| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 1 | # Copyright (c) 2022 VEXXHOST, Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | |
| Mohammed Naser | 2145fc3 | 2023-01-29 23:23:03 +0000 | [diff] [blame] | 15 | _keystone_helm_values: |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 16 | endpoints: "{{ openstack_helm_endpoints }}" |
| 17 | images: |
| Michiel Piscaer | 60d09f9 | 2023-01-20 18:58:55 +0100 | [diff] [blame] | 18 | tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('keystone') }}" |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 19 | pod: |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 20 | replicas: |
| 21 | api: 3 |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 22 | mounts: |
| 23 | keystone_api: |
| 24 | keystone_api: |
| vexxhost-bot | db88658 | 2024-06-05 18:45:24 +0200 | [diff] [blame] | 25 | volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'ca-certificates', 'mountPath': '/etc/ssl/certs/ca-certificates.crt', 'readOnly': true}] }}" |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 26 | volumes: |
| 27 | - name: keystone-openid-metadata |
| 28 | configMap: |
| 29 | name: keystone-openid-metadata |
| vexxhost-bot | db88658 | 2024-06-05 18:45:24 +0200 | [diff] [blame] | 30 | - name: ca-certificates |
| Mohammed Naser | 7ddb041 | 2024-06-04 11:22:07 -0400 | [diff] [blame] | 31 | hostPath: |
| 32 | path: "{{ defaults_ca_certificates_path }}" |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 33 | conf: |
| 34 | keystone: |
| 35 | DEFAULT: |
| 36 | log_config_append: null |
| 37 | auth: |
| 38 | methods: password,token,openid,application_credential |
| 39 | cors: |
| 40 | allowed_origins: "*" |
| Mohammed Naser | c6e431b | 2024-03-15 01:21:44 -0400 | [diff] [blame] | 41 | database: |
| 42 | connection_recycle_time: 10 |
| 43 | max_pool_size: 1 |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 44 | openid: |
| 45 | remote_id_attribute: HTTP_OIDC_ISS |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 46 | federation: |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 47 | # TODO(mnaser): Lookup using openstack_helm_endpoints |
| 48 | trusted_dashboard: "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/websso/" |
| ricolin | 2d8dd48 | 2022-07-07 06:55:02 +0800 | [diff] [blame] | 49 | oslo_messaging_notifications: |
| 50 | driver: noop |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 51 | wsgi_keystone: | |
| 52 | LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so |
| 53 | Listen 0.0.0.0:5000 |
| 54 | TransferLog /dev/stdout |
| 55 | ErrorLog /dev/stderr |
| 56 | <VirtualHost *:5000> |
| 57 | # WSGI |
| 58 | WSGIDaemonProcess keystone-public processes=4 threads=1 user=keystone group=keystone display-name=%{GROUP} |
| 59 | WSGIProcessGroup keystone-public |
| 60 | WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public |
| 61 | WSGIApplicationGroup %{GLOBAL} |
| 62 | WSGIPassAuthorization On |
| 63 | # NOTE(mnaser): This is to by-pass large header limits for large tokens |
| 64 | LimitRequestFieldSize 16384 |
| 65 | # OIDC |
| 66 | OIDCClaimPrefix "OIDC-" |
| 67 | OIDCMetadataDir /var/lib/apache2/oidc |
| 68 | OIDCSSLValidateServer "{{ keystone_oidc_ssl_validate_server }}" |
| 69 | OIDCCryptoPassphrase {{ keystone_oidc_crypto_passphrase }} |
| 70 | OIDCRedirectURI {{ keystone_oidc_redirect_uri }} |
| 71 | OIDCRedirectURLsAllowed {{ keystone_oidc_redirect_urls_allowed | join(' ') }} |
| 72 | # NOTE(mnaser): These are Atmosphere specific settings. |
| 73 | OIDCSessionType client-cookie:store_id_token |
| 74 | OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto |
| 75 | <Location /v3/auth/OS-FEDERATION/identity_providers/redirect> |
| 76 | AuthType openid-connect |
| 77 | Require valid-user |
| 78 | </Location> |
| 79 | <Location /v3/auth/OS-FEDERATION/websso/openid> |
| 80 | Require valid-user |
| 81 | AuthType openid-connect |
| 82 | </Location> |
| 83 | {% for domain in keystone_domains %} |
| 84 | <Location /v3/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/auth> |
| 85 | Require valid-user |
| 86 | AuthType oauth20 |
| 87 | </Location> |
| 88 | <Location /v3/auth/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/websso> |
| 89 | Require valid-user |
| 90 | AuthType openid-connect |
| Michiel Piscaer | 1f65085 | 2023-09-11 17:28:44 +0200 | [diff] [blame] | 91 | OIDCDiscoverURL {{ keystone_oidc_redirect_uri }}?iss={{ domain | vexxhost.atmosphere.urlencoded_issuer_from_domain }} |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 92 | </Location> |
| 93 | {% endfor %} |
| 94 | </VirtualHost> |
| 95 | ks_domains: "{{ keystone_domains | vexxhost.atmosphere.to_ks_domains }}" |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 96 | manifests: |
| 97 | job_credential_cleanup: false |
| 98 | ingress_api: false |
| 99 | service_ingress_api: false |