# Copyright 2017 The Openstack-Helm Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for keystone. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value labels: api: node_selector_key: openstack-control-plane node_selector_value: enabled job: node_selector_key: openstack-control-plane node_selector_value: enabled test: node_selector_key: openstack-control-plane node_selector_value: enabled release_group: null images: tags: bootstrap: docker.io/openstackhelm/heat:ocata-ubuntu_xenial test: docker.io/xrally/xrally-openstack:1.3.0 db_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial keystone_db_sync: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial db_drop: docker.io/openstackhelm/heat:ocata-ubuntu_xenial ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial rabbit_init: docker.io/rabbitmq:3.7-management keystone_fernet_setup: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial keystone_fernet_rotate: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial keystone_credential_setup: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial keystone_credential_rotate: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial keystone_credential_cleanup: docker.io/openstackhelm/heat:ocata-ubuntu_xenial keystone_api: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial keystone_domain_manage: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 image_repo_sync: docker.io/docker:17.07.0 pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync bootstrap: enabled: true ks_user: admin script: | #NOTE(gagehugo): As of Rocky, keystone creates a member role by default openstack role create --or-show member openstack role add \ --user="${OS_USERNAME}" \ --user-domain="${OS_USER_DOMAIN_NAME}" \ --project-domain="${OS_PROJECT_DOMAIN_NAME}" \ --project="${OS_PROJECT_NAME}" \ "member" # admin needs the admin role for the default domain openstack role add \ --user="${OS_USERNAME}" \ --domain="${OS_DEFAULT_DOMAIN}" \ "admin" network: api: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / external_policy_local: false node_port: enabled: false port: 30500 admin: node_port: enabled: false port: 30357 dependencies: dynamic: common: local_image_registry: jobs: - keystone-image-repo-sync services: - endpoint: node service: local_image_registry static: api: jobs: - keystone-db-sync - keystone-credential-setup - keystone-fernet-setup - keystone-rabbit-init services: - endpoint: internal service: oslo_cache - endpoint: internal service: oslo_db bootstrap: jobs: - keystone-domain-manage services: - endpoint: internal service: identity credential_rotate: jobs: - keystone-credential-setup credential_setup: null credential_cleanup: services: - endpoint: internal service: oslo_db db_drop: services: - endpoint: internal service: oslo_db db_init: services: - endpoint: internal service: oslo_db db_sync: jobs: - keystone-db-init - keystone-credential-setup - keystone-fernet-setup services: - endpoint: internal service: oslo_db rabbit_init: services: - service: oslo_messaging endpoint: internal domain_manage: services: - endpoint: internal service: identity fernet_rotate: jobs: - keystone-fernet-setup fernet_setup: null tests: services: - endpoint: internal service: identity image_repo_sync: services: - endpoint: internal service: local_image_registry pod: security_context: keystone: pod: runAsUser: 42424 container: keystone_api: readOnlyRootFilesystem: true allowPrivilegeEscalation: false affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname weight: default: 10 mounts: keystone_db_init: init_container: null keystone_db_init: volumeMounts: volumes: keystone_db_sync: init_container: null keystone_db_sync: volumeMounts: volumes: keystone_api: init_container: null keystone_api: volumeMounts: volumes: keystone_tests: init_container: null keystone_tests: volumeMounts: volumes: keystone_bootstrap: init_container: null keystone_bootstrap: volumeMounts: volumes: keystone_fernet_setup: init_container: null keystone_fernet_setup: volumeMounts: volumes: keystone_fernet_rotate: init_container: null keystone_fernet_rotate: volumeMounts: volumes: keystone_credential_setup: init_container: null keystone_credential_setup: volumeMounts: volumes: keystone_credential_rotate: init_container: null keystone_credential_rotate: volumeMounts: volumes: keystone_credential_cleanup: init_container: null keystone_credential_cleanup: volumeMounts: volumes: keystone_domain_manage: init_container: null keystone_domain_manage: volumeMounts: volumes: replicas: api: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: api: min_available: 0 termination_grace_period: api: timeout: 30 resources: enabled: false api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" domain_manage: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_drop: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" rabbit_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" fernet_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" fernet_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_cleanup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: fernet_setup: user: keystone group: keystone fernet_rotate: # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula # max_active_keys = (token_expiration / rotation_frequency) + 2 # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted # 12 hours cron: "0 */12 * * *" user: keystone group: keystone history: success: 3 failed: 1 credential_setup: user: keystone group: keystone credential_rotate: # monthly cron: "0 0 1 * *" migrate_wait: 120 user: keystone group: keystone history: success: 3 failed: 1 network_policy: keystone: ingress: - from: - podSelector: matchLabels: application: ceph - podSelector: matchLabels: application: ingress - podSelector: matchLabels: application: keystone - podSelector: matchLabels: application: heat - podSelector: matchLabels: application: glance - podSelector: matchLabels: application: cinder - podSelector: matchLabels: application: congress - podSelector: matchLabels: application: barbican - podSelector: matchLabels: application: ceilometer - podSelector: matchLabels: application: horizon - podSelector: matchLabels: application: ironic - podSelector: matchLabels: application: magnum - podSelector: matchLabels: application: mistral - podSelector: matchLabels: application: nova - podSelector: matchLabels: application: neutron - podSelector: matchLabels: application: senlin - podSelector: matchLabels: application: placement - podSelector: matchLabels: application: prometheus-openstack-exporter ports: - protocol: TCP port: 80 - protocol: TCP port: 443 - protocol: TCP port: 5000 - protocol: TCP port: 35357 egress: - to: - namespaceSelector: matchLabels: name: ceph - to: - podSelector: matchLabels: application: ceph - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP conf: security: | # # Disable access to the entire file system except for the directories that # are explicitly allowed later. # # This currently breaks the configurations that come with some web application # Debian packages. # # # AllowOverride None # Require all denied # # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. # # ServerTokens # This directive configures what you return as the Server HTTP response # Header. The default is 'Full' which sends information about the OS-Type # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. ServerTokens Prod # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail ServerSignature Off # # Allow TRACE method # # Set to "extended" to also reflect the request body (only for testing and # diagnostic purposes). # # Set to one of: On | Off | extended TraceEnable Off # # Forbid access to version control directories # # If you use version control systems in your document root, you should # probably deny access to their directories. For example, for subversion: # # # Require all denied # # # Setting this header will prevent MSIE from interpreting files as something # else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled. # #Header set X-Content-Type-Options: "nosniff" # # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. # #Header set X-Frame-Options: "sameorigin" software: apache2: binary: apache2 start_parameters: -DFOREGROUND site_dir: /etc/apache2/sites-enable conf_dir: /etc/apache2/conf-enabled mods_dir: /etc/apache2/mods-available a2enmod: null a2dismod: null keystone: DEFAULT: log_config_append: /etc/keystone/logging.conf max_token_size: 255 #NOTE(rk760n): if you need auth notifications to be sent, uncomment it #notification_opt_out: "" token: provider: fernet # 12 hours expiration: 43200 identity: domain_specific_drivers_enabled: True domain_config_dir: /etc/keystonedomains fernet_tokens: key_repository: /etc/keystone/fernet-keys/ credential: key_repository: /etc/keystone/credential-keys/ database: max_retries: -1 cache: enabled: true backend: dogpile.cache.memcached oslo_messaging_notifications: driver: messagingv2 oslo_messaging_rabbit: rabbit_ha_queues: true oslo_middleware: enable_proxy_headers_parsing: true security_compliance: # NOTE(vdrok): The following two options have effect only for SQL backend lockout_failure_attempts: 5 lockout_duration: 1800 # NOTE(lamt) We can leverage multiple domains with different # configurations as outlined in # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html. # A sample of the value override can be found in sample file: # tools/overrides/example/keystone_domain_config.yaml # ks_domains: paste: filter:debug: use: egg:oslo.middleware#debug filter:request_id: use: egg:oslo.middleware#request_id filter:build_auth_context: use: egg:keystone#build_auth_context filter:token_auth: use: egg:keystone#token_auth filter:json_body: use: egg:keystone#json_body filter:cors: use: egg:oslo.middleware#cors oslo_config_project: keystone filter:http_proxy_to_wsgi: use: egg:oslo.middleware#http_proxy_to_wsgi filter:ec2_extension: use: egg:keystone#ec2_extension filter:ec2_extension_v3: use: egg:keystone#ec2_extension_v3 filter:s3_extension: use: egg:keystone#s3_extension filter:url_normalize: use: egg:keystone#url_normalize filter:sizelimit: use: egg:oslo.middleware#sizelimit filter:osprofiler: use: egg:osprofiler#osprofiler app:public_service: use: egg:keystone#public_service app:service_v3: use: egg:keystone#service_v3 app:admin_service: use: egg:keystone#admin_service pipeline:api_v3: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 app:public_version_service: use: egg:keystone#public_version_service app:admin_version_service: use: egg:keystone#admin_version_service pipeline:public_version_api: pipeline: cors sizelimit osprofiler url_normalize public_version_service pipeline:admin_version_api: pipeline: cors sizelimit osprofiler url_normalize admin_version_service composite:main: use: egg:Paste#urlmap /v3: api_v3 /: public_version_api composite:admin: use: egg:Paste#urlmap /v3: api_v3 /: admin_version_api policy: admin_required: role:admin or is_admin:1 service_role: role:service service_or_admin: rule:admin_required or rule:service_role owner: user_id:%(user_id)s admin_or_owner: rule:admin_required or rule:owner token_subject: user_id:%(target.token.user_id)s admin_or_token_subject: rule:admin_required or rule:token_subject service_admin_or_token_subject: rule:service_or_admin or rule:token_subject default: rule:admin_required identity:get_region: '' identity:list_regions: '' identity:create_region: rule:admin_required identity:update_region: rule:admin_required identity:delete_region: rule:admin_required identity:get_service: rule:admin_required identity:list_services: rule:admin_required identity:create_service: rule:admin_required identity:update_service: rule:admin_required identity:delete_service: rule:admin_required identity:get_endpoint: rule:admin_required identity:list_endpoints: rule:admin_required identity:create_endpoint: rule:admin_required identity:update_endpoint: rule:admin_required identity:delete_endpoint: rule:admin_required identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s identity:list_domains: rule:admin_required identity:create_domain: rule:admin_required identity:update_domain: rule:admin_required identity:delete_domain: rule:admin_required identity:get_project: rule:admin_required or project_id:%(target.project.id)s identity:list_projects: rule:admin_required identity:list_user_projects: rule:admin_or_owner identity:create_project: rule:admin_required identity:update_project: rule:admin_required identity:delete_project: rule:admin_required identity:get_user: rule:admin_or_owner identity:list_users: rule:admin_required identity:create_user: rule:admin_required identity:update_user: rule:admin_required identity:delete_user: rule:admin_required identity:change_password: rule:admin_or_owner identity:get_group: rule:admin_required identity:list_groups: rule:admin_required identity:list_groups_for_user: rule:admin_or_owner identity:create_group: rule:admin_required identity:update_group: rule:admin_required identity:delete_group: rule:admin_required identity:list_users_in_group: rule:admin_required identity:remove_user_from_group: rule:admin_required identity:check_user_in_group: rule:admin_required identity:add_user_to_group: rule:admin_required identity:get_credential: rule:admin_required identity:list_credentials: rule:admin_required identity:create_credential: rule:admin_required identity:update_credential: rule:admin_required identity:delete_credential: rule:admin_required identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) identity:ec2_list_credentials: rule:admin_or_owner identity:ec2_create_credential: rule:admin_or_owner identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) identity:get_role: rule:admin_required identity:list_roles: rule:admin_required identity:create_role: rule:admin_required identity:update_role: rule:admin_required identity:delete_role: rule:admin_required identity:get_domain_role: rule:admin_required identity:list_domain_roles: rule:admin_required identity:create_domain_role: rule:admin_required identity:update_domain_role: rule:admin_required identity:delete_domain_role: rule:admin_required identity:get_implied_role: 'rule:admin_required ' identity:list_implied_roles: rule:admin_required identity:create_implied_role: rule:admin_required identity:delete_implied_role: rule:admin_required identity:list_role_inference_rules: rule:admin_required identity:check_implied_role: rule:admin_required identity:check_grant: rule:admin_required identity:list_grants: rule:admin_required identity:create_grant: rule:admin_required identity:revoke_grant: rule:admin_required identity:list_role_assignments: rule:admin_required identity:list_role_assignments_for_tree: rule:admin_required identity:get_policy: rule:admin_required identity:list_policies: rule:admin_required identity:create_policy: rule:admin_required identity:update_policy: rule:admin_required identity:delete_policy: rule:admin_required identity:check_token: rule:admin_or_token_subject identity:validate_token: rule:service_admin_or_token_subject identity:validate_token_head: rule:service_or_admin identity:revocation_list: rule:service_or_admin identity:revoke_token: rule:admin_or_token_subject identity:create_trust: user_id:%(trust.trustor_user_id)s identity:list_trusts: '' identity:list_roles_for_trust: '' identity:get_role_for_trust: '' identity:delete_trust: '' identity:create_consumer: rule:admin_required