# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for barbican.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
# Node selector key/value pairs, one set per workload kind (api, job, test).
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Explicit null: no release group override by default.
release_group: null

# NOTE(philsphicas): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true

images:
  # Image references are floating tags (no digest pin). Combined with
  # pull_policy IfNotPresent below, a node keeps whatever image it already
  # has cached under that tag.
  tags:
    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    scripted_test: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    barbican_db_sync: docker.io/openstackhelm/barbican:wallaby-ubuntu_focal
    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    barbican_api: docker.io/openstackhelm/barbican:wallaby-ubuntu_focal
    rabbit_init: docker.io/rabbitmq:3.7-management
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  # Local registry mirroring is off by default; the two images listed under
  # exclude are never rewritten to the local registry.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

pod:
  # Scheduling class per workload; null leaves the cluster default in place.
  priorityClassName:
    barbican_api: null
    barbican_tests: null
    bootstrap: null
    db_sync: null
  runtimeClassName:
    barbican_api: null
    barbican_tests: null
    bootstrap: null
    db_sync: null
  # Both the api and test pods run as uid 42424; their main containers
  # disable privilege escalation and mount the root filesystem read-only.
  # NOTE(review): runAsNonRoot and seccompProfile are not set in these
  # defaults - set them per deployment if the cluster's pod security
  # standard requires them.
  security_context:
    barbican:
      pod:
        runAsUser: 42424
      container:
        barbican_api:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    test:
      pod:
        runAsUser: 42424
      container:
        barbican_test:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
  # Soft anti-affinity: replicas prefer to spread across hosts.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Control-plane tolerations are declared but disabled by default.
  tolerations:
    barbican:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volume hooks per pod; empty (null) values add nothing.
  # NOTE(review): barbican_db_sync has no init_container entry, unlike the
  # other three - presumably intentional, but worth confirming against the
  # db-sync template.
  mounts:
    barbican_api:
      init_container: null
      barbican_api:
        volumeMounts:
        volumes:
    barbican_bootstrap:
      init_container: null
      barbican_bootstrap:
        volumeMounts:
        volumes:
    barbican_tests:
      init_container: null
      barbican_tests:
        volumeMounts:
        volumes:
    barbican_db_sync:
      barbican_db_sync:
        volumeMounts:
        volumes:
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    # min_available 0 means the PDB never blocks an eviction.
    disruption_budget:
      api:
        min_available: 0
  # Requests/limits are only applied when enabled is true.
  resources:
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"

network:
  api:
    # public: true exposes the API through the ingress controller
    # (see manifests.ingress_api); the NodePort path below is off.
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30486

# Only rendered when manifests.network_policy is true. An empty rule ({})
# matches all traffic, so these defaults allow everything in both
# directions; narrow them to the peers barbican actually needs before
# enabling the policy.
network_policy:
  barbican:
    ingress:
      - {}
    egress:
      - {}

# Optional post-install bootstrap job (disabled by default). The script runs
# as the ks_user identity; the literal block keeps its trailing newline.
bootstrap:
  enabled: false
  ks_user: barbican
  script: |
    openstack token issue

# Start-up ordering: each workload waits for the listed jobs and services
# before its main container starts.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - barbican-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    api:
      jobs:
        - barbican-db-sync
        - barbican-ks-user
        - barbican-ks-endpoints
        - barbican-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: oslo_messaging
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - barbican-db-init
      services:
        - endpoint: internal
          service: oslo_db
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
    ks_endpoints:
      jobs:
        - barbican-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - endpoint: internal
          service: oslo_messaging

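conf:
  # Paste pipeline. composite:main routes / to the version app and /v1 to
  # the keystone-authenticated pipeline. The unauthenticated-context
  # pipelines (barbican_api, barbican-profile) are defined below but are not
  # mapped to any URL here.
  paste:
    composite:main:
      use: egg:Paste#urlmap
      /: barbican_version
      /v1: barbican-api-keystone
    pipeline:barbican_version:
      pipeline: cors http_proxy_to_wsgi versionapp
    pipeline:barbican_api:
      pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
    pipeline:barbican-profile:
      pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
    pipeline:barbican-api-keystone:
      pipeline: cors http_proxy_to_wsgi authtoken context apiapp
    # Same as barbican-api-keystone plus the CADF audit filter (no cors).
    pipeline:barbican-api-keystone-audit:
      pipeline: http_proxy_to_wsgi authtoken context audit apiapp
    app:apiapp:
      paste.app_factory: barbican.api.app:create_main_app
    app:versionapp:
      paste.app_factory: barbican.api.app:create_version_app
    filter:simple:
      paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
    filter:unauthenticated-context:
      paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
    filter:context:
      paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
    filter:audit:
      paste.filter_factory: keystonemiddleware.audit:filter_factory
      audit_map_file: /etc/barbican/api_audit_map.conf
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
    filter:profile:
      use: egg:repoze.profile
      log_filename: myapp.profile
      cachegrind_filename: cachegrind.out.myapp
      discard_first_request: true
      path: /__profile__
      flush_at_shutdown: true
      unwind: false
    filter:cors:
      paste.filter_factory: oslo_middleware.cors:filter_factory
      oslo_config_project: barbican
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
  # Empty policy: barbican's in-code policy defaults apply.
  policy: {}
  # CADF audit map consumed by filter:audit above.
  audit_map:
    DEFAULT:
      # default target endpoint type
      # should match the endpoint type defined in service catalog
      target_endpoint_type: key-manager
    custom_actions:
      # map urls ending with specific text to a unique action
      # Don't need custom mapping for other resource operations
      # Note: action should match action names defined in CADF taxonomy
      acl/get: read
    path_keywords:
      # path of api requests for CADF target typeURI
      # Just need to include top resource path to identify class of resources
      # NOTE(review): cas is the quoted string "None" while its siblings are
      # YAML null; left as-is because the two may render differently in the
      # generated ini file - confirm against the rendered api_audit_map.conf.
      secrets: null
      containers: null
      orders: null
      cas: "None"
      quotas: null
      project-quotas: null
    service_endpoints:
      # map endpoint type defined in service catalog to CADF typeURI
      key-manager: service/security/keymanager
  barbican_api_uwsgi:
    uwsgi:
      add-header: "Connection: close"
      buffer-size: 65535
      chunked-input-limit: "4096000"
      die-on-term: true
      enable-threads: true
      exit-on-reload: false
      hook-master-start: unix_signal:15 gracefully_kill_them_all
      http-auto-chunked: true
      http-raw-body: true
      lazy-apps: true
      log-x-forwarded-for: true
      master: true
      need-app: true
      # Fixed typo ("barbiacan" -> "barbican") in the process title prefix.
      procname-prefix-spaced: "barbican-api:"
      # Kubernetes probe requests are not logged.
      route-user-agent: '^kube-probe.* donotlog:'
      socket-timeout: 10
      thunder-lock: true
      worker-reload-mercy: 80
      wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api
      processes: 1
  # Rendered into barbican.conf.
  barbican:
    DEFAULT:
      transport_url: null
      log_config_append: /etc/barbican/logging.conf
    keystone_authtoken:
      auth_type: password
      auth_version: v3
      # ENCRYPT requires a shared key; memcache_secret_key is null here and
      # is sourced from endpoints.oslo_cache.auth.memcache_secret_key (see
      # the note there).
      memcache_security_strategy: ENCRYPT
      memcache_secret_key: null
      service_type: key-manager
    database:
      max_retries: -1
    barbican_api:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
      bind_port: null
    oslo_policy:
      policy_file: /etc/barbican/policy.yaml
    # When using the simple_crypto_plugin, a kek must be provided as:
    #   .conf.barbican.simple_crypto_plugin.kek
    # If no kek is provided, barbican will use a well-known default.
    # That default is public, so an explicit, per-deployment kek should be
    # set wherever the stored secrets matter.
    # If upgrading the chart with a new kek, the old kek must be provided as:
    #   .conf.simple_crypto_plugin_rewrap.old_kek
    # Please refer to the .conf.simple_crypto_key_rewrap section below.
    # The barbican defaults are included here as a reference:
    #   secretstore:
    #     enabled_secretstore_plugins:
    #       - store_crypto
    #   crypto:
    #     enabled_crypto_plugins:
    #       - simple_crypto
    #   simple_crypto_plugin:
    #     # The kek should be a 32-byte value which is base64 encoded.
    #     kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
  # KEK rotation for the simple_crypto plugin
  simple_crypto_kek_rewrap:

    # To allow for chart upgrades when modifying the Key Encryption Key, the
    # db-sync job can rewrap the existing project keys with the new kek, leaving
    # each secret's encrypted data unchanged.

    # This feature is enabled automatically, if a kek is specified at:
    #   .conf.barbican.simple_crypto_plugin.kek
    # and the previous kek is also specified at:
    #   .conf.simple_crypto_kek_rewrap.old_kek

    # The project keys are decrypted with 'old_kek' and re-encrypted with the
    # target kek (as defined in barbican.conf).
    # This resembles the lightweight rotation described here, which was never
    # implemented for the simple crypto plugin:
    # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html

    # The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the
    # plugin default, and is retained here for convenience, in case the chart was
    # previously installed without explicitly specifying a kek.
    old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
  # Python logging.conf; "null" is quoted so it stays the handler name rather
  # than becoming a YAML null.
  logging:
    loggers:
      keys:
        - root
        - barbican
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_barbican:
      level: INFO
      handlers:
        - stdout
      qualname: barbican
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: "%Y-%m-%d %H:%M:%S"
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"
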
# Names of secrets used by bootstrap and environmental checks
secrets:
  identity:
    admin: barbican-keystone-admin
    barbican: barbican-keystone-user
  oslo_db:
    admin: barbican-db-admin
    barbican: barbican-db-user
  oslo_messaging:
    admin: barbican-rabbitmq-admin
    barbican: barbican-rabbitmq-user
  # TLS secret names for the public and internal API endpoints.
  tls:
    key_manager:
      api:
        public: barbican-tls-public
        internal: barbican-tls-internal
  oci_image_registry:
    barbican: barbican-oci-image-registry

# Service discovery and credentials. Every "password: password" below is a
# placeholder that is expected to be overridden per deployment.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    # Registry auth is off; the credentials are only used when enabled.
    auth:
      enabled: false
      barbican:
        username: barbican
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      # Service account barbican uses against keystone; role is the role
      # requested for it in the service project.
      barbican:
        role: admin
        region_name: RegionOne
        username: barbican
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  key_manager:
    name: barbican
    hosts:
      default: barbican-api
      public: barbican
    # NOTE(review): this tls block sits under host_fqdn_override.default and
    # names a cert-manager ClusterIssuer; manifests.certificates is false in
    # these defaults, so confirm which template consumes it before relying
    # on it. The scheme below is still plain http.
    host_fqdn_override:
      default:
        tls:
          secretName: barbican-tls-internal
          issuerRef:
            kind: ClusterIssuer
            name: ca-clusterissuer
    path:
      default: /
    scheme:
      default: http
      service: http
    port:
      api:
        default: 9311
        public: 80
        service: 9311
  oslo_db:
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      barbican:
        username: barbican
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /barbican
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      barbican:
        username: barbican
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /barbican
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are using to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

# Per-backend TLS toggles; all backends are reached in plaintext by default.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false

# Which templates are rendered. Off by default: certificates, the db-drop
# job and the network policy.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  job_rabbit_init: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  pdb_api: true
  pod_test: true
  secret_db: true
  network_policy: false
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_api: true
  service_api: true
...