9c13e80492
This change adds the keystonemiddleware audit paste filter[0] and enables it for the heat-api, heat-cfn, and heat-cloudwatch services. This provides the ability to audit API requests for heat. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: Ib5a7dfd882416553ff6f43aa009e3e67871d7f4c
146 lines
8.3 KiB
YAML
146 lines
8.3 KiB
YAML
{{/*
|
|
Copyright 2017 The Openstack-Helm Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
{{- if .Values.manifests.configmap_etc }}
|
|
{{- $envAll := . }}
|
|
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.auth_uri -}}
|
|
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken "auth_uri" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.auth_url -}}
|
|
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken "auth_url" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.region_name -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "region_name" .Values.endpoints.identity.auth.heat.region_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.project_name -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "project_name" .Values.endpoints.identity.auth.heat.project_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.project_domain_name -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.heat.project_domain_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.user_domain_name -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.heat.user_domain_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.username -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "username" .Values.endpoints.identity.auth.heat.username -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.password -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "password" .Values.endpoints.identity.auth.heat.password -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.trustee.region_name -}}
|
|
{{- $_ := set .Values.conf.heat.trustee "region_name" .Values.endpoints.identity.auth.heat_trustee.region_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.trustee.user_domain_name -}}
|
|
{{- $_ := set .Values.conf.heat.trustee "user_domain_name" .Values.endpoints.identity.auth.heat_trustee.user_domain_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.trustee.username -}}
|
|
{{- $_ := set .Values.conf.heat.trustee "username" .Values.endpoints.identity.auth.heat_trustee.username -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.trustee.password -}}
|
|
{{- $_ := set .Values.conf.heat.trustee "password" .Values.endpoints.identity.auth.heat_trustee.password -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.DEFAULT.stack_user_domain_name -}}
|
|
{{- $_ := set .Values.conf.heat.DEFAULT "stack_user_domain_name" .Values.endpoints.identity.auth.heat_stack_user.domain_name -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.DEFAULT.stack_domain_admin -}}
|
|
{{- $_ := set .Values.conf.heat.DEFAULT "stack_domain_admin" .Values.endpoints.identity.auth.heat_stack_user.username -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.DEFAULT.stack_domain_admin_password -}}
|
|
{{- $_ := set .Values.conf.heat.DEFAULT "stack_domain_admin_password" .Values.endpoints.identity.auth.heat_stack_user.password -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.memcached_servers -}}
|
|
{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken "memcached_servers" -}}
|
|
{{- end -}}
|
|
{{- if empty .Values.conf.heat.keystone_authtoken.memcache_secret_key -}}
|
|
{{- $_ := set .Values.conf.heat.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.database.connection -}}
|
|
{{- $_ := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.heat.database "connection" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.DEFAULT.transport_url -}}
|
|
{{- $_ := tuple "oslo_messaging" "internal" "heat" "amqp" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.heat.DEFAULT "transport_url" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.DEFAULT.heat_metadata_server_url -}}
|
|
{{- $_ := tuple "cloudformation" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.cloudformation.path.default | set .Values.conf.heat.DEFAULT "heat_metadata_server_url" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.DEFAULT.heat_waitcondition_server_url -}}
|
|
{{- $_ := cat (tuple "cloudformation" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup") "waitcondition" | replace " " "/" | set .Values.conf.heat.DEFAULT "heat_waitcondition_server_url" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.DEFAULT.heat_watch_server_url -}}
|
|
{{- $_ := tuple "cloudwatch" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix "/" | set .Values.conf.heat.DEFAULT "heat_watch_server_url" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.clients_keystone.auth_uri -}}
|
|
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | set .Values.conf.heat.clients_keystone "auth_uri" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.trustee.auth_url -}}
|
|
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | set .Values.conf.heat.trustee "auth_url" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.heat_api.bind_port -}}
|
|
{{- $_ := tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.heat_api_cloudwatch.bind_port -}}
|
|
{{- $_ := tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
|
|
{{- end -}}
|
|
|
|
{{- if empty .Values.conf.heat.heat_api_cfn.bind_port -}}
|
|
{{- $_ := tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
|
|
{{- end -}}
|
|
|
|
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
|
|
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
|
|
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
|
|
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
|
|
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
|
|
{{- end -}}
|
|
|
|
{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
|
|
{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
|
|
{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
|
|
{{- end -}}
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: heat-etc
|
|
type: Opaque
|
|
data:
|
|
rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
|
|
heat.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.heat | b64enc }}
|
|
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
|
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
|
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
|
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
|
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
|
|
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
|
|
{{- end }}
|
|
{{- end }}
|