Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 2 | # you may not use this file except in compliance with the License. |
| 3 | # You may obtain a copy of the License at |
| 4 | # |
| 5 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | # |
| 7 | # Unless required by applicable law or agreed to in writing, software |
| 8 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 9 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 10 | # See the License for the specific language governing permissions and |
| 11 | # limitations under the License. |
| 12 | |
| 13 | # Default values for keystone. |
| 14 | # This is a YAML-formatted file. |
| 15 | # Declare name/value pairs to be passed into your templates. |
| 16 | # name: value |
| 17 | |
| 18 | --- |
| 19 | labels: |
| 20 | api: |
| 21 | node_selector_key: openstack-control-plane |
| 22 | node_selector_value: enabled |
| 23 | job: |
| 24 | node_selector_key: openstack-control-plane |
| 25 | node_selector_value: enabled |
| 26 | test: |
| 27 | node_selector_key: openstack-control-plane |
| 28 | node_selector_value: enabled |
| 29 | |
| 30 | release_group: null |
| 31 | |
| 32 | # NOTE(gagehugo): the pre-install hook breaks upgrade for helm2 |
| 33 | # Set to false to upgrade using helm2 |
| 34 | helm3_hook: true |
| 35 | |
| 36 | images: |
| 37 | tags: |
Oleksandr K. | 582fd5e | 2024-07-19 04:39:01 +0200 | [diff] [blame] | 38 | bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 39 | test: docker.io/xrally/xrally-openstack:2.0.0 |
Oleksandr K. | 582fd5e | 2024-07-19 04:39:01 +0200 | [diff] [blame] | 40 | db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 41 | keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 42 | db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 43 | ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 44 | rabbit_init: docker.io/rabbitmq:3.13-management |
| 45 | keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 46 | keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 47 | keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 48 | keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 49 | keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 50 | keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 51 | keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 52 | dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 53 | image_repo_sync: docker.io/docker:17.07.0 |
| 54 | pull_policy: "IfNotPresent" |
| 55 | local_registry: |
| 56 | active: false |
| 57 | exclude: |
| 58 | - dep_check |
| 59 | - image_repo_sync |
| 60 | |
| 61 | bootstrap: |
| 62 | enabled: true |
| 63 | ks_user: admin |
| 64 | script: | |
| 65 | # admin needs the admin role for the default domain |
| 66 | openstack role add \ |
| 67 | --user="${OS_USERNAME}" \ |
| 68 | --domain="${OS_DEFAULT_DOMAIN}" \ |
| 69 | "admin" |
| 70 | |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 71 | network: |
| 72 | api: |
| 73 | ingress: |
| 74 | public: true |
| 75 | classes: |
| 76 | namespace: "nginx" |
| 77 | cluster: "nginx-cluster" |
| 78 | annotations: |
| 79 | nginx.ingress.kubernetes.io/rewrite-target: / |
| 80 | external_policy_local: false |
| 81 | node_port: |
| 82 | enabled: false |
| 83 | port: 30500 |
| 84 | admin: |
| 85 | node_port: |
| 86 | enabled: false |
| 87 | port: 30357 |
| 88 | |
| 89 | dependencies: |
| 90 | dynamic: |
| 91 | common: |
| 92 | local_image_registry: |
| 93 | jobs: |
| 94 | - keystone-image-repo-sync |
| 95 | services: |
| 96 | - endpoint: node |
| 97 | service: local_image_registry |
| 98 | rabbit_init: |
| 99 | services: |
| 100 | - service: oslo_messaging |
| 101 | endpoint: internal |
| 102 | static: |
| 103 | api: |
| 104 | jobs: |
| 105 | - keystone-db-sync |
| 106 | - keystone-credential-setup |
| 107 | - keystone-fernet-setup |
| 108 | services: |
| 109 | - endpoint: internal |
| 110 | service: oslo_cache |
| 111 | - endpoint: internal |
| 112 | service: oslo_db |
| 113 | bootstrap: |
| 114 | jobs: |
| 115 | - keystone-domain-manage |
| 116 | services: |
| 117 | - endpoint: internal |
| 118 | service: identity |
| 119 | credential_rotate: |
| 120 | jobs: |
| 121 | - keystone-credential-setup |
| 122 | credential_setup: null |
| 123 | credential_cleanup: |
| 124 | services: |
| 125 | - endpoint: internal |
| 126 | service: oslo_db |
| 127 | db_drop: |
| 128 | services: |
| 129 | - endpoint: internal |
