openstack/openstack-helm
Code Issues Proposed changes
56d4657561
openstack-helm/barbican/values.yaml
Hyunsun Moon 0808cf5198 Add option to set external policy to local for openstack services 
External traffic policy "local" would be preffered when openstack
service is accessed from external via node port. This option has an
effect only when service node port is enabled.

Change-Id: Ic68cfc59dc39dc842d4790deffa70efe433dd7a6
2017-11-02 15:07:21 +09:00

491 lines
15 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
scripted_test: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
barbican_db_sync: docker.io/kolla/ubuntu-source-barbican-api:3.0.3
db_drop: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
barbican_api: docker.io/kolla/ubuntu-source-barbican-api:3.0.3
pull_policy: "IfNotPresent"
pod:
user:
barbican:
uid: 1000
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
barbican_api:
init_container: null
barbican_api:
barbican_bootstrap:
init_container: null
barbican_bootstrap:
barbican_tests:
init_container: null
barbican_tests:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
network:
api:
ingress:
public: true
external_policy_local: false
node_port:
enabled: false
port: 39486
bootstrap:
enabled: false
script: |
openstack token issue
dependencies:
db_init:
services:
- service: oslo_db
endpoint: internal
db_sync:
jobs:
- barbican-db-init
services:
- service: oslo_db
endpoint: internal
db_drop:
services:
- service: oslo_db
endpoint: internal
ks_user:
services:
- service: identity
endpoint: internal
ks_service:
services:
- service: identity
endpoint: internal
ks_endpoints:
jobs:
- barbican-ks-service
services:
- service: identity
endpoint: internal
api:
jobs:
- barbican-db-sync
- barbican-ks-user
- barbican-ks-endpoints
services:
- service: oslo_db
endpoint: internal
- service: identity
endpoint: internal
conf:
paste:
composite:main:
use: egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone
pipeline:barbican_version:
pipeline: cors http_proxy_to_wsgi versionapp
pipeline:barbican_api:
pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
pipeline:barbican-profile:
pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
pipeline:barbican-api-keystone:
pipeline: cors http_proxy_to_wsgi authtoken context apiapp
pipeline:barbican-api-keystone-audit:
pipeline: http_proxy_to_wsgi authtoken context audit apiapp
app:apiapp:
paste.app_factory: barbican.api.app:create_main_app
app:versionapp:
paste.app_factory: barbican.api.app:create_version_app
filter:simple:
paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
filter:unauthenticated-context:
paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
filter:context:
paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/barbican/api_audit_map.conf
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:profile:
use: egg:repoze.profile
log_filename: myapp.profile
cachegrind_filename: cachegrind.out.myapp
discard_first_request: true
path: /__profile__
flush_at_shutdown: true
unwind: false
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: barbican
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
policy:
admin: role:admin
observer: role:observer
creator: role:creator
audit: role:audit
service_admin: role:key-manager:service-admin
admin_or_user_does_not_work: project_id:%(project_id)s
admin_or_user: rule:admin or project_id:%(project_id)s
admin_or_creator: rule:admin or rule:creator
all_but_audit: rule:admin or rule:observer or rule:creator
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
secret_project_match: project:%(target.secret.project_id)s
secret_acl_read: "'read':%(target.secret.read)s"
secret_private_read: "'False':%(target.secret.read_project_access)s"
secret_creator_user: user:%(target.secret.creator_id)s
container_project_match: project:%(target.container.project_id)s
container_acl_read: "'read':%(target.container.read)s"
container_private_read: "'False':%(target.container.read_project_access)s"
container_creator_user: user:%(target.container.creator_id)s
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
and not rule:secret_private_read
container_non_private_read: rule:all_users and rule:container_project_match and not
rule:container_private_read
secret_project_admin: rule:admin and rule:secret_project_match
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
container_project_admin: rule:admin and rule:container_project_match
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
version:get: "@"
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
or rule:secret_project_admin or rule:secret_acl_read
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
or rule:secret_acl_read
secret:put: rule:admin_or_creator and rule:secret_project_match
secret:delete: rule:secret_project_admin or rule:secret_project_creator
secrets:post: rule:admin_or_creator
