a4fa122e43
This PS makes the service-specific images for Keystone have explicit names, allowing simple over-riding of images for an entire site. Change-Id: I0b50d07fc0c2e00ab7803dd4c986c8a26e25ea49
615 lines
20 KiB
YAML
615 lines
20 KiB
YAML
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for keystone.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
labels:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
release_group: null
|
|
|
|
images:
|
|
tags:
|
|
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
test: docker.io/kolla/ubuntu-source-rally:4.0.0
|
|
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
keystone_db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
db_drop: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
keystone_fernet_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
keystone_fernet_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
keystone_credential_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
keystone_credential_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
keystone_api: docker.io/kolla/ubuntu-source-keystone:3.0.3
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
|
|
pull_policy: "IfNotPresent"
|
|
|
|
bootstrap:
|
|
enabled: true
|
|
script: |
|
|
openstack role add \
|
|
--user="${OS_USERNAME}" \
|
|
--user-domain="${OS_USER_DOMAIN_NAME}" \
|
|
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
|
|
--project="${OS_PROJECT_NAME}" \
|
|
"_member_"
|
|
|
|
network:
|
|
api:
|
|
port: 80
|
|
ingress:
|
|
public: true
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30500
|
|
admin:
|
|
port: 35357
|
|
node_port:
|
|
enabled: false
|
|
port: 30357
|
|
|
|
dependencies:
|
|
api:
|
|
jobs:
|
|
- keystone-db-sync
|
|
- keystone-credential-setup
|
|
# Comment line below when not running fernet tokens.
|
|
- keystone-fernet-setup
|
|
services:
|
|
- service: oslo_cache
|
|
endpoint: internal
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_init:
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_sync:
|
|
jobs:
|
|
- keystone-db-init
|
|
- keystone-credential-setup
|
|
# Comment line below when not running fernet tokens.
|
|
- keystone-fernet-setup
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_drop:
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
fernet_setup:
|
|
fernet_rotate:
|
|
jobs:
|
|
- keystone-fernet-setup
|
|
credential_setup:
|
|
credential_rotate:
|
|
jobs:
|
|
- keystone-credential-setup
|
|
tests:
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
bootstrap:
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
|
|
pod:
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
keystone_db_init:
|
|
init_container: null
|
|
keystone_db_init:
|
|
keystone_db_sync:
|
|
init_container: null
|
|
keystone_db_sync:
|
|
keystone_api:
|
|
init_container: null
|
|
keystone_api:
|
|
keystone_tests:
|
|
init_container: null
|
|
keystone_tests:
|
|
keystone_bootstrap:
|
|
init_container: null
|
|
keystone_bootstrap:
|
|
keystone_fernet_setup:
|
|
init_container: null
|
|
keystone_fernet_setup:
|
|
keystone_fernet_rotate:
|
|
init_container: null
|
|
keystone_fernet_rotate:
|
|
keystone_credential_setup:
|
|
init_container: null
|
|
keystone_credential_setup:
|
|
keystone_credential_rotate:
|
|
init_container: null
|
|
keystone_credential_rotate:
|
|
replicas:
|
|
api: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
api:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
api:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
fernet_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
fernet_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_setup:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
credential_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
jobs:
|
|
fernet_setup:
|
|
user: keystone
|
|
group: keystone
|
|
fernet_rotate:
|
|
# weekly
|
|
cron: "0 0 * * 0"
|
|
user: keystone
|
|
group: keystone
|
|
credential_setup:
|
|
user: keystone
|
|
group: keystone
|
|
credential_rotate:
|
|
# monthly
|
|
cron: "0 0 1 * *"
|
|
migrate_wait: 120
|
|
user: keystone
|
|
group: keystone
|
|
|
|
conf:
|
|
keystone:
|
|
DEFAULT:
|
|
max_token_size: 255
|
|
token:
|
|
provider: fernet
|
|
fernet_tokens:
|
|
key_repository: /etc/keystone/fernet-keys/
|
|
credential:
|
|
key_repository: /etc/keystone/credential-keys/
|
|
database:
|
|
max_retries: -1
|
|
cache:
|
|
enabled: true
|
|
backend: dogpile.cache.memcached
|
|
paste:
|
|
filter:debug:
|
|
use: egg:oslo.middleware#debug
|
|
filter:request_id:
|
|
use: egg:oslo.middleware#request_id
|
|
filter:build_auth_context:
|
|
use: egg:keystone#build_auth_context
|
|
filter:token_auth:
|
|
use: egg:keystone#token_auth
|
|
filter:json_body:
|
|
use: egg:keystone#json_body
|
|
filter:cors:
|
|
use: egg:oslo.middleware#cors
|
|
oslo_config_project: keystone
|
|
filter:http_proxy_to_wsgi:
|
|
use: egg:oslo.middleware#http_proxy_to_wsgi
|
|
filter:ec2_extension:
|
|
use: egg:keystone#ec2_extension
|
|
filter:ec2_extension_v3:
|
|
use: egg:keystone#ec2_extension_v3
|
|
filter:s3_extension:
|
|
use: egg:keystone#s3_extension
|
|
filter:url_normalize:
|
|
use: egg:keystone#url_normalize
|
|
filter:sizelimit:
|
|
use: egg:oslo.middleware#sizelimit
|
|
filter:osprofiler:
|
|
use: egg:osprofiler#osprofiler
|
|
app:public_service:
|
|
use: egg:keystone#public_service
|
|
app:service_v3:
|
|
use: egg:keystone#service_v3
|
|
app:admin_service:
|
|
use: egg:keystone#admin_service
|
|
pipeline:public_api:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
|
|
pipeline:admin_api:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
|
|
pipeline:api_v3:
|
|
pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
|
|
app:public_version_service:
|
|
use: egg:keystone#public_version_service
|
|
app:admin_version_service:
|
|
use: egg:keystone#admin_version_service
|
|
pipeline:public_version_api:
|
|
pipeline: cors sizelimit osprofiler url_normalize public_version_service
|
|
pipeline:admin_version_api:
|
|
pipeline: cors sizelimit osprofiler url_normalize admin_version_service
|
|
composite:main:
|
|
use: egg:Paste#urlmap
|
|
/v2.0: public_api
|
|
/v3: api_v3
|
|
/: public_version_api
|
|
composite:admin:
|
|
use: egg:Paste#urlmap
|
|
/v2.0: admin_api
|
|
/v3: api_v3
|
|
/: admin_version_api
|
|
policy:
|
|
admin_required: role:admin or is_admin:1
|
|
service_role: role:service
|
|
service_or_admin: rule:admin_required or rule:service_role
|
|
owner: user_id:%(user_id)s
|
|
admin_or_owner: rule:admin_required or rule:owner
|
|
token_subject: user_id:%(target.token.user_id)s
|
|
admin_or_token_subject: rule:admin_required or rule:token_subject
|
|
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
|
default: rule:admin_required
|
|
identity:get_region: ''
|
|
identity:list_regions: ''
|
|
identity:create_region: rule:admin_required
|
|
identity:update_region: rule:admin_required
|
|
identity:delete_region: rule:admin_required
|
|
identity:get_service: rule:admin_required
|
|
identity:list_services: rule:admin_required
|
|
identity:create_service: rule:admin_required
|
|
identity:update_service: rule:admin_required
|
|
identity:delete_service: rule:admin_required
|
|
identity:get_endpoint: rule:admin_required
|
|
identity:list_endpoints: rule:admin_required
|
|
identity:create_endpoint: rule:admin_required
|
|
identity:update_endpoint: rule:admin_required
|
|
identity:delete_endpoint: rule:admin_required
|
|
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
|
|
identity:list_domains: rule:admin_required
|
|
identity:create_domain: rule:admin_required
|
|
identity:update_domain: rule:admin_required
|
|
identity:delete_domain: rule:admin_required
|
|
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
|
|
identity:list_projects: rule:admin_required
|
|
identity:list_user_projects: rule:admin_or_owner
|
|
identity:create_project: rule:admin_required
|
|
identity:update_project: rule:admin_required
|
|
identity:delete_project: rule:admin_required
|
|
identity:get_user: rule:admin_or_owner
|
|
identity:list_users: rule:admin_required
|
|
identity:create_user: rule:admin_required
|
|
identity:update_user: rule:admin_required
|
|
identity:delete_user: rule:admin_required
|
|
identity:change_password: rule:admin_or_owner
