Mohammed Naserf3f59a72023-01-15 21:02:04 -05001# Licensed under the Apache License, Version 2.0 (the "License");
2# you may not use this file except in compliance with the License.
3# You may obtain a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS,
9# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10# See the License for the specific language governing permissions and
11# limitations under the License.
12
13# Default values for keystone.
14# This is a YAML-formatted file.
15# Declare name/value pairs to be passed into your templates.
16# name: value
17
18---
19labels:
20 api:
21 node_selector_key: openstack-control-plane
22 node_selector_value: enabled
23 job:
24 node_selector_key: openstack-control-plane
25 node_selector_value: enabled
26 test:
27 node_selector_key: openstack-control-plane
28 node_selector_value: enabled
29
30release_group: null
31
32# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
33# Set to false to upgrade using helm2
34helm3_hook: true
35
36images:
37 tags:
Oleksandr K.a61b3b02024-11-19 15:46:06 +010038 bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
Mohammed Naserf3f59a72023-01-15 21:02:04 -050039 test: docker.io/xrally/xrally-openstack:2.0.0
Oleksandr K.a61b3b02024-11-19 15:46:06 +010040 db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
41 keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
42 db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
43 ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
44 rabbit_init: docker.io/rabbitmq:3.13-management
45 keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
46 keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
47 keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
48 keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
49 keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
50 keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
51 keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
52 dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
Mohammed Naserf3f59a72023-01-15 21:02:04 -050053 image_repo_sync: docker.io/docker:17.07.0
54 pull_policy: "IfNotPresent"
55 local_registry:
56 active: false
57 exclude:
58 - dep_check
59 - image_repo_sync
60
61bootstrap:
62 enabled: true
63 ks_user: admin
64 script: |
65 # admin needs the admin role for the default domain
66 openstack role add \
67 --user="${OS_USERNAME}" \
68 --domain="${OS_DEFAULT_DOMAIN}" \
69 "admin"
70
Mohammed Naserf3f59a72023-01-15 21:02:04 -050071network:
72 api:
73 ingress:
74 public: true
75 classes:
76 namespace: "nginx"
77 cluster: "nginx-cluster"
78 annotations:
79 nginx.ingress.kubernetes.io/rewrite-target: /
80 external_policy_local: false
81 node_port:
82 enabled: false
83 port: 30500
84 admin:
85 node_port:
86 enabled: false
87 port: 30357
88
89dependencies:
90 dynamic:
91 common:
92 local_image_registry:
93 jobs:
94 - keystone-image-repo-sync
95 services:
96 - endpoint: node
97 service: local_image_registry
98 rabbit_init:
99 services:
100 - service: oslo_messaging
101 endpoint: internal
102 static:
103 api:
104 jobs:
105 - keystone-db-sync
106 - keystone-credential-setup
107 - keystone-fernet-setup
108 services:
109 - endpoint: internal
110 service: oslo_cache
111 - endpoint: internal
112 service: oslo_db
113 bootstrap:
114 jobs:
115 - keystone-domain-manage
116 services:
117 - endpoint: internal
118 service: identity
119 credential_rotate:
120 jobs:
121 - keystone-credential-setup
122 credential_setup: null
123 credential_cleanup:
124 services:
125 - endpoint: internal
126 service: oslo_db
127 db_drop:
128 services:
129 - endpoint: internal
130 service: oslo_db
131 db_init:
132 services:
133 - endpoint: internal
134 service: oslo_db
135 db_sync:
136 jobs:
137 - keystone-db-init
138 - keystone-credential-setup
139 - keystone-fernet-setup
140 services:
141 - endpoint: internal
142 service: oslo_db
143 domain_manage:
144 services:
145 - endpoint: internal
146 service: identity
