# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for the keystone chart.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
#
# Security note: the credentials under `endpoints.*.auth` are placeholders
# and the public identity endpoint defaults to plain http; both must be
# overridden per environment before this chart is deployed anywhere real.

18---
19labels:
20 api:
21 node_selector_key: openstack-control-plane
22 node_selector_value: enabled
23 job:
24 node_selector_key: openstack-control-plane
25 node_selector_value: enabled
26 test:
27 node_selector_key: openstack-control-plane
28 node_selector_value: enabled
29
# Optional grouping label for the rendered resources; null keeps the chart's
# own default (presumably derived from the release name).
release_group: null

# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2.
# Set to false to upgrade using helm2.
helm3_hook: true

# Container images used by the chart.
#
# NOTE(review): every tag below is a mutable reference, and pull_policy is
# IfNotPresent, so a node keeps whatever build of a tag it pulled first and
# two nodes can silently run different builds of "the same" image. For
# production, pin by digest (repo@sha256:...) or at least set pull_policy
# to Always so that a re-tagged image is actually picked up.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    test: docker.io/xrally/xrally-openstack:2.0.0
    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    keystone_db_sync: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    rabbit_init: docker.io/rabbitmq:3.7-management
    keystone_fernet_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_fernet_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_credential_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_credential_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_credential_cleanup: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    keystone_api: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    keystone_domain_manage: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: 'IfNotPresent'
  # When a local registry is active, every image except the excluded ones is
  # mirrored there by the image_repo_sync job (see manifests.job_image_repo_sync).
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

# Post-install bootstrap job. The script runs with the identity admin
# credentials (OS_USERNAME / OS_DEFAULT_DOMAIN are presumably injected from
# the secret named in secrets.identity.admin) and grants that user the
# "admin" role on the default domain, which is required for domain-scoped
# administration.
bootstrap:
  enabled: true
  ks_user: admin
  script: |
    # admin needs the admin role for the default domain
    openstack role add \
      --user="${OS_USERNAME}" \
      --domain="${OS_DEFAULT_DOMAIN}" \
      "admin"


# How the identity API is exposed.
network:
  api:
    ingress:
      # NOTE(review): the API is published through the cluster ingress, and
      # endpoints.identity.scheme defaults to http. Terminate TLS at the
      # ingress (the host_fqdn_override/tls form documented under
      # endpoints.identity) before making this reachable from outside.
      public: true
      classes:
        namespace: 'nginx'
        cluster: 'nginx-cluster'
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    # Keep the Service's externalTrafficPolicy at Cluster (false) or
    # Local (true); Local preserves the client source address.
    external_policy_local: false
    node_port:
      enabled: false
      port: 30500
  admin:
    node_port:
      enabled: false
      port: 30357

# Start-up ordering: each component waits for the listed jobs and service
# endpoints before its main container runs.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - keystone-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    # NOTE(review): rabbit_init is the only per-job dependency that lives
    # under `dynamic` instead of `static`; confirm the rabbit-init job
    # actually consumes it from here before relying on it.
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
  static:
    api:
      jobs:
        - keystone-db-sync
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
    bootstrap:
      jobs:
        - keystone-domain-manage
      services:
        - endpoint: internal
          service: identity
    credential_rotate:
      jobs:
        - keystone-credential-setup
    credential_setup: null
    credential_cleanup:
      services:
        - endpoint: internal
          service: oslo_db
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - keystone-db-init
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_db
    domain_manage:
      services:
        - endpoint: internal
          service: identity
    fernet_rotate:
      jobs:
        - keystone-fernet-setup
    fernet_setup: null
    tests:
      services:
        - endpoint: internal
          service: identity
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

