# Copyright 2017 The Openstack-Helm Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for keystone. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value labels: api: node_selector_key: openstack-control-plane node_selector_value: enabled job: node_selector_key: openstack-control-plane node_selector_value: enabled release_group: null images: tags: bootstrap: docker.io/openstackhelm/heat:newton test: docker.io/kolla/ubuntu-source-rally:4.0.0 db_init: docker.io/openstackhelm/heat:newton keystone_db_sync: docker.io/openstackhelm/keystone:newton db_drop: docker.io/openstackhelm/heat:newton ks_user: docker.io/openstackhelm/heat:newton rabbit_init: docker.io/rabbitmq:3.7-management keystone_fernet_setup: docker.io/openstackhelm/keystone:newton keystone_fernet_rotate: docker.io/openstackhelm/keystone:newton keystone_credential_setup: docker.io/openstackhelm/keystone:newton keystone_credential_rotate: docker.io/openstackhelm/keystone:newton keystone_api: docker.io/openstackhelm/keystone:newton keystone_domain_manage: docker.io/openstackhelm/keystone:newton dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 image_repo_sync: docker.io/docker:17.07.0 pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync bootstrap: enabled: true ks_user: admin script: | openstack role create --or-show _member_ openstack role add \ --user="${OS_USERNAME}" \ --user-domain="${OS_USER_DOMAIN_NAME}" \ --project-domain="${OS_PROJECT_DOMAIN_NAME}" \ --project="${OS_PROJECT_NAME}" \ "_member_" #NOTE(portdirect): required for all users who operate heat stacks openstack role create --or-show heat_stack_owner openstack role add \ --user="${OS_USERNAME}" \ --user-domain="${OS_USER_DOMAIN_NAME}" \ --project-domain="${OS_PROJECT_DOMAIN_NAME}" \ --project="${OS_PROJECT_NAME}" \ "heat_stack_owner" network: api: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / external_policy_local: false node_port: enabled: false port: 30500 admin: node_port: enabled: false port: 30357 dependencies: dynamic: common: local_image_registry: jobs: - keystone-image-repo-sync services: - endpoint: node service: local_image_registry static: api: jobs: - keystone-db-sync - keystone-credential-setup - keystone-fernet-setup services: - endpoint: internal service: oslo_cache - endpoint: internal service: oslo_db bootstrap: jobs: - keystone-domain-manage services: - endpoint: internal service: identity credential_rotate: jobs: - keystone-credential-setup credential_setup: null db_drop: services: - endpoint: internal service: oslo_db db_init: services: - endpoint: internal service: oslo_db db_sync: jobs: - keystone-db-init - keystone-credential-setup - keystone-fernet-setup services: - endpoint: internal service: oslo_db rabbit_init: services: - service: oslo_messaging endpoint: internal domain_manage: services: - endpoint: internal service: identity fernet_rotate: jobs: - keystone-fernet-setup fernet_setup: null tests: services: - endpoint: internal service: identity image_repo_sync: services: - endpoint: internal service: local_image_registry pod: affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname mounts: keystone_db_init: init_container: null keystone_db_init: keystone_db_sync: init_container: null keystone_db_sync: keystone_api: init_container: null keystone_api: keystone_tests: init_container: null keystone_tests: keystone_bootstrap: init_container: null keystone_bootstrap: keystone_fernet_setup: init_container: null keystone_fernet_setup: keystone_fernet_rotate: init_container: null keystone_fernet_rotate: keystone_credential_setup: init_container: null keystone_credential_setup: keystone_credential_rotate: init_container: null keystone_credential_rotate: keystone_domain_manage: init_container: null keystone_domain_manage: replicas: api: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: api: min_available: 0 termination_grace_period: api: timeout: 30 resources: enabled: false api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" domain_manage: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_drop: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" rabbit_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" fernet_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" fernet_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: fernet_setup: user: keystone group: keystone fernet_rotate: # weekly cron: "0 0 * * 0" user: keystone group: keystone history: success: 3 failed: 1 credential_setup: user: keystone group: keystone credential_rotate: # monthly cron: "0 0 1 * *" migrate_wait: 120 user: keystone group: keystone history: success: 3 failed: 1 conf: keystone: DEFAULT: max_token_size: 255 token: provider: fernet identity: domain_specific_drivers_enabled: True domain_config_dir: /etc/keystonedomains fernet_tokens: