Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / 6f6ddece28701d89203d4289211dd9c7bf670bfb / . / charts / keystone / values.yaml
blob: ab2e1ed0d1c1ddb46bf70ddf133855fd33757436 [file] [log] [blame]
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]1# Licensed under the Apache License, Version 2.0 (the "License");
2# you may not use this file except in compliance with the License.
3# You may obtain a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS,
9# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10# See the License for the specific language governing permissions and
11# limitations under the License.
12
13# Default values for keystone.
14# This is a YAML-formatted file.
15# Declare name/value pairs to be passed into your templates.
16# name: value
17
18---
19labels:
20 api:
21 node_selector_key: openstack-control-plane
22 node_selector_value: enabled
23 job:
24 node_selector_key: openstack-control-plane
25 node_selector_value: enabled
26 test:
27 node_selector_key: openstack-control-plane
28 node_selector_value: enabled
29
30release_group: null
31
32# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
33# Set to false to upgrade using helm2
34helm3_hook: true
35
36images:
37 tags:
Oleksandr K.582fd5e2024-07-19 04:39:01 +0200[diff] [blame]38 bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]39 test: docker.io/xrally/xrally-openstack:2.0.0
Oleksandr K.582fd5e2024-07-19 04:39:01 +0200[diff] [blame]40 db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
41 keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
42 db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
43 ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
44 rabbit_init: docker.io/rabbitmq:3.13-management
45 keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
46 keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
47 keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
48 keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
49 keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
50 keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
51 keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
52 dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]53 image_repo_sync: docker.io/docker:17.07.0
54 pull_policy: "IfNotPresent"
55 local_registry:
56 active: false
57 exclude:
58 - dep_check
59 - image_repo_sync
60
61bootstrap:
62 enabled: true
63 ks_user: admin
64 script: |
65 # admin needs the admin role for the default domain
66 openstack role add \
67 --user="${OS_USERNAME}" \
68 --domain="${OS_DEFAULT_DOMAIN}" \
69 "admin"
70
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]71network:
72 api:
73 ingress:
74 public: true
75 classes:
76 namespace: "nginx"
77 cluster: "nginx-cluster"
78 annotations:
79 nginx.ingress.kubernetes.io/rewrite-target: /
80 external_policy_local: false
81 node_port:
82 enabled: false
83 port: 30500
84 admin:
85 node_port:
86 enabled: false
87 port: 30357
88
89dependencies:
90 dynamic:
91 common:
92 local_image_registry:
93 jobs:
94 - keystone-image-repo-sync
95 services:
96 - endpoint: node
97 service: local_image_registry
98 rabbit_init:
99 services:
100 - service: oslo_messaging
101 endpoint: internal
102 static:
103 api:
104 jobs:
105 - keystone-db-sync
106 - keystone-credential-setup
107 - keystone-fernet-setup
108 services:
109 - endpoint: internal
110 service: oslo_cache
111 - endpoint: internal
112 service: oslo_db
113 bootstrap:
114 jobs:
115 - keystone-domain-manage
116 services:
117 - endpoint: internal
118 service: identity
119 credential_rotate:
120 jobs:
121 - keystone-credential-setup
122 credential_setup: null
123 credential_cleanup:
124 services:
125 - endpoint: internal
126 service: oslo_db
127 db_drop:
128 services:
129 - endpoint: internal
130 service: oslo_db
131 db_init:
132 services:
