openstack/openstack-helm
Code Issues Proposed changes
openstack-helm/keystone/values.yaml
Pete Birley 40a45b9751 RabbitMQ: Add vHost management and improve security 
This PS adds vhost management to rabbitmq jobs. It also prevents
sensitive information being displayed in the management job, and
removes the 'administrator' tag from service users.

Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
2018-04-19 08:26:45 -05:00

888 lines
27 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
bootstrap: docker.io/openstackhelm/heat:newton
test: docker.io/kolla/ubuntu-source-rally:4.0.0
db_init: docker.io/openstackhelm/heat:newton
keystone_db_sync: docker.io/openstackhelm/keystone:newton
db_drop: docker.io/openstackhelm/heat:newton
ks_user: docker.io/openstackhelm/heat:newton
rabbit_init: docker.io/rabbitmq:3.7-management
keystone_fernet_setup: docker.io/openstackhelm/keystone:newton
keystone_fernet_rotate: docker.io/openstackhelm/keystone:newton
keystone_credential_setup: docker.io/openstackhelm/keystone:newton
keystone_credential_rotate: docker.io/openstackhelm/keystone:newton
keystone_api: docker.io/openstackhelm/keystone:newton
keystone_domain_manage: docker.io/openstackhelm/keystone:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.0
pull_policy: "IfNotPresent"
bootstrap:
enabled: true
ks_user: admin
script: |
openstack role create --or-show _member_
openstack role add \
--user="${OS_USERNAME}" \
--user-domain="${OS_USER_DOMAIN_NAME}" \
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
--project="${OS_PROJECT_NAME}" \
"_member_"
#NOTE(portdirect): required for all users who operate heat stacks
openstack role create --or-show heat_stack_owner
openstack role add \
--user="${OS_USERNAME}" \
--user-domain="${OS_USER_DOMAIN_NAME}" \
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
--project="${OS_PROJECT_NAME}" \
"heat_stack_owner"
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30500
admin:
node_port:
enabled: false
port: 30357
dependencies:
static:
api:
jobs:
- keystone-db-sync
- keystone-credential-setup
- keystone-fernet-setup
services:
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: oslo_db
bootstrap:
jobs:
- keystone-domain-manage
services:
- endpoint: internal
service: identity
credential_rotate:
jobs:
- keystone-credential-setup
credential_setup: null
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- keystone-db-init
- keystone-credential-setup
- keystone-fernet-setup
services:
- endpoint: internal
service: oslo_db
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
domain_manage:
services:
- endpoint: internal
service: identity
fernet_rotate:
jobs:
- keystone-fernet-setup
fernet_setup: null
tests:
services:
- endpoint: internal
service: identity
pod:
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
keystone_db_init:
init_container: null
keystone_db_init:
keystone_db_sync:
init_container: null
keystone_db_sync:
keystone_api:
init_container: null
keystone_api:
keystone_tests:
init_container: null
keystone_tests:
keystone_bootstrap:
init_container: null
keystone_bootstrap:
keystone_fernet_setup:
init_container: null
keystone_fernet_setup:
keystone_fernet_rotate:
init_container: null
keystone_fernet_rotate:
keystone_credential_setup:
init_container: null
keystone_credential_setup:
keystone_credential_rotate:
init_container: null
keystone_credential_rotate:
keystone_domain_manage:
init_container: null
keystone_domain_manage:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
domain_manage:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
fernet_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
fernet_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
fernet_setup:
user: keystone
group: keystone
fernet_rotate:
# weekly
cron: "0 0 * * 0"
user: keystone
group: keystone
history:
success: 3
failed: 1
credential_setup:
user: keystone
group: keystone
credential_rotate:
# monthly
cron: "0 0 1 * *"
migrate_wait: 120
user: keystone
group: keystone
history:
success: 3
failed: 1
conf:
keystone:
DEFAULT:
max_token_size: 255
token:
provider: fernet
identity:
domain_specific_drivers_enabled: True
domain_config_dir: /etc/keystonedomains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
credential:
key_repository: /etc/keystone/credential-keys/
database:
max_retries: -1
cache:
enabled: true
backend: dogpile.cache.memcached
