openstack/openstack-helm
Code Issues Proposed changes
06b127e271
openstack-helm/keystone/values.yaml
portdirect 4746de33f4 Helm-Test: remove user and tenant creation from test context 
This PS removes the user managemnt from the rally driven helm tests
which allows LDAP and other read only sources being used to validate
service functionality, in addition to reducing false -ve results in
the Zuul gates.

Change-Id: I1cc0e99bf74d578648b3cd40eaf60c1804044d88
2018-01-29 02:40:22 +00:00

813 lines
24 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
keystone_bootstrap: docker.io/kolla/ubuntu-source-keystone:3.0.3
test: docker.io/kolla/ubuntu-source-rally:4.0.0
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
keystone_db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3
db_drop: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
keystone_fernet_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3
keystone_fernet_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3
keystone_credential_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3
keystone_credential_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3
keystone_api: docker.io/kolla/ubuntu-source-keystone:3.0.3
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
pull_policy: "IfNotPresent"
bootstrap:
enabled: true
script: |
openstack role add \
--user="${OS_USERNAME}" \
--user-domain="${OS_USER_DOMAIN_NAME}" \
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
--project="${OS_PROJECT_NAME}" \
"_member_"
network:
api:
port: 80
ingress:
public: true
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30500
admin:
port: 35357
node_port:
enabled: false
port: 30357
dependencies:
api:
jobs:
- keystone-db-sync
- keystone-credential-setup
# Comment line below when not running fernet tokens.
- keystone-fernet-setup
services:
- service: oslo_cache
endpoint: internal
- service: oslo_db
endpoint: internal
db_init:
services:
- service: oslo_db
endpoint: internal
db_sync:
jobs:
- keystone-db-init
- keystone-credential-setup
# Comment line below when not running fernet tokens.
- keystone-fernet-setup
services:
- service: oslo_db
endpoint: internal
db_drop:
services:
- service: oslo_db
endpoint: internal
fernet_setup:
fernet_rotate:
jobs:
- keystone-fernet-setup
credential_setup:
credential_rotate:
jobs:
- keystone-credential-setup
tests:
services:
- service: identity
endpoint: internal
bootstrap:
services:
- service: identity
endpoint: internal
pod:
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
keystone_db_init:
init_container: null
keystone_db_init:
keystone_db_sync:
init_container: null
keystone_db_sync:
keystone_api:
init_container: null
keystone_api:
keystone_tests:
init_container: null
keystone_tests:
keystone_bootstrap:
init_container: null
keystone_bootstrap:
keystone_fernet_setup:
init_container: null
keystone_fernet_setup:
keystone_fernet_rotate:
init_container: null
keystone_fernet_rotate:
keystone_credential_setup:
init_container: null
keystone_credential_setup:
keystone_credential_rotate:
init_container: null
keystone_credential_rotate:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
fernet_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
fernet_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
fernet_setup:
user: keystone
group: keystone
fernet_rotate:
# weekly
cron: "0 0 * * 0"
user: keystone
group: keystone
credential_setup:
user: keystone
group: keystone
credential_rotate:
# monthly
cron: "0 0 1 * *"
migrate_wait: 120
user: keystone
group: keystone
conf:
keystone:
DEFAULT:
max_token_size: 255
token:
provider: fernet
identity:
domain_specific_drivers_enabled: True
domain_config_dir: /etc/keystonedomains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
credential:
key_repository: /etc/keystone/credential-keys/
database:
max_retries: -1
cache:
enabled: true
backend: dogpile.cache.memcached
# NOTE(lamt) We can leverage multiple domains with different
# configurations as outlined in
# https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
# A sample of the value override can be found in sample file:
# tools/overrides/example/keystone_domain_config.yaml
# ks_domains:
paste:
filter:debug:
use: egg:oslo.middleware#debug
filter:request_id:
use: egg:oslo.middleware#request_id
filter:build_auth_context:
use: egg:keystone#build_auth_context
filter:token_auth:
use: egg:keystone#token_auth
filter:json_body:
use: egg:keystone#json_body
filter:cors:
use: egg:oslo.middleware#cors
oslo_config_project: keystone
filter:http_proxy_to_wsgi:
use: egg:oslo.middleware#http_proxy_to_wsgi
filter:ec2_extension:
use: egg:keystone#ec2_extension
filter:ec2_extension_v3:
use: egg:keystone#ec2_extension_v3
filter:s3_extension:
use: egg:keystone#s3_extension
filter:url_normalize:
use: egg:keystone#url_normalize
filter:sizelimit:
use: egg:oslo.middleware#sizelimit
filter:osprofiler:
use: egg:osprofiler#osprofiler
app:public_service:
use: egg:keystone#public_service
app:service_v3:
use: egg:keystone#service_v3
app:admin_service:
use: egg:keystone#admin_service
pipeline:public_api:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
pipeline:admin_api:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
pipeline:api_v3:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
app:public_version_service:
use: egg:keystone#public_version_service
app:admin_version_service:
use: egg:keystone#admin_version_service
pipeline:public_version_api:
pipeline: cors sizelimit osprofiler url_normalize public_version_service
pipeline:admin_version_api:
pipeline: cors sizelimit osprofiler url_normalize admin_version_service