133 - endpoint: internal
134 service: oslo_db
135 db_sync:
136 jobs:
137 - keystone-db-init
138 - keystone-credential-setup
139 - keystone-fernet-setup
140 services:
141 - endpoint: internal
142 service: oslo_db
143 domain_manage:
144 services:
145 - endpoint: internal
146 service: identity
147 fernet_rotate:
148 jobs:
149 - keystone-fernet-setup
150 fernet_setup: null
151 tests:
152 services:
153 - endpoint: internal
154 service: identity
155 image_repo_sync:
156 services:
157 - endpoint: internal
158 service: local_image_registry
159
160pod:
161 security_context:
162 keystone:
163 pod:
164 runAsUser: 42424
165 container:
166 keystone_api:
167 readOnlyRootFilesystem: true
168 allowPrivilegeEscalation: false
169 credential_setup:
170 pod:
171 runAsUser: 42424
172 container:
173 keystone_credential_setup:
174 readOnlyRootFilesystem: true
175 allowPrivilegeEscalation: false
176 fernet_setup:
177 pod:
178 runAsUser: 42424
179 container:
180 keystone_fernet_setup:
181 readOnlyRootFilesystem: true
182 allowPrivilegeEscalation: false
183 fernet_rotate:
184 pod:
185 runAsUser: 42424
186 container:
187 keystone_fernet_rotate:
188 readOnlyRootFilesystem: true
189 allowPrivilegeEscalation: false
190 domain_manage:
191 pod:
192 runAsUser: 42424
193 container:
194 keystone_domain_manage_init:
195 readOnlyRootFilesystem: true
196 allowPrivilegeEscalation: false
197 keystone_domain_manage:
198 readOnlyRootFilesystem: true
199 allowPrivilegeEscalation: false
200 test:
201 pod:
202 runAsUser: 42424
203 container:
204 keystone_test_ks_user:
205 readOnlyRootFilesystem: true
206 allowPrivilegeEscalation: false
207 keystone_test:
208 runAsUser: 65500
209 readOnlyRootFilesystem: true
210 allowPrivilegeEscalation: false
211 affinity:
212 anti:
213 type:
214 default: preferredDuringSchedulingIgnoredDuringExecution
215 topologyKey:
216 default: kubernetes.io/hostname
217 weight:
218 default: 10
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]219 tolerations:
220 keystone:
221 enabled: false
222 tolerations:
223 - key: node-role.kubernetes.io/master
224 operator: Exists
225 effect: NoSchedule
Rico Linc6ac7a12023-11-03 00:25:40 +0800[diff] [blame]226 - key: node-role.kubernetes.io/control-plane
227 operator: Exists
228 effect: NoSchedule
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]229 mounts:
230 keystone_db_init:
231 init_container: null
232 keystone_db_init:
233 volumeMounts:
234 volumes:
235 keystone_db_sync:
236 init_container: null
237 keystone_db_sync:
238 volumeMounts:
239 volumes:
240 keystone_api:
241 init_container: null
242 keystone_api:
243 volumeMounts:
244 volumes:
245 keystone_tests:
246 init_container: null
247 keystone_tests:
248 volumeMounts:
249 volumes:
250 keystone_bootstrap:
251 init_container: null
252 keystone_bootstrap:
253 volumeMounts:
254 volumes:
255 keystone_fernet_setup:
256 init_container: null
257 keystone_fernet_setup:
258 volumeMounts:
259 volumes:
260 keystone_fernet_rotate:
261 init_container: null
262 keystone_fernet_rotate:
263 volumeMounts:
264 volumes:
265 keystone_credential_setup:
266 init_container: null
267 keystone_credential_setup:
268 volumeMounts:
269 volumes:
270 keystone_credential_rotate:
271 init_container: null
272 keystone_credential_rotate:
273 volumeMounts:
274 volumes:
275 keystone_credential_cleanup:
276 init_container: null
277 keystone_credential_cleanup:
278 volumeMounts:
279 volumes:
280 keystone_domain_manage:
281 init_container: null
282 keystone_domain_manage:
283 volumeMounts:
284 volumes:
285 replicas:
286 api: 1
287 lifecycle:
288 upgrades:
289 deployments:
290 revision_history: 3
291 pod_replacement_strategy: RollingUpdate
292 rolling_update:
293 max_unavailable: 1
294 max_surge: 3
295 disruption_budget:
296 api:
297 min_available: 0
298 termination_grace_period:
299 api:
300 timeout: 30