key_repository: /etc/keystone/fernet-keys/ credential: key_repository: /etc/keystone/credential-keys/ database: max_retries: -1 cache: enabled: true backend: dogpile.cache.memcached # NOTE(lamt) We can leverage multiple domains with different # configurations as outlined in # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html. # A sample of the value override can be found in sample file: # tools/overrides/example/keystone_domain_config.yaml # ks_domains: paste: filter:debug: use: egg:oslo.middleware#debug filter:request_id: use: egg:oslo.middleware#request_id filter:build_auth_context: use: egg:keystone#build_auth_context filter:token_auth: use: egg:keystone#token_auth filter:json_body: use: egg:keystone#json_body filter:cors: use: egg:oslo.middleware#cors oslo_config_project: keystone filter:http_proxy_to_wsgi: use: egg:oslo.middleware#http_proxy_to_wsgi filter:ec2_extension: use: egg:keystone#ec2_extension filter:ec2_extension_v3: use: egg:keystone#ec2_extension_v3 filter:s3_extension: use: egg:keystone#s3_extension filter:url_normalize: use: egg:keystone#url_normalize filter:sizelimit: use: egg:oslo.middleware#sizelimit filter:osprofiler: use: egg:osprofiler#osprofiler app:public_service: use: egg:keystone#public_service app:service_v3: use: egg:keystone#service_v3 app:admin_service: use: egg:keystone#admin_service pipeline:public_api: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service pipeline:admin_api: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service pipeline:api_v3: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 app:public_version_service: use: egg:keystone#public_version_service app:admin_version_service: use: egg:keystone#admin_version_service pipeline:public_version_api: pipeline: cors sizelimit osprofiler url_normalize public_version_service pipeline:admin_version_api: pipeline: cors sizelimit osprofiler url_normalize admin_version_service composite:main: use: egg:Paste#urlmap /v2.0: public_api /v3: api_v3 /: public_version_api composite:admin: use: egg:Paste#urlmap /v2.0: admin_api /v3: api_v3 /: admin_version_api policy: admin_required: role:admin or is_admin:1 service_role: role:service service_or_admin: rule:admin_required or rule:service_role owner: user_id:%(user_id)s admin_or_owner: rule:admin_required or rule:owner token_subject: user_id:%(target.token.user_id)s admin_or_token_subject: rule:admin_required or rule:token_subject service_admin_or_token_subject: rule:service_or_admin or rule:token_subject default: rule:admin_required identity:get_region: '' identity:list_regions: '' identity:create_region: rule:admin_required identity:update_region: rule:admin_required identity:delete_region: rule:admin_required identity:get_service: rule:admin_required identity:list_services: rule:admin_required identity:create_service: rule:admin_required identity:update_service: rule:admin_required identity:delete_service: rule:admin_required identity:get_endpoint: rule:admin_required identity:list_endpoints: rule:admin_required identity:create_endpoint: rule:admin_required identity:update_endpoint: rule:admin_required identity:delete_endpoint: rule:admin_required identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s identity:list_domains: rule:admin_required identity:create_domain: rule:admin_required identity:update_domain: rule:admin_required identity:delete_domain: rule:admin_required identity:get_project: rule:admin_required or project_id:%(target.project.id)s identity:list_projects: rule:admin_required identity:list_user_projects: rule:admin_or_owner identity:create_project: rule:admin_required identity:update_project: rule:admin_required identity:delete_project: rule:admin_required identity:get_user: rule:admin_or_owner identity:list_users: rule:admin_required identity:create_user: rule:admin_required identity:update_user: rule:admin_required identity:delete_user: rule:admin_required identity:change_password: rule:admin_or_owner identity:get_group: rule:admin_required identity:list_groups: rule:admin_required identity:list_groups_for_user: rule:admin_or_owner identity:create_group: rule:admin_required identity:update_group: rule:admin_required identity:delete_group: rule:admin_required identity:list_users_in_group: rule:admin_required identity:remove_user_from_group: rule:admin_required identity:check_user_in_group: rule:admin_required identity:add_user_to_group: rule:admin_required identity:get_credential: rule:admin_required identity:list_credentials: rule:admin_required identity:create_credential: rule:admin_required identity:update_credential: rule:admin_required identity:delete_credential: rule:admin_required identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) identity:ec2_list_credentials: rule:admin_or_owner identity:ec2_create_credential: rule:admin_or_owner identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) identity:get_role: rule:admin_required identity:list_roles: rule:admin_required identity:create_role: rule:admin_required identity:update_role: rule:admin_required identity:delete_role: rule:admin_required identity:get_domain_role: rule:admin_required identity:list_domain_roles: rule:admin_required identity:create_domain_role: rule:admin_required identity:update_domain_role: rule:admin_required identity:delete_domain_role: rule:admin_required identity:get_implied_role: 'rule:admin_required ' identity:list_implied_roles: rule:admin_required identity:create_implied_role: rule:admin_required identity:delete_implied_role: rule:admin_required identity:list_role_inference_rules: rule:admin_required identity:check_implied_role: rule:admin_required identity:check_grant: rule:admin_required identity:list_grants: rule:admin_required identity:create_grant: rule:admin_required identity:revoke_grant: rule:admin_required identity:list_role_assignments: rule:admin_required identity:list_role_assignments_for_tree: rule:admin_required identity:get_policy: rule:admin_required identity:list_policies: rule:admin_required identity:create_policy: rule:admin_required identity:update_policy: rule:admin_required identity:delete_policy: rule:admin_required identity:check_token: rule:admin_or_token_subject identity:validate_token: rule:service_admin_or_token_subject identity:validate_token_head: rule:service_or_admin identity:revocation_list: rule:service_or_admin identity:revoke_token: rule:admin_or_token_subject identity:create_trust: user_id:%(trust.trustor_user_id)s identity:list_trusts: '' identity:list_roles_for_trust: '' identity:get_role_for_trust: '' identity:delete_trust: '' identity:create_consumer: rule:admin_required identity:get_consumer: rule:admin_required identity:list_consumers: rule:admin_required identity:delete_consumer: rule:admin_required identity:update_consumer: rule:admin_required identity:authorize_request_token: rule:admin_required identity:list_access_token_roles: rule:admin_required identity:get_access_token_role: rule:admin_required identity:list_access_tokens: rule:admin_required identity:get_access_token: rule:admin_required identity:delete_access_token: rule:admin_required identity:list_projects_for_endpoint: rule:admin_required identity:add_endpoint_to_project: rule:admin_required identity:check_endpoint_in_project: rule:admin_required identity:list_endpoints_for_project: rule:admin_required identity:remove_endpoint_from_project: rule:admin_required identity:create_endpoint_group: rule:admin_required identity:list_endpoint_groups: rule:admin_required identity:get_endpoint_group: rule:admin_required identity:update_endpoint_group: rule:admin_required identity:delete_endpoint_group: rule:admin_required identity:list_projects_associated_with_endpoint_group: rule:admin_required identity:list_endpoints_associated_with_endpoint_group: rule:admin_required identity:get_endpoint_group_in_project: rule:admin_required identity:list_endpoint_groups_for_project: rule:admin_required identity:add_endpoint_group_to_project: rule:admin_required identity:remove_endpoint_group_from_project: rule:admin_required identity:create_identity_provider: rule:admin_required identity:list_identity_providers: rule:admin_required identity:get_identity_providers: rule:admin_required identity:update_identity_provider: rule:admin_required identity:delete_identity_provider: rule:admin_required identity:create_protocol: rule:admin_required identity:update_protocol: rule:admin_required identity:get_protocol: rule:admin_required identity:list_protocols: rule:admin_required identity:delete_protocol: rule:admin_required identity:create_mapping: rule:admin_required identity:get_mapping: rule:admin_required identity:list_mappings: rule:admin_required identity:delete_mapping: rule:admin_required identity:update_mapping: rule:admin_required identity:create_service_provider: rule:admin_required identity:list_service_providers: rule:admin_required identity:get_service_provider: rule:admin_required identity:update_service_provider: rule:admin_required identity:delete_service_provider: rule:admin_required identity:get_auth_catalog: '' identity:get_auth_projects: '' identity:get_auth_domains: '' identity:list_projects_for_user: '' identity:list_domains_for_user: '' identity:list_revoke_events: '' identity:create_policy_association_for_endpoint: rule:admin_required identity:check_policy_association_for_endpoint: rule:admin_required identity:delete_policy_association_for_endpoint: rule:admin_required identity:create_policy_association_for_service: rule:admin_required identity:check_policy_association_for_service: rule:admin_required