# NOTE(lamt) We can leverage multiple domains with different
# configurations as outlined in
# https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
# A sample of the value override can be found in sample file:
# tools/overrides/example/keystone_domain_config.yaml
# ks_domains:
paste:
filter:debug:
use: egg:oslo.middleware#debug
filter:request_id:
use: egg:oslo.middleware#request_id
filter:build_auth_context:
use: egg:keystone#build_auth_context
filter:token_auth:
use: egg:keystone#token_auth
filter:json_body:
use: egg:keystone#json_body
filter:cors:
use: egg:oslo.middleware#cors
oslo_config_project: keystone
filter:http_proxy_to_wsgi:
use: egg:oslo.middleware#http_proxy_to_wsgi
filter:ec2_extension:
use: egg:keystone#ec2_extension
filter:ec2_extension_v3:
use: egg:keystone#ec2_extension_v3
filter:s3_extension:
use: egg:keystone#s3_extension
filter:url_normalize:
use: egg:keystone#url_normalize
filter:sizelimit:
use: egg:oslo.middleware#sizelimit
filter:osprofiler:
use: egg:osprofiler#osprofiler
app:public_service:
use: egg:keystone#public_service
app:service_v3:
use: egg:keystone#service_v3
app:admin_service:
use: egg:keystone#admin_service
pipeline:public_api:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
pipeline:admin_api:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
pipeline:api_v3:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
app:public_version_service:
use: egg:keystone#public_version_service
app:admin_version_service:
use: egg:keystone#admin_version_service
pipeline:public_version_api:
pipeline: cors sizelimit osprofiler url_normalize public_version_service
pipeline:admin_version_api:
pipeline: cors sizelimit osprofiler url_normalize admin_version_service
composite:main:
use: egg:Paste#urlmap
/v2.0: public_api
/v3: api_v3
/: public_version_api
composite:admin:
use: egg:Paste#urlmap
/v2.0: admin_api
/v3: api_v3
/: admin_version_api
policy:
admin_required: role:admin or is_admin:1
service_role: role:service
service_or_admin: rule:admin_required or rule:service_role
owner: user_id:%(user_id)s
admin_or_owner: rule:admin_required or rule:owner
token_subject: user_id:%(target.token.user_id)s
admin_or_token_subject: rule:admin_required or rule:token_subject
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
default: rule:admin_required
identity:get_region: ''
identity:list_regions: ''
identity:create_region: rule:admin_required
identity:update_region: rule:admin_required
identity:delete_region: rule:admin_required
identity:get_service: rule:admin_required
identity:list_services: rule:admin_required
identity:create_service: rule:admin_required
identity:update_service: rule:admin_required
identity:delete_service: rule:admin_required
identity:get_endpoint: rule:admin_required
identity:list_endpoints: rule:admin_required
identity:create_endpoint: rule:admin_required
identity:update_endpoint: rule:admin_required
identity:delete_endpoint: rule:admin_required
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
identity:list_domains: rule:admin_required
identity:create_domain: rule:admin_required
identity:update_domain: rule:admin_required
identity:delete_domain: rule:admin_required
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
identity:list_projects: rule:admin_required
identity:list_user_projects: rule:admin_or_owner
identity:create_project: rule:admin_required
identity:update_project: rule:admin_required
identity:delete_project: rule:admin_required
identity:get_user: rule:admin_or_owner
identity:list_users: rule:admin_required
identity:create_user: rule:admin_required
identity:update_user: rule:admin_required
identity:delete_user: rule:admin_required
identity:change_password: rule:admin_or_owner
identity:get_group: rule:admin_required
identity:list_groups: rule:admin_required
identity:list_groups_for_user: rule:admin_or_owner
identity:create_group: rule:admin_required
identity:update_group: rule:admin_required
identity:delete_group: rule:admin_required
identity:list_users_in_group: rule:admin_required
identity:remove_user_from_group: rule:admin_required
identity:check_user_in_group: rule:admin_required
identity:add_user_to_group: rule:admin_required
identity:get_credential: rule:admin_required
identity:list_credentials: rule:admin_required
identity:create_credential: rule:admin_required
identity:update_credential: rule:admin_required
identity:delete_credential: rule:admin_required
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:ec2_list_credentials: rule:admin_or_owner
identity:ec2_create_credential: rule:admin_or_owner