composite:main:
use: egg:Paste#urlmap
/v2.0: public_api
/v3: api_v3
/: public_version_api
composite:admin:
use: egg:Paste#urlmap
/v2.0: admin_api
/v3: api_v3
/: admin_version_api
policy:
admin_required: role:admin or is_admin:1
service_role: role:service
service_or_admin: rule:admin_required or rule:service_role
owner: user_id:%(user_id)s
admin_or_owner: rule:admin_required or rule:owner
token_subject: user_id:%(target.token.user_id)s
admin_or_token_subject: rule:admin_required or rule:token_subject
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
default: rule:admin_required
identity:get_region: ''
identity:list_regions: ''
identity:create_region: rule:admin_required
identity:update_region: rule:admin_required
identity:delete_region: rule:admin_required
identity:get_service: rule:admin_required
identity:list_services: rule:admin_required
identity:create_service: rule:admin_required
identity:update_service: rule:admin_required
identity:delete_service: rule:admin_required
identity:get_endpoint: rule:admin_required
identity:list_endpoints: rule:admin_required
identity:create_endpoint: rule:admin_required
identity:update_endpoint: rule:admin_required
identity:delete_endpoint: rule:admin_required
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
identity:list_domains: rule:admin_required
identity:create_domain: rule:admin_required
identity:update_domain: rule:admin_required
identity:delete_domain: rule:admin_required
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
identity:list_projects: rule:admin_required
identity:list_user_projects: rule:admin_or_owner
identity:create_project: rule:admin_required
identity:update_project: rule:admin_required
identity:delete_project: rule:admin_required
identity:get_user: rule:admin_or_owner
identity:list_users: rule:admin_required
identity:create_user: rule:admin_required
identity:update_user: rule:admin_required
identity:delete_user: rule:admin_required
identity:change_password: rule:admin_or_owner
identity:get_group: rule:admin_required
identity:list_groups: rule:admin_required
identity:list_groups_for_user: rule:admin_or_owner
identity:create_group: rule:admin_required
identity:update_group: rule:admin_required
identity:delete_group: rule:admin_required
identity:list_users_in_group: rule:admin_required
identity:remove_user_from_group: rule:admin_required
identity:check_user_in_group: rule:admin_required
identity:add_user_to_group: rule:admin_required
identity:get_credential: rule:admin_required
identity:list_credentials: rule:admin_required
identity:create_credential: rule:admin_required
identity:update_credential: rule:admin_required
identity:delete_credential: rule:admin_required
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:ec2_list_credentials: rule:admin_or_owner
identity:ec2_create_credential: rule:admin_or_owner
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:get_role: rule:admin_required
identity:list_roles: rule:admin_required
identity:create_role: rule:admin_required
identity:update_role: rule:admin_required
identity:delete_role: rule:admin_required
identity:get_domain_role: rule:admin_required
identity:list_domain_roles: rule:admin_required
identity:create_domain_role: rule:admin_required
identity:update_domain_role: rule:admin_required
identity:delete_domain_role: rule:admin_required
identity:get_implied_role: 'rule:admin_required '
identity:list_implied_roles: rule:admin_required
identity:create_implied_role: rule:admin_required
identity:delete_implied_role: rule:admin_required
identity:list_role_inference_rules: rule:admin_required
identity:check_implied_role: rule:admin_required
identity:check_grant: rule:admin_required
identity:list_grants: rule:admin_required
identity:create_grant: rule:admin_required
identity:revoke_grant: rule:admin_required
identity:list_role_assignments: rule:admin_required
identity:list_role_assignments_for_tree: rule:admin_required
identity:get_policy: rule:admin_required
identity:list_policies: rule:admin_required
identity:create_policy: rule:admin_required
identity:update_policy: rule:admin_required
identity:delete_policy: rule:admin_required
identity:check_token: rule:admin_or_token_subject
identity:validate_token: rule:service_admin_or_token_subject
identity:validate_token_head: rule:service_or_admin
identity:revocation_list: rule:service_or_admin
identity:revoke_token: rule:admin_or_token_subject
identity:create_trust: user_id:%(trust.trustor_user_id)s
identity:list_trusts: ''
identity:list_roles_for_trust: ''
identity:get_role_for_trust: ''
identity:delete_trust: ''
identity:create_consumer: rule:admin_required
identity:get_consumer: rule:admin_required
identity:list_consumers: rule:admin_required
identity:delete_consumer: rule:admin_required
identity:update_consumer: rule:admin_required
identity:authorize_request_token: rule:admin_required
identity:list_access_token_roles: rule:admin_required
identity:get_access_token_role: rule:admin_required
identity:list_access_tokens: rule:admin_required
identity:get_access_token: rule:admin_required
identity:delete_access_token: rule:admin_required
identity:list_projects_for_endpoint: rule:admin_required
identity:add_endpoint_to_project: rule:admin_required
identity:check_endpoint_in_project: rule:admin_required
identity:list_endpoints_for_project: rule:admin_required
identity:remove_endpoint_from_project: rule:admin_required
identity:create_endpoint_group: rule:admin_required
identity:list_endpoint_groups: rule:admin_required
identity:get_endpoint_group: rule:admin_required