301 resources:
302 enabled: false
303 api:
304 requests:
305 memory: "128Mi"
306 cpu: "100m"
307 limits:
308 memory: "1024Mi"
309 cpu: "2000m"
310 jobs:
311 bootstrap:
312 requests:
313 memory: "128Mi"
314 cpu: "100m"
315 limits:
316 memory: "1024Mi"
317 cpu: "2000m"
318 domain_manage:
319 requests:
320 memory: "128Mi"
321 cpu: "100m"
322 limits:
323 memory: "1024Mi"
324 cpu: "2000m"
325 db_init:
326 requests:
327 memory: "128Mi"
328 cpu: "100m"
329 limits:
330 memory: "1024Mi"
331 cpu: "2000m"
332 db_sync:
333 requests:
334 memory: "128Mi"
335 cpu: "100m"
336 limits:
337 memory: "1024Mi"
338 cpu: "2000m"
339 db_drop:
340 requests:
341 memory: "128Mi"
342 cpu: "100m"
343 limits:
344 memory: "1024Mi"
345 cpu: "2000m"
346 rabbit_init:
347 requests:
348 memory: "128Mi"
349 cpu: "100m"
350 limits:
351 memory: "1024Mi"
352 cpu: "2000m"
353 tests:
354 requests:
355 memory: "128Mi"
356 cpu: "100m"
357 limits:
358 memory: "1024Mi"
359 cpu: "2000m"
360 fernet_setup:
361 requests:
362 memory: "128Mi"
363 cpu: "100m"
364 limits:
365 memory: "1024Mi"
366 cpu: "2000m"
367 fernet_rotate:
368 requests:
369 memory: "128Mi"
370 cpu: "100m"
371 limits:
372 memory: "1024Mi"
373 cpu: "2000m"
374 credential_setup:
375 requests:
376 memory: "128Mi"
377 cpu: "100m"
378 limits:
379 memory: "1024Mi"
380 cpu: "2000m"
381 credential_rotate:
382 requests:
383 memory: "128Mi"
384 cpu: "100m"
385 limits:
386 memory: "1024Mi"
387 cpu: "2000m"
388 credential_cleanup:
389 requests:
390 memory: "128Mi"
391 cpu: "100m"
392 limits:
393 memory: "1024Mi"
394 cpu: "2000m"
395 image_repo_sync:
396 requests:
397 memory: "128Mi"
398 cpu: "100m"
399 limits:
400 memory: "1024Mi"
401 cpu: "2000m"
402 probes:
403 api:
404 api:
405 readiness:
406 enabled: true
407 params:
408 initialDelaySeconds: 15
409 periodSeconds: 60
410 timeoutSeconds: 15
411 liveness:
412 enabled: true
413 params:
414 initialDelaySeconds: 50
415 periodSeconds: 60
416 timeoutSeconds: 15
417jobs:
418 fernet_setup:
419 user: keystone
420 group: keystone
421 fernet_rotate:
422 # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
423 # max_active_keys = (token_expiration / rotation_frequency) + 2
424 # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
425 # 12 hours
426 cron: "0 */12 * * *"
427 user: keystone
428 group: keystone
429 history:
430 success: 3
431 failed: 1
432 credential_setup:
433 user: keystone
434 group: keystone
435 credential_rotate:
436 # monthly
437 cron: "0 0 1 * *"
438 migrate_wait: 120
439 user: keystone
440 group: keystone
441 history:
442 success: 3
443 failed: 1
444
445network_policy:
446 keystone:
447 ingress:
448 - {}
449 egress:
450 - {}
451
452conf:
453 security: |
454 #
455 # Disable access to the entire file system except for the directories that
456 # are explicitly allowed later.
457 #
458 # This currently breaks the configurations that come with some web application
459 # Debian packages.
460 #
461 #<Directory />
462 # AllowOverride None
463 # Require all denied
464 #</Directory>
465
466 # Changing the following options will not really affect the security of the
467 # server, but might make attacks slightly more difficult in some cases.
468
469 #
470 # ServerTokens
471 # This directive configures what you return as the Server HTTP response
472 # Header. The default is 'Full' which sends information about the OS-Type
473 # and compiled in modules.
474 # Set to one of: Full | OS | Minimal | Minor | Major | Prod
475 # where Full conveys the most information, and Prod the least.
476 ServerTokens Prod
477
478 #
479 # Optionally add a line containing the server version and virtual host
480 # name to server-generated pages (internal error documents, FTP directory
481 # listings, mod_status and mod_info output etc., but not CGI generated
482 # documents or custom error documents).
