openstack-helm/keystone/values.yaml
Itxaka d4b8f16f26 keystone: default domain fix
Provide the default domain id and assign the admin
role to it on bootstrap.
Currently we cannot provide domain scoped tokens with
the admin user due to it not being assigned the admin
role for the default domain.

This patch makes it so we assign the proper role on bootstrap.

Depends-on: https://review.opendev.org/662992
Change-Id: Ide1918c1ed264ccc2998008b2334542e3d683bfc
2019-06-19 13:05:05 +00:00

1310 lines
38 KiB
YAML

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
bootstrap: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
test: docker.io/xrally/xrally-openstack:1.3.0
db_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
keystone_db_sync: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
db_drop: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
rabbit_init: docker.io/rabbitmq:3.7-management
keystone_fernet_setup: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
keystone_fernet_rotate: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
keystone_credential_setup: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
keystone_credential_rotate: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
keystone_credential_cleanup: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
keystone_api: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
keystone_domain_manage: docker.io/openstackhelm/keystone:ocata-ubuntu_xenial
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
bootstrap:
enabled: true
ks_user: admin
script: |
#NOTE(gagehugo): As of Rocky, keystone creates a member role by default
openstack role create --or-show member
openstack role add \
--user="${OS_USERNAME}" \
--user-domain="${OS_USER_DOMAIN_NAME}" \
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
--project="${OS_PROJECT_NAME}" \
"member"
# admin needs the admin role for the default domain
openstack role add \
--user="${OS_USERNAME}" \
--domain="${OS_DEFAULT_DOMAIN}" \
"admin"
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30500
admin:
node_port:
enabled: false
port: 30357
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- keystone-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
api:
jobs:
- keystone-db-sync
- keystone-credential-setup
- keystone-fernet-setup
- keystone-rabbit-init
services:
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: oslo_db
bootstrap:
jobs:
- keystone-domain-manage
services:
- endpoint: internal
service: identity
credential_rotate:
jobs:
- keystone-credential-setup
credential_setup: null
credential_cleanup:
services:
- endpoint: internal
service: oslo_db
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- keystone-db-init
- keystone-credential-setup
- keystone-fernet-setup
- keystone-rabbit-init
services:
- endpoint: internal
service: oslo_db
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
domain_manage:
services:
- endpoint: internal
service: identity
fernet_rotate:
jobs:
- keystone-fernet-setup
fernet_setup: null
tests:
services:
- endpoint: internal
service: identity
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
pod:
security_context:
keystone:
pod:
runAsUser: 42424
container:
keystone_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
mounts:
keystone_db_init:
init_container: null
keystone_db_init:
volumeMounts:
volumes:
keystone_db_sync:
init_container: null
keystone_db_sync:
volumeMounts:
volumes:
keystone_api:
init_container: null
keystone_api:
volumeMounts:
volumes:
keystone_tests:
init_container: null
keystone_tests:
volumeMounts:
volumes:
keystone_bootstrap:
init_container: null
keystone_bootstrap:
volumeMounts:
volumes:
keystone_fernet_setup:
init_container: null
keystone_fernet_setup:
volumeMounts:
volumes:
keystone_fernet_rotate:
init_container: null
keystone_fernet_rotate:
volumeMounts:
volumes:
keystone_credential_setup:
init_container: null
keystone_credential_setup:
volumeMounts:
volumes:
keystone_credential_rotate:
init_container: null
keystone_credential_rotate:
volumeMounts:
volumes:
keystone_credential_cleanup:
init_container: null
keystone_credential_cleanup:
volumeMounts:
volumes:
keystone_domain_manage:
init_container: null
keystone_domain_manage:
volumeMounts:
volumes:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
domain_manage:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
fernet_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
fernet_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_setup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
credential_cleanup:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
fernet_setup:
user: keystone
group: keystone
fernet_rotate:
# NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
# max_active_keys = (token_expiration / rotation_frequency) + 2
# as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
# 12 hours
cron: "0 */12 * * *"
user: keystone
group: keystone
history:
success: 3
failed: 1
credential_setup:
user: keystone
group: keystone
credential_rotate:
# monthly
cron: "0 0 1 * *"
migrate_wait: 120
user: keystone
group: keystone
history:
success: 3
failed: 1
network_policy:
keystone:
ingress:
- from:
- podSelector:
matchLabels:
application: ceph
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: prometheus-openstack-exporter
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- protocol: TCP
port: 5000
- protocol: TCP
port: 35357
egress:
- to:
- namespaceSelector:
matchLabels:
name: ceph
- to:
- podSelector:
matchLabels:
application: ceph
conf:
security: |
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Require all denied
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enable
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod: null
a2dismod: null
keystone:
DEFAULT:
log_config_append: /etc/keystone/logging.conf
max_token_size: 255
#NOTE(rk760n): if you need auth notifications to be sent, uncomment it
#notification_opt_out: ""
token:
provider: fernet
# 12 hours
expiration: 43200
identity:
domain_specific_drivers_enabled: True
domain_config_dir: /etc/keystonedomains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
credential:
key_repository: /etc/keystone/credential-keys/
database:
max_retries: -1
cache:
enabled: true
backend: dogpile.cache.memcached
oslo_messaging_notifications:
driver: messagingv2
oslo_messaging_rabbit:
rabbit_ha_queues: true
oslo_middleware:
enable_proxy_headers_parsing: true
security_compliance:
# NOTE(vdrok): The following two options have effect only for SQL backend
lockout_failure_attempts: 5
lockout_duration: 1800
# NOTE(lamt) We can leverage multiple domains with different
# configurations as outlined in
# https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
# A sample of the value override can be found in sample file:
# tools/overrides/example/keystone_domain_config.yaml
# ks_domains:
paste:
filter:debug:
use: egg:oslo.middleware#debug
filter:request_id:
use: egg:oslo.middleware#request_id
filter:build_auth_context:
use: egg:keystone#build_auth_context
filter:token_auth:
use: egg:keystone#token_auth
filter:json_body:
use: egg:keystone#json_body
filter:cors:
use: egg:oslo.middleware#cors
oslo_config_project: keystone
filter:http_proxy_to_wsgi:
use: egg:oslo.middleware#http_proxy_to_wsgi
filter:ec2_extension:
use: egg:keystone#ec2_extension
filter:ec2_extension_v3:
use: egg:keystone#ec2_extension_v3
filter:s3_extension:
use: egg:keystone#s3_extension
filter:url_normalize:
use: egg:keystone#url_normalize
filter:sizelimit:
use: egg:oslo.middleware#sizelimit
filter:osprofiler:
use: egg:osprofiler#osprofiler
app:public_service:
use: egg:keystone#public_service
app:service_v3:
use: egg:keystone#service_v3
app:admin_service:
use: egg:keystone#admin_service
pipeline:api_v3:
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
app:public_version_service:
use: egg:keystone#public_version_service
app:admin_version_service:
use: egg:keystone#admin_version_service
pipeline:public_version_api:
pipeline: cors sizelimit osprofiler url_normalize public_version_service
pipeline:admin_version_api:
pipeline: cors sizelimit osprofiler url_normalize admin_version_service
composite:main:
use: egg:Paste#urlmap
/v3: api_v3
/: public_version_api
composite:admin:
use: egg:Paste#urlmap
/v3: api_v3
/: admin_version_api
policy:
admin_required: role:admin or is_admin:1
service_role: role:service
service_or_admin: rule:admin_required or rule:service_role
owner: user_id:%(user_id)s
admin_or_owner: rule:admin_required or rule:owner
token_subject: user_id:%(target.token.user_id)s
admin_or_token_subject: rule:admin_required or rule:token_subject
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
default: rule:admin_required
identity:get_region: ''
identity:list_regions: ''
identity:create_region: rule:admin_required
identity:update_region: rule:admin_required
identity:delete_region: rule:admin_required
identity:get_service: rule:admin_required
identity:list_services: rule:admin_required
identity:create_service: rule:admin_required
identity:update_service: rule:admin_required
identity:delete_service: rule:admin_required
identity:get_endpoint: rule:admin_required
identity:list_endpoints: rule:admin_required
identity:create_endpoint: rule:admin_required
identity:update_endpoint: rule:admin_required
identity:delete_endpoint: rule:admin_required
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
identity:list_domains: rule:admin_required
identity:create_domain: rule:admin_required
identity:update_domain: rule:admin_required
identity:delete_domain: rule:admin_required
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
identity:list_projects: rule:admin_required
identity:list_user_projects: rule:admin_or_owner
identity:create_project: rule:admin_required
identity:update_project: rule:admin_required
identity:delete_project: rule:admin_required
identity:get_user: rule:admin_or_owner
identity:list_users: rule:admin_required
identity:create_user: rule:admin_required
identity:update_user: rule:admin_required
identity:delete_user: rule:admin_required
identity:change_password: rule:admin_or_owner
identity:get_group: rule:admin_required
identity:list_groups: rule:admin_required
identity:list_groups_for_user: rule:admin_or_owner
identity:create_group: rule:admin_required
identity:update_group: rule:admin_required
identity:delete_group: rule:admin_required
identity:list_users_in_group: rule:admin_required
identity:remove_user_from_group: rule:admin_required
identity:check_user_in_group: rule:admin_required
identity:add_user_to_group: rule:admin_required
identity:get_credential: rule:admin_required
identity:list_credentials: rule:admin_required
identity:create_credential: rule:admin_required
identity:update_credential: rule:admin_required
identity:delete_credential: rule:admin_required
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:ec2_list_credentials: rule:admin_or_owner
identity:ec2_create_credential: rule:admin_or_owner
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:get_role: rule:admin_required
identity:list_roles: rule:admin_required