| 130 | service: oslo_db |
| 131 | db_init: |
| 132 | services: |
| 133 | - endpoint: internal |
| 134 | service: oslo_db |
| 135 | db_sync: |
| 136 | jobs: |
| 137 | - keystone-db-init |
| 138 | - keystone-credential-setup |
| 139 | - keystone-fernet-setup |
| 140 | services: |
| 141 | - endpoint: internal |
| 142 | service: oslo_db |
| 143 | domain_manage: |
| 144 | services: |
| 145 | - endpoint: internal |
| 146 | service: identity |
| 147 | fernet_rotate: |
| 148 | jobs: |
| 149 | - keystone-fernet-setup |
| 150 | fernet_setup: null |
| 151 | tests: |
| 152 | services: |
| 153 | - endpoint: internal |
| 154 | service: identity |
| 155 | image_repo_sync: |
| 156 | services: |
| 157 | - endpoint: internal |
| 158 | service: local_image_registry |
| 159 | |
| 160 | pod: |
Dong Ma | cf2006c | 2025-02-10 14:58:50 +0000 | [diff] [blame] | 161 | priorityClassName: |
| 162 | keystone_api: null |
| 163 | keystone_tests: null |
| 164 | keystone_credential_rotate: null |
| 165 | keystone_fernet_rotate: null |
Dong Ma | 36b8922 | 2025-02-13 16:15:52 +0000 | [diff] [blame] | 166 | keystone_credential_setup: null |
| 167 | keystone_fernet_setup: null |
| 168 | keystone_domain_manage: null |
| 169 | keystone_credential_cleanup: null |
| 170 | bootstrap: null |
| 171 | db_init: null |
Dong Ma | cf2006c | 2025-02-10 14:58:50 +0000 | [diff] [blame] | 172 | db_sync: null |
| 173 | runtimeClassName: |
| 174 | keystone_api: null |
| 175 | keystone_tests: null |
| 176 | keystone_credential_rotate: null |
| 177 | keystone_fernet_rotate: null |
Dong Ma | 36b8922 | 2025-02-13 16:15:52 +0000 | [diff] [blame] | 178 | keystone_credential_setup: null |
| 179 | keystone_fernet_setup: null |
| 180 | keystone_domain_manage: null |
| 181 | keystone_credential_cleanup: null |
| 182 | bootstrap: null |
| 183 | db_init: null |
Dong Ma | cf2006c | 2025-02-10 14:58:50 +0000 | [diff] [blame] | 184 | db_sync: null |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 185 | security_context: |
| 186 | keystone: |
| 187 | pod: |
| 188 | runAsUser: 42424 |
| 189 | container: |
| 190 | keystone_api: |
| 191 | readOnlyRootFilesystem: true |
| 192 | allowPrivilegeEscalation: false |
| 193 | credential_setup: |
| 194 | pod: |
| 195 | runAsUser: 42424 |
| 196 | container: |
| 197 | keystone_credential_setup: |
| 198 | readOnlyRootFilesystem: true |
| 199 | allowPrivilegeEscalation: false |
| 200 | fernet_setup: |
| 201 | pod: |
| 202 | runAsUser: 42424 |
| 203 | container: |
| 204 | keystone_fernet_setup: |
| 205 | readOnlyRootFilesystem: true |
| 206 | allowPrivilegeEscalation: false |
| 207 | fernet_rotate: |
| 208 | pod: |
| 209 | runAsUser: 42424 |
| 210 | container: |
| 211 | keystone_fernet_rotate: |
| 212 | readOnlyRootFilesystem: true |
| 213 | allowPrivilegeEscalation: false |
| 214 | domain_manage: |
| 215 | pod: |
| 216 | runAsUser: 42424 |
| 217 | container: |
| 218 | keystone_domain_manage_init: |
| 219 | readOnlyRootFilesystem: true |
| 220 | allowPrivilegeEscalation: false |
| 221 | keystone_domain_manage: |
| 222 | readOnlyRootFilesystem: true |
| 223 | allowPrivilegeEscalation: false |
| 224 | test: |
| 225 | pod: |
| 226 | runAsUser: 42424 |
| 227 | container: |
| 228 | keystone_test_ks_user: |
| 229 | readOnlyRootFilesystem: true |
| 230 | allowPrivilegeEscalation: false |
| 231 | keystone_test: |
| 232 | runAsUser: 65500 |
| 233 | readOnlyRootFilesystem: true |
| 234 | allowPrivilegeEscalation: false |
| 235 | affinity: |
| 236 | anti: |
| 237 | type: |
| 238 | default: preferredDuringSchedulingIgnoredDuringExecution |
| 239 | topologyKey: |
| 240 | default: kubernetes.io/hostname |
| 241 | weight: |
| 242 | default: 10 |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 243 | tolerations: |
| 244 | keystone: |
| 245 | enabled: false |
| 246 | tolerations: |
| 247 | - key: node-role.kubernetes.io/master |
| 248 | operator: Exists |
| 249 | effect: NoSchedule |
Rico Lin | c6ac7a1 | 2023-11-03 00:25:40 +0800 | [diff] [blame] | 250 | - key: node-role.kubernetes.io/control-plane |
| 251 | operator: Exists |
| 252 | effect: NoSchedule |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 253 | mounts: |
| 254 | keystone_db_init: |
| 255 | init_container: null |
| 256 | keystone_db_init: |
| 257 | volumeMounts: |
| 258 | volumes: |
| 259 | keystone_db_sync: |
| 260 | init_container: null |
| 261 | keystone_db_sync: |
| 262 | volumeMounts: |
| 263 | volumes: |