# Pod-level settings: security contexts, scheduling, volumes, replicas,
# upgrade strategy, resource requests and probes.
pod:
  # Every keystone workload runs as uid 42424 with a read-only root
  # filesystem and privilege escalation disabled. The rally test container
  # additionally runs as uid 65500.
  #
  # NOTE(review): no `capabilities: {drop: [ALL]}` and no `runAsNonRoot`
  # are declared here. If the chart's security-context helper passes extra
  # keys through unchanged (confirm), adding both per container is a cheap
  # hardening step.
  security_context:
    keystone:
      pod:
        runAsUser: 42424
      container:
        keystone_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    credential_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_credential_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_rotate:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_rotate:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    domain_manage:
      pod:
        runAsUser: 42424
      container:
        keystone_domain_manage_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_domain_manage:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    test:
      pod:
        runAsUser: 42424
      container:
        keystone_test_ks_user:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_test:
          runAsUser: 65500
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  # Soft anti-affinity: prefer spreading replicas across hosts.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Extra volumes / volumeMounts per workload; all empty by default.
  mounts:
    keystone_db_init:
      init_container: null
      keystone_db_init:
        volumeMounts: null
        volumes: null
    keystone_db_sync:
      init_container: null
      keystone_db_sync:
        volumeMounts: null
        volumes: null
    keystone_api:
      init_container: null
      keystone_api:
        volumeMounts: null
        volumes: null
    keystone_tests:
      init_container: null
      keystone_tests:
        volumeMounts: null
        volumes: null
    keystone_bootstrap:
      init_container: null
      keystone_bootstrap:
        volumeMounts: null
        volumes: null
    keystone_fernet_setup:
      init_container: null
      keystone_fernet_setup:
        volumeMounts: null
        volumes: null
    keystone_fernet_rotate:
      init_container: null
      keystone_fernet_rotate:
        volumeMounts: null
        volumes: null
    keystone_credential_setup:
      init_container: null
      keystone_credential_setup:
        volumeMounts: null
        volumes: null
    keystone_credential_rotate:
      init_container: null
      keystone_credential_rotate:
        volumeMounts: null
        volumes: null
    keystone_credential_cleanup:
      init_container: null
      keystone_credential_cleanup:
        volumeMounts: null
        volumes: null
    keystone_domain_manage:
      init_container: null
      keystone_domain_manage:
        volumeMounts: null
        volumes: null
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    # min_available 0 means the PDB never blocks a voluntary eviction.
    disruption_budget:
      api:
        min_available: 0
    termination_grace_period:
      api:
        timeout: 30
  # Requests/limits are only applied when `enabled` is true.
  resources:
    enabled: false
    api:
      requests:
        memory: '128Mi'
        cpu: '100m'
      limits:
        memory: '1024Mi'
        cpu: '2000m'
    jobs:
      bootstrap:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      domain_manage:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      db_init:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      db_sync:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      db_drop:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      rabbit_init:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      tests:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      fernet_setup:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      fernet_rotate:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      credential_setup:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      credential_rotate:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      credential_cleanup:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
      image_repo_sync:
        requests:
          memory: '128Mi'
          cpu: '100m'
        limits:
          memory: '1024Mi'
          cpu: '2000m'
  probes:
    api:
      api:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 15
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 50
            periodSeconds: 60
            timeoutSeconds: 15
# Key-management jobs and cron jobs.
jobs:
  fernet_setup:
    user: keystone
    group: keystone
  fernet_rotate:
    # NOTE(rk760n): key rotation frequency, token expiration and the number
    # of active keys must satisfy
    #   max_active_keys = (token_expiration / rotation_frequency) + 2
    # With conf.keystone.token.expiration at 12h and keystone's default
    # max_active_keys of 3, rotation every 12 hours is the fastest allowed;
    # rotating faster than the formula permits retires keys that still back
    # valid tokens, so re-derive this schedule whenever expiration changes.
    cron: '0 */12 * * *'
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1
  credential_setup:
    user: keystone
    group: keystone
  credential_rotate:
    # Monthly rotation of the credential-encryption keys; migrate_wait is the
    # number of seconds the job allows for re-encryption before proceeding.
    cron: '0 0 1 * *'
    migrate_wait: 120
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1

# Rendered only when manifests.network_policy is true. An empty rule
# (`- {}`) matches every peer, so as written this is allow-all in both
# directions; replace it with explicit peer/port selectors (ingress from the
# ingress controller and OpenStack services, egress to the DB, RabbitMQ,
# memcached, LDAP and DNS endpoints) before enabling the policy.
network_policy:
  keystone:
    ingress:
      - {}
    egress:
      - {}

# Configuration rendered into the keystone and Apache config files.
conf:
  # Apache hardening snippet. Server version disclosure and TRACE are turned
  # off; the two response-header directives stay commented out because they
  # require mod_headers (keystone serves JSON, so clickjacking/sniffing
  # protections matter mostly for the WebSSO callback page).
  security: |
    #
    # Disable access to the entire file system except for the directories that
    # are explicitly allowed later.
    #
    # This currently breaks the configurations that come with some web application
    # Debian packages.
    #
    #<Directory />
    #   AllowOverride None
    #   Require all denied
    #</Directory>

    # Changing the following options will not really affect the security of the
    # server, but might make attacks slightly more difficult in some cases.

