| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 1 | # Copyright (c) 2022 VEXXHOST, Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | |
| Mohammed Naser | 2145fc3 | 2023-01-29 23:23:03 +0000 | [diff] [blame] | 15 | _keystone_helm_values: |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 16 | endpoints: "{{ openstack_helm_endpoints }}" |
| 17 | images: |
| Michiel Piscaer | 60d09f9 | 2023-01-20 18:58:55 +0100 | [diff] [blame] | 18 | tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('keystone') }}" |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 19 | pod: |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 20 | replicas: |
| 21 | api: 3 |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 22 | mounts: |
| 23 | keystone_api: |
| 24 | keystone_api: |
| Mohammed Naser | 0824e92 | 2024-06-05 08:47:55 -0400 | [diff] [blame] | 25 | volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'ca-certificates', 'mountPath': '/etc/ssl/certs/ca-certificates.crt', 'readOnly': true}] }}" |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 26 | volumes: |
| 27 | - name: keystone-openid-metadata |
| 28 | configMap: |
| 29 | name: keystone-openid-metadata |
| Mohammed Naser | 0824e92 | 2024-06-05 08:47:55 -0400 | [diff] [blame] | 30 | - name: ca-certificates |
| Mohammed Naser | 6a8b6ca | 2024-05-30 17:25:30 -0400 | [diff] [blame] | 31 | hostPath: |
| 32 | path: "{{ defaults_ca_certificates_path }}" |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 33 | conf: |
| 34 | keystone: |
| 35 | DEFAULT: |
| 36 | log_config_append: null |
| 37 | auth: |
| 38 | methods: password,token,openid,application_credential |
| 39 | cors: |
| 40 | allowed_origins: "*" |
| Mohammed Naser | c6e431b | 2024-03-15 01:21:44 -0400 | [diff] [blame] | 41 | database: |
| 42 | connection_recycle_time: 10 |
| 43 | max_pool_size: 1 |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 44 | openid: |
| 45 | remote_id_attribute: HTTP_OIDC_ISS |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 46 | federation: |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 47 | # TODO(mnaser): Lookup using openstack_helm_endpoints |
| vexxhost-bot | 6f0fef5 | 2024-06-21 06:53:51 +0200 | [diff] [blame] | 48 | trusted_dashboard: |
| 49 | type: multistring |
| 50 | values: |
| 51 | - "http://localhost:9990/auth/websso/" |
| 52 | - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/websso/" |
| ricolin | 2d8dd48 | 2022-07-07 06:55:02 +0800 | [diff] [blame] | 53 | oslo_messaging_notifications: |
| 54 | driver: noop |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 55 | wsgi_keystone: | |
| 56 | LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so |
| 57 | Listen 0.0.0.0:5000 |
| 58 | TransferLog /dev/stdout |
| 59 | ErrorLog /dev/stderr |
| 60 | <VirtualHost *:5000> |
| 61 | # WSGI |
| 62 | WSGIDaemonProcess keystone-public processes=4 threads=1 user=keystone group=keystone display-name=%{GROUP} |
| 63 | WSGIProcessGroup keystone-public |
| 64 | WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public |
| 65 | WSGIApplicationGroup %{GLOBAL} |
| 66 | WSGIPassAuthorization On |
| 67 | # NOTE(mnaser): This is to by-pass large header limits for large tokens |
| 68 | LimitRequestFieldSize 16384 |
| 69 | # OIDC |
| 70 | OIDCClaimPrefix "OIDC-" |
| 71 | OIDCMetadataDir /var/lib/apache2/oidc |
| 72 | OIDCSSLValidateServer "{{ keystone_oidc_ssl_validate_server }}" |
| 73 | OIDCCryptoPassphrase {{ keystone_oidc_crypto_passphrase }} |
| 74 | OIDCRedirectURI {{ keystone_oidc_redirect_uri }} |
| 75 | OIDCRedirectURLsAllowed {{ keystone_oidc_redirect_urls_allowed | join(' ') }} |
| 76 | # NOTE(mnaser): These are Atmosphere specific settings. |
| 77 | OIDCSessionType client-cookie:store_id_token |
| 78 | OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto |
| 79 | <Location /v3/auth/OS-FEDERATION/identity_providers/redirect> |
| 80 | AuthType openid-connect |
| 81 | Require valid-user |
| 82 | </Location> |
| 83 | <Location /v3/auth/OS-FEDERATION/websso/openid> |
| 84 | Require valid-user |
| 85 | AuthType openid-connect |
| 86 | </Location> |
| 87 | {% for domain in keystone_domains %} |
| 88 | <Location /v3/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/auth> |
| 89 | Require valid-user |
| 90 | AuthType oauth20 |
| 91 | </Location> |
| 92 | <Location /v3/auth/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/websso> |
| 93 | Require valid-user |
| 94 | AuthType openid-connect |
| Michiel Piscaer | 1f65085 | 2023-09-11 17:28:44 +0200 | [diff] [blame] | 95 | OIDCDiscoverURL {{ keystone_oidc_redirect_uri }}?iss={{ domain | vexxhost.atmosphere.urlencoded_issuer_from_domain }} |
| Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 96 | </Location> |
| 97 | {% endfor %} |
| 98 | </VirtualHost> |
| 99 | ks_domains: "{{ keystone_domains | vexxhost.atmosphere.to_ks_domains }}" |
| Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 100 | manifests: |
| 101 | job_credential_cleanup: false |
| 102 | ingress_api: false |
| 103 | service_ingress_api: false |