# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
12
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
17
---
# Node selection for each pod class; the api, job and test pods are all
# scheduled onto nodes carrying the same control-plane label.
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Optional release group; null leaves it unset.
release_group: null

# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true
35
# Container images for every pod and job in the chart.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    # NOTE(review): "latest-ubuntu_focal" is a floating tag, so the image
    # content can change between pulls; pin a fixed tag or digest in
    # overrides for reproducible, auditable deployments.
    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  # When active, images are mirrored into a local registry; the listed
  # tags are excluded from that mirroring.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync
60
# Post-install bootstrap job; the script runs with the credentials of the
# ks_user account named here.
bootstrap:
  enabled: true
  ks_user: admin
  script: |
    # admin needs the admin role for the default domain
    openstack role add \
      --user="${OS_USERNAME}" \
      --domain="${OS_DEFAULT_DOMAIN}" \
      "admin"
70
# How the API is exposed: ingress classes/annotations and optional
# NodePorts for the public and admin listeners (both disabled by default).
network:
  api:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30500
  admin:
    node_port:
      enabled: false
      port: 30357
88
# Jobs and service endpoints each component waits for before starting.
# "dynamic" entries are wired in by helm-toolkit at render time; "static"
# entries apply unconditionally. A null entry has no dependencies.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - keystone-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
  static:
    api:
      jobs:
        - keystone-db-sync
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
    bootstrap:
      jobs:
        - keystone-domain-manage
      services:
        - endpoint: internal
          service: identity
    credential_rotate:
      jobs:
        - keystone-credential-setup
    credential_setup: null
    credential_cleanup:
      services:
        - endpoint: internal
          service: oslo_db
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - keystone-db-init
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_db
    domain_manage:
      services:
        - endpoint: internal
          service: identity
    fernet_rotate:
      jobs:
        - keystone-fernet-setup
    fernet_setup: null
    tests:
      services:
        - endpoint: internal
          service: identity
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
159
# Pod-level settings: scheduling classes, security contexts, affinity,
# tolerations, extra mounts, replica counts, rollout policy, resource
# requests/limits and probes.
pod:
  # null leaves the pod's priorityClassName unset.
  priorityClassName:
    keystone_api: null
    keystone_tests: null
    keystone_credential_rotate: null
    keystone_fernet_rotate: null
    keystone_credential_setup: null
    keystone_fernet_setup: null
    keystone_domain_manage: null
    keystone_credential_cleanup: null
    bootstrap: null
    db_init: null
    db_sync: null
  # null leaves the pod's runtimeClassName unset.
  runtimeClassName:
    keystone_api: null
    keystone_tests: null
    keystone_credential_rotate: null
    keystone_fernet_rotate: null
    keystone_credential_setup: null
    keystone_fernet_setup: null
    keystone_domain_manage: null
    keystone_credential_cleanup: null
    bootstrap: null
    db_init: null
    db_sync: null
  # Every pod runs as uid 42424; every container gets a read-only root
  # filesystem and may not escalate privileges. The rally test container
  # additionally runs as its own uid (65500).
  security_context:
    keystone:
      pod:
        runAsUser: 42424
      container:
        keystone_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    credential_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_credential_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_rotate:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_rotate:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    domain_manage:
      pod:
        runAsUser: 42424
      container:
        keystone_domain_manage_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_domain_manage:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    test:
      pod:
        runAsUser: 42424
      container:
        keystone_test_ks_user:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_test:
          runAsUser: 65500
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  # Soft pod anti-affinity: prefer spreading replicas across hosts.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Disabled by default; when enabled, pods tolerate both the legacy
  # "master" and the "control-plane" node taints.
  tolerations:
    keystone:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Hook for additional volumes/volumeMounts per component. All entries are
  # empty (null) by default; populate them via overrides.
  mounts:
    keystone_db_init:
      init_container: null
      keystone_db_init:
        volumeMounts: null
        volumes: null
    keystone_db_sync:
      init_container: null
      keystone_db_sync:
        volumeMounts: null
        volumes: null
    keystone_api:
      init_container: null
      keystone_api:
        volumeMounts: null
        volumes: null
    keystone_tests:
      init_container: null
      keystone_tests:
        volumeMounts: null
        volumes: null
    keystone_bootstrap:
      init_container: null
      keystone_bootstrap:
        volumeMounts: null
        volumes: null
    keystone_fernet_setup:
      init_container: null
      keystone_fernet_setup:
        volumeMounts: null
        volumes: null
    keystone_fernet_rotate:
      init_container: null
      keystone_fernet_rotate:
        volumeMounts: null
        volumes: null
    keystone_credential_setup:
      init_container: null
      keystone_credential_setup:
        volumeMounts: null
        volumes: null
    keystone_credential_rotate:
      init_container: null
      keystone_credential_rotate:
        volumeMounts: null
        volumes: null
    keystone_credential_cleanup:
      init_container: null
      keystone_credential_cleanup:
        volumeMounts: null
        volumes: null
    keystone_domain_manage:
      init_container: null
      keystone_domain_manage:
        volumeMounts: null
        volumes: null
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    disruption_budget:
      api:
        min_available: 0
    termination_grace_period:
      api:
        timeout: 30
  # Requests/limits are only rendered when resources.enabled is true.
  resources:
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      domain_manage:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_cleanup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
  probes:
    api:
      api:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 15
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 50
            periodSeconds: 60
            timeoutSeconds: 15
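# Settings for the one-shot and cron jobs that manage the fernet token keys
# and the credential-encryption keys.
jobs:
  fernet_setup:
    user: keystone
    group: keystone
  fernet_rotate:
    # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should satisfy the formula
    # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
    # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
    # rotation_frequency needs to be adjusted
    # 12 hours
    cron: "0 */12 * * *"
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1
  credential_setup:
    user: keystone
    group: keystone
  credential_rotate:
    # monthly
    cron: "0 0 1 * *"
    # Seconds to wait for the credential migration before rotating.
    migrate_wait: 120
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1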
469
# Rules for the keystone NetworkPolicy (rendered only when
# manifests.network_policy is true). An empty rule `{}` matches all
# traffic in that direction, so tighten both lists in overrides before
# enabling the policy.
network_policy:
  keystone:
    ingress:
      - {}
    egress:
      - {}
476
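# Application configuration: Apache hardening snippets, keystone.conf
# sections, policy, RabbitMQ queue policy, rally test scenarios, the WSGI
# vhost, the WebSSO callback page and the logging config.
conf:
  security: |
    #
    # Disable access to the entire file system except for the directories that
    # are explicitly allowed later.
    #
    # This currently breaks the configurations that come with some web application
    # Debian packages.
    #
    #<Directory />
    #   AllowOverride None
    #   Require all denied
    #</Directory>

    # Changing the following options will not really affect the security of the
    # server, but might make attacks slightly more difficult in some cases.

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of: Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    ServerSignature Off

    #
    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of: On | Off | extended
    TraceEnable Off

    #
    # Forbid access to version control directories
    #
    # If you use version control systems in your document root, you should
    # probably deny access to their directories. For example, for subversion:
    #
    #<DirectoryMatch "/\.svn">
    #   Require all denied
    #</DirectoryMatch>

    #
    # Setting this header will prevent MSIE from interpreting files as something
    # else than declared by the content type in the HTTP headers.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Content-Type-Options: "nosniff"

    #
    # Setting this header will prevent other sites from embedding pages from this
    # site as frames. This defends against clickjacking attacks.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Frame-Options: "sameorigin"
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      # NOTE(review): Debian's directory is normally "sites-enabled"; confirm
      # the start script expects this exact path before changing it.
      site_dir: /etc/apache2/sites-enable
      conf_dir: /etc/apache2/conf-enabled
      mods_dir: /etc/apache2/mods-available
      a2enmod: null
      a2dismod: null
  # Rendered into keystone.conf; each key below is an [section].
  keystone:
    DEFAULT:
      log_config_append: /etc/keystone/logging.conf
      max_token_size: 255
      # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
      # notification_opt_out: ""
    token:
      provider: fernet
      # 12 hours
      expiration: 43200
    identity:
      domain_specific_drivers_enabled: true
      domain_config_dir: /etc/keystone/domains
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
      # Must satisfy the formula documented under jobs.fernet_rotate.
      max_active_keys: 7
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
      max_retries: -1
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    oslo_messaging_notifications:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    oslo_middleware:
      # Keystone will derive the request scheme/host from X-Forwarded-*
      # headers; this assumes the API is only reachable through a trusted
      # proxy (the ingress) that sets or strips those headers.
      enable_proxy_headers_parsing: true
    oslo_policy:
      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # NOTE(vdrok): The following two options have effect only for SQL backend
      lockout_failure_attempts: 5
      lockout_duration: 1800
  # NOTE(lamt) We can leverage multiple domains with different
  # configurations as outlined in
  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
  # A sample of the value override can be found in sample file:
  # tools/overrides/example/keystone_domain_config.yaml
  # ks_domains:
  policy: {}
  access_rules: {}
  rabbitmq:
    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
    policies:
      - vhost: "keystone"
        name: "ha_ttl_keystone"
        definition:
          # mirror messages to other nodes in rmq cluster
          ha-mode: "all"
          ha-sync-mode: "automatic"
          # 70s
          message-ttl: 70000
        priority: 0
        apply-to: all
        pattern: '^(?!(amq\.|reply_)).*'
  rally_tests:
    run_tempest: false
    tests:
      KeystoneBasic.add_and_remove_user_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.authenticate_user_and_validate_token:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_add_and_list_user_roles:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_ec2credential:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_ec2credentials:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_service:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_get_role:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_services:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_tenants:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_users:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_delete_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant_with_users:
        - args:
            users_per_tenant: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_update_and_delete_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_set_enabled_and_delete:
        - args:
            enabled: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
        - args:
            enabled: false
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_update_password:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.get_entities:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit         1024
      StartServers        32
      MinSpareThreads     32
      MaxSpareThreads     256
      ThreadsPerChild     25
      MaxRequestsPerChild 128
      ThreadLimit         720
    </IfModule>
  # Apache vhost for the public WSGI endpoint. Requests carrying an
  # X-Forwarded-For header are logged with the "proxy" format instead of
  # "combined".
  wsgi_keystone: |
    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

    Listen 0.0.0.0:{{ $portInt }}

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded

    <VirtualHost *:{{ $portInt }}>
        WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded
    </VirtualHost>
  # HTML page keystone returns after a WebSSO login; it POSTs the token
  # back to the originating host ($host / $token are substituted by keystone).
  sso_callback_template: |
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Keystone WebSSO redirect</title>
      </head>
      <body>
        <form id="sso" name="sso" action="$host" method="post">
          Please wait...
          <br/>
          <input type="hidden" name="token" id="token" value="$token"/>
          <noscript>
            <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
              value="If your JavaScript is disabled, please click to continue"/>
          </noscript>
        </form>
        <script type="text/javascript">
          window.onload = function() {
            document.forms['sso'].submit();
          }
        </script>
      </body>
    </html>
  # Python logging.config.fileConfig-style configuration; handler "args"
  # values are Python expressions evaluated by fileConfig.
  logging:
    loggers:
      keys:
        - root
        - keystone
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_keystone:
      level: INFO
      handlers:
        - stdout
      qualname: keystone
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: "%Y-%m-%d %H:%M:%S"
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"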
913
# Names of secrets used by bootstrap and environmental checks
secrets:
  identity:
    admin: keystone-keystone-admin
    test: keystone-keystone-test
  oslo_db:
    admin: keystone-db-admin
    keystone: keystone-db-user
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
  ldap:
    tls: keystone-ldap-tls
  tls:
    identity:
      api:
        public: keystone-tls-public
        internal: keystone-tls-api
  oci_image_registry:
    keystone: keystone-oci-image-registry
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500934
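# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# NOTE(review): every `password: password` below is a placeholder; real
# credentials belong in overrides that feed the Secrets named under
# `secrets:`, not in this file.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      keystone:
        username: keystone
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    namespace: null
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
      test:
        role: admin
        region_name: RegionOne
        username: keystone-test
        password: password
        project_name: test
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn overridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: /v3
    scheme:
      default: http
      service: http
    port:
      api:
        default: 80
        # NOTE(portdirect): to retain portability across images, and allow
        # running under an unprivileged user simply, we default to a port > 1000.
        internal: 5000
        service: 5000
  oslo_db:
    namespace: null
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      keystone:
        username: keystone
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    namespace: null
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      keystone:
        username: keystone
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    namespace: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  ldap:
    auth:
      client:
        tls:
          # NOTE(lamt): Specifying a CA value here will place a LDAPS certificate at
          # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
          # following keys will need to be overridden under section [ldap] or the
          # correct domain-specific setting, else it will not be enabled:
          #
          # use_tls: true
          # tls_req_cert: allow # Valid values: demand, never, allow
          # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
          ca: null
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80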
1120
# Per-backend TLS switches; all off by default, so the API, RabbitMQ and
# MariaDB connections are plaintext unless enabled in overrides.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
1125
# Which Kubernetes objects the chart renders. Off by default: certificates,
# the destructive db_drop job, and the network policy.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  cron_credential_rotate: true
  cron_fernet_rotate: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_credential_cleanup: true
  job_credential_setup: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_domain_manage: true
  job_fernet_setup: true
  job_image_repo_sync: true
  job_rabbit_init: true
  pdb_api: true
  pod_rally_test: true
  network_policy: false
  secret_credential_keys: true
  secret_db: true
  secret_fernet_keys: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_api: true
  service_api: true
...