identity:create_role: rule:admin_required
identity:update_role: rule:admin_required
identity:delete_role: rule:admin_required
identity:get_domain_role: rule:admin_required
identity:list_domain_roles: rule:admin_required
identity:create_domain_role: rule:admin_required
identity:update_domain_role: rule:admin_required
identity:delete_domain_role: rule:admin_required
identity:get_implied_role: 'rule:admin_required '
identity:list_implied_roles: rule:admin_required
identity:create_implied_role: rule:admin_required
identity:delete_implied_role: rule:admin_required
identity:list_role_inference_rules: rule:admin_required
identity:check_implied_role: rule:admin_required
identity:check_grant: rule:admin_required
identity:list_grants: rule:admin_required
identity:create_grant: rule:admin_required
identity:revoke_grant: rule:admin_required
identity:list_role_assignments: rule:admin_required
identity:list_role_assignments_for_tree: rule:admin_required
identity:get_policy: rule:admin_required
identity:list_policies: rule:admin_required
identity:create_policy: rule:admin_required
identity:update_policy: rule:admin_required
identity:delete_policy: rule:admin_required
identity:check_token: rule:admin_or_token_subject
identity:validate_token: rule:service_admin_or_token_subject
identity:validate_token_head: rule:service_or_admin
identity:revocation_list: rule:service_or_admin
identity:revoke_token: rule:admin_or_token_subject
identity:create_trust: user_id:%(trust.trustor_user_id)s
identity:list_trusts: ''
identity:list_roles_for_trust: ''
identity:get_role_for_trust: ''
identity:delete_trust: ''
identity:create_consumer: rule:admin_required
identity:get_consumer: rule:admin_required
identity:list_consumers: rule:admin_required
identity:delete_consumer: rule:admin_required
identity:update_consumer: rule:admin_required
identity:authorize_request_token: rule:admin_required
identity:list_access_token_roles: rule:admin_required
identity:get_access_token_role: rule:admin_required
identity:list_access_tokens: rule:admin_required
identity:get_access_token: rule:admin_required
identity:delete_access_token: rule:admin_required
identity:list_projects_for_endpoint: rule:admin_required
identity:add_endpoint_to_project: rule:admin_required
identity:check_endpoint_in_project: rule:admin_required
identity:list_endpoints_for_project: rule:admin_required
identity:remove_endpoint_from_project: rule:admin_required
identity:create_endpoint_group: rule:admin_required
identity:list_endpoint_groups: rule:admin_required
identity:get_endpoint_group: rule:admin_required
identity:update_endpoint_group: rule:admin_required
identity:delete_endpoint_group: rule:admin_required
identity:list_projects_associated_with_endpoint_group: rule:admin_required
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
identity:get_endpoint_group_in_project: rule:admin_required
identity:list_endpoint_groups_for_project: rule:admin_required
identity:add_endpoint_group_to_project: rule:admin_required
identity:remove_endpoint_group_from_project: rule:admin_required
identity:create_identity_provider: rule:admin_required
identity:list_identity_providers: rule:admin_required
identity:get_identity_provider: rule:admin_required
identity:update_identity_provider: rule:admin_required
identity:delete_identity_provider: rule:admin_required
identity:create_protocol: rule:admin_required
identity:update_protocol: rule:admin_required
identity:get_protocol: rule:admin_required
identity:list_protocols: rule:admin_required
identity:delete_protocol: rule:admin_required
identity:create_mapping: rule:admin_required
identity:get_mapping: rule:admin_required
identity:list_mappings: rule:admin_required
identity:delete_mapping: rule:admin_required
identity:update_mapping: rule:admin_required
identity:create_service_provider: rule:admin_required
identity:list_service_providers: rule:admin_required
identity:get_service_provider: rule:admin_required
identity:update_service_provider: rule:admin_required
identity:delete_service_provider: rule:admin_required
identity:get_auth_catalog: ''
identity:get_auth_projects: ''
identity:get_auth_domains: ''
identity:list_projects_for_user: ''
identity:list_domains_for_user: ''
identity:list_revoke_events: ''
identity:create_policy_association_for_endpoint: rule:admin_required
identity:check_policy_association_for_endpoint: rule:admin_required
identity:delete_policy_association_for_endpoint: rule:admin_required
identity:create_policy_association_for_service: rule:admin_required
identity:check_policy_association_for_service: rule:admin_required
identity:delete_policy_association_for_service: rule:admin_required
identity:create_policy_association_for_region_and_service: rule:admin_required
identity:check_policy_association_for_region_and_service: rule:admin_required
identity:delete_policy_association_for_region_and_service: rule:admin_required
identity:get_policy_for_endpoint: rule:admin_required
identity:list_endpoints_for_policy: rule:admin_required
identity:create_domain_config: rule:admin_required
identity:get_domain_config: rule:admin_required
identity:update_domain_config: rule:admin_required
identity:delete_domain_config: rule:admin_required
identity:get_domain_config_default: rule:admin_required
rabbitmq:
#NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
policies:
- vhost: "keystone"
name: "ha_ttl_keystone"
definition:
#mirror messges to other nodes in rmq cluster
ha-mode: "all"
ha-sync-mode: "automatic"
#70s
message-ttl: 70000
