openstack/openstack-helm
Code Issues Proposed changes
6c9b4df6fe
openstack-helm/congress/values.yaml
Pete Birley 40a45b9751 RabbitMQ: Add vHost management and improve security 
This PS adds vhost management to rabbitmq jobs. It also prevents
sensitive information being displayed in the management job, and
removes the 'administrator' tag from service users.

Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
2018-04-19 08:26:45 -05:00

494 lines
13 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for congress.
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
datasource:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
policy_engine:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
congress_api: docker.io/openstackhelm/congress:newton
congress_datasource: docker.io/openstackhelm/congress:newton
congress_policy_engine: docker.io/openstackhelm/congress:newton
db_init: docker.io/openstackhelm/heat:newton
congress_db_sync: docker.io/openstackhelm/congress:newton
db_drop: docker.io/openstackhelm/heat:newton
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:newton
ks_service: docker.io/openstackhelm/heat:newton
ks_endpoints: docker.io/openstackhelm/heat:newton
congress_ds_create: docker.io/openstackhelm/congress:newton
congress_scripted_test: docker.io/openstackhelm/congress:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.0
pull_policy: "IfNotPresent"
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 1789
volume:
class_name: general
size: 2Gi
dependencies:
static:
api:
jobs:
- congress-db-sync
- congress-ks-user
- congress-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
bootstrap:
jobs:
- congress-db-sync
- congress-ks-user
- congress-ks-endpoints
services:
- endpoint: internal
service: identity
- endpoint: internal
service: image
datasource:
jobs:
- congress-db-sync
- congress-ks-user
- congress-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- congress-db-init
services:
- endpoint: internal
service: oslo_db
ds_create:
jobs:
- congress-ks-endpoints
services:
- endpoint: internal
service: policy
ks_endpoints:
jobs:
- congress-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
policy_engine:
jobs:
- congress-db-sync
- congress-ks-user
- congress-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
storage_init:
services: null
tests:
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
- endpoint: internal
service: policy
secrets:
identity:
admin: congress-keystone-admin
congress: congress-keystone-user
oslo_db:
admin: congress-db-admin
congress: congress-db-user
rbd: images-rbd-keyring
oslo_messaging:
admin: congress-rabbitmq-admin
congress: congress-rabbitmq-user
bootstrap:
enabled: false
ks_user: congress
script: |
openstack token issue
endpoints:
cluster_domain_suffix: cluster.local
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
congress:
role: admin
region_name: RegionOne
username: congress
password: password
project_name: service
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
policy:
name: congress
hosts:
default: congress-api
public: congress
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 1789
public: 80
oslo_db:
auth:
admin:
username: root
password: password
congress:
username: congress
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /congress
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
congress:
username: congress
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /congress
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
policy:
datasource_services:
- neutronv2
- glancev2
- keystonev3
- swift
- heat
- nova
poll_time: 120
conf:
congress:
DEFAULT:
#NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
bind_port: null
drivers: congress.datasources.neutronv2_driver.NeutronV2Driver,congress.datasources.glancev2_driver.GlanceV2Driver,congress.datasources.nova_driver.NovaDriver,congress.datasources.keystonev3_driver.KeystoneV3Driver,congress.datasources.cinder_driver.CinderDriver,congress.datasources.swift_driver.SwiftDriver,congress.datasources.plexxi_driver.PlexxiDriver,congress.datasources.vCenter_driver.VCenterDriver,congress.datasources.murano_driver.MuranoDriver,congress.datasources.ironic_driver.IronicDriver,congress.datasources.heatv1_driver.HeatV1Driver,congress.datasources.doctor_driver.DoctorDriver,congress.datasources.ceilometer_driver.CeilometerDriver
replicated_policy_engine: False
datasource_sync_period: 30
auth_strategy: keystone
debug: False
logging_exception_prefix: '%(color)s%(asctime)s.%(msecs)03d TRACE %(name)s %(instance)s'
logging_debug_format_suffix: 'from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d'
logging_default_format_string: '%(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [-%(color)s] %(instance)s%(color)s%(message)s'
logging_context_format_string: '%(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [%(request_id)s %(project_name)s %(user_name)s%(color)s] %(instance)s%(color)s%(message)s'
oslo_policy:
policy_file: /etc/congress/policy.json
database:
max_retries: -1
keystone_authtoken:
auth_type: password
paste:
composite:congress:
use: egg:Paste#urlmap
/: congressversions
/v1: congress_api_v1
pipeline:congressversions:
pipeline: cors http_proxy_to_wsgi catch_errors congressversionapp
app:congressversionapp:
paste.app_factory: congress.api.versions:Versions.factory
composite:congress_api_v1:
use: call:congress.auth:pipeline_factory
keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext congress_api
noauth: cors http_proxy_to_wsgi request_id catch_errors congress_api
app:congress_api:
paste.app_factory: congress.service:congress_app_factory
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:catch_errors:
paste.filter_factory: oslo_middleware:CatchErrors.factory
filter:keystonecontext:
paste.filter_factory: congress.auth:CongressKeystoneContext.factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: congress
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
oslo_config_project: congress
policy:
context_is_admin: role:admin
admin_only: rule:context_is_admin
regular_user: ""
default: rule:admin_only
pod:
user:
congress:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
replicas:
api: 1
policy_engine: 1
# dont scale out ds node
# only one node per environment should be in active state
# https://docs.openstack.org/congress/latest/admin/ha-overview.html#ha-overview
datasource: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
datasource:
min_available: 0
policy_engine:
min_available: 0
termination_grace_period:
api:
timeout: 600
datasource:
timeout: 600
policy_engine:
timeout: 600
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
registry:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
storage_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_etc: true
deployment_api: true
deployment_datasource: true
deployment_policy_engine: true
ingress_api: true
job_bootstrap: true
job_db_drop: false
job_db_init: true
job_db_sync: true
job_ds_create: true
job_rabbit_init: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
secret_db: true
secret_keystone: true
service_api: true
service_ingress_api: true
secret_rabbitmq: true
View Git Blame Copy Permalink