147 fernet_rotate:
148 jobs:
149 - keystone-fernet-setup
150 fernet_setup: null
151 tests:
152 services:
153 - endpoint: internal
154 service: identity
155 image_repo_sync:
156 services:
157 - endpoint: internal
158 service: local_image_registry
159
160pod:
Dong Ma88ac73f2025-02-10 14:58:50 +0000161 priorityClassName:
162 keystone_api: null
163 keystone_tests: null
164 keystone_credential_rotate: null
165 keystone_fernet_rotate: null
166 db_sync: null
167 runtimeClassName:
168 keystone_api: null
169 keystone_tests: null
170 keystone_credential_rotate: null
171 keystone_fernet_rotate: null
172 db_sync: null
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500173 security_context:
174 keystone:
175 pod:
176 runAsUser: 42424
177 container:
178 keystone_api:
179 readOnlyRootFilesystem: true
180 allowPrivilegeEscalation: false
181 credential_setup:
182 pod:
183 runAsUser: 42424
184 container:
185 keystone_credential_setup:
186 readOnlyRootFilesystem: true
187 allowPrivilegeEscalation: false
188 fernet_setup:
189 pod:
190 runAsUser: 42424
191 container:
192 keystone_fernet_setup:
193 readOnlyRootFilesystem: true
194 allowPrivilegeEscalation: false
195 fernet_rotate:
196 pod:
197 runAsUser: 42424
198 container:
199 keystone_fernet_rotate:
200 readOnlyRootFilesystem: true
201 allowPrivilegeEscalation: false
202 domain_manage:
203 pod:
204 runAsUser: 42424
205 container:
206 keystone_domain_manage_init:
207 readOnlyRootFilesystem: true
208 allowPrivilegeEscalation: false
209 keystone_domain_manage:
210 readOnlyRootFilesystem: true
211 allowPrivilegeEscalation: false
212 test:
213 pod:
214 runAsUser: 42424
215 container:
216 keystone_test_ks_user:
217 readOnlyRootFilesystem: true
218 allowPrivilegeEscalation: false
219 keystone_test:
220 runAsUser: 65500
221 readOnlyRootFilesystem: true
222 allowPrivilegeEscalation: false
223 affinity:
224 anti:
225 type:
226 default: preferredDuringSchedulingIgnoredDuringExecution
227 topologyKey:
228 default: kubernetes.io/hostname
229 weight:
230 default: 10
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100231 tolerations:
232 keystone:
233 enabled: false
234 tolerations:
235 - key: node-role.kubernetes.io/master
236 operator: Exists
237 effect: NoSchedule
Rico Linc6ac7a12023-11-03 00:25:40 +0800238 - key: node-role.kubernetes.io/control-plane
239 operator: Exists
240 effect: NoSchedule
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500241 mounts:
242 keystone_db_init:
243 init_container: null
244 keystone_db_init:
245 volumeMounts:
246 volumes:
247 keystone_db_sync:
248 init_container: null
249 keystone_db_sync:
250 volumeMounts:
251 volumes:
252 keystone_api:
253 init_container: null
254 keystone_api:
255 volumeMounts:
256 volumes:
257 keystone_tests:
258 init_container: null
259 keystone_tests:
260 volumeMounts:
261 volumes:
262 keystone_bootstrap:
263 init_container: null
264 keystone_bootstrap:
265 volumeMounts:
266 volumes:
267 keystone_fernet_setup:
268 init_container: null
269 keystone_fernet_setup:
270 volumeMounts:
271 volumes:
272 keystone_fernet_rotate:
273 init_container: null
274 keystone_fernet_rotate:
275 volumeMounts:
276 volumes:
277 keystone_credential_setup:
278 init_container: null
279 keystone_credential_setup:
280 volumeMounts:
281 volumes:
282 keystone_credential_rotate:
283 init_container: null
284 keystone_credential_rotate:
285 volumeMounts:
286 volumes:
287 keystone_credential_cleanup:
288 init_container: null
289 keystone_credential_cleanup:
290 volumeMounts:
291 volumes:
292 keystone_domain_manage:
293 init_container: null
294 keystone_domain_manage:
295 volumeMounts:
296 volumes:
297 replicas:
298 api: 1
299 lifecycle:
300 upgrades:
301 deployments:
302 revision_history: 3
303 pod_replacement_strategy: RollingUpdate
304 rolling_update:
305 max_unavailable: 1
306 max_surge: 3
307 disruption_budget:
308 api:
309 min_available: 0
310 termination_grace_period:
311 api:
312 timeout: 30
313 resources:
314 enabled: false