secrets:get: rule:all_but_audit
orders:post: rule:admin_or_creator
orders:get: rule:all_but_audit
order:get: rule:all_users
order:put: rule:admin_or_creator
order:delete: rule:admin
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
or rule:container_project_admin or rule:container_acl_read
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
or rule:container_project_admin or rule:container_acl_read
containers:post: rule:admin_or_creator
containers:get: rule:all_but_audit
container:get: rule:container_non_private_read or rule:container_project_creator or
rule:container_project_admin or rule:container_acl_read
container:delete: rule:container_project_admin or rule:container_project_creator
container_secret:post: rule:admin
container_secret:delete: rule:admin
transport_key:get: rule:all_users
transport_key:delete: rule:admin
transport_keys:get: rule:all_users
transport_keys:post: rule:admin
certificate_authorities:get_limited: rule:all_users
certificate_authorities:get_all: rule:admin
certificate_authorities:post: rule:admin
certificate_authorities:get_preferred_ca: rule:all_users
certificate_authorities:get_global_preferred_ca: rule:service_admin
certificate_authorities:unset_global_preferred: rule:service_admin
certificate_authority:delete: rule:admin
certificate_authority:get: rule:all_users
certificate_authority:get_cacert: rule:all_users
certificate_authority:get_ca_cert_chain: rule:all_users
certificate_authority:get_projects: rule:service_admin
certificate_authority:add_to_project: rule:admin
certificate_authority:remove_from_project: rule:admin
certificate_authority:set_preferred: rule:admin
certificate_authority:set_global_preferred: rule:service_admin
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
secret_acls:get: rule:all_but_audit and rule:secret_project_match
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
container_acls:delete: rule:container_project_admin or rule:container_project_creator
container_acls:get: rule:all_but_audit and rule:container_project_match
quotas:get: rule:all_users
project_quotas:get: rule:service_admin
project_quotas:put: rule:service_admin
project_quotas:delete: rule:service_admin
secret_meta:get: rule:all_but_audit
secret_meta:post: rule:admin_or_creator
secret_meta:put: rule:admin_or_creator
secret_meta:delete: rule:admin_or_creator
secretstores:get: rule:admin
secretstores:get_global_default: rule:admin
secretstores:get_preferred: rule:admin
secretstore_preferred:post: rule:admin
secretstore_preferred:delete: rule:admin
secretstore:get: rule:admin
audit_map:
DEFAULT:
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type: key-manager
custom_actions:
# map urls ending with specific text to a unique action
# Don't need custom mapping for other resource operations
# Note: action should match action names defined in CADF taxonomy
acl/get: read
path_keywords:
# path of api requests for CADF target typeURI
# Just need to include top resource path to identify class of resources
secrets: null
containers: null
orders: null
cas: "None"
quotas: null
project-quotas: null
service_endpoints:
# map endpoint type defined in service catalog to CADF typeURI
key-manager: service/security/keymanager
barbican_api:
uwsgi:
socket: null
protocol: http
processes: 1
lazy: true
vacuum: true
no-default-app: true
memory-report: true
plugins: python
paste: "config:/etc/barbican/barbican-api-paste.ini"
add-header: "Connection: close"
barbican:
DEFAULT:
transport_url: null
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
database:
max_retries: -1
barbican_api:
bind_port: 9311
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: barbican-keystone-admin
user: barbican-keystone-user
oslo_db:
admin: barbican-db-admin
user: barbican-db-user
endpoints:
cluster_domain_suffix: cluster.local
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
user:
role: admin
region_name: RegionOne
username: barbican
password: password
project_name: service
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
key_manager:
name: barbican
hosts:
default: barbican-api
public: barbican
host_fqdn_override:
default: null
path:
default: /v1
scheme:
default: http
port:
api:
default: 9311
public: 80
oslo_db:
auth:
admin:
username: root
password: password
user:
username: barbican
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /barbican
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
auth:
admin:
username: admin
password: password
user:
username: rabbitmq
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /
scheme: rabbit
port:
amqp:
default: 5672
oslo_cache:
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
manifests:
configmap_bin: true
configmap_etc: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
pdb_api: true
secret_db: true
secret_keystone: true
service_ingress_api: true
service_api: true
View Git Blame Copy Permalink