483 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
484 # Set to one of: On | Off | EMail
485 ServerSignature Off
486
487 #
488 # Allow TRACE method
489 #
490 # Set to "extended" to also reflect the request body (only for testing and
491 # diagnostic purposes).
492 #
493 # Set to one of: On | Off | extended
494 TraceEnable Off
495
496 #
497 # Forbid access to version control directories
498 #
499 # If you use version control systems in your document root, you should
500 # probably deny access to their directories. For example, for subversion:
501 #
502 #<DirectoryMatch "/\.svn">
503 # Require all denied
504 #</DirectoryMatch>
505
506 #
507 # Setting this header will prevent MSIE from interpreting files as something
508 # else than declared by the content type in the HTTP headers.
509 # Requires mod_headers to be enabled.
510 #
511 #Header set X-Content-Type-Options: "nosniff"
512
513 #
514 # Setting this header will prevent other sites from embedding pages from this
515 # site as frames. This defends against clickjacking attacks.
516 # Requires mod_headers to be enabled.
517 #
518 #Header set X-Frame-Options: "sameorigin"
519 software:
520 apache2:
521 binary: apache2
522 start_parameters: -DFOREGROUND
523 site_dir: /etc/apache2/sites-enable
524 conf_dir: /etc/apache2/conf-enabled
525 mods_dir: /etc/apache2/mods-available
526 a2enmod: null
527 a2dismod: null
528 keystone:
529 DEFAULT:
530 log_config_append: /etc/keystone/logging.conf
531 max_token_size: 255
532 # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
533 # notification_opt_out: ""
534 token:
535 provider: fernet
536 # 12 hours
537 expiration: 43200
538 identity:
539 domain_specific_drivers_enabled: True
540 domain_config_dir: /etc/keystone/domains
541 fernet_tokens:
542 key_repository: /etc/keystone/fernet-keys/
543 credential:
544 key_repository: /etc/keystone/credential-keys/
545 database:
546 max_retries: -1
547 cache:
548 enabled: true
549 backend: dogpile.cache.memcached
550 oslo_messaging_notifications:
551 driver: messagingv2
552 oslo_messaging_rabbit:
553 rabbit_ha_queues: true
554 oslo_middleware:
555 enable_proxy_headers_parsing: true
556 oslo_policy:
557 policy_file: /etc/keystone/policy.yaml
558 security_compliance:
559 # NOTE(vdrok): The following two options have effect only for SQL backend
560 lockout_failure_attempts: 5
561 lockout_duration: 1800
562 # NOTE(lamt) We can leverage multiple domains with different
563 # configurations as outlined in
564 # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
565 # A sample of the value override can be found in sample file:
566 # tools/overrides/example/keystone_domain_config.yaml
567 # ks_domains:
568 policy: {}
569 access_rules: {}
570 rabbitmq:
571 # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
572 policies:
573 - vhost: "keystone"
574 name: "ha_ttl_keystone"
575 definition:
576 # mirror messges to other nodes in rmq cluster
577 ha-mode: "all"
578 ha-sync-mode: "automatic"
579 # 70s
580 message-ttl: 70000
581 priority: 0
582 apply-to: all
583 pattern: '^(?!(amq\.|reply_)).*'
584 rally_tests:
585 run_tempest: false
586 tests:
587 KeystoneBasic.add_and_remove_user_role:
588 - runner:
589 concurrency: 1
590 times: 1
591 type: constant
592 sla:
593 failure_rate:
594 max: 0
595 KeystoneBasic.authenticate_user_and_validate_token:
596 - args: {}
597 runner:
598 concurrency: 1