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of:  On | Off | EMail
    ServerSignature Off

    #
    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of:  On | Off | extended
    TraceEnable Off

    #
    # Forbid access to version control directories
    #
    # If you use version control systems in your document root, you should
    # probably deny access to their directories. For example, for subversion:
    #
    #<DirectoryMatch "/\.svn">
    #   Require all denied
    #</DirectoryMatch>

    #
    # Setting this header will prevent MSIE from interpreting files as something
    # else than declared by the content type in the HTTP headers.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Content-Type-Options: "nosniff"

    #
    # Setting this header will prevent other sites from embedding pages from this
    # site as frames. This defends against clickjacking attacks.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Frame-Options: "sameorigin"
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      # NOTE(review): Debian's directory is named sites-enabled; confirm how
      # the container's start script uses this value before changing it.
      site_dir: /etc/apache2/sites-enable
      conf_dir: /etc/apache2/conf-enabled
      mods_dir: /etc/apache2/mods-available
      a2enmod: null
      a2dismod: null
  # keystone.conf sections.
  keystone:
    DEFAULT:
      log_config_append: /etc/keystone/logging.conf
      max_token_size: 255
      # NOTE(rk760n): uncomment to emit authentication notifications as well.
      # An empty opt-out list suppresses nothing, which is what a detection
      # pipeline consuming identity.authenticate.* events wants; confirm the
      # deployed release's default opt-out list before relying on it.
      # notification_opt_out: ""
    token:
      provider: fernet
      # 12 hours; keep jobs.fernet_rotate.cron consistent with this value.
      expiration: 43200
    identity:
      domain_specific_drivers_enabled: true
      domain_config_dir: /etc/keystone/domains
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
      max_retries: -1
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    oslo_messaging_notifications:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    oslo_middleware:
      # Makes keystone honour X-Forwarded-* headers from the proxy in front
      # of it. NOTE(review): only safe when the API is reachable solely
      # through a proxy that sets or overwrites those headers; a client that
      # can reach the pod directly could otherwise spoof scheme/host/prefix.
      enable_proxy_headers_parsing: true
    oslo_policy:
      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # NOTE(vdrok): The following two options have effect only for the SQL
      # identity backend. Five failed logins lock the account for 1800s (30m).
      lockout_failure_attempts: 5
      lockout_duration: 1800
  # NOTE(lamt) We can leverage multiple domains with different
  # configurations as outlined in
  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
  # A sample of the value override can be found in sample file:
  # tools/overrides/example/keystone_domain_config.yaml
  # ks_domains:
  policy: {}
  access_rules: {}
  rabbitmq:
    # NOTE(rk760n): RabbitMQ policy that mirrors notification-queue messages
    # across the cluster and expires them after 70s.
    policies:
      - vhost: 'keystone'
        name: 'ha_ttl_keystone'
        definition:
          # mirror messages to the other nodes in the rmq cluster
          ha-mode: 'all'
          ha-sync-mode: 'automatic'
          # 70s
          message-ttl: 70000
        priority: 0
        apply-to: all
        pattern: '^(?!(amq\.|reply_)).*'
  # Rally scenarios executed by the test pod (manifests.pod_rally_test).
  rally_tests:
    run_tempest: false
    tests:
      KeystoneBasic.add_and_remove_user_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.authenticate_user_and_validate_token:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_add_and_list_user_roles:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_ec2credential:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_ec2credentials:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_service:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_get_role:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_services:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_tenants:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_users:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_delete_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant_with_users:
        - args:
            users_per_tenant: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_update_and_delete_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_set_enabled_and_delete:
        - args:
            enabled: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
        - args:
            enabled: false
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_update_password:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.get_entities:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit         1024
      StartServers        32
      MinSpareThreads     32
      MaxSpareThreads     256
      ThreadsPerChild     25
      MaxRequestsPerChild 128
      ThreadLimit         720
    </IfModule>
  # Apache vhost for the public WSGI app. Requests carrying an
  # X-Forwarded-For header are logged with the "proxy" LogFormat, i.e. the
  # logged client address comes from that header; it is only trustworthy
  # when the ingress/proxy in front of keystone sets or overwrites it.
  # WSGIPassAuthorization On forwards the Authorization header to keystone,
  # which needs it for token requests.
  wsgi_keystone: |
    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

