9bcf0df94c
This PS updates the charts to use the htk function recently introduced to allow oslo.messaging clients ans servers to directly hit their backends rather than using either DNS or K8S svc based routing. Depends-On: I5150a64bd29fa062e30496c1f2127de138322863 Change-Id: I458b4313c57fc50c8181cedeca9919670487926a Signed-off-by: Pete Birley <pete@port.direct>
1302 lines
38 KiB
YAML
1302 lines
38 KiB
YAML
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for keystone.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
labels:
|
|
api:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
release_group: null
|
|
|
|
images:
|
|
tags:
|
|
bootstrap: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
|
|
test: docker.io/xrally/xrally-openstack:1.3.0
|
|
db_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
|
|
keystone_db_sync: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
db_drop: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
|
|
ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
|
|
rabbit_init: docker.io/rabbitmq:3.7-management
|
|
keystone_fernet_setup: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
keystone_fernet_rotate: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
keystone_credential_setup: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
keystone_credential_rotate: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
keystone_credential_cleanup: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
|
|
keystone_api: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
keystone_domain_manage: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: "IfNotPresent"
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
bootstrap:
|
|
enabled: true
|
|
ks_user: admin
|
|
script: |
|
|
#NOTE(gagehugo): As of Rocky, keystone creates a member role by default
|
|
openstack role create --or-show member
|
|
openstack role add \
|
|
--user="${OS_USERNAME}" \
|
|
--user-domain="${OS_USER_DOMAIN_NAME}" \
|
|
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
|
|
--project="${OS_PROJECT_NAME}" \
|
|
"member"
|
|
|
|
network:
|
|
api:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30500
|
|
admin:
|
|
node_port:
|
|
enabled: false
|
|
port: 30357
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- keystone-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
api:
|
|
jobs:
|
|
- keystone-db-sync
|
|
- keystone-credential-setup
|
|
- keystone-fernet-setup
|
|
- keystone-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_cache
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
bootstrap:
|
|
jobs:
|
|
- keystone-domain-manage
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
credential_rotate:
|
|
jobs:
|
|
- keystone-credential-setup
|
|
credential_setup: null
|
|
credential_cleanup:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- keystone-db-init
|
|
- keystone-credential-setup
|
|
- keystone-fernet-setup
|
|
- keystone-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
rabbit_init:
|
|
services:
|
|
- service: oslo_messaging
|
|
endpoint: internal
|
|
domain_manage:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
fernet_rotate:
|
|
jobs:
|
|
- keystone-fernet-setup
|
|
fernet_setup: null
|
|
tests:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
pod:
|
|
security_context:
|
|
keystone:
|
|
pod:
|
|
runAsUser: 42424
|
|
container:
|
|
keystone_api:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
weight:
|
|
default: 10
|
|
mounts:
|
|
keystone_db_init:
|
|
init_container: null
|
|
keystone_db_init:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_db_sync:
|
|
init_container: null
|
|