599 times: 1
600 type: constant
601 sla:
602 failure_rate:
603 max: 0
604 KeystoneBasic.create_add_and_list_user_roles:
605 - runner:
606 concurrency: 1
607 times: 1
608 type: constant
609 sla:
610 failure_rate:
611 max: 0
612 KeystoneBasic.create_and_delete_ec2credential:
613 - runner:
614 concurrency: 1
615 times: 1
616 type: constant
617 sla:
618 failure_rate:
619 max: 0
620 KeystoneBasic.create_and_list_ec2credentials:
621 - runner:
622 concurrency: 1
623 times: 1
624 type: constant
625 sla:
626 failure_rate:
627 max: 0
628 KeystoneBasic.create_and_delete_role:
629 - runner:
630 concurrency: 1
631 times: 1
632 type: constant
633 sla:
634 failure_rate:
635 max: 0
636 KeystoneBasic.create_and_delete_service:
637 - args:
638 description: test_description
639 service_type: Rally_test_type
640 runner:
641 concurrency: 1
642 times: 1
643 type: constant
644 sla:
645 failure_rate:
646 max: 0
647 KeystoneBasic.create_and_get_role:
648 - args: {}
649 runner:
650 concurrency: 1
651 times: 1
652 type: constant
653 sla:
654 failure_rate:
655 max: 0
656 KeystoneBasic.create_and_list_services:
657 - args:
658 description: test_description
659 service_type: Rally_test_type
660 runner:
661 concurrency: 1
662 times: 1
663 type: constant
664 sla:
665 failure_rate:
666 max: 0
667 KeystoneBasic.create_and_list_tenants:
668 - args: {}
669 runner:
670 concurrency: 1
671 times: 1
672 type: constant
673 sla:
674 failure_rate:
675 max: 0
676 KeystoneBasic.create_and_list_users:
677 - args: {}
678 runner:
679 concurrency: 1
680 times: 1
681 type: constant
682 sla:
683 failure_rate:
684 max: 0
685 KeystoneBasic.create_delete_user:
686 - args: {}
687 runner:
688 concurrency: 1
689 times: 1
690 type: constant
691 sla:
692 failure_rate:
693 max: 0
694 KeystoneBasic.create_tenant:
695 - args: {}
696 runner:
697 concurrency: 1
698 times: 1
699 type: constant
700 sla:
701 failure_rate:
702 max: 0
703 KeystoneBasic.create_tenant_with_users:
704 - args:
705 users_per_tenant: 1
706 runner:
707 concurrency: 1
708 times: 1
709 type: constant
710 sla:
711 failure_rate:
712 max: 0
713 KeystoneBasic.create_update_and_delete_tenant:
714 - args: {}
715 runner:
716 concurrency: 1
717 times: 1
718 type: constant
719 sla:
720 failure_rate:
721 max: 0
722 KeystoneBasic.create_user:
723 - args: {}
724 runner:
725 concurrency: 1
726 times: 1
727 type: constant
728 sla:
729 failure_rate:
730 max: 0
731 KeystoneBasic.create_user_set_enabled_and_delete:
732 - args:
733 enabled: true
734 runner:
735 concurrency: 1
736 times: 1
737 type: constant
738 sla:
739 failure_rate:
740 max: 0
741 - args:
742 enabled: false
743 runner:
744 concurrency: 1
745 times: 1
746 type: constant
747 sla:
748 failure_rate:
749 max: 0
750 KeystoneBasic.create_user_update_password:
751 - args: {}
752 runner:
753 concurrency: 1
754 times: 1
755 type: constant
756 sla:
757 failure_rate:
758 max: 0
759 KeystoneBasic.get_entities:
760 - runner:
761 concurrency: 1
762 times: 1
763 type: constant
764 sla:
765 failure_rate:
766 max: 0
767 mpm_event: |
768 <IfModule mpm_event_module>
769 ServerLimit 1024
770 StartServers 32
771 MinSpareThreads 32
772 MaxSpareThreads 256
773 ThreadsPerChild 25
774 MaxRequestsPerChild 128
775 ThreadLimit 720
776 </IfModule>
777 wsgi_keystone: |
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]778 {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]779