|
|
identity:get_group: rule:admin_required
|
|
identity:list_groups: rule:admin_required
|
|
identity:list_groups_for_user: rule:admin_or_owner
|
|
identity:create_group: rule:admin_required
|
|
identity:update_group: rule:admin_required
|
|
identity:delete_group: rule:admin_required
|
|
identity:list_users_in_group: rule:admin_required
|
|
identity:remove_user_from_group: rule:admin_required
|
|
identity:check_user_in_group: rule:admin_required
|
|
identity:add_user_to_group: rule:admin_required
|
|
identity:get_credential: rule:admin_required
|
|
identity:list_credentials: rule:admin_required
|
|
identity:create_credential: rule:admin_required
|
|
identity:update_credential: rule:admin_required
|
|
identity:delete_credential: rule:admin_required
|
|
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_list_credentials: rule:admin_or_owner
|
|
identity:ec2_create_credential: rule:admin_or_owner
|
|
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:get_role: rule:admin_required
|
|
identity:list_roles: rule:admin_required
|
|
identity:create_role: rule:admin_required
|
|
identity:update_role: rule:admin_required
|
|
identity:delete_role: rule:admin_required
|
|
identity:get_domain_role: rule:admin_required
|
|
identity:list_domain_roles: rule:admin_required
|
|
identity:create_domain_role: rule:admin_required
|
|
identity:update_domain_role: rule:admin_required
|
|
identity:delete_domain_role: rule:admin_required
|
|
identity:get_implied_role: 'rule:admin_required '
|
|
identity:list_implied_roles: rule:admin_required
|
|
identity:create_implied_role: rule:admin_required
|
|
identity:delete_implied_role: rule:admin_required
|
|
identity:list_role_inference_rules: rule:admin_required
|
|
identity:check_implied_role: rule:admin_required
|
|
identity:check_grant: rule:admin_required
|
|
identity:list_grants: rule:admin_required
|
|
identity:create_grant: rule:admin_required
|
|
identity:revoke_grant: rule:admin_required
|
|
identity:list_role_assignments: rule:admin_required
|
|
identity:list_role_assignments_for_tree: rule:admin_required
|
|
identity:get_policy: rule:admin_required
|
|
identity:list_policies: rule:admin_required
|
|
identity:create_policy: rule:admin_required
|
|
identity:update_policy: rule:admin_required
|
|
identity:delete_policy: rule:admin_required
|
|
identity:check_token: rule:admin_or_token_subject
|
|
identity:validate_token: rule:service_admin_or_token_subject
|
|
identity:validate_token_head: rule:service_or_admin
|
|
identity:revocation_list: rule:service_or_admin
|
|
identity:revoke_token: rule:admin_or_token_subject
|
|
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
|
identity:list_trusts: ''
|
|
identity:list_roles_for_trust: ''
|
|
identity:get_role_for_trust: ''
|
|
identity:delete_trust: ''
|
|
identity:create_consumer: rule:admin_required
|
|
identity:get_consumer: rule:admin_required
|
|
identity:list_consumers: rule:admin_required
|
|
identity:delete_consumer: rule:admin_required
|
|
identity:update_consumer: rule:admin_required
|
|
identity:authorize_request_token: rule:admin_required
|
|
identity:list_access_token_roles: rule:admin_required
|
|
identity:get_access_token_role: rule:admin_required
|
|
identity:list_access_tokens: rule:admin_required
|
|
identity:get_access_token: rule:admin_required
|
|
identity:delete_access_token: rule:admin_required
|
|
identity:list_projects_for_endpoint: rule:admin_required
|
|
identity:add_endpoint_to_project: rule:admin_required
|
|
identity:check_endpoint_in_project: rule:admin_required
|
|
identity:list_endpoints_for_project: rule:admin_required
|
|
identity:remove_endpoint_from_project: rule:admin_required
|
|
identity:create_endpoint_group: rule:admin_required
|
|
identity:list_endpoint_groups: rule:admin_required
|
|
identity:get_endpoint_group: rule:admin_required
|
|
identity:update_endpoint_group: rule:admin_required
|
|
identity:delete_endpoint_group: rule:admin_required
|
|
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
|
identity:get_endpoint_group_in_project: rule:admin_required
|
|
identity:list_endpoint_groups_for_project: rule:admin_required
