fe6107cf76
This PS updates the values file layout for images to allow simple parsing of the images in use by charts, allowing them to be queried and modified much more simply. By moving the image tags to a 'tags' key, we can extend the options used simply to accomodate extra options simply (eg prefixing the tag for use with an internal registry) or pre-pulling the images to reduce chart deploy failure. Change-Id: I9ec1dbb00d997ab6cb021bf0b698f7aae740e95d
614 lines
19 KiB
YAML
614 lines
19 KiB
YAML
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for keystone.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
labels:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
release_group: null
|
|
|
|
images:
|
|
tags:
|
|
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
test: docker.io/kolla/ubuntu-source-rally:4.0.0
|
|
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
db_drop: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
fernet_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
fernet_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
credential_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
credential_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
api: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
|
|
pull_policy: "IfNotPresent"
|
|
|
|
bootstrap:
|
|
enabled: true
|
|
script: |
|
|
openstack role add \
|
|
--user="${OS_USERNAME}" \
|
|
--user-domain="${OS_USER_DOMAIN_NAME}" \
|
|
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
|
|
--project="${OS_PROJECT_NAME}" \
|
|
"_member_"
|
|
|
|
network:
|
|
api:
|
|
port: 80
|
|
ingress:
|
|
public: true
|
|
node_port:
|
|
enabled: false
|
|
port: 30500
|
|
admin:
|
|
port: 35357
|
|
node_port:
|
|
enabled: false
|
|
port: 30357
|
|
|
|
dependencies:
|
|
api:
|
|
jobs:
|
|
- keystone-db-sync
|
|
- keystone-credential-setup
|
|
# Comment line below when not running fernet tokens.
|
|
- keystone-fernet-setup
|
|
services:
|
|
- service: oslo_cache
|
|
endpoint: internal
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_init:
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_sync:
|
|
jobs:
|
|
- keystone-db-init
|
|
- keystone-credential-setup
|
|
# Comment line below when not running fernet tokens.
|
|
- keystone-fernet-setup
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_drop:
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
fernet_setup:
|
|
fernet_rotate:
|
|
jobs:
|
|
- keystone-fernet-setup
|
|
credential_setup:
|
|
credential_rotate:
|
|
jobs:
|
|
- keystone-credential-setup
|
|
tests:
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
bootstrap:
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
|
|
pod:
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
keystone_db_init:
|
|
init_container: null
|
|
keystone_db_init:
|
|
keystone_db_sync:
|
|
init_container: null
|
|
keystone_db_sync:
|
|
keystone_api:
|
|
init_container: null
|
|
keystone_api:
|
|
keystone_tests:
|
|
init_container: null
|
|
keystone_tests:
|
|
keystone_bootstrap:
|
|
init_container: null
|
|
keystone_bootstrap:
|
|
keystone_fernet_setup:
|
|
init_container: null
|
|
keystone_fernet_setup:
|
|
keystone_fernet_rotate:
|
|
init_container: null
|
|
keystone_fernet_rotate:
|
|
keystone_credential_setup:
|
|
init_container: null
|
|
keystone_credential_setup:
|
|
keystone_credential_rotate:
|
|
init_container: null
|
|
keystone_credential_rotate:
|
|
replicas:
|
|
api: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
api:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
api:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
fernet_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
fernet_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
jobs:
|
|
fernet_setup:
|
|
user: keystone
|
|
group: keystone
|
|
fernet_rotate:
|
|
# weekly
|
|
cron: "0 0 * * 0"
|
|
user: keystone
|
|
group: keystone
|
|
credential_setup:
|
|
user: keystone
|
|
group: keystone
|
|
credential_rotate:
|
|
# monthly
|
|
cron: "0 0 1 * *"
|
|
migrate_wait: 120
|
|
user: keystone
|
|
group: keystone
|
|
|
|
conf:
|
|
keystone:
|
|
DEFAULT:
|
|