780 Listen 0.0.0.0:{{ $portInt }}
781
782 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
783 LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
784
785 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
786 CustomLog /dev/stdout combined env=!forwarded
787 CustomLog /dev/stdout proxy env=forwarded
788
789 <VirtualHost *:{{ $portInt }}>
790 WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
791 WSGIProcessGroup keystone-public
792 WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
793 WSGIApplicationGroup %{GLOBAL}
794 WSGIPassAuthorization On
795 <IfVersion >= 2.4>
796 ErrorLogFormat "%{cu}t %M"
797 </IfVersion>
798 ErrorLog /dev/stdout
799
800 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
801 CustomLog /dev/stdout combined env=!forwarded
802 CustomLog /dev/stdout proxy env=forwarded
803 </VirtualHost>
804 sso_callback_template: |
805 <!DOCTYPE html>
806 <html xmlns="http://www.w3.org/1999/xhtml">
807 <head>
808 <title>Keystone WebSSO redirect</title>
809 </head>
810 <body>
811 <form id="sso" name="sso" action="$host" method="post">
812 Please wait...
813 <br/>
814 <input type="hidden" name="token" id="token" value="$token"/>
815 <noscript>
816 <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
817 value="If your JavaScript is disabled, please click to continue"/>
818 </noscript>
819 </form>
820 <script type="text/javascript">
821 window.onload = function() {
822 document.forms['sso'].submit();
823 }
824 </script>
825 </body>
826 </html>
827 logging:
828 loggers:
829 keys:
830 - root
831 - keystone
832 handlers:
833 keys:
834 - stdout
835 - stderr
836 - "null"
837 formatters:
838 keys:
839 - context
840 - default
841 logger_root:
842 level: WARNING
843 handlers: 'null'
844 logger_keystone:
845 level: INFO
846 handlers:
847 - stdout
848 qualname: keystone
849 logger_amqp:
850 level: WARNING
851 handlers: stderr
852 qualname: amqp
853 logger_amqplib:
854 level: WARNING
855 handlers: stderr
856 qualname: amqplib
857 logger_eventletwsgi:
858 level: WARNING
859 handlers: stderr
860 qualname: eventlet.wsgi.server
861 logger_sqlalchemy:
862 level: WARNING
863 handlers: stderr
864 qualname: sqlalchemy
865 logger_boto:
866 level: WARNING
867 handlers: stderr
868 qualname: boto
869 handler_null:
870 class: logging.NullHandler
871 formatter: default
872 args: ()
873 handler_stdout:
874 class: StreamHandler
875 args: (sys.stdout,)
876 formatter: context
877 handler_stderr:
878 class: StreamHandler
879 args: (sys.stderr,)
880 formatter: context
881 formatter_context:
882 class: oslo_log.formatters.ContextFormatter
883 datefmt: "%Y-%m-%d %H:%M:%S"
884 formatter_default:
885 format: "%(message)s"
886 datefmt: "%Y-%m-%d %H:%M:%S"
887
888# Names of secrets used by bootstrap and environmental checks
889secrets:
890 identity:
891 admin: keystone-keystone-admin
892 test: keystone-keystone-test
893 oslo_db:
894 admin: keystone-db-admin
895 keystone: keystone-db-user
896 oslo_messaging:
897 admin: keystone-rabbitmq-admin
898 keystone: keystone-rabbitmq-user
899 ldap:
900 tls: keystone-ldap-tls
901 tls:
902 identity:
903 api:
904 public: keystone-tls-public
905 internal: keystone-tls-api
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]906 oci_image_registry:
907 keystone: keystone-oci-image-registry
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]908
909# typically overridden by environmental
910# values, but should include all endpoints
911# required by this chart
912endpoints:
913 cluster_domain_suffix: cluster.local
914 local_image_registry:
915 name: docker-registry
916 namespace: docker-registry
917 hosts:
918 default: localhost
919 internal: docker-registry
920 node: localhost
921 host_fqdn_override:
922 default: null
923 port:
924 registry:
925 node: 5000
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]926 oci_image_registry:
927 name: oci-image-registry
928 namespace: oci-image-registry
929 auth:
930 enabled: false
931 keystone:
932 username: keystone
933 password: password
934 hosts:
935 default: localhost
936 host_fqdn_override:
937 default: null
938 port:
939 registry:
940 default: null
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]941 identity:
942 namespace: null
943 name: keystone
944 auth:
945 admin:
946 region_name: RegionOne
947 username: admin
948 password: password
949 project_name: admin
950 user_domain_name: default
951 project_domain_name: default
952 default_domain_id: default
953 test:
954 role: admin
955 region_name: RegionOne
956 username: keystone-test
957 password: password
958 project_name: test
959 user_domain_name: default
960 project_domain_name: default
961 default_domain_id: default
962 hosts:
963 default: keystone
964 internal: keystone-api
965 host_fqdn_override:
966 default: null
967 # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
968 # endpoints using the following format:
969 # public:
970 # host: null
971 # tls:
972 # crt: null
973 # key: null
974 path:
975 default: /v3
976 scheme:
977 default: http
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]978 service: http
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]979 port:
980 api:
981 default: 80
982 # NOTE(portdirect): to retain portability across images, and allow
983 # running under a unprivileged user simply, we default to a port > 1000.
