# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. labels: node_selector_key: openstack-control-plane node_selector_value: enabled release_group: null images: bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 dep_check: docker.io/kolla/ubuntu-source-kubernetes-entrypoint:4.0.0 test: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 db_sync: docker.io/kolla/ubuntu-source-barbican-api:3.0.3 ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 api: docker.io/kolla/ubuntu-source-barbican-api:3.0.3 pull_policy: "IfNotPresent" pod: user: barbican: uid: 1000 affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname mounts: barbican_api: init_container: null barbican_api: barbican_bootstrap: init_container: null barbican_bootstrap: barbican_tests: init_container: null barbican_tests: replicas: api: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: api: min_available: 0 resources: enabled: false api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_endpoints: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_service: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_user: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" network: api: ingress: public: true node_port: enabled: false port: 39486 bootstrap: enabled: false script: | openstack token issue dependencies: db_init: services: - service: oslo_db endpoint: internal db_sync: jobs: - barbican-db-init services: - service: oslo_db endpoint: internal ks_user: services: - service: identity endpoint: internal ks_service: services: - service: identity endpoint: internal ks_endpoints: jobs: - barbican-ks-service services: - service: identity endpoint: internal api: jobs: - barbican-db-sync - barbican-ks-user - barbican-ks-endpoints services: - service: oslo_db endpoint: internal - service: identity endpoint: internal conf: paste: override: append: policy: admin: role:admin observer: role:observer creator: role:creator audit: role:audit service_admin: role:key-manager:service-admin admin_or_user_does_not_work: project_id:%(project_id)s admin_or_user: rule:admin or project_id:%(project_id)s admin_or_creator: rule:admin or rule:creator all_but_audit: rule:admin or rule:observer or rule:creator all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin secret_project_match: project:%(target.secret.project_id)s secret_acl_read: "'read':%(target.secret.read)s" secret_private_read: "'False':%(target.secret.read_project_access)s" secret_creator_user: user:%(target.secret.creator_id)s container_project_match: project:%(target.container.project_id)s container_acl_read: "'read':%(target.container.read)s" container_private_read: "'False':%(target.container.read_project_access)s" container_creator_user: user:%(target.container.creator_id)s secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read container_non_private_read: rule:all_users and rule:container_project_match and not rule:container_private_read secret_project_admin: rule:admin and rule:secret_project_match secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user container_project_admin: rule:admin and rule:container_project_match container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user version:get: "@" secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read secret:put: rule:admin_or_creator and rule:secret_project_match secret:delete: rule:secret_project_admin or rule:secret_project_creator secrets:post: rule:admin_or_creator secrets:get: rule:all_but_audit orders:post: rule:admin_or_creator orders:get: rule:all_but_audit order:get: rule:all_users order:put: rule:admin_or_creator order:delete: rule:admin consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read containers:post: rule:admin_or_creator containers:get: rule:all_but_audit container:get: rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read container:delete: rule:container_project_admin or rule:container_project_creator container_secret:post: rule:admin container_secret:delete: rule:admin transport_key:get: rule:all_users transport_key:delete: rule:admin transport_keys:get: rule:all_users transport_keys:post: rule:admin certificate_authorities:get_limited: rule:all_users certificate_authorities:get_all: rule:admin certificate_authorities:post: rule:admin certificate_authorities:get_preferred_ca: rule:all_users certificate_authorities:get_global_preferred_ca: rule:service_admin certificate_authorities:unset_global_preferred: rule:service_admin certificate_authority:delete: rule:admin certificate_authority:get: rule:all_users certificate_authority:get_cacert: rule:all_users certificate_authority:get_ca_cert_chain: rule:all_users certificate_authority:get_projects: rule:service_admin certificate_authority:add_to_project: rule:admin certificate_authority:remove_from_project: rule:admin certificate_authority:set_preferred: rule:admin certificate_authority:set_global_preferred: rule:service_admin secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator secret_acls:get: rule:all_but_audit and rule:secret_project_match container_acls:put_patch: rule:container_project_admin or rule:container_project_creator container_acls:delete: rule:container_project_admin or rule:container_project_creator container_acls:get: rule:all_but_audit and rule:container_project_match quotas:get: rule:all_users project_quotas:get: rule:service_admin project_quotas:put: rule:service_admin project_quotas:delete: rule:service_admin secret_meta:get: rule:all_but_audit secret_meta:post: rule:admin_or_creator secret_meta:put: rule:admin_or_creator secret_meta:delete: rule:admin_or_creator secretstores:get: rule:admin secretstores:get_global_default: rule:admin secretstores:get_preferred: rule:admin secretstore_preferred:post: rule:admin secretstore_preferred:delete: rule:admin secretstore:get: rule:admin audit_map: override: append: barbican_api: override: append: barbican: override: append: keystone_authtoken: keystonemiddleware: auth_token: auth_type: password auth_version: v3 memcache_security_strategy: ENCRYPT database: oslo: db: max_retries: -1 barbican_api: barbican: config: bind_port: 9311 # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: barbican-keystone-admin user: barbican-keystone-user oslo_db: admin: barbican-db-admin user: barbican-db-user endpoints: cluster_domain_suffix: cluster.local identity: name: keystone auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default user: role: admin region_name: RegionOne username: barbican password: password project_name: service user_domain_name: default project_domain_name: default hosts: default: keystone-api public: keystone host_fqdn_overide: default: null path: default: /v3 scheme: default: http port: admin: default: 35357 api: default: 80 key-manager: name: barbican hosts: default: barbican-api public: barbican host_fqdn_overide: default: null path: default: /v1 scheme: default: http port: api: default: 9311 public: 80 oslo_db: auth: admin: username: root password: password user: username: barbican password: password hosts: default: mariadb host_fqdn_overide: default: null path: /barbican scheme: mysql+pymysql port: mysql: default: 3306 oslo_messaging: auth: admin: username: admin password: password user: username: rabbitmq password: password hosts: default: rabbitmq host_fqdn_overide: default: null path: / scheme: rabbit port: amqp: default: 5672 oslo_cache: hosts: default: memcached host_fqdn_overide: default: null port: memcache: default: 11211 manifests: configmap_bin: true configmap_etc: true deployment_api: true ingress_api: true job_bootstrap: true job_db_init: true job_db_sync: true job_ks_endpoints: true job_ks_service: true job_ks_user: true pdb_api: true secret_db: true secret_keystone: true service_ingress_api: true service_api: true