"base URL for repo with helm charts & other binaries"
default: "https://binary.mirantis.com"
"base URL for docker images"
default: "mirantis.azurecr.io"
settings passed to every helm chart
list of helm chart repositories
symbolic name to reference this repo
helm charts repo url
JSON of values passed to all charts
Additional Properties of any type are allowed.
Type: object
version of charts to install for infra components
JSON of values passed to all infra charts
Additional Properties of any type are allowed.
Type: object
version of charts to install for openstack components
JSON of values passed to all openstack charts
Additional Properties of any type are allowed.
Type: object
trigger to process osdpl resource
default: false
Specifies the app role ID
The name of secret key to get data from.
The name of secret to get data from.
Specifies the secret ID created for the app role
The name of secret key to get data from.
The name of secret to get data from.
Indicates if simple_crypto backend is enabled
default: false
Mountpoint of KV store in Vault to use.
Vault Namespace to use for all requests to Vault.
This is available only in Vault Enterprise and
is supported only since OpenStack Victoria release.
The path to CA cert file
The name of secret key to get data from.
The name of secret to get data from.
Specifies whether to use SSL
URL of the Vault server
Backends to perform backup to. Could be: ceph, s3. Default is ceph.
No Additional Properties
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Backup backend name.
No Additional Properties
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
"s3"
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
"nfs"
The url where the S3 server is listening
The S3 query token access key.
No Additional Properties
The name of secret key to get data from.
The name of secret to get data from.
The S3 bucket to be used to store the Cinder backup data
The S3 query token secret key.
No Additional Properties
The name of secret key to get data from.
The name of secret to get data from.
Enable cinder backup service. Disable for cephless deployment.
default: true
Custom additional Cinder backend configuration
No Additional Properties
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Backend name
No Additional Properties
Enable automatic volume type creation for this backend
default: True
Enable additional Cinder backend to deploy
default: True
Additional Properties of any type are allowed.
Type: object
Additional Properties of any type are allowed.
Type: object
Additional Properties of any type are allowed.
Type: object
Additional Properties of any type are allowed.
Type: object
Flag to enable main cinder volume running as statefulset.
When enabled openstack-controller will wait for ceph deployment
provided by MOSK Ceph controller. Disable for cephless deployment.
default: true
Defines parameters of openstack resources discovery and targets generation for cloudprober.
No Additional Properties
Default interval in seconds between runs of openstack resources discovery. default: 600.
Backend to perform backup to. Could be: pvc, pv_nfs, hostpath. Default is pvc.
Type of backup. Possible values: incremental or full.
incremental: If newest full backup is older than fullbackupcycle seconds,
perform full backup, else perform incremental backup to the newest full.
full: perform always only full backup. Default is incremental.
How many full backups to keep.
Indicates whether cron job will launch backup jobs. When set to true suspend
flag in cron job will be switched to false.
default: false
Whether to encrypt backup content.
Number of seconds that defines a period between 2 full backups.
During this period incremental backups will be performed. The parameter
is taken into account only if backuptype is set to 'incremental', otherwise
it is ignored. For example with fullbackup_cycle set to 604800 seconds full
backup will be taken every week and if cron is set to 0 0 * * *, incremental backup
will be performed on daily basis.
Path to the nfs share on the server.
IP address or domain name of the NFS server
Unix style cron expression indicates how often to run backup
cron job. Default is '0 1 * * *' - every day at 01:00.
Whether to enable syncing backups to/from remote.
Dictionary with remotes configuration in format:
path: "
conf:
Currently configuration of only 1 remote is allowed.
Additional Properties of any type are allowed.
Type: object
Number of days that alarm histories are kept in the database for (<= 0 means forever)
Enable periodic cleanup of expired alarm history data for Aodh
default: true
Cron schedule for periodic cleanup
default: "1 6 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
Enable periodic cleanup of database for Barbican.
default: true
Cron schedule for periodic cleanup.
default: "1 4 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
Enable periodic cleanup of database for Cinder.
default: true
Cron schedule for periodic cleanup.
default: "1 0 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
The batch size for each iteration.
Note that setting it to non-default value will
quite probably fail the DB cleanup.
default: -1
Enable periodic cleanup of database for Glance.
default: true
Cron schedule for periodic cleanup.
default: "1 2 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
Number of stacks to delete at a time (per transaction).
default: 10
Enable periodic cleanup of database for Heat.
default: true
Cron schedule for periodic cleanup.
default: "1 5 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
Enable periodic cleanup of database for Manila.
default: true
Cron schedule for periodic cleanup.
default: "1 7 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
The batch size for each iteration.
default: 1000
Enable periodic cleanup of database for Masakari.
default: true
Cron schedule for periodic cleanup.
default: "1 3 * * 1"
Number of days to keep deleted entries. When set to 0 all entries from shadow tables
are deleted.
default: 30
The batch size for each iteration.
default: 1000
Enable periodic cleanup of database for Nova.
default: true
Cron schedule for periodic cleanup.
default: "1 1 * * 1"
Optional field to define IP address for LoadBalancer service.