984 internal: 5000
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]985 service: 5000
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]986 oslo_db:
987 namespace: null
988 auth:
989 admin:
990 username: root
991 password: password
992 secret:
993 tls:
994 internal: mariadb-tls-direct
995 keystone:
996 username: keystone
997 password: password
998 hosts:
999 default: mariadb
1000 host_fqdn_override:
1001 default: null
1002 path: /keystone
1003 scheme: mysql+pymysql
1004 port:
1005 mysql:
1006 default: 3306
1007 oslo_messaging:
1008 namespace: null
1009 auth:
1010 admin:
1011 username: rabbitmq
1012 password: password
1013 secret:
1014 tls:
1015 internal: rabbitmq-tls-direct
1016 keystone:
1017 username: keystone
1018 password: password
1019 statefulset:
1020 replicas: 2
1021 name: rabbitmq-rabbitmq
1022 hosts:
1023 default: rabbitmq
1024 host_fqdn_override:
1025 default: null
1026 path: /keystone
1027 scheme: rabbit
1028 port:
1029 amqp:
1030 default: 5672
1031 http:
1032 default: 15672
1033 oslo_cache:
1034 namespace: null
1035 hosts:
1036 default: memcached
1037 host_fqdn_override:
1038 default: null
1039 port:
1040 memcache:
1041 default: 11211
1042 ldap:
1043 auth:
1044 client:
1045 tls:
1046 # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
1047 # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
1048 # following key will need to be overrided under section [ldap] or the
1049 # correct domain-specific setting, else it will not be enabled:
1050 #
1051 # use_tls: true
1052 # tls_req_cert: allow # Valid values: demand, never, allow
1053 # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
1054 ca: null
1055 fluentd:
1056 namespace: null
1057 name: fluentd
1058 hosts:
1059 default: fluentd-logging
1060 host_fqdn_override:
1061 default: null
1062 path:
1063 default: null
1064 scheme: 'http'
1065 port:
1066 service:
1067 default: 24224
1068 metrics:
1069 default: 24220
1070 # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
1071 # They are using to enable the Egress K8s network policy.
1072 kube_dns:
1073 namespace: kube-system
1074 name: kubernetes-dns
1075 hosts:
1076 default: kube-dns
1077 host_fqdn_override:
1078 default: null
1079 path:
1080 default: null
1081 scheme: http
1082 port:
1083 dns:
1084 default: 53
1085 protocol: UDP
1086 ingress:
1087 namespace: null
1088 name: ingress
1089 hosts:
1090 default: ingress
1091 port:
1092 ingress:
1093 default: 80
1094
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]1095tls:
1096 identity: false
1097 oslo_messaging: false
1098 oslo_db: false
1099
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]1100manifests:
1101 certificates: false
1102 configmap_bin: true
1103 configmap_etc: true
1104 cron_credential_rotate: true
1105 cron_fernet_rotate: true
1106 deployment_api: true
1107 ingress_api: true
1108 job_bootstrap: true
1109 job_credential_cleanup: true
1110 job_credential_setup: true
1111 job_db_init: true
1112 job_db_sync: true
1113 job_db_drop: false
1114 job_domain_manage: true
1115 job_fernet_setup: true
1116 job_image_repo_sync: true
1117 job_rabbit_init: true
1118 pdb_api: true
1119 pod_rally_test: true
1120 network_policy: false
1121 secret_credential_keys: true
1122 secret_db: true
1123 secret_fernet_keys: true
1124 secret_ingress_tls: true
1125 secret_keystone: true
1126 secret_rabbitmq: true
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100[diff] [blame]1127 secret_registry: true
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]1128 service_ingress_api: true
1129 service_api: true
1130...