openstack-helm/panko/values.yaml
Gage Hugo f9dbba7043 Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set""
This reverts commit 90d070390d.

Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f
2020-02-21 11:16:55 -06:00

625 lines
15 KiB
YAML

# Copyright 2019 Wind River Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for panko.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
release_group: null
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
tags:
test: docker.io/xrally/xrally-openstack:1.3.0
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
db_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
db_drop: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
bootstrap: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
panko_db_sync: docker.io/kolla/ubuntu-source-panko-api:ocata
ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
ks_service: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
ks_endpoints: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
panko_api: docker.io/kolla/ubuntu-source-panko-api:ocata
panko_events_cleaner: docker.io/kolla/ubuntu-source-panko-base:ocata
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
jobs:
events_cleaner:
# hourly
cron: "0 * * * *"
history:
success: 3
failed: 1
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 8977
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- panko-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
api:
jobs:
- panko-db-sync
- panko-ks-user
- panko-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
events_cleaner:
jobs:
- panko-db-sync
- panko-ks-user
- panko-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
bootstrap:
services:
- endpoint: internal
service: identity
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- panko-db-init
services:
- endpoint: internal
service: oslo_db
db_drop:
services:
- endpoint: internal
service: oslo_db
ks_endpoints:
jobs:
- panko-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
tests:
jobs:
- panko-db-sync
services:
- endpoint: internal
service: identity
- endpoint: internal
service: oslo_db
- endpoint: internal
service: event
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: panko-keystone-admin
panko: panko-keystone-user
test: panko-keystone-test
oslo_db:
admin: panko-db-admin
panko: panko-db-user
tls:
event:
api:
public: panko-tls-public
bootstrap:
enabled: false
ks_user: panko
script: |
openstack token issue
conf:
rally_tests:
run_tempest: false
tests:
CeilometerEvents.create_user_and_get_event:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
CeilometerEvents.create_user_and_list_event_types:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
CeilometerEvents.create_user_and_list_events:
- runner:
concurrency: 1
times: 1
type: constant
sla:
failure_rate:
max: 0
wsgi_panko: |
Listen 0.0.0.0:{{ tuple "event" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "event" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
WSGIDaemonProcess panko processes=2 threads=1 user=panko group=panko display-name=%{GROUP}
WSGIProcessGroup panko
WSGIScriptAlias / /var/www/cgi-bin/panko/panko-api
WSGIApplicationGroup %{GLOBAL}
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</VirtualHost>
paste:
pipeline:main:
pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server
app:api-server:
paste.app_factory: panko.api.app:app_factory
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
oslo_config_project: panko
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: panko
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
oslo_config_project: panko
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/panko/api_audit_map.conf
policy:
context_is_admin: role:admin
segregation: rule:context_is_admin
telemetry:events:index: ''
telemetry:events:show: ''
panko:
DEFAULT:
debug: false
log_config_append: /etc/panko/logging.conf
oslo_middleware:
enable_proxy_headers_parsing: true
database:
event_time_to_live: 86400
max_retries: -1
keystone_authtoken:
auth_version: v3
auth_type: password
memcache_security_strategy: ENCRYPT
logging:
loggers:
keys:
- root
- panko
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: 'null'
logger_panko:
level: INFO
handlers:
- stdout
qualname: panko
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
formatter_default:
format: "%(message)s"
api_audit_map:
DEFAULT:
target_endpoint_type: event
path_keywords:
events: message_id
capabilities: None
event_types: event_type
traits: event_type
service_endpoints:
event: service/event
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
panko:
role: admin
region_name: RegionOne
username: panko
password: password
project_name: service
user_domain_name: service
project_domain_name: service
test:
role: admin
region_name: RegionOne
username: test
password: password
project_name: test
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: 'http'
port:
api:
default: 80
internal: 5000
event:
name: panko
hosts:
default: panko-api
public: panko
host_fqdn_override:
default: null
# NOTE: this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
default: 'http'
port:
api:
default: 8977
public: 80
oslo_db:
auth:
admin:
username: root
password: password
panko:
username: panko
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /panko
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE: this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
fluentd:
namespace: null
name: fluentd
hosts:
default: fluentd-logging
host_fqdn_override:
default: null
path:
default: null
scheme: 'http'
port:
service:
default: 24224
metrics:
default: 24220
network_policy:
panko:
ingress:
- {}
egress:
- {}
pod:
security_context:
panko:
pod:
runAsUser: 42438
container:
panko_api:
runAsUser: 0
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
mounts:
panko_api:
init_container: null
panko_api:
volumeMounts:
volumes:
panko_events_cleaner:
init_container: null
panko_events_cleaner:
volumeMounts:
volumes:
panko_bootstrap:
init_container: null
panko_bootstrap:
volumeMounts:
volumes:
panko_tests:
init_container: null
panko_tests:
volumeMounts:
volumes:
panko_db_sync:
panko_db_sync:
volumeMounts:
volumes:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 600
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
events_cleaner:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_etc: true
cron_job_events_cleaner: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_db_drop: false
job_db_init: true
job_image_repo_sync: true
job_db_sync: true
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
network_policy: false
pdb_api: true
pod_rally_test: true
secret_db: true
secret_keystone: true
secret_ingress_tls: true
service_api: true
service_ingress_api: true