    Listen 0.0.0.0:{{ $portInt }}

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded

    <VirtualHost *:{{ $portInt }}>
        WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded
    </VirtualHost>
  # HTML page returned after a federated (WebSSO) login: keystone fills in
  # $host (the dashboard the token is POSTed to) and $token, and the page
  # auto-submits. NOTE(review): which $host values keystone will accept is
  # governed by its federation trusted_dashboard setting, which this file
  # does not set; confirm it is configured before enabling WebSSO.
  sso_callback_template: |
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Keystone WebSSO redirect</title>
      </head>
      <body>
        <form id="sso" name="sso" action="$host" method="post">
          Please wait...
          <br/>
          <input type="hidden" name="token" id="token" value="$token"/>
          <noscript>
            <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
              value="If your JavaScript is disabled, please click to continue"/>
          </noscript>
        </form>
        <script type="text/javascript">
          window.onload = function() {
            document.forms['sso'].submit();
          }
        </script>
      </body>
    </html>
  # Python logging config (rendered as logging.conf). The root logger is
  # wired to the null handler, so only the `keystone` logger (INFO, stdout)
  # and the WARNING-level library loggers (stderr) produce output.
  logging:
    loggers:
      keys:
        - root
        - keystone
    handlers:
      keys:
        - stdout
        - stderr
        - 'null'
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_keystone:
      level: INFO
      handlers:
        - stdout
      qualname: keystone
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: '%Y-%m-%d %H:%M:%S'
    formatter_default:
      format: '%(message)s'
      datefmt: '%Y-%m-%d %H:%M:%S'

# Names of the Kubernetes Secrets used by bootstrap and environmental
# checks. These presumably carry the credentials declared under
# endpoints.*.auth, so they are where per-environment secrets must land
# instead of the placeholder passwords in this file.
secrets:
  identity:
    admin: keystone-keystone-admin
    test: keystone-keystone-test
  oslo_db:
    admin: keystone-db-admin
    keystone: keystone-db-user
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
  ldap:
    tls: keystone-ldap-tls
  tls:
    identity:
      api:
        public: keystone-tls-public
        internal: keystone-tls-api

# Typically overridden by environmental values, but should include all
# endpoints required by this chart.
#
# NOTE(review): every `password: password` below is a placeholder. Override
# all of them (admin, test, DB, RabbitMQ) per environment; a deployment that
# keeps any of these defaults is trivially compromised.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  identity:
    namespace: null
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
      # The rally test user is granted the admin role; disable
      # manifests.pod_rally_test in production or give it a narrower role.
      test:
        role: admin
        region_name: RegionOne
        username: keystone-test
        password: password
        project_name: test
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: /v3
    # Plain http by default; see the TLS note above for the public endpoint.
    scheme:
      default: http
    port:
      api:
        default: 80
        # NOTE(portdirect): to retain portability across images, and allow
        # running under a unprivileged user simply, we default to a port > 1000.
        internal: 5000
  oslo_db:
    namespace: null
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      keystone:
        username: keystone
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    namespace: null
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      keystone:
        username: keystone
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  # memcached backs conf.keystone.cache and has no authentication of its
  # own; restrict who can reach it (network policy) to the OpenStack pods.
  oslo_cache:
    namespace: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  ldap:
    auth:
      client:
        tls:
          # NOTE(lamt): Specifying a CA value here places a LDAPS certificate at
          # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the following
          # keys also need to be overridden under section [ldap] or the
          # correct domain-specific setting, else it will not be enabled:
          #
          #   use_tls: true
          #   tls_req_cert: demand    # Valid values: demand, never, allow.
          #                           # Only 'demand' verifies the server
          #                           # certificate; 'allow'/'never' accept
          #                           # an unverified LDAP server.
          #   tls_cacertfile: /etc/certs/tls.ca   # abs path to the CA cert
          ca: null
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress.
  # They are used to enable the egress Kubernetes network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

# Which templates are rendered. Security-relevant defaults: network_policy
# is off (and allow-all when on, see network_policy above), certificates
# (cert-manager objects) are off, and the destructive db_drop job is off.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  cron_credential_rotate: true
  cron_fernet_rotate: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_credential_cleanup: true
  job_credential_setup: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_domain_manage: true
  job_fernet_setup: true
  job_image_repo_sync: true
  job_rabbit_init: true
  pdb_api: true
  pod_rally_test: true
  network_policy: false
  secret_credential_keys: true
  secret_db: true
  secret_fernet_keys: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  service_ingress_api: true
  service_api: true
...
1096...