priority: 0
apply-to: all
pattern: '^(?!amq\.).*'
rally_tests:
run_tempest: false
tests:
KeystoneBasic.add_and_remove_user_role:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.authenticate_user_and_validate_token:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_add_and_list_user_roles:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_ec2credential:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_ec2credentials:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_role:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_delete_service:
- args:
description: test_description
service_type: Rally_test_type
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_get_role:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_services:
- args:
description: test_description
service_type: Rally_test_type
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_tenants:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_and_list_users:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_delete_user:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_tenant:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_tenant_with_users:
- args:
users_per_tenant: 1
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_update_and_delete_tenant:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user_set_enabled_and_delete:
- args:
enabled: true
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
- args:
enabled: false
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.create_user_update_password:
- args: {}
runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
KeystoneBasic.get_entities:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_keystone: |
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen 0.0.0.0:{{ $portInt }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ $portInt }}>
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</VirtualHost>
sso_callback_template: |
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Keystone WebSSO redirect</title>
</head>
<body>
<form id="sso" name="sso" action="$host" method="post">
Please wait...
<br/>
<input type="hidden" name="token" id="token" value="$token"/>
<noscript>
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
value="If your JavaScript is disabled, please click to continue"/>
</noscript>
</form>
<script type="text/javascript">
window.onload = function() {
document.forms['sso'].submit();
}
</script>
</body>
</html>
logging:
loggers:
keys:
- root
- keystone
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: stdout
logger_keystone:
level: INFO
handlers:
- stdout
qualname: keystone
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
datefmt: "%Y-%m-%d %H:%M:%S"
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: keystone-keystone-admin
test: keystone-keystone-test
oslo_db:
admin: keystone-db-admin
keystone: keystone-db-user
oslo_messaging:
admin: keystone-rabbitmq-admin
keystone: keystone-rabbitmq-user
ldap:
tls: keystone-ldap-tls
tls:
identity:
api:
public: keystone-tls-public
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
identity:
namespace: null
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
default_domain_id: default
test:
role: admin
region_name: RegionOne
username: keystone-test
password: password
project_name: test
user_domain_name: default
project_domain_name: default
default_domain_id: default
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
# NOTE(portdirect): to retain portability across images, and allow
# running under a unprivileged user simply, we default to a port > 1000.
internal: 5000
oslo_db:
namespace: null
auth:
admin:
username: root
password: password
keystone:
username: keystone
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /keystone
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
namespace: null
auth:
admin:
username: rabbitmq
password: password
keystone:
username: keystone
password: password
statefulset:
replicas: 2
name: rabbitmq-rabbitmq
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /keystone
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
oslo_cache:
namespace: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
ldap:
auth:
client:
tls:
# NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
# /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
# following key will need to be overrided under section [ldap] or the
# correct domain-specific setting, else it will not be enabled:
#
# use_tls: true
# tls_req_cert: allow # Valid values: demand, never, allow
# tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
ca: null
fluentd:
namespace: null
name: fluentd
hosts:
default: fluentd-logging
host_fqdn_override:
default: null
path:
default: null
scheme: 'http'
port:
service:
default: 24224
metrics:
default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
# They are using to enable the Egress K8s network policy.
k8s:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system
kube_public:
namespace: kube-public
manifests:
configmap_bin: true
configmap_etc: true
cron_credential_rotate: true
cron_fernet_rotate: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_credential_cleanup: true
job_credential_setup: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_domain_manage: true
job_fernet_setup: true
job_image_repo_sync: true
job_rabbit_init: true
pdb_api: true
pod_rally_test: true
network_policy: false
secret_credential_keys: true
secret_db: true
secret_fernet_keys: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true
service_api: true