identity:delete_policy_association_for_service: rule:admin_required identity:create_policy_association_for_region_and_service: rule:admin_required identity:check_policy_association_for_region_and_service: rule:admin_required identity:delete_policy_association_for_region_and_service: rule:admin_required identity:get_policy_for_endpoint: rule:admin_required identity:list_endpoints_for_policy: rule:admin_required identity:create_domain_config: rule:admin_required identity:get_domain_config: rule:admin_required identity:update_domain_config: rule:admin_required identity:delete_domain_config: rule:admin_required identity:get_domain_config_default: rule:admin_required rally_tests: run_tempest: false tests: KeystoneBasic.add_and_remove_user_role: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.authenticate_user_and_validate_token: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_add_and_list_user_roles: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_delete_ec2credential: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_delete_role: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_delete_service: - args: description: test_description service_type: Rally_test_type runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_get_role: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_ec2credentials: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_services: - args: description: test_description service_type: Rally_test_type runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_tenants: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_and_list_users: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_delete_user: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_tenant: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_tenant_with_users: - args: users_per_tenant: 1 runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_update_and_delete_tenant: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_user: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_user_set_enabled_and_delete: - args: enabled: true runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 - args: enabled: false runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.create_user_update_password: - args: {} runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 KeystoneBasic.get_entities: - runner: concurrency: 1 times: 1 type: constant sla: failure_rate: max: 0 mpm_event: override: append: wsgi_keystone: override: append: sso_callback_template: override: append: # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: keystone-keystone-admin test: keystone-keystone-test oslo_db: admin: keystone-db-admin keystone: keystone-db-user oslo_messaging: admin: keystone-rabbitmq-admin keystone: keystone-rabbitmq-user ldap: tls: keystone-ldap-tls # typically overridden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 identity: namespace: null name: keystone auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default test: role: admin region_name: RegionOne username: test password: password project_name: test user_domain_name: default project_domain_name: default hosts: default: keystone-api public: keystone host_fqdn_override: default: null path: default: /v3 scheme: default: http port: admin: default: 35357 api: default: 80 oslo_db: namespace: null auth: admin: username: root password: password keystone: username: keystone password: password hosts: default: mariadb host_fqdn_override: default: null path: /keystone scheme: mysql+pymysql port: mysql: default: 3306 oslo_messaging: namespace: null auth: admin: username: rabbitmq password: password keystone: username: keystone password: password hosts: default: rabbitmq host_fqdn_override: default: null path: /keystone scheme: rabbit port: amqp: default: 5672 http: default: 15672 oslo_cache: namespace: null hosts: default: memcached host_fqdn_override: default: null port: memcache: default: 11211 ldap: auth: client: tls: # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the # following key will need to be overrided under section [ldap] or the # correct domain-specific setting, else it will not be enabled: # # use_tls: true # tls_req_cert: allow # Valid values: demand, never, allow # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert ca: null manifests: configmap_bin: true configmap_etc: true cron_credential_rotate: true cron_fernet_rotate: true deployment_api: true ingress_api: true job_bootstrap: true job_credential_setup: true job_db_init: true job_db_sync: true job_db_drop: false job_domain_manage: true job_fernet_setup: true job_image_repo_sync: true job_rabbit_init: true pdb_api: true pod_rally_test: true secret_credential_keys: true secret_db: true secret_fernet_keys: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true service_api: true