| 264 | keystone_api: |
| 265 | init_container: null |
| 266 | keystone_api: |
| 267 | volumeMounts: |
| 268 | volumes: |
| 269 | keystone_tests: |
| 270 | init_container: null |
| 271 | keystone_tests: |
| 272 | volumeMounts: |
| 273 | volumes: |
| 274 | keystone_bootstrap: |
| 275 | init_container: null |
| 276 | keystone_bootstrap: |
| 277 | volumeMounts: |
| 278 | volumes: |
| 279 | keystone_fernet_setup: |
| 280 | init_container: null |
| 281 | keystone_fernet_setup: |
| 282 | volumeMounts: |
| 283 | volumes: |
| 284 | keystone_fernet_rotate: |
| 285 | init_container: null |
| 286 | keystone_fernet_rotate: |
| 287 | volumeMounts: |
| 288 | volumes: |
| 289 | keystone_credential_setup: |
| 290 | init_container: null |
| 291 | keystone_credential_setup: |
| 292 | volumeMounts: |
| 293 | volumes: |
| 294 | keystone_credential_rotate: |
| 295 | init_container: null |
| 296 | keystone_credential_rotate: |
| 297 | volumeMounts: |
| 298 | volumes: |
| 299 | keystone_credential_cleanup: |
| 300 | init_container: null |
| 301 | keystone_credential_cleanup: |
| 302 | volumeMounts: |
| 303 | volumes: |
| 304 | keystone_domain_manage: |
| 305 | init_container: null |
| 306 | keystone_domain_manage: |
| 307 | volumeMounts: |
| 308 | volumes: |
| 309 | replicas: |
| 310 | api: 1 |
| 311 | lifecycle: |
| 312 | upgrades: |
| 313 | deployments: |
| 314 | revision_history: 3 |
| 315 | pod_replacement_strategy: RollingUpdate |
| 316 | rolling_update: |
| 317 | max_unavailable: 1 |
| 318 | max_surge: 3 |
| 319 | disruption_budget: |
| 320 | api: |
| 321 | min_available: 0 |
| 322 | termination_grace_period: |
| 323 | api: |
| 324 | timeout: 30 |
| 325 | resources: |
| 326 | enabled: false |
| 327 | api: |
| 328 | requests: |
| 329 | memory: "128Mi" |
| 330 | cpu: "100m" |
| 331 | limits: |
| 332 | memory: "1024Mi" |
| 333 | cpu: "2000m" |
| 334 | jobs: |
| 335 | bootstrap: |
| 336 | requests: |
| 337 | memory: "128Mi" |
| 338 | cpu: "100m" |
| 339 | limits: |
| 340 | memory: "1024Mi" |
| 341 | cpu: "2000m" |
| 342 | domain_manage: |
| 343 | requests: |
| 344 | memory: "128Mi" |
| 345 | cpu: "100m" |
| 346 | limits: |
| 347 | memory: "1024Mi" |
| 348 | cpu: "2000m" |
| 349 | db_init: |
| 350 | requests: |
| 351 | memory: "128Mi" |
| 352 | cpu: "100m" |
| 353 | limits: |
| 354 | memory: "1024Mi" |
| 355 | cpu: "2000m" |
| 356 | db_sync: |
| 357 | requests: |
| 358 | memory: "128Mi" |
| 359 | cpu: "100m" |
| 360 | limits: |
| 361 | memory: "1024Mi" |
| 362 | cpu: "2000m" |
| 363 | db_drop: |
| 364 | requests: |
| 365 | memory: "128Mi" |
| 366 | cpu: "100m" |
| 367 | limits: |
| 368 | memory: "1024Mi" |
| 369 | cpu: "2000m" |
| 370 | rabbit_init: |
| 371 | requests: |
| 372 | memory: "128Mi" |
| 373 | cpu: "100m" |
| 374 | limits: |
| 375 | memory: "1024Mi" |
| 376 | cpu: "2000m" |
| 377 | tests: |
| 378 | requests: |
| 379 | memory: "128Mi" |
| 380 | cpu: "100m" |
| 381 | limits: |
| 382 | memory: "1024Mi" |
| 383 | cpu: "2000m" |
| 384 | fernet_setup: |
| 385 | requests: |
| 386 | memory: "128Mi" |
| 387 | cpu: "100m" |
| 388 | limits: |
| 389 | memory: "1024Mi" |
| 390 | cpu: "2000m" |
| 391 | fernet_rotate: |
| 392 | requests: |
| 393 | memory: "128Mi" |
| 394 | cpu: "100m" |
| 395 | limits: |
| 396 | memory: "1024Mi" |
| 397 | cpu: "2000m" |
| 398 | credential_setup: |
| 399 | requests: |
| 400 | memory: "128Mi" |
| 401 | cpu: "100m" |
| 402 | limits: |
| 403 | memory: "1024Mi" |
| 404 | cpu: "2000m" |
| 405 | credential_rotate: |
| 406 | requests: |
| 407 | memory: "128Mi" |
| 408 | cpu: "100m" |
| 409 | limits: |
| 410 | memory: "1024Mi" |
| 411 | cpu: "2000m" |
| 412 | credential_cleanup: |
| 413 | requests: |
| 414 | memory: "128Mi" |
| 415 | cpu: "100m" |
| 416 | limits: |
| 417 | memory: "1024Mi" |
| 418 | cpu: "2000m" |
| 419 | image_repo_sync: |
| 420 | requests: |
| 421 | memory: "128Mi" |
| 422 | cpu: "100m" |
| 423 | limits: |
| 424 | memory: "1024Mi" |
| 425 | cpu: "2000m" |
| 426 | probes: |
| 427 | api: |
| 428 | api: |
| 429 | readiness: |
| 430 | enabled: true |
| 431 | params: |
| 432 | initialDelaySeconds: 15 |
| 433 | periodSeconds: 60 |
| 434 | timeoutSeconds: 15 |
| 435 | liveness: |
| 436 | enabled: true |
| 437 | params: |
| 438 | initialDelaySeconds: 50 |
| 439 | periodSeconds: 60 |
| 440 | timeoutSeconds: 15 |
| 441 | jobs: |
| 442 | fernet_setup: |
| 443 | user: keystone |
| 444 | group: keystone |