keystone_db_sync:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_api:
|
|
init_container: null
|
|
keystone_api:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_tests:
|
|
init_container: null
|
|
keystone_tests:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_bootstrap:
|
|
init_container: null
|
|
keystone_bootstrap:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_fernet_setup:
|
|
init_container: null
|
|
keystone_fernet_setup:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_fernet_rotate:
|
|
init_container: null
|
|
keystone_fernet_rotate:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_credential_setup:
|
|
init_container: null
|
|
keystone_credential_setup:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_credential_rotate:
|
|
init_container: null
|
|
keystone_credential_rotate:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_credential_cleanup:
|
|
init_container: null
|
|
keystone_credential_cleanup:
|
|
volumeMounts:
|
|
volumes:
|
|
keystone_domain_manage:
|
|
init_container: null
|
|
keystone_domain_manage:
|
|
volumeMounts:
|
|
volumes:
|
|
replicas:
|
|
api: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
api:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
api:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
domain_manage:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
rabbit_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
fernet_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
fernet_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_cleanup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
jobs:
|
|
fernet_setup:
|
|
user: keystone
|
|
group: keystone
|
|
fernet_rotate:
|
|
# NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
|
|
# max_active_keys = (token_expiration / rotation_frequency) + 2
|
|
# as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
|
|
# 12 hours
|
|
cron: "0 */12 * * *"
|
|
user: keystone
|
|
group: keystone
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
credential_setup:
|
|
user: keystone
|
|
group: keystone
|
|
credential_rotate:
|
|
# monthly
|
|
cron: "0 0 1 * *"
|
|
migrate_wait: 120
|
|
user: keystone
|
|
group: keystone
|
|
history:
|
|
success: 3
|
|
failed: 1
|
|
|
|
network_policy:
|
|
keystone:
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
application: ceph
|
|
- podSelector:
|
|
matchLabels:
|
|
application: ingress
|
|
- podSelector:
|
|
matchLabels:
|
|
application: keystone
|
|
- podSelector:
|
|
matchLabels:
|
|
application: heat
|
|
- podSelector:
|
|
matchLabels:
|
|
application: glance
|
|
- podSelector:
|
|
matchLabels:
|
|
application: cinder
|
|
- podSelector:
|
|
matchLabels:
|
|
application: congress
|
|
- podSelector:
|
|
matchLabels:
|
|
application: barbican
|
|
- podSelector:
|
|
matchLabels:
|
|
application: ceilometer
|
|
- podSelector:
|
|
matchLabels:
|
|
application: horizon
|
|
- podSelector:
|
|
matchLabels:
|
|
application: ironic
|
|
- podSelector:
|
|
matchLabels:
|
|
application: magnum
|
|
- podSelector:
|
|
matchLabels:
|
|
application: mistral
|
|
- podSelector:
|
|
matchLabels:
|
|
application: nova
|
|
- podSelector:
|
|
matchLabels:
|
|
application: neutron
|
|
- podSelector:
|
|
matchLabels:
|
|
application: senlin
|
|
- podSelector:
|
|
matchLabels:
|
|
application: placement
|
|
- podSelector:
|
|
matchLabels:
|
|
application: prometheus-openstack-exporter
|
|
ports:
|
|
- protocol: TCP
|
|
port: 80
|
|
- protocol: TCP
|
|
port: 443
|
|
- protocol: TCP
|
|
port: 5000
|
|
- protocol: TCP
|
|
port: 35357
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
name: ceph
|
|
- to:
|
|
- podSelector:
|
|
matchLabels:
|
|
application: ceph
|
|
|
|
conf:
|
|
security: |
|
|
#
|
|
# Disable access to the entire file system except for the directories that
|
|
# are explicitly allowed later.
|
|
#
|
|
# This currently breaks the configurations that come with some web application
|
|
# Debian packages.
|
|
#
|
|
#<Directory />
|
|
# AllowOverride None
|
|
# Require all denied
|
|
#</Directory>
|
|
|
|
# Changing the following options will not really affect the security of the
|
|
# server, but might make attacks slightly more difficult in some cases.
|
|
|
|
#
|
|
# ServerTokens
|
|
# This directive configures what you return as the Server HTTP response
|
|
# Header. The default is 'Full' which sends information about the OS-Type
|
|
# and compiled in modules.
|
|
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
|
|
# where Full conveys the most information, and Prod the least.
|
|
ServerTokens Prod
|
|
|
|
#
|
|
# Optionally add a line containing the server version and virtual host
|
|
# name to server-generated pages (internal error documents, FTP directory
|
|
# listings, mod_status and mod_info output etc., but not CGI generated
|
|
# documents or custom error documents).
|
|
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
|
|
# Set to one of: On | Off | EMail
|
|
ServerSignature Off
|
|
|
|
#
|
|
# Allow TRACE method
|
|
#
|
|
# Set to "extended" to also reflect the request body (only for testing and
|
|
# diagnostic purposes).
|
|
#
|
|
# Set to one of: On | Off | extended
|
|
TraceEnable Off
|
|
|
|
#
|
|
# Forbid access to version control directories
|
|
#
|
|
# If you use version control systems in your document root, you should
|
|
# probably deny access to their directories. For example, for subversion:
|
|
#
|
|
#<DirectoryMatch "/\.svn">
|
|
# Require all denied
|
|
#</DirectoryMatch>
|
|
|
|
#
|
|
# Setting this header will prevent MSIE from interpreting files as something
|
|
# else than declared by the content type in the HTTP headers.
|
|
# Requires mod_headers to be enabled.
|
|
#
|
|
#Header set X-Content-Type-Options: "nosniff"
|
|
|
|
#
|
|
# Setting this header will prevent other sites from embedding pages from this
|
|
# site as frames. This defends against clickjacking attacks.
|
|
# Requires mod_headers to be enabled.
|
|
#
|
|
#Header set X-Frame-Options: "sameorigin"
|
|
software:
|
|
apache2:
|
|
binary: apache2
|
|
start_parameters: -DFOREGROUND
|
|
site_dir: /etc/apache2/sites-enable
|
|
conf_dir: /etc/apache2/conf-enabled
|
|
mods_dir: /etc/apache2/mods-available
|
|
a2enmod: null
|
|
a2dismod: null
|
|
keystone:
|
|
DEFAULT:
|
|
log_config_append: /etc/keystone/logging.conf
|
|
max_token_size: 255
|
|
#NOTE(rk760n): if you need auth notifications to be sent, uncomment it
|
|
#notification_opt_out: ""
|
|
token:
|
|
provider: fernet
|
|
# 12 hours
|
|
expiration: 43200
|
|
identity:
|
|
domain_specific_drivers_enabled: True
|
|
domain_config_dir: /etc/keystonedomains
|
|
fernet_tokens:
|
|
key_repository: /etc/keystone/fernet-keys/
|
|
credential:
|
|
key_repository: /etc/keystone/credential-keys/
|
|
database:
|
|
max_retries: -1
|
|
cache:
|
|
enabled: true
|
|
backend: dogpile.cache.memcached
|
|
oslo_messaging_notifications:
|
|
driver: messagingv2
|
|
oslo_messaging_rabbit:
|
|
rabbit_ha_queues: true
|
|
oslo_middleware:
|
|
enable_proxy_headers_parsing: true
|
|
security_compliance:
|
|
# NOTE(vdrok): The following two options have effect only for SQL backend
|
|
lockout_failure_attempts: 5
|
|
lockout_duration: 1800
|
|
# NOTE(lamt) We can leverage multiple domains with different
|
|
# configurations as outlined in
|
|
# https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
|
|
# A sample of the value override can be found in sample file:
|
|
# tools/overrides/example/keystone_domain_config.yaml
|
|
# ks_domains:
|
|
paste:
|
|
filter:debug:
|
|
use: egg:oslo.middleware#debug
|
|
filter:request_id:
|
|
use: egg:oslo.middleware#request_id
|
|
filter:build_auth_context:
|
|
use: egg:keystone#build_auth_context
|
|
filter:token_auth:
|
|
use: egg:keystone#token_auth
|
|
filter:json_body:
|
|
use: egg:keystone#json_body
|
|
filter:cors:
|
|
use: egg:oslo.middleware#cors
|
|
oslo_config_project: keystone
|
|
filter:http_proxy_to_wsgi:
|
|
use: egg:oslo.middleware#http_proxy_to_wsgi
|
|
filter:ec2_extension:
|
|
use: egg:keystone#ec2_extension