315 api:
316 requests:
317 memory: "128Mi"
318 cpu: "100m"
319 limits:
320 memory: "1024Mi"
321 cpu: "2000m"
322 jobs:
323 bootstrap:
324 requests:
325 memory: "128Mi"
326 cpu: "100m"
327 limits:
328 memory: "1024Mi"
329 cpu: "2000m"
330 domain_manage:
331 requests:
332 memory: "128Mi"
333 cpu: "100m"
334 limits:
335 memory: "1024Mi"
336 cpu: "2000m"
337 db_init:
338 requests:
339 memory: "128Mi"
340 cpu: "100m"
341 limits:
342 memory: "1024Mi"
343 cpu: "2000m"
344 db_sync:
345 requests:
346 memory: "128Mi"
347 cpu: "100m"
348 limits:
349 memory: "1024Mi"
350 cpu: "2000m"
351 db_drop:
352 requests:
353 memory: "128Mi"
354 cpu: "100m"
355 limits:
356 memory: "1024Mi"
357 cpu: "2000m"
358 rabbit_init:
359 requests:
360 memory: "128Mi"
361 cpu: "100m"
362 limits:
363 memory: "1024Mi"
364 cpu: "2000m"
365 tests:
366 requests:
367 memory: "128Mi"
368 cpu: "100m"
369 limits:
370 memory: "1024Mi"
371 cpu: "2000m"
372 fernet_setup:
373 requests:
374 memory: "128Mi"
375 cpu: "100m"
376 limits:
377 memory: "1024Mi"
378 cpu: "2000m"
379 fernet_rotate:
380 requests:
381 memory: "128Mi"
382 cpu: "100m"
383 limits:
384 memory: "1024Mi"
385 cpu: "2000m"
386 credential_setup:
387 requests:
388 memory: "128Mi"
389 cpu: "100m"
390 limits:
391 memory: "1024Mi"
392 cpu: "2000m"
393 credential_rotate:
394 requests:
395 memory: "128Mi"
396 cpu: "100m"
397 limits:
398 memory: "1024Mi"
399 cpu: "2000m"
400 credential_cleanup:
401 requests:
402 memory: "128Mi"
403 cpu: "100m"
404 limits:
405 memory: "1024Mi"
406 cpu: "2000m"
407 image_repo_sync:
408 requests:
409 memory: "128Mi"
410 cpu: "100m"
411 limits:
412 memory: "1024Mi"
413 cpu: "2000m"
414 probes:
415 api:
416 api:
417 readiness:
418 enabled: true
419 params:
420 initialDelaySeconds: 15
421 periodSeconds: 60
422 timeoutSeconds: 15
423 liveness:
424 enabled: true
425 params:
426 initialDelaySeconds: 50
427 periodSeconds: 60
428 timeoutSeconds: 15
429jobs:
430 fernet_setup:
431 user: keystone
432 group: keystone
433 fernet_rotate:
Oleksandr K.a61b3b02024-11-19 15:46:06 +0100434 # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should satisfy the formula
435 # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
436 # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
437 # rotation_frequency needs to be adjusted accordingly
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500438 # 12 hours
439 cron: "0 */12 * * *"
440 user: keystone
441 group: keystone
442 history:
443 success: 3
444 failed: 1
445 credential_setup:
446 user: keystone
447 group: keystone
448 credential_rotate:
449 # monthly
450 cron: "0 0 1 * *"
451 migrate_wait: 120
452 user: keystone
453 group: keystone
454 history:
455 success: 3
456 failed: 1
457
458network_policy:
459 keystone:
460 ingress:
461 - {}
462 egress:
463 - {}
464
465conf:
466 security: |
467 #
468 # Disable access to the entire file system except for the directories that
469 # are explicitly allowed later.
470 #
471 # This currently breaks the configurations that come with some web application
472 # Debian packages.
473 #
474 #<Directory />
475 # AllowOverride None
476 # Require all denied
477 #</Directory>
478
479 # Changing the following options will not really affect the security of the
480 # server, but might make attacks slightly more difficult in some cases.
481
482 #
483 # ServerTokens
484 # This directive configures what you return as the Server HTTP response
485 # Header. The default is 'Full' which sends information about the OS-Type
486 # and compiled in modules.
487 # Set to one of: Full | OS | Minimal | Minor | Major | Prod
488 # where Full conveys the most information, and Prod the least.
489 ServerTokens Prod
490
491 #
492 # Optionally add a line containing the server version and virtual host
493 # name to server-generated pages (internal error documents, FTP directory
494 # listings, mod_status and mod_info output etc., but not CGI generated
495 # documents or custom error documents).