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:get_role: rule:admin_required
identity:list_roles: rule:admin_required
identity:create_role: rule:admin_required
identity:update_role: rule:admin_required
identity:delete_role: rule:admin_required
identity:get_domain_role: rule:admin_required
identity:list_domain_roles: rule:admin_required
identity:create_domain_role: rule:admin_required
identity:update_domain_role: rule:admin_required
identity:delete_domain_role: rule:admin_required
identity:get_implied_role: 'rule:admin_required '
identity:list_implied_roles: rule:admin_required
identity:create_implied_role: rule:admin_required
identity:delete_implied_role: rule:admin_required
identity:list_role_inference_rules: rule:admin_required
identity:check_implied_role: rule:admin_required
identity:check_grant: rule:admin_required
identity:list_grants: rule:admin_required
identity:create_grant: rule:admin_required
identity:revoke_grant: rule:admin_required
identity:list_role_assignments: rule:admin_required
identity:list_role_assignments_for_tree: rule:admin_required
identity:get_policy: rule:admin_required
identity:list_policies: rule:admin_required
identity:create_policy: rule:admin_required
identity:update_policy: rule:admin_required
identity:delete_policy: rule:admin_required
identity:check_token: rule:admin_or_token_subject
identity:validate_token: rule:service_admin_or_token_subject
identity:validate_token_head: rule:service_or_admin
identity:revocation_list: rule:service_or_admin
identity:revoke_token: rule:admin_or_token_subject
identity:create_trust: user_id:%(trust.trustor_user_id)s
identity:list_trusts: ''
identity:list_roles_for_trust: ''
identity:get_role_for_trust: ''
identity:delete_trust: ''
identity:create_consumer: rule:admin_required
identity:get_consumer: rule:admin_required
identity:list_consumers: rule:admin_required
identity:delete_consumer: rule:admin_required
identity:update_consumer: rule:admin_required
identity:authorize_request_token: rule:admin_required
identity:list_access_token_roles: rule:admin_required
identity:get_access_token_role: rule:admin_required
identity:list_access_tokens: rule:admin_required
identity:get_access_token: rule:admin_required
identity:delete_access_token: rule:admin_required
identity:list_projects_for_endpoint: rule:admin_required
identity:add_endpoint_to_project: rule:admin_required
identity:check_endpoint_in_project: rule:admin_required
identity:list_endpoints_for_project: rule:admin_required
identity:remove_endpoint_from_project: rule:admin_required
identity:create_endpoint_group: rule:admin_required
identity:list_endpoint_groups: rule:admin_required
identity:get_endpoint_group: rule:admin_required
identity:update_endpoint_group: rule:admin_required
identity:delete_endpoint_group: rule:admin_required
identity:list_projects_associated_with_endpoint_group: rule:admin_required
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
identity:get_endpoint_group_in_project: rule:admin_required
identity:list_endpoint_groups_for_project: rule:admin_required
identity:add_endpoint_group_to_project: rule:admin_required
identity:remove_endpoint_group_from_project: rule:admin_required
identity:create_identity_provider: rule:admin_required
identity:list_identity_providers: rule:admin_required
identity:get_identity_providers: rule:admin_required
identity:update_identity_provider: rule:admin_required
identity:delete_identity_provider: rule:admin_required
identity:create_protocol: rule:admin_required
identity:update_protocol: rule:admin_required
identity:get_protocol: rule:admin_required
identity:list_protocols: rule:admin_required
identity:delete_protocol: rule:admin_required
identity:create_mapping: rule:admin_required
identity:get_mapping: rule:admin_required
identity:list_mappings: rule:admin_required
identity:delete_mapping: rule:admin_required
identity:update_mapping: rule:admin_required
identity:create_service_provider: rule:admin_required
identity:list_service_providers: rule:admin_required
identity:get_service_provider: rule:admin_required
identity:update_service_provider: rule:admin_required
identity:delete_service_provider: rule:admin_required
identity:get_auth_catalog: ''
identity:get_auth_projects: ''
identity:get_auth_domains: ''
identity:list_projects_for_user: ''
identity:list_domains_for_user: ''
identity:list_revoke_events: ''
identity:create_policy_association_for_endpoint: rule:admin_required