|
|
filter:ec2_extension_v3:
|
|
use: egg:keystone#ec2_extension_v3
|
|
filter:s3_extension:
|
|
use: egg:keystone#s3_extension
|
|
filter:url_normalize:
|
|
use: egg:keystone#url_normalize
|
|
filter:sizelimit:
|
|
use: egg:oslo.middleware#sizelimit
|
|
filter:osprofiler:
|
|
use: egg:osprofiler#osprofiler
|
|
app:public_service:
|
|
use: egg:keystone#public_service
|
|
app:service_v3:
|
|
use: egg:keystone#service_v3
|
|
app:admin_service:
|
|
use: egg:keystone#admin_service
|
|
pipeline:api_v3:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
|
|
app:public_version_service:
|
|
use: egg:keystone#public_version_service
|
|
app:admin_version_service:
|
|
use: egg:keystone#admin_version_service
|
|
pipeline:public_version_api:
|
|
pipeline: cors sizelimit osprofiler url_normalize public_version_service
|
|
pipeline:admin_version_api:
|
|
pipeline: cors sizelimit osprofiler url_normalize admin_version_service
|
|
composite:main:
|
|
use: egg:Paste#urlmap
|
|
/v3: api_v3
|
|
/: public_version_api
|
|
composite:admin:
|
|
use: egg:Paste#urlmap
|
|
/v3: api_v3
|
|
/: admin_version_api
|
|
policy:
|
|
admin_required: role:admin or is_admin:1
|
|
service_role: role:service
|
|
service_or_admin: rule:admin_required or rule:service_role
|
|
owner: user_id:%(user_id)s
|
|
admin_or_owner: rule:admin_required or rule:owner
|
|
token_subject: user_id:%(target.token.user_id)s
|
|
admin_or_token_subject: rule:admin_required or rule:token_subject
|
|
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
|
default: rule:admin_required
|
|
identity:get_region: ''
|
|
identity:list_regions: ''
|
|
identity:create_region: rule:admin_required
|
|
identity:update_region: rule:admin_required
|
|
identity:delete_region: rule:admin_required
|
|
identity:get_service: rule:admin_required
|
|
identity:list_services: rule:admin_required
|
|
identity:create_service: rule:admin_required
|
|
identity:update_service: rule:admin_required
|
|
identity:delete_service: rule:admin_required
|
|
identity:get_endpoint: rule:admin_required
|
|
identity:list_endpoints: rule:admin_required
|
|
identity:create_endpoint: rule:admin_required
|
|
identity:update_endpoint: rule:admin_required
|
|
identity:delete_endpoint: rule:admin_required
|
|
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
|
|
identity:list_domains: rule:admin_required
|
|
identity:create_domain: rule:admin_required
|
|
identity:update_domain: rule:admin_required
|
|
identity:delete_domain: rule:admin_required
|
|
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
|
|
identity:list_projects: rule:admin_required
|
|
identity:list_user_projects: rule:admin_or_owner
|
|
identity:create_project: rule:admin_required
|
|
identity:update_project: rule:admin_required
|
|
identity:delete_project: rule:admin_required
|
|
identity:get_user: rule:admin_or_owner
|
|
identity:list_users: rule:admin_required
|
|
identity:create_user: rule:admin_required
|
|
identity:update_user: rule:admin_required
|
|
identity:delete_user: rule:admin_required
|
|
identity:change_password: rule:admin_or_owner
|
|
identity:get_group: rule:admin_required
|
|
identity:list_groups: rule:admin_required
|
|
identity:list_groups_for_user: rule:admin_or_owner
|
|
identity:create_group: rule:admin_required
|
|
identity:update_group: rule:admin_required
|
|
identity:delete_group: rule:admin_required
|
|
identity:list_users_in_group: rule:admin_required
|
|
identity:remove_user_from_group: rule:admin_required
|
|
identity:check_user_in_group: rule:admin_required
|
|
identity:add_user_to_group: rule:admin_required
|
|
identity:get_credential: rule:admin_required
|
|
identity:list_credentials: rule:admin_required
|
|
identity:create_credential: rule:admin_required
|
|
identity:update_credential: rule:admin_required
|
|
identity:delete_credential: rule:admin_required
|
|
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_list_credentials: rule:admin_or_owner
|
|
identity:ec2_create_credential: rule:admin_or_owner
|
|
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:get_role: rule:admin_required
|
|
identity:list_roles: rule:admin_required
|
|
identity:create_role: rule:admin_required
|
|
identity:update_role: rule:admin_required
|
|
identity:delete_role: rule:admin_required
|
|
identity:get_domain_role: rule:admin_required