496 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
497 # Set to one of: On | Off | EMail
498 ServerSignature Off
499
500 #
501 # Allow TRACE method
502 #
503 # Set to "extended" to also reflect the request body (only for testing and
504 # diagnostic purposes).
505 #
506 # Set to one of: On | Off | extended
507 TraceEnable Off
508
509 #
510 # Forbid access to version control directories
511 #
512 # If you use version control systems in your document root, you should
513 # probably deny access to their directories. For example, for subversion:
514 #
515 #<DirectoryMatch "/\.svn">
516 # Require all denied
517 #</DirectoryMatch>
518
519 #
520 # Setting this header will prevent MSIE from interpreting files as something
521 # else than declared by the content type in the HTTP headers.
522 # Requires mod_headers to be enabled.
523 #
524 #Header set X-Content-Type-Options: "nosniff"
525
526 #
527 # Setting this header will prevent other sites from embedding pages from this
528 # site as frames. This defends against clickjacking attacks.
529 # Requires mod_headers to be enabled.
530 #
531 #Header set X-Frame-Options: "sameorigin"
532 software:
533 apache2:
534 binary: apache2
535 start_parameters: -DFOREGROUND
536 site_dir: /etc/apache2/sites-enable
537 conf_dir: /etc/apache2/conf-enabled
538 mods_dir: /etc/apache2/mods-available
539 a2enmod: null
540 a2dismod: null
541 keystone:
542 DEFAULT:
543 log_config_append: /etc/keystone/logging.conf
544 max_token_size: 255
545 # NOTE(rk760n): if you need auth notifications to be sent, uncomment the option below
546 # notification_opt_out: ""
547 token:
548 provider: fernet
549 # 12 hours
550 expiration: 43200
551 identity:
552 domain_specific_drivers_enabled: True
553 domain_config_dir: /etc/keystone/domains
554 fernet_tokens:
555 key_repository: /etc/keystone/fernet-keys/
Oleksandr K.a61b3b02024-11-19 15:46:06 +0100556 max_active_keys: 7
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500557 credential:
558 key_repository: /etc/keystone/credential-keys/
559 database:
560 max_retries: -1
561 cache:
562 enabled: true
563 backend: dogpile.cache.memcached
564 oslo_messaging_notifications:
565 driver: messagingv2
566 oslo_messaging_rabbit:
567 rabbit_ha_queues: true
568 oslo_middleware:
569 enable_proxy_headers_parsing: true
570 oslo_policy:
571 policy_file: /etc/keystone/policy.yaml
572 security_compliance:
573 # NOTE(vdrok): The following two options take effect only for the SQL backend
574 lockout_failure_attempts: 5
575 lockout_duration: 1800
576 # NOTE(lamt) We can leverage multiple domains with different
577 # configurations as outlined in
578 # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
579 # A sample of the value override can be found in the sample file:
580 # tools/overrides/example/keystone_domain_config.yaml
581 # ks_domains:
582 policy: {}
583 access_rules: {}
584 rabbitmq:
585 # NOTE(rk760n): adding an rmq policy to mirror messages from notification queues and set an expiration time for them
586 policies:
587 - vhost: "keystone"
588 name: "ha_ttl_keystone"
589 definition:
590 # mirror messages to other nodes in the rmq cluster
591 ha-mode: "all"
592 ha-sync-mode: "automatic"
593 # 70s
594 message-ttl: 70000
595 priority: 0
596 apply-to: all
597 pattern: '^(?!(amq\.|reply_)).*'
598 rally_tests:
599 run_tempest: false
600 tests:
601 KeystoneBasic.add_and_remove_user_role:
602 - runner:
603 concurrency: 1
604 times: 1
605 type: constant
606 sla:
607 failure_rate:
608 max: 0
609 KeystoneBasic.authenticate_user_and_validate_token:
610 - args: {}
611 runner:
612 concurrency: 1
613 times: 1
614 type: constant
615 sla:
616 failure_rate:
617 max: 0
618 KeystoneBasic.create_add_and_list_user_roles:
619 - runner:
620 concurrency: 1
621 times: 1
622 type: constant
623 sla:
624 failure_rate:
625 max: 0
626 KeystoneBasic.create_and_delete_ec2credential:
627 - runner:
628 concurrency: 1
629 times: 1
630 type: constant
631 sla:
632 failure_rate:
633 max: 0
634 KeystoneBasic.create_and_list_ec2credentials:
635 - runner:
636 concurrency: 1
637 times: 1
638 type: constant
639 sla:
640 failure_rate:
641 max: 0
642 KeystoneBasic.create_and_delete_role:
643 - runner:
644 concurrency: 1
645 times: 1
646 type: constant
647 sla:
648 failure_rate:
649 max: 0
650 KeystoneBasic.create_and_delete_service:
651 - args:
652 description: test_description
653 service_type: Rally_test_type
654 runner:
655 concurrency: 1
656 times: 1
657 type: constant
658 sla:
659 failure_rate:
660 max: 0
661 KeystoneBasic.create_and_get_role:
662 - args: {}
663 runner:
664 concurrency: 1
665 times: 1
666 type: constant
667 sla:
668 failure_rate:
669 max: 0
670 KeystoneBasic.create_and_list_services:
671 - args:
672 description: test_description
673 service_type: Rally_test_type
674 runner:
675 concurrency: 1
676 times: 1
677 type: constant
678 sla:
679 failure_rate:
680 max: 0
681 KeystoneBasic.create_and_list_tenants:
682 - args: {}
683 runner:
684 concurrency: 1
685 times: 1
686 type: constant
687 sla:
688 failure_rate:
689 max: 0
690 KeystoneBasic.create_and_list_users:
691 - args: {}
692 runner:
693 concurrency: 1
694 times: 1
695 type: constant
696 sla:
697 failure_rate:
698 max: 0
699 KeystoneBasic.create_delete_user:
700 - args: {}
701 runner:
702 concurrency: 1
703 times: 1
704 type: constant
705 sla:
706 failure_rate:
707 max: 0
708 KeystoneBasic.create_tenant:
709 - args: {}
710 runner:
711 concurrency: 1
712 times: 1
713 type: constant
714 sla:
715 failure_rate:
716 max: 0
717 KeystoneBasic.create_tenant_with_users:
718 - args:
719 users_per_tenant: 1
720 runner:
721 concurrency: 1
722 times: 1
723 type: constant
724 sla:
725 failure_rate:
726 max: 0
727 KeystoneBasic.create_update_and_delete_tenant:
728 - args: {}
729 runner:
730 concurrency: 1
731 times: 1
732 type: constant
733 sla:
734 failure_rate:
735 max: 0
736 KeystoneBasic.create_user:
737 - args: {}
738 runner:
739 concurrency: 1
740 times: 1
741 type: constant
742 sla:
743 failure_rate:
744 max: 0
745 KeystoneBasic.create_user_set_enabled_and_delete:
746 - args:
747 enabled: true
748 runner:
749 concurrency: 1
750 times: 1
751 type: constant
752 sla:
753 failure_rate:
754 max: 0
755 - args:
756 enabled: false
757 runner:
758 concurrency: 1
759 times: 1
760 type: constant
761 sla:
762 failure_rate:
763 max: 0
764 KeystoneBasic.create_user_update_password:
765 - args: {}
766 runner:
767 concurrency: 1
768 times: 1
769 type: constant
770 sla:
771 failure_rate:
772 max: 0
773 KeystoneBasic.get_entities:
774 - runner:
775 concurrency: 1
776 times: 1
777 type: constant
778 sla:
779 failure_rate:
780 max: 0
781 mpm_event: |
782 <IfModule mpm_event_module>
783 ServerLimit 1024
784 StartServers 32
785 MinSpareThreads 32
786 MaxSpareThreads 256
787 ThreadsPerChild 25
788 MaxRequestsPerChild 128
789 ThreadLimit 720
790 </IfModule>
791 wsgi_keystone: |
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100792 {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500793