Protocol for Designate backend in Kubernetes Service. Could be udp|tcp|tcp+udp.
default: udp
Type of the backend for Designate. For example: powerdns.
default: powerdns
Set of backends to be used by Glance as multiple backends.
No Additional Properties
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Section to configure cinder backends.
Make backend default. Only one backend may be marked as default.
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Make backend default. Only one backend may be marked as default.
Size of PVC to create.
The name of the storage class to use for the Glance file backend. Should support multiattach.
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Section to configure rbd (Ceph) backends
Make backend default. Only one backend may be marked as default.
Additional Properties of any type are allowed.
Type: object
Enable certificate validation when verifying signatures.
default: false
Enforce signature validation for images on upload. Upload of images without signature
metadata is rejected. When an image signature is not valid, the compute service will not allow
instances to start and the block storage service will not allow volumes to be created.
The default theme name.
default: "default"
Message of the Day files to show to users
No Additional Properties
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Theme description shown to the user
Custom theme name
The SHA-256 checksum of the archive with the theme
Link to archive with theme
base URL for ironic agent images
default: "https://binary.mirantis.com/openstack/bin/ironic/tinyipa"
name of baremetal provisioning/cleaning network
default: true
the MTU for cleaning network
name of baremetal network
default: "baremetal"
type of provisioning/cleaning baremetal network
default: "vlan"
name of physical network to associate
default: "ironic"
the vlan number of cleaning network in case of VLAN segmentation is used
the gateway for baremetal network
baremetal subnet name
the end range of allocation pool for baremetal network
the start range of allocation pool for baremetal network
the cidr of baremetal network
name of physical interface to bind PXE services
default: "ironic-pxe"
ks_domains instead.
Domain specific configuration options.
Additional Properties of any type are allowed.
Type: object
Enable domain specific keystone configuration
Domain name
Enable domain specific keystone configuration
Domain specific configuration
Additional Properties of any type are allowed.
Type: object
Trigger to enable federation providers in keystone.
default: true
Additional Properties of any type are allowed.
Type: object
Authentication type used by Apache to validate OAuth 2.0
access tokens. To configure multiple providers, switch
to oauth2. The oauth20 type will be removed in upcoming releases.
default: oauth20
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
The description of provider to show on horizon web page.
Trigger to enable specific provider.
default: true
Provider issuer url
Keystone mapping to use for provider
Additional Properties of any type are allowed.
Type: object
Additional Properties of any type are allowed.
Type: object
Additional Properties of any type are allowed.
Type: object
URL to the well-known properties of the provider
Specific OAuth2 module parameters
Additional Properties of any type are allowed.
Type: object
CA bundle to connect to certificate
Trigger to enable keycloak integration
default: false
The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP
headers/environment variables.
Client identifier used in calls to the statically configured OpenID Connect Provider
default: "os"
Require a valid SSL server certificate when communicating with the Authorization Server
Override for URL where OpenID Connect Provider metadata can be found
The redirect_uri for this OpenID Connect client
Define one or more regular expressions that specify URLs (or domains) allowed for post logout and
other redirects such as the "return_to" value on refresh token requests
Require a valid SSL server certificate when communicating with the OP
Used to request specific scopes
default: "openid email profile"
Interval in seconds after which the session will be invalidated when no interaction has occurred.
default: 1800
Url for keycloak
Domain ID for admin of OpenStack deployment
default: "default"
Project domain name for admin of OpenStack deployment
default: "default"
Project name for admin of OpenStack deployment
default: "admin"
Domain name for admin of OpenStack deployment
default: "default"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
List of drivers to handle sending audit notifications
default: messagingv2
Enable CADF audit notifications
default: false
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Service logging level
default: "INFO"
Array of components that need to be set up with a dedicated RabbitMQ server for migration
enable RabbitMQ external endpoints
default: false
List of RabbitMQ external topics
Trigger network policy enforcement for OpenStack related pods.
Only ingress policies are applied. The default is True for OpenStack
Yoga or newer. For previous OpenStack versions the default value is False.
Neutron backend
default: "ml2"
Netmiko device type
IP address of switch
Switch name
Credential password
The name of secret key to get data from.
The name of secret to get data from.
RAW config for device.
Additional Properties of any type are allowed.
Type: object
Enable secret
The name of secret key to get data from.
The name of secret to get data from.
SSH private key for switch.
The name of secret key to get data from.
The name of secret to get data from.
Credential username
The name of secret key to get data from.
The name of secret to get data from.
Additional Properties of any type are allowed.
Type: object
Autonomous System number
IP address or interface used for BGP peerings
IP address or interface used to send VPN traffic
[Technology Preview] Enable BGPVPN plugin/service
default: false
UDP port to which VXLAN traffic is sent
IP addresses of BGP peers; when not specified, they are picked from the secret
The object describes RouteReflector settings
No Additional Properties
Enable BGPVPN route reflector on controller nodes
BGP sessions allowed from neighbors in this subnet
The list with the IP addresses of DNS servers reachable from Virtual Networks
Enable distributed routers
default: false
[Technology Preview] Enable BGP Dynamic Routing plugin/service
default: false
[Technology Preview] Enable PortProber monitoring extension
default: false
Enable Trunk extension
default: true for Antelope and newer OS releases and false for the rest
[Technology Preview] Enable VPNaaS plugin/service
default: false
OVS bridge name to map with physnet.