max_token_size: 255
|
|
token:
|
|
provider: fernet
|
|
fernet_tokens:
|
|
key_repository: /etc/keystone/fernet-keys/
|
|
credential:
|
|
key_repository: /etc/keystone/credential-keys/
|
|
database:
|
|
max_retries: -1
|
|
cache:
|
|
enabled: true
|
|
backend: dogpile.cache.memcached
|
|
paste:
|
|
filter:debug:
|
|
use: egg:oslo.middleware#debug
|
|
filter:request_id:
|
|
use: egg:oslo.middleware#request_id
|
|
filter:build_auth_context:
|
|
use: egg:keystone#build_auth_context
|
|
filter:token_auth:
|
|
use: egg:keystone#token_auth
|
|
filter:json_body:
|
|
use: egg:keystone#json_body
|
|
filter:cors:
|
|
use: egg:oslo.middleware#cors
|
|
oslo_config_project: keystone
|
|
filter:http_proxy_to_wsgi:
|
|
use: egg:oslo.middleware#http_proxy_to_wsgi
|
|
filter:ec2_extension:
|
|
use: egg:keystone#ec2_extension
|
|
filter:ec2_extension_v3:
|
|
use: egg:keystone#ec2_extension_v3
|
|
filter:s3_extension:
|
|
use: egg:keystone#s3_extension
|
|
filter:url_normalize:
|
|
use: egg:keystone#url_normalize
|
|
filter:sizelimit:
|
|
use: egg:oslo.middleware#sizelimit
|
|
filter:osprofiler:
|
|
use: egg:osprofiler#osprofiler
|
|
app:public_service:
|
|
use: egg:keystone#public_service
|
|
app:service_v3:
|
|
use: egg:keystone#service_v3
|
|
app:admin_service:
|
|
use: egg:keystone#admin_service
|
|
pipeline:public_api:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
|
|
pipeline:admin_api:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
|
|
pipeline:api_v3:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
|
|
app:public_version_service:
|
|
use: egg:keystone#public_version_service
|
|
app:admin_version_service:
|
|
use: egg:keystone#admin_version_service
|
|
pipeline:public_version_api:
|
|
pipeline: cors sizelimit osprofiler url_normalize public_version_service
|
|
pipeline:admin_version_api:
|
|
pipeline: cors sizelimit osprofiler url_normalize admin_version_service
|
|
composite:main:
|
|
use: egg:Paste#urlmap
|
|
/v2.0: public_api
|
|
/v3: api_v3
|
|
/: public_version_api
|
|
composite:admin:
|
|
use: egg:Paste#urlmap
|
|
/v2.0: admin_api
|
|
/v3: api_v3
|
|
/: admin_version_api
|
|
policy:
|
|
admin_required: role:admin or is_admin:1
|
|
service_role: role:service
|
|
service_or_admin: rule:admin_required or rule:service_role
|
|
owner: user_id:%(user_id)s
|
|
admin_or_owner: rule:admin_required or rule:owner
|
|
token_subject: user_id:%(target.token.user_id)s
|
|
admin_or_token_subject: rule:admin_required or rule:token_subject
|
|
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
|
default: rule:admin_required
|
|
identity:get_region: ''
|
|
identity:list_regions: ''
|
|
identity:create_region: rule:admin_required
|
|
identity:update_region: rule:admin_required
|
|
identity:delete_region: rule:admin_required
|
|
identity:get_service: rule:admin_required
|
|
identity:list_services: rule:admin_required
|
|
identity:create_service: rule:admin_required
|
|
identity:update_service: rule:admin_required
|
|
identity:delete_service: rule:admin_required
|
|
identity:get_endpoint: rule:admin_required
|
|
identity:list_endpoints: rule:admin_required
|
|
identity:create_endpoint: rule:admin_required
|
|
identity:update_endpoint: rule:admin_required
|
|
identity:delete_endpoint: rule:admin_required
|
|
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
|
|
identity:list_domains: rule:admin_required
|
|
identity:create_domain: rule:admin_required
|
|
identity:update_domain: rule:admin_required
|
|
identity:delete_domain: rule:admin_required
|
|
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
|
|
identity:list_projects: rule:admin_required
|
|
identity:list_user_projects: rule:admin_or_owner
|
|
identity:create_project: rule:admin_required
|
|
identity:update_project: rule:admin_required
|
|
identity:delete_project: rule:admin_required
|
|
identity:get_user: rule:admin_or_owner
|
|
identity:list_users: rule:admin_required
|
|
identity:create_user: rule:admin_required
|
|
identity:update_user: rule:admin_required
|
|
identity:delete_user: rule:admin_required
|
|
identity:change_password: rule:admin_or_owner
|
|