|
|
identity:list_domain_roles: rule:admin_required
|
|
identity:create_domain_role: rule:admin_required
|
|
identity:update_domain_role: rule:admin_required
|
|
identity:delete_domain_role: rule:admin_required
|
|
identity:get_implied_role: 'rule:admin_required '
|
|
identity:list_implied_roles: rule:admin_required
|
|
identity:create_implied_role: rule:admin_required
|
|
identity:delete_implied_role: rule:admin_required
|
|
identity:list_role_inference_rules: rule:admin_required
|
|
identity:check_implied_role: rule:admin_required
|
|
identity:check_grant: rule:admin_required
|
|
identity:list_grants: rule:admin_required
|
|
identity:create_grant: rule:admin_required
|
|
identity:revoke_grant: rule:admin_required
|
|
identity:list_role_assignments: rule:admin_required
|
|
identity:list_role_assignments_for_tree: rule:admin_required
|
|
identity:get_policy: rule:admin_required
|
|
identity:list_policies: rule:admin_required
|
|
identity:create_policy: rule:admin_required
|
|
identity:update_policy: rule:admin_required
|
|
identity:delete_policy: rule:admin_required
|
|
identity:check_token: rule:admin_or_token_subject
|
|
identity:validate_token: rule:service_admin_or_token_subject
|
|
identity:validate_token_head: rule:service_or_admin
|
|
identity:revocation_list: rule:service_or_admin
|
|
identity:revoke_token: rule:admin_or_token_subject
|
|
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
|
identity:list_trusts: ''
|
|
identity:list_roles_for_trust: ''
|
|
identity:get_role_for_trust: ''
|
|
identity:delete_trust: ''
|
|
identity:create_consumer: rule:admin_required
|
|
identity:get_consumer: rule:admin_required
|
|
identity:list_consumers: rule:admin_required
|
|
identity:delete_consumer: rule:admin_required
|
|
identity:update_consumer: rule:admin_required
|
|
identity:authorize_request_token: rule:admin_required
|
|
identity:list_access_token_roles: rule:admin_required
|
|
identity:get_access_token_role: rule:admin_required
|
|
identity:list_access_tokens: rule:admin_required
|
|
identity:get_access_token: rule:admin_required
|
|
identity:delete_access_token: rule:admin_required
|
|
identity:list_projects_for_endpoint: rule:admin_required
|
|
identity:add_endpoint_to_project: rule:admin_required
|
|
identity:check_endpoint_in_project: rule:admin_required
|
|
identity:list_endpoints_for_project: rule:admin_required
|
|
identity:remove_endpoint_from_project: rule:admin_required
|
|
identity:create_endpoint_group: rule:admin_required
|
|
identity:list_endpoint_groups: rule:admin_required
|
|
identity:get_endpoint_group: rule:admin_required
|
|
identity:update_endpoint_group: rule:admin_required
|
|
identity:delete_endpoint_group: rule:admin_required
|
|
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
|
identity:get_endpoint_group_in_project: rule:admin_required
|
|
identity:list_endpoint_groups_for_project: rule:admin_required
|
|
identity:add_endpoint_group_to_project: rule:admin_required
|
|
identity:remove_endpoint_group_from_project: rule:admin_required
|
|
identity:create_identity_provider: rule:admin_required
|
|
identity:list_identity_providers: rule:admin_required
|
|
identity:get_identity_provider: rule:admin_required
|
|
identity:update_identity_provider: rule:admin_required
|
|
identity:delete_identity_provider: rule:admin_required
|
|
identity:create_protocol: rule:admin_required
|
|
identity:update_protocol: rule:admin_required
|
|
identity:get_protocol: rule:admin_required
|
|
identity:list_protocols: rule:admin_required
|
|
identity:delete_protocol: rule:admin_required
|
|
identity:create_mapping: rule:admin_required
|
|
identity:get_mapping: rule:admin_required
|
|
identity:list_mappings: rule:admin_required
|
|
identity:delete_mapping: rule:admin_required
|
|
identity:update_mapping: rule:admin_required
|
|
identity:create_service_provider: rule:admin_required
|
|
identity:list_service_providers: rule:admin_required
|
|
identity:get_service_provider: rule:admin_required
|
|
identity:update_service_provider: rule:admin_required
|
|
identity:delete_service_provider: rule:admin_required
|
|
identity:get_auth_catalog: ''
|
|
identity:get_auth_projects: ''
|
|
identity:get_auth_domains: ''
|
|
identity:list_projects_for_user: ''
|
|
identity:list_domains_for_user: ''
|
|
identity:list_revoke_events: ''