| 445 | fernet_rotate: |
Oleksandr K. | 3b80011 | 2024-11-12 06:44:15 +0100 | [diff] [blame] | 446 | # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula |
| 447 | # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2 |
| 448 | # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default, |
| 449 | # rotation_frequency need to be adjusted |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 450 | # 12 hours |
| 451 | cron: "0 */12 * * *" |
| 452 | user: keystone |
| 453 | group: keystone |
| 454 | history: |
| 455 | success: 3 |
| 456 | failed: 1 |
| 457 | credential_setup: |
| 458 | user: keystone |
| 459 | group: keystone |
| 460 | credential_rotate: |
| 461 | # monthly |
| 462 | cron: "0 0 1 * *" |
| 463 | migrate_wait: 120 |
| 464 | user: keystone |
| 465 | group: keystone |
| 466 | history: |
| 467 | success: 3 |
| 468 | failed: 1 |
| 469 | |
| 470 | network_policy: |
| 471 | keystone: |
| 472 | ingress: |
| 473 | - {} |
| 474 | egress: |
| 475 | - {} |
| 476 | |
| 477 | conf: |
| 478 | security: | |
| 479 | # |
| 480 | # Disable access to the entire file system except for the directories that |
| 481 | # are explicitly allowed later. |
| 482 | # |
| 483 | # This currently breaks the configurations that come with some web application |
| 484 | # Debian packages. |
| 485 | # |
| 486 | #<Directory /> |
| 487 | # AllowOverride None |
| 488 | # Require all denied |
| 489 | #</Directory> |
| 490 | |
| 491 | # Changing the following options will not really affect the security of the |
| 492 | # server, but might make attacks slightly more difficult in some cases. |
| 493 | |
| 494 | # |
| 495 | # ServerTokens |
| 496 | # This directive configures what you return as the Server HTTP response |
| 497 | # Header. The default is 'Full' which sends information about the OS-Type |
| 498 | # and compiled in modules. |
| 499 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod |
| 500 | # where Full conveys the most information, and Prod the least. |
| 501 | ServerTokens Prod |
| 502 | |
| 503 | # |
| 504 | # Optionally add a line containing the server version and virtual host |
| 505 | # name to server-generated pages (internal error documents, FTP directory |
| 506 | # listings, mod_status and mod_info output etc., but not CGI generated |
| 507 | # documents or custom error documents). |
| 508 | # Set to "EMail" to also include a mailto: link to the ServerAdmin. |
| 509 | # Set to one of: On | Off | EMail |
| 510 | ServerSignature Off |
| 511 | |
| 512 | # |
| 513 | # Allow TRACE method |
| 514 | # |
| 515 | # Set to "extended" to also reflect the request body (only for testing and |
| 516 | # diagnostic purposes). |
| 517 | # |
| 518 | # Set to one of: On | Off | extended |
| 519 | TraceEnable Off |
| 520 | |
| 521 | # |
| 522 | # Forbid access to version control directories |
| 523 | # |
| 524 | # If you use version control systems in your document root, you should |
| 525 | # probably deny access to their directories. For example, for subversion: |
| 526 | # |
| 527 | #<DirectoryMatch "/\.svn"> |
| 528 | # Require all denied |
| 529 | #</DirectoryMatch> |
| 530 | |
| 531 | # |
| 532 | # Setting this header will prevent MSIE from interpreting files as something |
| 533 | # else than declared by the content type in the HTTP headers. |
| 534 | # Requires mod_headers to be enabled. |
| 535 | # |
| 536 | #Header set X-Content-Type-Options: "nosniff" |
| 537 | |
| 538 | # |
| 539 | # Setting this header will prevent other sites from embedding pages from this |
| 540 | # site as frames. This defends against clickjacking attacks. |
| 541 | # Requires mod_headers to be enabled. |
| 542 | # |
| 543 | #Header set X-Frame-Options: "sameorigin" |
| 544 | software: |
| 545 | apache2: |
| 546 | binary: apache2 |
| 547 | start_parameters: -DFOREGROUND |
| 548 | site_dir: /etc/apache2/sites-enable |
| 549 | conf_dir: /etc/apache2/conf-enabled |
| 550 | mods_dir: /etc/apache2/mods-available |
| 551 | a2enmod: null |
| 552 | a2dismod: null |
| 553 | keystone: |
| 554 | DEFAULT: |
| 555 | log_config_append: /etc/keystone/logging.conf |
| 556 | max_token_size: 255 |
| 557 | # NOTE(rk760n): if you need auth notifications to be sent, uncomment it |
| 558 | # notification_opt_out: "" |
| 559 | token: |
| 560 | provider: fernet |
| 561 | # 12 hours |
| 562 | expiration: 43200 |
| 563 | identity: |
| 564 | domain_specific_drivers_enabled: True |