Physical interface mapped with physnet
Network types allowed on particular physnet
Neutron physnet name
default: "physnet1"
Range of vlans allowed on physnet
enable floating network creation
default: false
The name of floating network
default: "public"
network physical mechanism
name of physical network to associate
"The name of public router"
default: "r1"
vlan id for vlan networks
IP address of subnet gateway
"The name of floating subnet"
default: "public-subnet"
end IP address ie: 1.2.3.200
start IP address ie: 1.2.3.100
IP address range ie: 1.2.3.0/24
Enable IPsec authentication and encryption of tenant traffic
default: false
Ordered list of network_types to allocate as tenant networks
Physical interface used for tunnel traffic
Defines allowed compute resource overconsumption. For Queens and Rocky - these values are constantly enforced. For Stein and later - these values are set once for new compute nodes, further changes should be done via the Placement API.
No Additional Properties
Enable VNC console feature
default: true
Enable TLS for VNC console between libvirt and VNCProxy
Enable SPICE console feature
default: false
Cipher-mode string to be used.
default: "aes-xts-plain64"
Enable ephemeral disk encryption, only available with lvm backend.
default: false
Encryption key length in bits.
default: 256
Volume group used when images backend is lvm. Defaults to nova-vol
Enable libvirt to listen on TLS and secure live migration with QEMU-native TLS
Physical interface used for live migration.
Default provider driver used for loadbalancers.
end IP address ie: 1.2.3.200
start IP address ie: 1.2.3.100
IP address range ie: 1.2.3.0/24
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Values of policies to override.
Additional Properties of any type are allowed.
Type: object
Trigger additional policies that enforce stricter global admin definition of
role 'admin' in 'admin' project of 'Default' domain, or role 'service'.
This option is available for OpenStack Yoga or newer.
List of enabled openstack and auxiliary services
API server certificate
The name of secret key to get data from.
The name of secret to get data from.
API server private key
The name of secret key to get data from.
The name of secret to get data from.
CA certificate
The name of secret key to get data from.
The name of secret to get data from.
Enable FIPS compliant TLS proxy for public endpoints.
Default: true
enable StackLight operations support system
The option is no longer handled, the password is autogenerated.
The name of secret key to get data from.
The name of secret to get data from.
The option is no longer handled, the username is autogenerated.
The name of secret key to get data from.
The name of secret to get data from.
Which telemetry mode is going to be used for telemetry.
internal k8s domain name
default: "cluster.local"
Default storage class with local volumes, used by services with built in clustering
mechanism like mariadb, etcd, redis.
default: "openstack-operator-bind-mounts"
this is arbitrary JSON of parameters for migration
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*::.*
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Volume group used by lvm backend. Defaults to cinder-vol
Additional Properties of any type are allowed.
Type: object
Additional Properties of any type are allowed.
Type: object
Enable BGPVPN plugin/service
Additional Properties of any type are allowed.
Type: object
The name of bridge to plug bond.
The name of dpdk bond.
The name of ovs port created for corresponding NIC
The PCI id of NIC
Bond openvswitch options, for example bond_mode=active-backup
IP address to assign to the bridge.
The name of dpdk bridge
The dpdk driver to use for NICs
Trigger to enable dpdk on the node.
The amount of hugepages, default 1Gi
The page size to use, default 2Mi
The name of bridge to plug NIC
The name of ovs port created for corresponding NIC
The PCI id of NIC
Memory to allocate for numa node, default: 1024 MB to first numa node
Additional Properties of any type are allowed.
Type: object
Trigger to enable sriov on the node.
Additional Properties of any type are allowed.
Type: object
The name of sriov NIC
The pre init hooks
Each additional property must conform to the following schema
Type: object
The init hook for specific NIC.
The NIC MTU
The number of VF to activate
The name of neutron physnet for SRIOV NIC.
Enable trusted mode on sriov VIF
Physical interface used for tunnel traffic
Defines allowed compute resource overconsumption. For Queens and Rocky - these values are constantly enforced. For Stein and later - these values are set once for new compute nodes, further changes should be done via the Placement API.
No Additional Properties
Cipher-mode string to be used.
Enable ephemeral disk encryption, only available with lvm backend.
Encryption key length in bits.
Volume group used when images backend is lvm. Defaults to nova-vol
Physical interface used for live migration.
cpu mode and model to create instances with
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:.*
Additional Properties of any type are allowed.
Type: object
version of OpenStack to deploy
Default storage class with persistence, for example ceph. Used by services that require
persistence on filesystem level like backups for mariadb.
Preset of features to deploy
domain name used for public endpoints
default: "it.just.works"
The name of region.
this is arbitrary JSON
Additional Properties of any type are allowed.
Type: object
timeout and sizing parameters
Number of seconds between readiness attempts.
default: 10
Number of seconds to wait for the application to become ready.
default: 1200
Number of seconds between readiness attempts.
default: 10
Number of seconds to wait for the application to become ready.
default: 1200