identity:check_policy_association_for_endpoint: rule:admin_required
identity:delete_policy_association_for_endpoint: rule:admin_required
identity:create_policy_association_for_service: rule:admin_required
identity:check_policy_association_for_service: rule:admin_required
identity:delete_policy_association_for_service: rule:admin_required
identity:create_policy_association_for_region_and_service: rule:admin_required
identity:check_policy_association_for_region_and_service: rule:admin_required
identity:delete_policy_association_for_region_and_service: rule:admin_required
identity:get_policy_for_endpoint: rule:admin_required
identity:list_endpoints_for_policy: rule:admin_required
identity:create_domain_config: rule:admin_required
identity:get_domain_config: rule:admin_required
identity:update_domain_config: rule:admin_required
identity:delete_domain_config: rule:admin_required
identity:get_domain_config_default: rule:admin_required
rally_tests:
run_tempest: false
tests:
KeystoneBasic.add_and_remove_user_role:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.authenticate_user_and_validate_token:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_add_and_list_user_roles:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_ec2credential:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_role:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_service:
- args:
description: test_description
service_type: Rally_test_type
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_get_role:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_ec2credentials:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_services:
- args:
description: test_description
service_type: Rally_test_type
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_tenants:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_users:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_delete_user:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_tenant:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_tenant_with_users:
- args:
users_per_tenant: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_update_and_delete_tenant:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user_set_enabled_and_delete:
- args:
enabled: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
- args:
enabled: false
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user_update_password:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.get_entities:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
mpm_event:
override:
append:
wsgi_keystone:
override:
append:
sso_callback_template:
override:
append:
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: keystone-keystone-admin
test: keystone-keystone-test
oslo_db:
admin: keystone-db-admin
keystone: keystone-db-user
oslo_messaging:
admin: keystone-rabbitmq-admin
keystone: keystone-rabbitmq-user
ldap:
tls: keystone-ldap-tls
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
identity:
namespace: null
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
oslo_db:
namespace: null
auth:
admin:
username: root
password: password
keystone:
username: keystone
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /keystone
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
namespace: null
auth:
admin:
username: rabbitmq
password: password
keystone:
username: keystone
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /keystone
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
oslo_cache:
namespace: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
ldap:
auth:
client:
tls:
# NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
# /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
# following key will need to be overrided under section [ldap] or the
# correct domain-specific setting, else it will not be enabled:
#
# use_tls: true
# tls_req_cert: allow # Valid values: demand, never, allow
# tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
ca: null
manifests:
configmap_bin: true
configmap_etc: true
cron_credential_rotate: true
cron_fernet_rotate: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_credential_setup: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_domain_manage: true
job_fernet_setup: true
job_rabbit_init: true
pdb_api: true
pod_rally_test: true
secret_credential_keys: true
secret_db: true
secret_fernet_keys: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true
service_api: true
View Git Blame Copy Permalink