Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / refs/heads/main / . / roles / keystone / vars / main.yml
blob: df86c62d6ccf9671b90c5339e44e799cf27916ca [file] [log] [blame]
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]1# Copyright (c) 2022 VEXXHOST, Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]15_keystone_helm_values:
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]16 endpoints: "{{ openstack_helm_endpoints }}"
17 images:
Michiel Piscaer60d09f92023-01-20 18:58:55 +0100[diff] [blame]18 tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('keystone') }}"
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]19 pod:
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]20 replicas:
21 api: 3
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]22 mounts:
23 keystone_api:
24 keystone_api:
Mohammed Naser0824e922024-06-05 08:47:55 -0400[diff] [blame]25 volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'ca-certificates', 'mountPath': '/etc/ssl/certs/ca-certificates.crt', 'readOnly': true}] }}"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]26 volumes:
27 - name: keystone-openid-metadata
28 configMap:
29 name: keystone-openid-metadata
Mohammed Naser0824e922024-06-05 08:47:55 -0400[diff] [blame]30 - name: ca-certificates
Mohammed Naser6a8b6ca2024-05-30 17:25:30 -0400[diff] [blame]31 hostPath:
32 path: "{{ defaults_ca_certificates_path }}"
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]33 conf:
34 keystone:
35 DEFAULT:
36 log_config_append: null
37 auth:
38 methods: password,token,openid,application_credential
39 cors:
40 allowed_origins: "*"
Mohammed Naserc6e431b2024-03-15 01:21:44 -0400[diff] [blame]41 database:
Mohammed Naser66c3d0e2024-08-10 06:01:40 -0700[diff] [blame]42 connection_recycle_time: 600
43 max_overflow: 50
44 max_pool_size: 5
45 pool_timeout: 30
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]46 openid:
47 remote_id_attribute: HTTP_OIDC_ISS
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]48 federation:
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]49 # TODO(mnaser): Lookup using openstack_helm_endpoints
Giovanni Tirlonicb041082024-06-20 20:16:07 -0300[diff] [blame]50 trusted_dashboard:
51 type: multistring
52 values:
53 - "http://localhost:9990/auth/websso/"
54 - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/websso/"
ricolin2d8dd482022-07-07 06:55:02 +0800[diff] [blame]55 oslo_messaging_notifications:
56 driver: noop
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]57 wsgi_keystone: |
58 LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
59 Listen 0.0.0.0:5000
60 TransferLog /dev/stdout
61 ErrorLog /dev/stderr
62 <VirtualHost *:5000>
63 # WSGI
64 WSGIDaemonProcess keystone-public processes=4 threads=1 user=keystone group=keystone display-name=%{GROUP}
65 WSGIProcessGroup keystone-public
66 WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
67 WSGIApplicationGroup %{GLOBAL}
68 WSGIPassAuthorization On
69 # NOTE(mnaser): This is to by-pass large header limits for large tokens
70 LimitRequestFieldSize 16384
71 # OIDC
72 OIDCClaimPrefix "OIDC-"
73 OIDCMetadataDir /var/lib/apache2/oidc
74 OIDCSSLValidateServer "{{ keystone_oidc_ssl_validate_server }}"
75 OIDCCryptoPassphrase {{ keystone_oidc_crypto_passphrase }}
76 OIDCRedirectURI {{ keystone_oidc_redirect_uri }}
77 OIDCRedirectURLsAllowed {{ keystone_oidc_redirect_urls_allowed | join(' ') }}
78 # NOTE(mnaser): These are Atmosphere specific settings.
79 OIDCSessionType client-cookie:store_id_token
80 OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto
81 <Location /v3/auth/OS-FEDERATION/identity_providers/redirect>
82 AuthType openid-connect
83 Require valid-user
84 </Location>
85 <Location /v3/auth/OS-FEDERATION/websso/openid>
86 Require valid-user
87 AuthType openid-connect
88 </Location>
89 {% for domain in keystone_domains %}
90 <Location /v3/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/auth>
91 Require valid-user
92 AuthType oauth20
93 </Location>
94 <Location /v3/auth/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/websso>
95 Require valid-user
96 AuthType openid-connect
Michiel Piscaer1f650852023-09-11 17:28:44 +0200[diff] [blame]97 OIDCDiscoverURL {{ keystone_oidc_redirect_uri }}?iss={{ domain | vexxhost.atmosphere.urlencoded_issuer_from_domain }}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]98 </Location>
99 {% endfor %}
100 </VirtualHost>
101 ks_domains: "{{ keystone_domains | vexxhost.atmosphere.to_ks_domains }}"
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]102 manifests:
103 job_credential_cleanup: false
104 ingress_api: false
105 service_ingress_api: false