794 Listen 0.0.0.0:{{ $portInt }}
795
796 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
797 LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
798
799 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
800 CustomLog /dev/stdout combined env=!forwarded
801 CustomLog /dev/stdout proxy env=forwarded
802
803 <VirtualHost *:{{ $portInt }}>
804 WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
805 WSGIProcessGroup keystone-public
806 WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
807 WSGIApplicationGroup %{GLOBAL}
808 WSGIPassAuthorization On
809 <IfVersion >= 2.4>
810 ErrorLogFormat "%{cu}t %M"
811 </IfVersion>
812 ErrorLog /dev/stdout
813
814 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
815 CustomLog /dev/stdout combined env=!forwarded
816 CustomLog /dev/stdout proxy env=forwarded
817 </VirtualHost>
818 sso_callback_template: |
819 <!DOCTYPE html>
820 <html xmlns="http://www.w3.org/1999/xhtml">
821 <head>
822 <title>Keystone WebSSO redirect</title>
823 </head>
824 <body>
825 <form id="sso" name="sso" action="$host" method="post">
826 Please wait...
827 <br/>
828 <input type="hidden" name="token" id="token" value="$token"/>
829 <noscript>
830 <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
831 value="If your JavaScript is disabled, please click to continue"/>
832 </noscript>
833 </form>
834 <script type="text/javascript">
835 window.onload = function() {
836 document.forms['sso'].submit();
837 }
838 </script>
839 </body>
840 </html>
841 logging:
842 loggers:
843 keys:
844 - root
845 - keystone
846 handlers:
847 keys:
848 - stdout
849 - stderr
850 - "null"
851 formatters:
852 keys:
853 - context
854 - default
855 logger_root:
856 level: WARNING
857 handlers: 'null'
858 logger_keystone:
859 level: INFO
860 handlers:
861 - stdout
862 qualname: keystone
863 logger_amqp:
864 level: WARNING
865 handlers: stderr
866 qualname: amqp
867 logger_amqplib:
868 level: WARNING
869 handlers: stderr
870 qualname: amqplib
871 logger_eventletwsgi:
872 level: WARNING
873 handlers: stderr
874 qualname: eventlet.wsgi.server
875 logger_sqlalchemy:
876 level: WARNING
877 handlers: stderr
878 qualname: sqlalchemy
879 logger_boto:
880 level: WARNING
881 handlers: stderr
882 qualname: boto
883 handler_null:
884 class: logging.NullHandler
885 formatter: default
886 args: ()
887 handler_stdout:
888 class: StreamHandler
889 args: (sys.stdout,)
890 formatter: context
891 handler_stderr:
892 class: StreamHandler
893 args: (sys.stderr,)
894 formatter: context
895 formatter_context:
896 class: oslo_log.formatters.ContextFormatter
897 datefmt: "%Y-%m-%d %H:%M:%S"
898 formatter_default:
899 format: "%(message)s"
900 datefmt: "%Y-%m-%d %H:%M:%S"
901
902# Names of secrets used by bootstrap and environmental checks
903secrets:
904 identity:
905 admin: keystone-keystone-admin
906 test: keystone-keystone-test
907 oslo_db:
908 admin: keystone-db-admin
909 keystone: keystone-db-user
910 oslo_messaging:
911 admin: keystone-rabbitmq-admin
912 keystone: keystone-rabbitmq-user
913 ldap:
914 tls: keystone-ldap-tls
915 tls:
916 identity:
917 api:
918 public: keystone-tls-public
919 internal: keystone-tls-api
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100920 oci_image_registry:
921 keystone: keystone-oci-image-registry
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500922
923# typically overridden by environment-specific
924# values, but should include all endpoints
925# required by this chart
926endpoints:
927 cluster_domain_suffix: cluster.local
928 local_image_registry:
929 name: docker-registry
930 namespace: docker-registry
931 hosts:
932 default: localhost
933 internal: docker-registry
934 node: localhost
935 host_fqdn_override:
936 default: null
937 port:
938 registry:
939 node: 5000
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100940 oci_image_registry:
941 name: oci-image-registry
942 namespace: oci-image-registry
943 auth:
944 enabled: false
945 keystone:
946 username: keystone
947 password: password
948 hosts:
949 default: localhost
950 host_fqdn_override:
951 default: null
952 port:
953 registry:
954 default: null
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500955 identity:
956 namespace: null
957 name: keystone
958 auth:
959 admin:
960 region_name: RegionOne
961 username: admin
962 password: password
963 project_name: admin
964 user_domain_name: default
965 project_domain_name: default
966 default_domain_id: default
967 test:
968 role: admin
969 region_name: RegionOne
970 username: keystone-test
971 password: password
972 project_name: test
973 user_domain_name: default
974 project_domain_name: default
975 default_domain_id: default
976 hosts:
977 default: keystone
978 internal: keystone-api
979 host_fqdn_override:
980 default: null
981 # NOTE(portdirect): this chart supports TLS for fqdn-overridden public
982 # endpoints using the following format:
983 # public:
984 # host: null
985 # tls:
986 # crt: null
987 # key: null
988 path:
989 default: /v3
990 scheme:
991 default: http
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100992 service: http
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500993 port:
994 api:
995 default: 80
996 # NOTE(portdirect): to retain portability across images, and allow
997 # running simply under an unprivileged user, we default to a port > 1000.