identity:get_group: rule:admin_required
|
|
identity:list_groups: rule:admin_required
|
|
identity:list_groups_for_user: rule:admin_or_owner
|
|
identity:create_group: rule:admin_required
|
|
identity:update_group: rule:admin_required
|
|
identity:delete_group: rule:admin_required
|
|
identity:list_users_in_group: rule:admin_required
|
|
identity:remove_user_from_group: rule:admin_required
|
|
identity:check_user_in_group: rule:admin_required
|
|
identity:add_user_to_group: rule:admin_required
|
|
identity:get_credential: rule:admin_required
|
|
identity:list_credentials: rule:admin_required
|
|
identity:create_credential: rule:admin_required
|
|
identity:update_credential: rule:admin_required
|
|
identity:delete_credential: rule:admin_required
|
|
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_list_credentials: rule:admin_or_owner
|
|
identity:ec2_create_credential: rule:admin_or_owner
|
|
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:get_role: rule:admin_required
|
|
identity:list_roles: rule:admin_required
|
|
identity:create_role: rule:admin_required
|
|
identity:update_role: rule:admin_required
|
|
identity:delete_role: rule:admin_required
|
|
identity:get_domain_role: rule:admin_required
|
|
identity:list_domain_roles: rule:admin_required
|
|
identity:create_domain_role: rule:admin_required
|
|
identity:update_domain_role: rule:admin_required
|
|
identity:delete_domain_role: rule:admin_required
|
|
identity:get_implied_role: 'rule:admin_required '
|
|
identity:list_implied_roles: rule:admin_required
|
|
identity:create_implied_role: rule:admin_required
|
|
identity:delete_implied_role: rule:admin_required
|
|
identity:list_role_inference_rules: rule:admin_required
|
|
identity:check_implied_role: rule:admin_required
|
|
identity:check_grant: rule:admin_required
|
|
identity:list_grants: rule:admin_required
|
|
identity:create_grant: rule:admin_required
|
|
identity:revoke_grant: rule:admin_required
|
|
identity:list_role_assignments: rule:admin_required
|
|
identity:list_role_assignments_for_tree: rule:admin_required
|
|
identity:get_policy: rule:admin_required
|
|
identity:list_policies: rule:admin_required
|
|
identity:create_policy: rule:admin_required
|
|
identity:update_policy: rule:admin_required
|
|
identity:delete_policy: rule:admin_required
|
|
identity:check_token: rule:admin_or_token_subject
|
|
identity:validate_token: rule:service_admin_or_token_subject
|
|
identity:validate_token_head: rule:service_or_admin
|
|
identity:revocation_list: rule:service_or_admin
|
|
identity:revoke_token: rule:admin_or_token_subject
|
|
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
|
identity:list_trusts: ''
|
|
identity:list_roles_for_trust: ''
|
|
identity:get_role_for_trust: ''
|
|
identity:delete_trust: ''
|
|
identity:create_consumer: rule:admin_required
|
|
identity:get_consumer: rule:admin_required
|
|
identity:list_consumers: rule:admin_required
|
|
identity:delete_consumer: rule:admin_required
|
|
identity:update_consumer: rule:admin_required
|
|
identity:authorize_request_token: rule:admin_required
|
|
identity:list_access_token_roles: rule:admin_required
|
|
identity:get_access_token_role: rule:admin_required
|
|
identity:list_access_tokens: rule:admin_required
|
|
identity:get_access_token: rule:admin_required
|
|
identity:delete_access_token: rule:admin_required
|
|
identity:list_projects_for_endpoint: rule:admin_required
|
|
identity:add_endpoint_to_project: rule:admin_required
|
|
identity:check_endpoint_in_project: rule:admin_required
|
|
identity:list_endpoints_for_project: rule:admin_required
|
|
identity:remove_endpoint_from_project: rule:admin_required
|
|
identity:create_endpoint_group: rule:admin_required
|
|
identity:list_endpoint_groups: rule:admin_required
|
|
identity:get_endpoint_group: rule:admin_required
|
|
identity:update_endpoint_group: rule:admin_required
|
|
identity:delete_endpoint_group: rule:admin_required
|
|
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
|
identity:get_endpoint_group_in_project: rule:admin_required
|
|
identity:list_endpoint_groups_for_project: rule:admin_required