identity:update_endpoint_group: rule:admin_required
identity:delete_endpoint_group: rule:admin_required
identity:list_projects_associated_with_endpoint_group: rule:admin_required
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
identity:get_endpoint_group_in_project: rule:admin_required
identity:list_endpoint_groups_for_project: rule:admin_required
identity:add_endpoint_group_to_project: rule:admin_required
identity:remove_endpoint_group_from_project: rule:admin_required
identity:create_identity_provider: rule:admin_required
identity:list_identity_providers: rule:admin_required
identity:get_identity_providers: rule:admin_required
identity:update_identity_provider: rule:admin_required
identity:delete_identity_provider: rule:admin_required
identity:create_protocol: rule:admin_required
identity:update_protocol: rule:admin_required
identity:get_protocol: rule:admin_required
identity:list_protocols: rule:admin_required
identity:delete_protocol: rule:admin_required
identity:create_mapping: rule:admin_required
identity:get_mapping: rule:admin_required
identity:list_mappings: rule:admin_required
identity:delete_mapping: rule:admin_required
identity:update_mapping: rule:admin_required
identity:create_service_provider: rule:admin_required
identity:list_service_providers: rule:admin_required
identity:get_service_provider: rule:admin_required
identity:update_service_provider: rule:admin_required
identity:delete_service_provider: rule:admin_required
identity:get_auth_catalog: ''
identity:get_auth_projects: ''
identity:get_auth_domains: ''
identity:list_projects_for_user: ''
identity:list_domains_for_user: ''
identity:list_revoke_events: ''
identity:create_policy_association_for_endpoint: rule:admin_required
identity:check_policy_association_for_endpoint: rule:admin_required
identity:delete_policy_association_for_endpoint: rule:admin_required
identity:create_policy_association_for_service: rule:admin_required
identity:check_policy_association_for_service: rule:admin_required
identity:delete_policy_association_for_service: rule:admin_required
identity:create_policy_association_for_region_and_service: rule:admin_required
identity:check_policy_association_for_region_and_service: rule:admin_required
identity:delete_policy_association_for_region_and_service: rule:admin_required
identity:get_policy_for_endpoint: rule:admin_required
identity:list_endpoints_for_policy: rule:admin_required
identity:create_domain_config: rule:admin_required
identity:get_domain_config: rule:admin_required
identity:update_domain_config: rule:admin_required
identity:delete_domain_config: rule:admin_required
identity:get_domain_config_default: rule:admin_required
rally_tests:
run_tempest: false
tests:
KeystoneBasic.add_and_remove_user_role:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.authenticate_user_and_validate_token:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_add_and_list_user_roles:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_ec2credential:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_role:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_service:
- args:
description: test_description
service_type: Rally_test_type
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_get_role:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_ec2credentials:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_services:
- args:
description: test_description
service_type: Rally_test_type
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_tenants:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_users:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_delete_user:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_tenant:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_tenant_with_users:
- args:
users_per_tenant: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_update_and_delete_tenant:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user_set_enabled_and_delete:
- args:
enabled: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
- args:
enabled: false
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user_update_password:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.get_entities:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
mpm_event:
override:
append:
wsgi_keystone:
override:
append:
sso_callback_template:
override:
append:
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: keystone-keystone-admin
test: keystone-keystone-test
oslo_db:
admin: keystone-db-admin
keystone: keystone-db-user
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
identity:
namespace: null
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
oslo_db:
namespace: null
auth:
admin:
username: root
password: password
keystone:
username: keystone
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /keystone
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
namespace: null
auth:
keystone:
username: rabbitmq
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /openstack
scheme: rabbit
port:
amqp:
default: 5672
oslo_cache:
namespace: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
manifests:
configmap_bin: true
configmap_etc: true
cron_credential_rotate: true
cron_fernet_rotate: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_credential_setup: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_fernet_setup: true
pdb_api: true
pod_rally_test: true
secret_credential_keys: true
secret_db: true
secret_fernet_keys: true
secret_keystone: true
service_ingress_api: true
service_api: true
View Git Blame Copy Permalink