998 internal: 5000
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100999 service: 5000
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001000 oslo_db:
1001 namespace: null
1002 auth:
1003 admin:
1004 username: root
1005 password: password
1006 secret:
1007 tls:
1008 internal: mariadb-tls-direct
1009 keystone:
1010 username: keystone
1011 password: password
1012 hosts:
1013 default: mariadb
1014 host_fqdn_override:
1015 default: null
1016 path: /keystone
1017 scheme: mysql+pymysql
1018 port:
1019 mysql:
1020 default: 3306
1021 oslo_messaging:
1022 namespace: null
1023 auth:
1024 admin:
1025 username: rabbitmq
1026 password: password
1027 secret:
1028 tls:
1029 internal: rabbitmq-tls-direct
1030 keystone:
1031 username: keystone
1032 password: password
1033 statefulset:
1034 replicas: 2
1035 name: rabbitmq-rabbitmq
1036 hosts:
1037 default: rabbitmq
1038 host_fqdn_override:
1039 default: null
1040 path: /keystone
1041 scheme: rabbit
1042 port:
1043 amqp:
1044 default: 5672
1045 http:
1046 default: 15672
1047 oslo_cache:
1048 namespace: null
1049 hosts:
1050 default: memcached
1051 host_fqdn_override:
1052 default: null
1053 port:
1054 memcache:
1055 default: 11211
1056 ldap:
1057 auth:
1058 client:
1059 tls:
1060 # NOTE(lamt): Specifying a CA value here will place an LDAPS certificate at
1061 # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
1062 # following keys will need to be overridden under the [ldap] section or the
1063 # correct domain-specific setting, else LDAPS will not be enabled:
1064 #
1065 # use_tls: true
1066 # tls_req_cert: allow # Valid values: demand, never, allow
1067 # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
1068 ca: null
1069 fluentd:
1070 namespace: null
1071 name: fluentd
1072 hosts:
1073 default: fluentd-logging
1074 host_fqdn_override:
1075 default: null
1076 path:
1077 default: null
1078 scheme: 'http'
1079 port:
1080 service:
1081 default: 24224
1082 metrics:
1083 default: 24220
1084 # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
1085 # They are used to enable the Egress K8s network policy.
1086 kube_dns:
1087 namespace: kube-system
1088 name: kubernetes-dns
1089 hosts:
1090 default: kube-dns
1091 host_fqdn_override:
1092 default: null
1093 path:
1094 default: null
1095 scheme: http
1096 port:
1097 dns:
1098 default: 53
1099 protocol: UDP
1100 ingress:
1101 namespace: null
1102 name: ingress
1103 hosts:
1104 default: ingress
1105 port:
1106 ingress:
1107 default: 80
1108
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +01001109tls:
1110 identity: false
1111 oslo_messaging: false
1112 oslo_db: false
1113
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001114manifests:
1115 certificates: false
1116 configmap_bin: true
1117 configmap_etc: true
1118 cron_credential_rotate: true
1119 cron_fernet_rotate: true
1120 deployment_api: true
1121 ingress_api: true
1122 job_bootstrap: true
1123 job_credential_cleanup: true
1124 job_credential_setup: true
1125 job_db_init: true
1126 job_db_sync: true
1127 job_db_drop: false
1128 job_domain_manage: true
1129 job_fernet_setup: true
1130 job_image_repo_sync: true
1131 job_rabbit_init: true
1132 pdb_api: true
1133 pod_rally_test: true
1134 network_policy: false
1135 secret_credential_keys: true
1136 secret_db: true
1137 secret_fernet_keys: true
1138 secret_ingress_tls: true
1139 secret_keystone: true
1140 secret_rabbitmq: true
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +01001141 secret_registry: true
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001142 service_ingress_api: true
1143 service_api: true
1144...