|
|
identity:create_policy_association_for_endpoint: rule:admin_required
|
|
identity:check_policy_association_for_endpoint: rule:admin_required
|
|
identity:delete_policy_association_for_endpoint: rule:admin_required
|
|
identity:create_policy_association_for_service: rule:admin_required
|
|
identity:check_policy_association_for_service: rule:admin_required
|
|
identity:delete_policy_association_for_service: rule:admin_required
|
|
identity:create_policy_association_for_region_and_service: rule:admin_required
|
|
identity:check_policy_association_for_region_and_service: rule:admin_required
|
|
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
|
identity:get_policy_for_endpoint: rule:admin_required
|
|
identity:list_endpoints_for_policy: rule:admin_required
|
|
identity:create_domain_config: rule:admin_required
|
|
identity:get_domain_config: rule:admin_required
|
|
identity:update_domain_config: rule:admin_required
|
|
identity:delete_domain_config: rule:admin_required
|
|
identity:get_domain_config_default: rule:admin_required
|
|
rabbitmq:
|
|
#NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
|
|
policies:
|
|
- vhost: "keystone"
|
|
name: "ha_ttl_keystone"
|
|
definition:
|
|
#mirror messges to other nodes in rmq cluster
|
|
ha-mode: "all"
|
|
ha-sync-mode: "automatic"
|
|
#70s
|
|
message-ttl: 70000
|
|
priority: 0
|
|
apply-to: all
|
|
pattern: '^(?!amq\.).*'
|
|
rally_tests:
|
|
run_tempest: false
|
|
tests:
|
|
KeystoneBasic.add_and_remove_user_role:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.authenticate_user_and_validate_token:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_add_and_list_user_roles:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_delete_ec2credential:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_list_ec2credentials:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_delete_role:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_delete_service:
|
|
- args:
|
|
description: test_description
|
|
service_type: Rally_test_type
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_get_role:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_list_services:
|
|
- args:
|
|
description: test_description
|
|
service_type: Rally_test_type
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_list_tenants:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_and_list_users:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_delete_user:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_tenant:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_tenant_with_users:
|
|
- args:
|
|
users_per_tenant: 1
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_update_and_delete_tenant:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_user:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_user_set_enabled_and_delete:
|
|
- args:
|
|
enabled: true
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
- args:
|
|
enabled: false
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.create_user_update_password:
|
|
- args: {}
|
|
runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
KeystoneBasic.get_entities:
|
|
- runner:
|
|
concurrency: 1
|
|
times: 1
|
|
type: constant
|
|
sla:
|
|
failure_rate:
|
|
max: 0
|
|
mpm_event: |
|
|
<IfModule mpm_event_module>
|
|
ServerLimit 1024
|
|
StartServers 32
|
|
MinSpareThreads 32
|
|
MaxSpareThreads 256
|
|
ThreadsPerChild 25
|
|
MaxRequestsPerChild 128
|
|
ThreadLimit 720
|
|
</IfModule>
|
|
wsgi_keystone: |
|
|
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
|
|
Listen 0.0.0.0:{{ $portInt }}
|
|
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
|
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
|
|
<VirtualHost *:{{ $portInt }}>
|
|
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
|
WSGIProcessGroup keystone-public
|
|
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
WSGIPassAuthorization On
|
|
<IfVersion >= 2.4>
|
|
ErrorLogFormat "%{cu}t %M"
|
|
</IfVersion>
|
|
ErrorLog /dev/stdout
|
|
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
</VirtualHost>
|
|
sso_callback_template: |
|
|
<!DOCTYPE html>
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>Keystone WebSSO redirect</title>
|
|
</head>
|
|
<body>
|
|
<form id="sso" name="sso" action="$host" method="post">
|
|
Please wait...