|
|
identity:add_endpoint_group_to_project: rule:admin_required
|
|
identity:remove_endpoint_group_from_project: rule:admin_required
|
|
identity:create_identity_provider: rule:admin_required
|
|
identity:list_identity_providers: rule:admin_required
|
|
identity:get_identity_providers: rule:admin_required
|
|
identity:update_identity_provider: rule:admin_required
|
|
identity:delete_identity_provider: rule:admin_required
|
|
identity:create_protocol: rule:admin_required
|
|
identity:update_protocol: rule:admin_required
|
|
identity:get_protocol: rule:admin_required
|
|
identity:list_protocols: rule:admin_required
|
|
identity:delete_protocol: rule:admin_required
|
|
identity:create_mapping: rule:admin_required
|
|
identity:get_mapping: rule:admin_required
|
|
identity:list_mappings: rule:admin_required
|
|
identity:delete_mapping: rule:admin_required
|
|
identity:update_mapping: rule:admin_required
|
|
identity:create_service_provider: rule:admin_required
|
|
identity:list_service_providers: rule:admin_required
|
|
identity:get_service_provider: rule:admin_required
|
|
identity:update_service_provider: rule:admin_required
|
|
identity:delete_service_provider: rule:admin_required
|
|
identity:get_auth_catalog: ''
|
|
identity:get_auth_projects: ''
|
|
identity:get_auth_domains: ''
|
|
identity:list_projects_for_user: ''
|
|
identity:list_domains_for_user: ''
|
|
identity:list_revoke_events: ''
|
|
identity:create_policy_association_for_endpoint: rule:admin_required
|
|
identity:check_policy_association_for_endpoint: rule:admin_required
|
|
identity:delete_policy_association_for_endpoint: rule:admin_required
|
|
identity:create_policy_association_for_service: rule:admin_required
|
|
identity:check_policy_association_for_service: rule:admin_required
|
|
identity:delete_policy_association_for_service: rule:admin_required
|
|
identity:create_policy_association_for_region_and_service: rule:admin_required
|
|
identity:check_policy_association_for_region_and_service: rule:admin_required
|
|
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
|
identity:get_policy_for_endpoint: rule:admin_required
|
|
identity:list_endpoints_for_policy: rule:admin_required
|
|
identity:create_domain_config: rule:admin_required
|
|
identity:get_domain_config: rule:admin_required
|
|
identity:update_domain_config: rule:admin_required
|
|
identity:delete_domain_config: rule:admin_required
|
|
identity:get_domain_config_default: rule:admin_required
|
|
rally_tests:
|
|
run_tempest: false
|
|
override:
|
|
append:
|
|
mpm_event:
|
|
override:
|
|
append:
|
|
wsgi_keystone:
|
|
override:
|
|
append:
|
|
sso_callback_template:
|
|
override:
|
|
append:
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: keystone-keystone-admin
|
|
oslo_db:
|
|
admin: keystone-db-admin
|
|
user: keystone-db-user
|
|
|
|
# typically overriden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
identity:
|
|
namespace: null
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
hosts:
|
|
default: keystone-api
|
|
public: keystone
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
admin:
|
|
default: 35357
|
|
api:
|
|
default: 80
|
|
oslo_db:
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
user:
|
|
username: keystone
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /keystone
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
username: admin
|
|
password: password
|
|
user:
|
|
username: keystone
|
|
password: password
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /openstack
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
oslo_cache:
|
|
namespace: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
cron_credential_rotate: true
|
|
cron_fernet_rotate: true
|
|
deployment_api: true
|
|
ingress_api: true
|
|
job_bootstrap: true
|
|
job_credential_setup: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_fernet_setup: true
|
|
pdb_api: true
|
|
pod_rally_test: true
|
|
secret_credential_keys: true
|
|
secret_db: true
|
|
secret_fernet_keys: true
|
|
secret_keystone: true
|
|
service_ingress_api: true
|
|
service_api: true
|