| 565 | domain_config_dir: /etc/keystone/domains |
| 566 | fernet_tokens: |
| 567 | key_repository: /etc/keystone/fernet-keys/ |
Oleksandr K. | 3b80011 | 2024-11-12 06:44:15 +0100 | [diff] [blame] | 568 | max_active_keys: 7 |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 569 | credential: |
| 570 | key_repository: /etc/keystone/credential-keys/ |
| 571 | database: |
| 572 | max_retries: -1 |
| 573 | cache: |
| 574 | enabled: true |
| 575 | backend: dogpile.cache.memcached |
| 576 | oslo_messaging_notifications: |
| 577 | driver: messagingv2 |
| 578 | oslo_messaging_rabbit: |
| 579 | rabbit_ha_queues: true |
| 580 | oslo_middleware: |
| 581 | enable_proxy_headers_parsing: true |
| 582 | oslo_policy: |
| 583 | policy_file: /etc/keystone/policy.yaml |
| 584 | security_compliance: |
| 585 | # NOTE(vdrok): The following two options have effect only for SQL backend |
| 586 | lockout_failure_attempts: 5 |
| 587 | lockout_duration: 1800 |
| 588 | # NOTE(lamt) We can leverage multiple domains with different |
| 589 | # configurations as outlined in |
| 590 | # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html. |
| 591 | # A sample of the value override can be found in sample file: |
| 592 | # tools/overrides/example/keystone_domain_config.yaml |
| 593 | # ks_domains: |
| 594 | policy: {} |
| 595 | access_rules: {} |
| 596 | rabbitmq: |
| 597 | # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones |
| 598 | policies: |
| 599 | - vhost: "keystone" |
| 600 | name: "ha_ttl_keystone" |
| 601 | definition: |
| 602 | # mirror messges to other nodes in rmq cluster |
| 603 | ha-mode: "all" |
| 604 | ha-sync-mode: "automatic" |
| 605 | # 70s |
| 606 | message-ttl: 70000 |
| 607 | priority: 0 |
| 608 | apply-to: all |
| 609 | pattern: '^(?!(amq\.|reply_)).*' |
| 610 | rally_tests: |
| 611 | run_tempest: false |
| 612 | tests: |
| 613 | KeystoneBasic.add_and_remove_user_role: |
| 614 | - runner: |
| 615 | concurrency: 1 |
| 616 | times: 1 |
| 617 | type: constant |
| 618 | sla: |
| 619 | failure_rate: |
| 620 | max: 0 |
| 621 | KeystoneBasic.authenticate_user_and_validate_token: |
| 622 | - args: {} |
| 623 | runner: |
| 624 | concurrency: 1 |
| 625 | times: 1 |
| 626 | type: constant |
| 627 | sla: |
| 628 | failure_rate: |
| 629 | max: 0 |
| 630 | KeystoneBasic.create_add_and_list_user_roles: |
| 631 | - runner: |
| 632 | concurrency: 1 |
| 633 | times: 1 |
| 634 | type: constant |
| 635 | sla: |
| 636 | failure_rate: |
| 637 | max: 0 |
| 638 | KeystoneBasic.create_and_delete_ec2credential: |
| 639 | - runner: |
| 640 | concurrency: 1 |
| 641 | times: 1 |
| 642 | type: constant |
| 643 | sla: |
| 644 | failure_rate: |
| 645 | max: 0 |
| 646 | KeystoneBasic.create_and_list_ec2credentials: |
| 647 | - runner: |
| 648 | concurrency: 1 |
| 649 | times: 1 |
| 650 | type: constant |
| 651 | sla: |
| 652 | failure_rate: |
| 653 | max: 0 |
| 654 | KeystoneBasic.create_and_delete_role: |
| 655 | - runner: |
| 656 | concurrency: 1 |
| 657 | times: 1 |
| 658 | type: constant |
| 659 | sla: |
| 660 | failure_rate: |
| 661 | max: 0 |
| 662 | KeystoneBasic.create_and_delete_service: |
| 663 | - args: |
| 664 | description: test_description |
| 665 | service_type: Rally_test_type |
| 666 | runner: |
| 667 | concurrency: 1 |
| 668 | times: 1 |
| 669 | type: constant |
| 670 | sla: |
| 671 | failure_rate: |
| 672 | max: 0 |
| 673 | KeystoneBasic.create_and_get_role: |
| 674 | - args: {} |
| 675 | runner: |
| 676 | concurrency: 1 |
| 677 | times: 1 |
| 678 | type: constant |
| 679 | sla: |
| 680 | failure_rate: |
| 681 | max: 0 |
| 682 | KeystoneBasic.create_and_list_services: |
| 683 | - args: |
| 684 | description: test_description |
| 685 | service_type: Rally_test_type |
| 686 | runner: |
| 687 | concurrency: 1 |
| 688 | times: 1 |
| 689 | type: constant |
| 690 | sla: |
| 691 | failure_rate: |
| 692 | max: 0 |
| 693 | KeystoneBasic.create_and_list_tenants: |
| 694 | - args: {} |
| 695 | runner: |
| 696 | concurrency: 1 |
| 697 | times: 1 |
| 698 | type: constant |
| 699 | sla: |
| 700 | failure_rate: |
| 701 | max: 0 |
| 702 | KeystoneBasic.create_and_list_users: |
| 703 | - args: {} |
| 704 | runner: |
| 705 | concurrency: 1 |
| 706 | times: 1 |
| 707 | type: constant |
| 708 | sla: |
| 709 | failure_rate: |
| 710 | max: 0 |
| 711 | KeystoneBasic.create_delete_user: |
| 712 | - args: {} |
| 713 | runner: |
| 714 | concurrency: 1 |