|
|
<br/>
|
|
<input type="hidden" name="token" id="token" value="$token"/>
|
|
<noscript>
|
|
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
|
|
value="If your JavaScript is disabled, please click to continue"/>
|
|
</noscript>
|
|
</form>
|
|
<script type="text/javascript">
|
|
window.onload = function() {
|
|
document.forms['sso'].submit();
|
|
}
|
|
</script>
|
|
</body>
|
|
</html>
|
|
logging:
|
|
loggers:
|
|
keys:
|
|
- root
|
|
- keystone
|
|
handlers:
|
|
keys:
|
|
- stdout
|
|
- stderr
|
|
- "null"
|
|
formatters:
|
|
keys:
|
|
- context
|
|
- default
|
|
logger_root:
|
|
level: WARNING
|
|
handlers: stdout
|
|
logger_keystone:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: keystone
|
|
logger_amqp:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqp
|
|
logger_amqplib:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqplib
|
|
logger_eventletwsgi:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: eventlet.wsgi.server
|
|
logger_sqlalchemy:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: sqlalchemy
|
|
logger_boto:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: boto
|
|
handler_null:
|
|
class: logging.NullHandler
|
|
formatter: default
|
|
args: ()
|
|
handler_stdout:
|
|
class: StreamHandler
|
|
args: (sys.stdout,)
|
|
formatter: context
|
|
handler_stderr:
|
|
class: StreamHandler
|
|
args: (sys.stderr,)
|
|
formatter: context
|
|
formatter_context:
|
|
class: oslo_log.formatters.ContextFormatter
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
formatter_default:
|
|
format: "%(message)s"
|
|
datefmt: "%Y-%m-%d %H:%M:%S"
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: keystone-keystone-admin
|
|
test: keystone-keystone-test
|
|
oslo_db:
|
|
admin: keystone-db-admin
|
|
keystone: keystone-db-user
|
|
oslo_messaging:
|
|
admin: keystone-rabbitmq-admin
|
|
keystone: keystone-rabbitmq-user
|
|
ldap:
|
|
tls: keystone-ldap-tls
|
|
tls:
|
|
identity:
|
|
api:
|
|
public: keystone-tls-public
|
|
|
|
# typically overridden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
identity:
|
|
namespace: null
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
test:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: keystone-test
|
|
password: password
|
|
project_name: test
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
# NOTE(portdirect): to retain portability across images, and allow
|
|
# running under a unprivileged user simply, we default to a port > 1000.
|
|
internal: 5000
|
|
oslo_db:
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
keystone:
|
|
username: keystone
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /keystone
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
username: rabbitmq
|
|
password: password
|
|
keystone:
|
|
username: keystone
|
|
password: password
|
|
statefulset:
|
|
replicas: 2
|
|
name: rabbitmq-rabbitmq
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /keystone
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
http:
|
|
default: 15672
|
|
oslo_cache:
|
|
namespace: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
ldap:
|
|
auth:
|
|
client:
|
|
tls:
|
|
# NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
|
|
# /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
|
|
# following key will need to be overrided under section [ldap] or the
|
|
# correct domain-specific setting, else it will not be enabled:
|
|
#
|
|
# use_tls: true
|
|
# tls_req_cert: allow # Valid values: demand, never, allow
|
|
# tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
|
|
ca: null
|
|
fluentd:
|
|
namespace: null
|
|
name: fluentd
|
|
hosts:
|
|
default: fluentd-logging
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: 'http'
|
|
port:
|
|
service:
|
|
default: 24224
|
|
metrics:
|
|
default: 24220
|
|
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
|
# They are using to enable the Egress K8s network policy.
|
|
k8s:
|
|
port:
|
|
api:
|
|
default: 6443
|
|
internal: 5000
|
|
default:
|
|
namespace: default
|
|
kube_system:
|
|
namespace: kube-system
|
|
kube_public:
|
|
namespace: kube-public
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
cron_credential_rotate: true
|
|
cron_fernet_rotate: true
|
|
deployment_api: true
|
|
ingress_api: true
|
|
job_bootstrap: true
|
|
job_credential_cleanup: true
|
|
job_credential_setup: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_domain_manage: true
|
|
job_fernet_setup: true
|
|
job_image_repo_sync: true
|
|
job_rabbit_init: true
|
|
pdb_api: true
|
|
pod_rally_test: true
|
|
network_policy: false
|
|
secret_credential_keys: true
|
|
secret_db: true
|
|
secret_fernet_keys: true
|
|
secret_ingress_tls: true
|
|
secret_keystone: true
|
|
secret_rabbitmq: true
|
|
service_ingress_api: true
|
|
service_api: true
|