# Licensed under the Apache License, Version 2.0 (the "License");
2# you may not use this file except in compliance with the License.
3# You may obtain a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS,
9# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10# See the License for the specific language governing permissions and
11# limitations under the License.
12
13# Default values for keystone.
14# This is a YAML-formatted file.
15# Declare name/value pairs to be passed into your templates.
16# name: value
17
---
# Node placement. Every keystone workload (API deployment, one-shot jobs,
# rally test pod) is scheduled only onto nodes carrying the label
# openstack-control-plane=enabled.
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Optional grouping label for the release; null leaves the chart's own
# release name in use.
release_group: null

# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true

# Container images used by the chart.
#
# NOTE(review): all entries are mutable tags, not digests. Together with
# pull_policy IfNotPresent this means a node keeps running whatever image it
# first pulled under the tag, and a re-pushed tag changes what new nodes run
# without any change to this file. For production overrides, pin by digest
# (image@sha256:...) or at least use an immutable tag. The docker:17.07.0 and
# rabbitmq:3.7-management tags are old upstream releases; confirm they are still
# supported before relying on them.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    test: docker.io/xrally/xrally-openstack:2.0.0
    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    keystone_db_sync: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    rabbit_init: docker.io/rabbitmq:3.7-management
    keystone_fernet_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_fernet_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_credential_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_credential_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_credential_cleanup: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    keystone_api: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_domain_manage: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  # IfNotPresent: a tag already on the node is never re-pulled (see note above).
  pull_policy: "IfNotPresent"
  # Mirror images into a cluster-local registry; off by default. The two
  # excluded images are the ones needed to perform the mirroring itself.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

# Post-install bootstrap job. ks_user names the credential set (admin) the
# job runs as; the script is executed with OS_* environment variables for
# that user, so it runs with full admin privileges in keystone.
bootstrap:
  enabled: true
  ks_user: admin
  script: |
    # admin needs the admin role for the default domain
    openstack role add \
      --user="${OS_USERNAME}" \
      --domain="${OS_DEFAULT_DOMAIN}" \
      "admin"

# Service / ingress exposure of the identity API.
network:
  api:
    ingress:
      # public: true publishes the identity API on the cluster-wide ingress
      # class as well as the namespace one, i.e. it is reachable from outside
      # the cluster by default. The ingress is plain HTTP unless the TLS
      # settings (tls.identity, secrets.tls.identity.api.public) are enabled.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        # Strip the ingress path before proxying to keystone.
        nginx.ingress.kubernetes.io/rewrite-target: /
    # false presumably leaves the Service's externalTrafficPolicy at Cluster,
    # so the client source IP is not preserved at the pod; the apache access
    # log below relies on X-Forwarded-For from the ingress instead.
    external_policy_local: false
    # NodePort exposure is off; enabling it bypasses the ingress (and any TLS
    # terminated there).
    node_port:
      enabled: false
      port: 30500
  admin:
    node_port:
      enabled: false
      port: 30357

# Startup ordering. Each entry lists the jobs that must have completed and
# the service endpoints that must be resolvable before the named workload's
# init container lets it start. dynamic.common.local_image_registry is only
# merged in when images.local_registry.active is true.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - keystone-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
  static:
    # The API waits for the schema, the credential keys and the fernet keys;
    # without the key repositories keystone cannot issue or validate tokens.
    api:
      jobs:
        - keystone-db-sync
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
    bootstrap:
      jobs:
        - keystone-domain-manage
      services:
        - endpoint: internal
          service: identity
    credential_rotate:
      jobs:
        - keystone-credential-setup
    # null: no dependencies — the key-setup jobs are the first thing to run.
    credential_setup: null
    credential_cleanup:
      services:
        - endpoint: internal
          service: oslo_db
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - keystone-db-init
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_db
    domain_manage:
      services:
        - endpoint: internal
          service: identity
    fernet_rotate:
      jobs:
        - keystone-fernet-setup
    fernet_setup: null
    tests:
      services:
        - endpoint: internal
          service: identity
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

pod:
  # Pod- and container-level securityContext per workload. Every pod runs as
  # uid 42424 (the service uid used by the openstackhelm images — confirm
  # against the image if you swap it), and every listed container gets a
  # read-only root filesystem and no privilege escalation.
  #
  # NOTE(review): there is no entry for credential_rotate or
  # credential_cleanup; confirm whether those templates apply a security
  # context at all. Consider adding runAsNonRoot: true at pod level and
  # capabilities.drop: [ALL] per container in overrides — runAsUser is already
  # numeric and non-zero, so runAsNonRoot would not change what runs.
  security_context:
    keystone:
      pod:
        runAsUser: 42424
      container:
        keystone_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    credential_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_credential_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_rotate:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_rotate:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    domain_manage:
      pod:
        runAsUser: 42424
      container:
        keystone_domain_manage_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_domain_manage:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    test:
      pod:
        runAsUser: 42424
      container:
        keystone_test_ks_user:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        # The rally container runs as its own (different) unprivileged uid.
        keystone_test:
          runAsUser: 65500
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  # Soft anti-affinity: prefer spreading replicas across hosts, but still
  # schedule if that is not possible.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Tolerations are only applied when enabled is true; the list below would
  # let keystone pods land on control-plane nodes.
  tolerations:
    keystone:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
  # Extra volumes / volumeMounts per workload. The bare keys are null, i.e.
  # nothing extra is mounted by default; override with lists to add mounts.
  mounts:
    keystone_db_init:
      init_container: null
      keystone_db_init:
        volumeMounts:
        volumes:
    keystone_db_sync:
      init_container: null
      keystone_db_sync:
        volumeMounts:
        volumes:
    keystone_api:
      init_container: null
      keystone_api:
        volumeMounts:
        volumes:
    keystone_tests:
      init_container: null
      keystone_tests:
        volumeMounts:
        volumes:
    keystone_bootstrap:
      init_container: null
      keystone_bootstrap:
        volumeMounts:
        volumes:
    keystone_fernet_setup:
      init_container: null
      keystone_fernet_setup:
        volumeMounts:
        volumes:
    keystone_fernet_rotate:
      init_container: null
      keystone_fernet_rotate:
        volumeMounts:
        volumes:
    keystone_credential_setup:
      init_container: null
      keystone_credential_setup:
        volumeMounts:
        volumes:
    keystone_credential_rotate:
      init_container: null
      keystone_credential_rotate:
        volumeMounts:
        volumes:
    keystone_credential_cleanup:
      init_container: null
      keystone_credential_cleanup:
        volumeMounts:
        volumes:
    keystone_domain_manage:
      init_container: null
      keystone_domain_manage:
        volumeMounts:
        volumes:
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    # min_available 0 with a single replica: the PDB never blocks an
    # eviction, so a node drain takes the identity API down.
    disruption_budget:
      api:
        min_available: 0
    termination_grace_period:
      api:
        timeout: 30
  # Requests/limits are only rendered when enabled is true. Without limits a
  # misbehaving container can consume the node; enable in production.
  resources:
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      domain_manage:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_cleanup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
  # Readiness/liveness probe timing for the API container; the probe
  # command itself comes from the deployment template.
  probes:
    api:
      api:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 15
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 50
            periodSeconds: 60
            timeoutSeconds: 15
# Key-management jobs. fernet_* manage the token signing keys, credential_*
# the keys that encrypt stored credentials (both repositories are configured
# under conf.keystone). user/group are the ownership applied to the key files.
jobs:
  fernet_setup:
    user: keystone
    group: keystone
  fernet_rotate:
    # NOTE(rk760n): key rotation frequency, token expiration, active keys should satisfy the formula
    # max_active_keys = (token_expiration / rotation_frequency) + 2
    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
    #
    # With conf.keystone.token.expiration = 43200 (12h) and a 12h cron this
    # gives (12/12) + 2 = 3, matching the default key count. If you rotate
    # more often without raising fernet_tokens.max_active_keys, keys still
    # needed to validate unexpired tokens get dropped and those tokens become
    # invalid early; rotating less often just keeps old keys alive longer.
    # 12 hours
    cron: "0 */12 * * *"
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1
  credential_setup:
    user: keystone
    group: keystone
  credential_rotate:
    # monthly
    cron: "0 0 1 * *"
    # Seconds the rotate job waits for the credential migration before
    # proceeding (as named; exact behaviour is in the job script).
    migrate_wait: 120
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1

# NetworkPolicy rules for the keystone pods. A rule of `- {}` matches all
# peers, so this default is allow-all in both directions; it only takes
# effect when manifests.network_policy is true. To actually isolate keystone,
# override ingress with the ingress-controller / consumer namespaces and
# egress with the DB, RabbitMQ, memcached, DNS and ingress endpoints listed
# under endpoints.
network_policy:
  keystone:
    ingress:
      - {}
    egress:
      - {}

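conf:
  # Rendered as the apache2 "security.conf" fragment (conf.software.apache2
  # conf_dir) for the keystone vhost. It is Debian's stock security.conf with
  # the information-leak settings tightened and TRACE disabled. The two
  # hardening headers Debian ships commented out are enabled at the bottom,
  # guarded by IfModule so the server still starts if mod_headers is absent.
  security: |
    #
    # Disable access to the entire file system except for the directories that
    # are explicitly allowed later.
    #
    # This currently breaks the configurations that come with some web application
    # Debian packages.
    #
    #<Directory />
    # AllowOverride None
    # Require all denied
    #</Directory>

    # Changing the following options will not really affect the security of the
    # server, but might make attacks slightly more difficult in some cases.

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of: Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    ServerSignature Off

    #
    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of: On | Off | extended
    TraceEnable Off

    #
    # Forbid access to version control directories
    #
    # If you use version control systems in your document root, you should
    # probably deny access to their directories. For example, for subversion:
    #
    #<DirectoryMatch "/\.svn">
    # Require all denied
    #</DirectoryMatch>

    #
    # X-Content-Type-Options: nosniff stops browsers (historically MSIE) from
    # interpreting a response as something other than the declared
    # Content-Type.
    #
    # X-Frame-Options: sameorigin stops other sites from embedding pages from
    # this server as frames, which defends against clickjacking; the WebSSO
    # callback page served by keystone is the kind of page this matters for.
    #
    # Both require mod_headers. The IfModule guard means apache still starts on
    # an image where the module is not enabled -- but then the headers are
    # silently absent, so verify them in a response after deploying (or add
    # "headers" to conf.software.apache2.a2enmod if the start script honours it).
    #
    <IfModule mod_headers.c>
      Header set X-Content-Type-Options "nosniff"
      Header set X-Frame-Options "sameorigin"
    </IfModule>
  # Paths and start-up parameters the API container uses for apache2.
  # NOTE(review): site_dir is "sites-enable" while Debian's directory is
  # "sites-enabled"; confirm which one the start script actually expects
  # before changing it, since the vhost config is placed there.
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      site_dir: /etc/apache2/sites-enable
      conf_dir: /etc/apache2/conf-enabled
      mods_dir: /etc/apache2/mods-available
      a2enmod: null
      a2dismod: null
  # keystone.conf, section by section (rendered as oslo.config INI).
  keystone:
    DEFAULT:
      log_config_append: /etc/keystone/logging.conf
      max_token_size: 255
      # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
      # notification_opt_out: ""
    token:
      provider: fernet
      # 12 hours; keep in step with jobs.fernet_rotate.cron (see the
      # max_active_keys formula there) -- the two are tuned as a pair.
      expiration: 43200
    identity:
      # Lets per-domain backends (e.g. LDAP) be configured via files in
      # domain_config_dir; populated by the domain_manage job.
      domain_specific_drivers_enabled: true
      domain_config_dir: /etc/keystone/domains
    # Key repositories are mounted from the secrets written by the
    # fernet_setup / credential_setup jobs and rotated by the cron jobs.
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
      # Retry the DB connection forever rather than failing the process.
      max_retries: -1
    # NOTE(review): memcached has no authentication; the cache is only as
    # private as the network path to the oslo_cache endpoint (see
    # network_policy, which is allow-all by default).
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    oslo_messaging_notifications:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    # Keystone builds its advertised URLs from X-Forwarded-Proto/Host headers
    # when this is on. Those headers are trusted from any client that can
    # reach the API port directly, so the API should only be reachable through
    # the ingress/proxy that sets them (restrict with network_policy).
    oslo_middleware:
      enable_proxy_headers_parsing: true
    oslo_policy:
      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # NOTE(vdrok): The following two options have effect only for SQL backend
      # Lock a user out for 30 minutes after 5 consecutive failed logins;
      # brute-force protection for password auth against the SQL backend only
      # (LDAP-backed domains rely on the directory's own lockout policy).
      lockout_failure_attempts: 5
      lockout_duration: 1800
  # NOTE(lamt) We can leverage multiple domains with different
  # configurations as outlined in
  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
  # A sample of the value override can be found in sample file:
  # tools/overrides/example/keystone_domain_config.yaml
  # ks_domains:
  # Empty policy.yaml / access rules: keystone falls back to its built-in
  # policy defaults. Put overrides here rather than editing the in-container file.
  policy: {}
  access_rules: {}
  rabbitmq:
    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
    policies:
      - vhost: "keystone"
        name: "ha_ttl_keystone"
        definition:
          # mirror messges to other nodes in rmq cluster
          ha-mode: "all"
          ha-sync-mode: "automatic"
          # 70s
          message-ttl: 70000
        priority: 0
        apply-to: all
        pattern: '^(?!(amq\.|reply_)).*'
  # Rally scenarios executed by the test pod. They create and delete users,
  # roles, projects, services and EC2 credentials, which is why the test user
  # (endpoints.identity.auth.test) carries the admin role.
  rally_tests:
    run_tempest: false
    tests:
      KeystoneBasic.add_and_remove_user_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.authenticate_user_and_validate_token:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_add_and_list_user_roles:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_ec2credential:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_ec2credentials:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_service:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_get_role:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_services:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_tenants:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_users:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_delete_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant_with_users:
        - args:
            users_per_tenant: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_update_and_delete_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_set_enabled_and_delete:
        - args:
            enabled: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
        - args:
            enabled: false
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_update_password:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.get_entities:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
  # Apache worker tuning for the event MPM.
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit 1024
      StartServers 32
      MinSpareThreads 32
      MaxSpareThreads 256
      ThreadsPerChild 25
      MaxRequestsPerChild 128
      ThreadLimit 720
    </IfModule>
  # Apache vhost for the public keystone WSGI app. Rendered through the
  # template engine, so the first line resolves the service port.
  #
  # Logging: requests carrying an X-Forwarded-For header that contains three
  # dots are logged with the "proxy" format (client IP taken from the header)
  # instead of the socket peer. The header is attacker-controlled unless a
  # trusted proxy in front overwrites it, so treat the logged address as
  # authoritative only for traffic that really came through the ingress.
  # WSGIPassAuthorization On forwards the Authorization header to keystone;
  # without it apache would consume it.
  wsgi_keystone: |
    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

    Listen 0.0.0.0:{{ $portInt }}

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded

    <VirtualHost *:{{ $portInt }}>
      WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
      WSGIProcessGroup keystone-public
      WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
      </IfVersion>
      ErrorLog /dev/stdout

      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded
    </VirtualHost>
  # HTML returned at the end of a WebSSO login. Keystone substitutes the
  # issued token into $token and the dashboard URL into $host, and the page
  # auto-submits the token there by POST. This template does not decide
  # where the token goes; when enabling WebSSO, confirm keystone's
  # trusted-dashboard setting is restricted so $host can only be your own
  # dashboard(s).
  sso_callback_template: |
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Keystone WebSSO redirect</title>
      </head>
      <body>
         <form id="sso" name="sso" action="$host" method="post">
           Please wait...
           <br/>
           <input type="hidden" name="token" id="token" value="$token"/>
           <noscript>
             <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
                value="If your JavaScript is disabled, please click to continue"/>
           </noscript>
         </form>
         <script type="text/javascript">
           window.onload = function() {
             document.forms['sso'].submit();
           }
         </script>
      </body>
    </html>
  # Python logging config for keystone (logging.conf). Everything goes to
  # stdout/stderr for the container runtime to collect; root is silenced.
  logging:
    loggers:
      keys:
        - root
        - keystone
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_keystone:
      level: INFO
      handlers:
        - stdout
      qualname: keystone
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: "%Y-%m-%d %H:%M:%S"
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"
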
# Names of secrets used by bootstrap and environmental checks
#
# The chart creates the identity/oslo_db/oslo_messaging/oci_image_registry
# secrets itself (manifests.secret_*) from the values under endpoints.*.auth;
# the ldap and tls secrets are only referenced and must be supplied by the
# operator when the corresponding feature is turned on.
secrets:
  identity:
    admin: keystone-keystone-admin
    test: keystone-keystone-test
  oslo_db:
    admin: keystone-db-admin
    keystone: keystone-db-user
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
  ldap:
    tls: keystone-ldap-tls
  tls:
    identity:
      api:
        public: keystone-tls-public
        internal: keystone-tls-api
  oci_image_registry:
    keystone: keystone-oci-image-registry

# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# NOTE(review): every credential below defaults to username/"password". These
# are placeholders so the chart renders; they end up in the Secrets named
# under `secrets` and are what the bootstrap job, the DB init job and the
# API itself authenticate with. Override all of them per environment (and
# keep the overrides out of version control). Also note scheme http / port 80
# for identity: the API is plain HTTP unless tls.identity is enabled.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      keystone:
        username: keystone
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    namespace: null
    name: keystone
    auth:
      # Cloud admin; used by bootstrap and the ks_user-type jobs.
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
      # Rally test user. It is granted the admin role (role: admin) because
      # the scenarios under conf.rally_tests create/delete users, roles and
      # projects -- so this is a second admin-level credential that exists in
      # every deployment where manifests.pod_rally_test is left on.
      test:
        role: admin
        region_name: RegionOne
        username: keystone-test
        password: password
        project_name: test
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: /v3
    scheme:
      default: http
      service: http
    port:
      api:
        default: 80
        # NOTE(portdirect): to retain portability across images, and allow
        # running under a unprivileged user simply, we default to a port > 1000.
        internal: 5000
        service: 5000
  oslo_db:
    namespace: null
    auth:
      # DB superuser; needed to create the keystone database and user.
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      keystone:
        username: keystone
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    namespace: null
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      keystone:
        username: keystone
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    namespace: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  ldap:
    auth:
      client:
        tls:
          # NOTE(lamt): Specifying a CA value here will place a LDAPS certificate at
          # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
          # following keys will need to be overridden under section [ldap] or the
          # correct domain-specific setting, else it will not be enabled:
          #
          # use_tls: true
          # tls_req_cert: demand # Valid values: demand, never, allow
          # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
          #
          # NOTE(review): use "demand" in production. "allow" and "never" let the
          # connection proceed with a missing or unverifiable server certificate,
          # which makes supplying a CA pointless -- the bind credentials would go
          # to whatever answers on the LDAPS port.
          ca: null
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are using to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

# Per-backend TLS switches, all off by default: the identity API is served
# over plain HTTP, and the MariaDB and RabbitMQ connections (which carry the
# credentials from endpoints.oslo_db / endpoints.oslo_messaging) are
# unencrypted. Enabling them requires the corresponding secrets
# (secrets.tls.identity, endpoints.*.auth.admin.secret.tls.internal).
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false

# Which Kubernetes objects the chart renders.
manifests:
  # Certificate objects for TLS; off, so TLS secrets must be pre-created.
  certificates: false
  configmap_bin: true
  configmap_etc: true
  cron_credential_rotate: true
  cron_fernet_rotate: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_credential_cleanup: true
  job_credential_setup: true
  job_db_init: true
  job_db_sync: true
  # Destructive: drops the keystone database. Keep off except for teardown.
  job_db_drop: false
  job_domain_manage: true
  job_fernet_setup: true
  job_image_repo_sync: true
  job_rabbit_init: true
  pdb_api: true
  # Rally test pod. It uses the admin-role test credential from
  # endpoints.identity.auth.test; consider disabling outside CI.
  pod_rally_test: true
  # NetworkPolicy rendering is off, so the rules under network_policy
  # (allow-all by default anyway) are not applied.
  network_policy: false
  secret_credential_keys: true
  secret_db: true
  secret_fernet_keys: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_api: true
  service_api: true
...
1127...