| 715 | times: 1 |
| 716 | type: constant |
| 717 | sla: |
| 718 | failure_rate: |
| 719 | max: 0 |
| 720 | KeystoneBasic.create_tenant: |
| 721 | - args: {} |
| 722 | runner: |
| 723 | concurrency: 1 |
| 724 | times: 1 |
| 725 | type: constant |
| 726 | sla: |
| 727 | failure_rate: |
| 728 | max: 0 |
| 729 | KeystoneBasic.create_tenant_with_users: |
| 730 | - args: |
| 731 | users_per_tenant: 1 |
| 732 | runner: |
| 733 | concurrency: 1 |
| 734 | times: 1 |
| 735 | type: constant |
| 736 | sla: |
| 737 | failure_rate: |
| 738 | max: 0 |
| 739 | KeystoneBasic.create_update_and_delete_tenant: |
| 740 | - args: {} |
| 741 | runner: |
| 742 | concurrency: 1 |
| 743 | times: 1 |
| 744 | type: constant |
| 745 | sla: |
| 746 | failure_rate: |
| 747 | max: 0 |
| 748 | KeystoneBasic.create_user: |
| 749 | - args: {} |
| 750 | runner: |
| 751 | concurrency: 1 |
| 752 | times: 1 |
| 753 | type: constant |
| 754 | sla: |
| 755 | failure_rate: |
| 756 | max: 0 |
| 757 | KeystoneBasic.create_user_set_enabled_and_delete: |
| 758 | - args: |
| 759 | enabled: true |
| 760 | runner: |
| 761 | concurrency: 1 |
| 762 | times: 1 |
| 763 | type: constant |
| 764 | sla: |
| 765 | failure_rate: |
| 766 | max: 0 |
| 767 | - args: |
| 768 | enabled: false |
| 769 | runner: |
| 770 | concurrency: 1 |
| 771 | times: 1 |
| 772 | type: constant |
| 773 | sla: |
| 774 | failure_rate: |
| 775 | max: 0 |
| 776 | KeystoneBasic.create_user_update_password: |
| 777 | - args: {} |
| 778 | runner: |
| 779 | concurrency: 1 |
| 780 | times: 1 |
| 781 | type: constant |
| 782 | sla: |
| 783 | failure_rate: |
| 784 | max: 0 |
| 785 | KeystoneBasic.get_entities: |
| 786 | - runner: |
| 787 | concurrency: 1 |
| 788 | times: 1 |
| 789 | type: constant |
| 790 | sla: |
| 791 | failure_rate: |
| 792 | max: 0 |
| 793 | mpm_event: | |
| 794 | <IfModule mpm_event_module> |
| 795 | ServerLimit 1024 |
| 796 | StartServers 32 |
| 797 | MinSpareThreads 32 |
| 798 | MaxSpareThreads 256 |
| 799 | ThreadsPerChild 25 |
| 800 | MaxRequestsPerChild 128 |
| 801 | ThreadLimit 720 |
| 802 | </IfModule> |
| 803 | wsgi_keystone: | |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 804 | {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 805 | |
| 806 | Listen 0.0.0.0:{{ $portInt }} |
| 807 | |
| 808 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined |
| 809 | LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy |
| 810 | |
| 811 | SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded |
| 812 | CustomLog /dev/stdout combined env=!forwarded |
| 813 | CustomLog /dev/stdout proxy env=forwarded |
| 814 | |
| 815 | <VirtualHost *:{{ $portInt }}> |
| 816 | WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} |
| 817 | WSGIProcessGroup keystone-public |
| 818 | WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public |
| 819 | WSGIApplicationGroup %{GLOBAL} |
| 820 | WSGIPassAuthorization On |
| 821 | <IfVersion >= 2.4> |
| 822 | ErrorLogFormat "%{cu}t %M" |
| 823 | </IfVersion> |
| 824 | ErrorLog /dev/stdout |
| 825 | |
| 826 | SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded |
| 827 | CustomLog /dev/stdout combined env=!forwarded |
| 828 | CustomLog /dev/stdout proxy env=forwarded |
| 829 | </VirtualHost> |
| 830 | sso_callback_template: | |
| 831 | <!DOCTYPE html> |
| 832 | <html xmlns="http://www.w3.org/1999/xhtml"> |
| 833 | <head> |
| 834 | <title>Keystone WebSSO redirect</title> |
| 835 | </head> |
| 836 | <body> |
| 837 | <form id="sso" name="sso" action="$host" method="post"> |
| 838 | Please wait... |
| 839 | <br/> |
| 840 | <input type="hidden" name="token" id="token" value="$token"/> |
| 841 | <noscript> |
| 842 | <input type="submit" name="submit_no_javascript" id="submit_no_javascript" |
| 843 | value="If your JavaScript is disabled, please click to continue"/> |
| 844 | </noscript> |
| 845 | </form> |
| 846 | <script type="text/javascript"> |
| 847 | window.onload = function() { |
| 848 | document.forms['sso'].submit(); |
| 849 | } |
| 850 | </script> |
| 851 | </body> |
| 852 | </html> |
| 853 | logging: |
| 854 | loggers: |
| 855 | keys: |
| 856 | - root |
| 857 | - keystone |
| 858 | handlers: |
| 859 | keys: |
| 860 | - stdout |
| 861 | - stderr |
| 862 | - "null" |
| 863 | formatters: |
| 864 | keys: |
| 865 | - context |
| 866 | - default |
| 867 | logger_root: |
| 868 | level: WARNING |
| 869 | handlers: 'null' |
| 870 | logger_keystone: |