|
|
identity:add_endpoint_group_to_project: rule:admin_required
|
|
identity:remove_endpoint_group_from_project: rule:admin_required
|
|
identity:create_identity_provider: rule:admin_required
|
|
identity:list_identity_providers: rule:admin_required
|
|
identity:get_identity_providers: rule:admin_required
|
|
identity:update_identity_provider: rule:admin_required
|
|
identity:delete_identity_provider: rule:admin_required
|
|
identity:create_protocol: rule:admin_required
|
|
identity:update_protocol: rule:admin_required
|
|
identity:get_protocol: rule:admin_required
|
|
identity:list_protocols: rule:admin_required
|
|
identity:delete_protocol: rule:admin_required
|
|
identity:create_mapping: rule:admin_required
|
|
identity:get_mapping: rule:admin_required
|
|
identity:list_mappings: rule:admin_required
|
|
identity:delete_mapping: rule:admin_required
|
|
identity:update_mapping: rule:admin_required
|
|
identity:create_service_provider: rule:admin_required
|
|
identity:list_service_providers: rule:admin_required
|
|
identity:get_service_provider: rule:admin_required
|
|
identity:update_service_provider: rule:admin_required
|
|
identity:delete_service_provider: rule:admin_required
|
|
identity:get_auth_catalog: ''
|
|
identity:get_auth_projects: ''
|
|
identity:get_auth_domains: ''
|
|
identity:list_projects_for_user: ''
|
|
identity:list_domains_for_user: ''
|
|
identity:list_revoke_events: ''
|
|
identity:create_policy_association_for_endpoint: rule:admin_required
|
|
identity:check_policy_association_for_endpoint: rule:admin_required
|
|
identity:delete_policy_association_for_endpoint: rule:admin_required
|
|
identity:create_policy_association_for_service: rule:admin_required
|
|
identity:check_policy_association_for_service: rule:admin_required
|
|
identity:delete_policy_association_for_service: rule:admin_required
|
|
identity:create_policy_association_for_region_and_service: rule:admin_required
|
|
identity:check_policy_association_for_region_and_service: rule:admin_required
|
|
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
|
identity:get_policy_for_endpoint: rule:admin_required
|
|
identity:list_endpoints_for_policy: rule:admin_required
|
|
identity:create_domain_config: rule:admin_required
|
|
identity:get_domain_config: rule:admin_required
|
|
identity:update_domain_config: rule:admin_required
|
|
identity:delete_domain_config: rule:admin_required
|
|
identity:get_domain_config_default: rule:admin_required
|
|
rally_tests:
|
|
run_tempest: false
|
|
override:
|
|
append:
|
|
mpm_event:
|
|
override:
|
|
append:
|
|
wsgi_keystone:
|
|
override:
|
|
append:
|
|
sso_callback_template:
|
|
override:
|
|
append:
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: keystone-keystone-admin
|
|
oslo_db:
|
|
admin: keystone-db-admin
|
|
user: keystone-db-user
|
|
|
|
# typically overriden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
identity:
|
|
namespace: null
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
hosts:
|
|
default: keystone-api
|
|
public: keystone
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
admin:
|
|
default: 35357
|
|
api:
|
|
default: 80
|
|
oslo_db:
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
user:
|
|
username: keystone
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /keystone
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
username: admin
|
|
password: password
|
|
user:
|
|
username: keystone
|
|
password: password
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /openstack
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
oslo_cache:
|
|
namespace: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
cron_credential_rotate: true
|
|
cron_fernet_rotate: true
|
|
deployment_api: true
|
|
ingress_api: true
|
|
job_bootstrap: true
|
|
job_credential_setup: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_fernet_setup: true
|
|
pdb_api: true
|
|
pod_rally_test: true
|
|
secret_credential_keys: true
|
|
secret_db: true
|
|
secret_fernet_keys: true
|
|
secret_keystone: true
|
|
service_ingress_api: true
|
|
service_api: true
|