identity:get_consumer: rule:admin_required identity:list_consumers: rule:admin_required identity:delete_consumer: rule:admin_required identity:update_consumer: rule:admin_required identity:authorize_request_token: rule:admin_required identity:list_access_token_roles: rule:admin_required identity:get_access_token_role: rule:admin_required identity:list_access_tokens: rule:admin_required identity:get_access_token: rule:admin_required identity:delete_access_token: rule:admin_required identity:list_projects_for_endpoint: rule:admin_required identity:add_endpoint_to_project: rule:admin_required identity:check_endpoint_in_project: rule:admin_required identity:list_endpoints_for_project: rule:admin_required identity:remove_endpoint_from_project: rule:admin_required identity:create_endpoint_group: rule:admin_required identity:list_endpoint_groups: rule:admin_required identity:get_endpoint_group: rule:admin_required identity:update_endpoint_group: rule:admin_required identity:delete_endpoint_group: rule:admin_required identity:list_projects_associated_with_endpoint_group: rule:admin_required identity:list_endpoints_associated_with_endpoint_group: rule:admin_required identity:get_endpoint_group_in_project: rule:admin_required identity:list_endpoint_groups_for_project: rule:admin_required identity:add_endpoint_group_to_project: rule:admin_required identity:remove_endpoint_group_from_project: rule:admin_required identity:create_identity_provider: rule:admin_required identity:list_identity_providers: rule:admin_required identity:get_identity_provider: rule:admin_required identity:update_identity_provider: rule:admin_required identity:delete_identity_provider: rule:admin_required identity:create_protocol: rule:admin_required identity:update_protocol: rule:admin_required identity:get_protocol: rule:admin_required identity:list_protocols: rule:admin_required identity:delete_protocol: rule:admin_required identity:create_mapping: rule:admin_required identity:get_mapping: rule:admin_required identity:list_mappings: rule:admin_required identity:delete_mapping: rule:admin_required identity:update_mapping: rule:admin_required identity:create_service_provider: rule:admin_required identity:list_service_providers: rule:admin_required identity:get_service_provider: rule:admin_required identity:update_service_provider: rule:admin_required identity:delete_service_provider: rule:admin_required identity:get_auth_catalog: '' identity:get_auth_projects: '' identity:get_auth_domains: '' identity:list_projects_for_user: '' identity:list_domains_for_user: '' identity:list_revoke_events: '' identity:create_policy_association_for_endpoint: rule:admin_required identity:check_policy_association_for_endpoint: rule:admin_required identity:delete_policy_association_for_endpoint: rule:admin_required identity:create_policy_association_for_service: rule:admin_required identity:check_policy_association_for_service: rule:admin_required identity:delete_policy_association_for_service: rule:admin_required identity:create_policy_association_for_region_and_service: rule:admin_required identity:check_policy_association_for_region_and_service: rule:admin_required identity:delete_policy_association_for_region_and_service: rule:admin_required identity:get_policy_for_endpoint: rule:admin_required identity:list_endpoints_for_policy: rule:admin_required identity:create_domain_config: rule:admin_required identity:get_domain_config: rule:admin_required identity:update_domain_config: rule:admin_required identity:delete_domain_config: rule:admin_required identity:get_domain_config_default: rule:admin_required rabbitmq: #NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones policies: - vhost: "keystone" name: "ha_ttl_keystone" definition: #mirror messges to other nodes in rmq cluster ha-mode: "all" ha-sync-mode: "automatic" #70s message-ttl: 70000 priority: 0 apply-to: all pattern: '^(?!(amq\.|reply_)).*' rally_tests: run_tempest: false tests: KeystoneBasic.add_and_remove_user_role: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.authenticate_user_and_validate_token: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_add_and_list_user_roles: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_delete_ec2credential: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_ec2credentials: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_delete_role: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_delete_service: - args: description: test_description service_type: Rally_test_type runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_get_role: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_services: - args: description: test_description service_type: Rally_test_type runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_tenants: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_users: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_delete_user: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_tenant: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_tenant_with_users: - args: users_per_tenant: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_update_and_delete_tenant: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_user: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_user_set_enabled_and_delete: - args: enabled: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 - args: enabled: false runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_user_update_password: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.get_entities: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 mpm_event: | ServerLimit 1024 StartServers 32 MinSpareThreads 32 MaxSpareThreads 256 ThreadsPerChild 25 MaxRequestsPerChild 128 ThreadLimit 720 wsgi_keystone: | {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} Listen 0.0.0.0:{{ $portInt }} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On = 2.4> ErrorLogFormat "%{cu}t %M" ErrorLog /dev/stdout SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded sso_callback_template: | Keystone WebSSO redirect
Please wait...
logging: loggers: keys: - root - keystone handlers: keys: - stdout - stderr - "null" formatters: keys: - context - default logger_root: level: WARNING handlers: stdout logger_keystone: level: INFO handlers: - stdout qualname: keystone logger_amqp: level: WARNING handlers: stderr qualname: amqp logger_amqplib: level: WARNING handlers: stderr qualname: amqplib logger_eventletwsgi: level: WARNING handlers: stderr qualname: eventlet.wsgi.server logger_sqlalchemy: level: WARNING handlers: stderr qualname: sqlalchemy logger_boto: level: WARNING handlers: stderr qualname: boto handler_null: class: logging.NullHandler formatter: default args: () handler_stdout: class: StreamHandler args: (sys.stdout,) formatter: context handler_stderr: class: StreamHandler args: (sys.stderr,) formatter: context formatter_context: class: oslo_log.formatters.ContextFormatter datefmt: "%Y-%m-%d %H:%M:%S" formatter_default: format: "%(message)s" datefmt: "%Y-%m-%d %H:%M:%S" # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: keystone-keystone-admin test: keystone-keystone-test oslo_db: admin: keystone-db-admin keystone: keystone-db-user oslo_messaging: admin: keystone-rabbitmq-admin keystone: keystone-rabbitmq-user ldap: tls: keystone-ldap-tls tls: identity: api: public: keystone-tls-public # typically overridden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 identity: namespace: null name: keystone auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default default_domain_id: default test: role: admin region_name: RegionOne username: keystone-test password: password project_name: test user_domain_name: default project_domain_name: default default_domain_id: default hosts: default: keystone internal: keystone-api host_fqdn_override: default: null # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public # endpoints using the following format: # public: # host: null # tls: # crt: null # key: null path: default: /v3 scheme: default: http port: api: default: 80 # NOTE(portdirect): to retain portability across images, and allow # running under a unprivileged user simply, we default to a port > 1000. internal: 5000 oslo_db: namespace: null auth: admin: username: root password: password keystone: username: keystone password: password hosts: default: mariadb host_fqdn_override: default: null path: /keystone scheme: mysql+pymysql port: mysql: default: 3306 oslo_messaging: namespace: null auth: admin: username: rabbitmq password: password keystone: username: keystone password: password statefulset: replicas: 2 name: rabbitmq-rabbitmq hosts: default: rabbitmq host_fqdn_override: default: null path: /keystone scheme: rabbit port: amqp: default: 5672 http: default: 15672 oslo_cache: namespace: null hosts: default: memcached host_fqdn_override: default: null port: memcache: default: 11211 ldap: auth: client: tls: # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the # following key will need to be overrided under section [ldap] or the # correct domain-specific setting, else it will not be enabled: # # use_tls: true # tls_req_cert: allow # Valid values: demand, never, allow # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert ca: null fluentd: namespace: null name: fluentd hosts: default: fluentd-logging host_fqdn_override: default: null path: default: null scheme: 'http' port: service: default: 24224 metrics: default: 24220 #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. # They are using to enable the Egress K8s network policy. k8s: port: api: default: 6443 internal: 5000 default: namespace: default kube_system: namespace: kube-system kube_public: namespace: kube-public manifests: configmap_bin: true configmap_etc: true cron_credential_rotate: true cron_fernet_rotate: true deployment_api: true ingress_api: true job_bootstrap: true job_credential_cleanup: true job_credential_setup: true job_db_init: true job_db_sync: true job_db_drop: false job_domain_manage: true job_fernet_setup: true job_image_repo_sync: true job_rabbit_init: true pdb_api: true pod_rally_test: true network_policy: false secret_credential_keys: true secret_db: true secret_fernet_keys: true secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true service_api: true