk-cli/releases/download/{{ openwhisk_cli_tag }}"

# Controls access to log directories
logs:
  dir:
    become: "{{ logs_dir_become | default(false) }}"

# Metrics Configuration
metrics:
  log:
    enabled: "{{ metrics_log | default(true) }}"
  kamon:
    enabled: "{{ metrics_kamon | default(false) }}"
    tags: "{{ metrics_kamon_tags | default(false) }}"
    host: "{{ metrics_kamon_statsd_host | default('') }}"
    port: "{{ metrics_kamon_statsd_port | default('8125') }}"

user_events: "{{ user_events_enabled | default(false) }}"