| 871 | level: INFO |
| 872 | handlers: |
| 873 | - stdout |
| 874 | qualname: keystone |
| 875 | logger_amqp: |
| 876 | level: WARNING |
| 877 | handlers: stderr |
| 878 | qualname: amqp |
| 879 | logger_amqplib: |
| 880 | level: WARNING |
| 881 | handlers: stderr |
| 882 | qualname: amqplib |
| 883 | logger_eventletwsgi: |
| 884 | level: WARNING |
| 885 | handlers: stderr |
| 886 | qualname: eventlet.wsgi.server |
| 887 | logger_sqlalchemy: |
| 888 | level: WARNING |
| 889 | handlers: stderr |
| 890 | qualname: sqlalchemy |
| 891 | logger_boto: |
| 892 | level: WARNING |
| 893 | handlers: stderr |
| 894 | qualname: boto |
| 895 | handler_null: |
| 896 | class: logging.NullHandler |
| 897 | formatter: default |
| 898 | args: () |
| 899 | handler_stdout: |
| 900 | class: StreamHandler |
| 901 | args: (sys.stdout,) |
| 902 | formatter: context |
| 903 | handler_stderr: |
| 904 | class: StreamHandler |
| 905 | args: (sys.stderr,) |
| 906 | formatter: context |
| 907 | formatter_context: |
| 908 | class: oslo_log.formatters.ContextFormatter |
| 909 | datefmt: "%Y-%m-%d %H:%M:%S" |
| 910 | formatter_default: |
| 911 | format: "%(message)s" |
| 912 | datefmt: "%Y-%m-%d %H:%M:%S" |
| 913 | |
| 914 | # Names of secrets used by bootstrap and environmental checks |
| 915 | secrets: |
| 916 | identity: |
| 917 | admin: keystone-keystone-admin |
| 918 | test: keystone-keystone-test |
| 919 | oslo_db: |
| 920 | admin: keystone-db-admin |
| 921 | keystone: keystone-db-user |
| 922 | oslo_messaging: |
| 923 | admin: keystone-rabbitmq-admin |
| 924 | keystone: keystone-rabbitmq-user |
| 925 | ldap: |
| 926 | tls: keystone-ldap-tls |
| 927 | tls: |
| 928 | identity: |
| 929 | api: |
| 930 | public: keystone-tls-public |
| 931 | internal: keystone-tls-api |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 932 | oci_image_registry: |
| 933 | keystone: keystone-oci-image-registry |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 934 | |
| 935 | # typically overridden by environmental |
| 936 | # values, but should include all endpoints |
| 937 | # required by this chart |
| 938 | endpoints: |
| 939 | cluster_domain_suffix: cluster.local |
| 940 | local_image_registry: |
| 941 | name: docker-registry |
| 942 | namespace: docker-registry |
| 943 | hosts: |
| 944 | default: localhost |
| 945 | internal: docker-registry |
| 946 | node: localhost |
| 947 | host_fqdn_override: |
| 948 | default: null |
| 949 | port: |
| 950 | registry: |
| 951 | node: 5000 |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 952 | oci_image_registry: |
| 953 | name: oci-image-registry |
| 954 | namespace: oci-image-registry |
| 955 | auth: |
| 956 | enabled: false |
| 957 | keystone: |
| 958 | username: keystone |
| 959 | password: password |
| 960 | hosts: |
| 961 | default: localhost |
| 962 | host_fqdn_override: |
| 963 | default: null |
| 964 | port: |
| 965 | registry: |
| 966 | default: null |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 967 | identity: |
| 968 | namespace: null |
| 969 | name: keystone |
| 970 | auth: |
| 971 | admin: |
| 972 | region_name: RegionOne |
| 973 | username: admin |
| 974 | password: password |
| 975 | project_name: admin |
| 976 | user_domain_name: default |
| 977 | project_domain_name: default |
| 978 | default_domain_id: default |
| 979 | test: |
| 980 | role: admin |
| 981 | region_name: RegionOne |
| 982 | username: keystone-test |
| 983 | password: password |
| 984 | project_name: test |
| 985 | user_domain_name: default |
| 986 | project_domain_name: default |
| 987 | default_domain_id: default |
| 988 | hosts: |
| 989 | default: keystone |
| 990 | internal: keystone-api |
| 991 | host_fqdn_override: |
| 992 | default: null |
| 993 | # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public |
| 994 | # endpoints using the following format: |
| 995 | # public: |
| 996 | # host: null |
| 997 | # tls: |
| 998 | # crt: null |
| 999 | # key: null |
| 1000 | path: |
| 1001 | default: /v3 |
| 1002 | scheme: |
| 1003 | default: http |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 1004 | service: http |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1005 | port: |
| 1006 | api: |
| 1007 | default: 80 |
| 1008 | # NOTE(portdirect): to retain portability across images, and allow |
| 1009 | # running under a unprivileged user simply, we default to a port > 1000. |
| 1010 | internal: 5000 |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 1011 | service: 5000 |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1012 | oslo_db: |
| 1013 | namespace: null |
| 1014 | auth: |
| 1015 | admin: |
| 1016 | username: root |
| 1017 | password: password |
| 1018 | secret: |
| 1019 | tls: |
| 1020 | internal: mariadb-tls-direct |
| 1021 | keystone: |
| 1022 | username: keystone |
| 1023 | password: password |
| 1024 | hosts: |
| 1025 | default: mariadb |
| 1026 | host_fqdn_override: |
| 1027 | default: null |
| 1028 | path: /keystone |
| 1029 | scheme: mysql+pymysql |
| 1030 | port: |
| 1031 | mysql: |
| 1032 | default: 3306 |
| 1033 | oslo_messaging: |
| 1034 | namespace: null |
| 1035 | auth: |
| 1036 | admin: |
| 1037 | username: rabbitmq |
| 1038 | password: password |
| 1039 | secret: |
| 1040 | tls: |
| 1041 | internal: rabbitmq-tls-direct |
| 1042 | keystone: |
| 1043 | username: keystone |
| 1044 | password: password |
| 1045 | statefulset: |
| 1046 | replicas: 2 |
| 1047 | name: rabbitmq-rabbitmq |
| 1048 | hosts: |
| 1049 | default: rabbitmq |
| 1050 | host_fqdn_override: |
| 1051 | default: null |
| 1052 | path: /keystone |
| 1053 | scheme: rabbit |
| 1054 | port: |
| 1055 | amqp: |
| 1056 | default: 5672 |
| 1057 | http: |
| 1058 | default: 15672 |
| 1059 | oslo_cache: |
| 1060 | namespace: null |
| 1061 | hosts: |
| 1062 | default: memcached |
| 1063 | host_fqdn_override: |
| 1064 | default: null |
| 1065 | port: |
| 1066 | memcache: |
| 1067 | default: 11211 |
| 1068 | ldap: |
| 1069 | auth: |
| 1070 | client: |
| 1071 | tls: |
| 1072 | # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at |
| 1073 | # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the |
| 1074 | # following key will need to be overrided under section [ldap] or the |
| 1075 | # correct domain-specific setting, else it will not be enabled: |
| 1076 | # |
| 1077 | # use_tls: true |
| 1078 | # tls_req_cert: allow # Valid values: demand, never, allow |
| 1079 | # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert |
| 1080 | ca: null |
| 1081 | fluentd: |
| 1082 | namespace: null |
| 1083 | name: fluentd |
| 1084 | hosts: |
| 1085 | default: fluentd-logging |
| 1086 | host_fqdn_override: |
| 1087 | default: null |
| 1088 | path: |
| 1089 | default: null |
| 1090 | scheme: 'http' |
| 1091 | port: |
| 1092 | service: |
| 1093 | default: 24224 |
| 1094 | metrics: |
| 1095 | default: 24220 |
| 1096 | # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress |
| 1097 | # They are using to enable the Egress K8s network policy. |
| 1098 | kube_dns: |
| 1099 | namespace: kube-system |
| 1100 | name: kubernetes-dns |
| 1101 | hosts: |
| 1102 | default: kube-dns |
| 1103 | host_fqdn_override: |
| 1104 | default: null |
| 1105 | path: |
| 1106 | default: null |
| 1107 | scheme: http |
| 1108 | port: |
| 1109 | dns: |
| 1110 | default: 53 |
| 1111 | protocol: UDP |
| 1112 | ingress: |
| 1113 | namespace: null |
| 1114 | name: ingress |
| 1115 | hosts: |
| 1116 | default: ingress |
| 1117 | port: |
| 1118 | ingress: |
| 1119 | default: 80 |
| 1120 | |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 1121 | tls: |
| 1122 | identity: false |
| 1123 | oslo_messaging: false |
| 1124 | oslo_db: false |
| 1125 | |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1126 | manifests: |
| 1127 | certificates: false |
| 1128 | configmap_bin: true |
| 1129 | configmap_etc: true |
| 1130 | cron_credential_rotate: true |
| 1131 | cron_fernet_rotate: true |
| 1132 | deployment_api: true |
| 1133 | ingress_api: true |
| 1134 | job_bootstrap: true |
| 1135 | job_credential_cleanup: true |
| 1136 | job_credential_setup: true |
| 1137 | job_db_init: true |
| 1138 | job_db_sync: true |
| 1139 | job_db_drop: false |
| 1140 | job_domain_manage: true |
| 1141 | job_fernet_setup: true |
| 1142 | job_image_repo_sync: true |
| 1143 | job_rabbit_init: true |
| 1144 | pdb_api: true |
| 1145 | pod_rally_test: true |
| 1146 | network_policy: false |
| 1147 | secret_credential_keys: true |
| 1148 | secret_db: true |
| 1149 | secret_fernet_keys: true |
| 1150 | secret_ingress_tls: true |
| 1151 | secret_keystone: true |
| 1152 | secret_rabbitmq: true |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 1153 | secret_registry: true |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1154 | service_ingress_api: true |
| 1155 | service_api: true |
| 1156 | ... |