Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 1 | # Copyright (c) 2022 VEXXHOST, Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | |
Mohammed Naser | 2145fc3 | 2023-01-29 23:23:03 +0000 | [diff] [blame] | 15 | _keystone_helm_values: |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 16 | endpoints: "{{ openstack_helm_endpoints }}" |
| 17 | images: |
Michiel Piscaer | 60d09f9 | 2023-01-20 18:58:55 +0100 | [diff] [blame] | 18 | tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('keystone') }}" |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 19 | pod: |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 20 | replicas: |
| 21 | api: 3 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 22 | mounts: |
| 23 | keystone_api: |
| 24 | keystone_api: |
Mohammed Naser | 0824e92 | 2024-06-05 08:47:55 -0400 | [diff] [blame] | 25 | volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'ca-certificates', 'mountPath': '/etc/ssl/certs/ca-certificates.crt', 'readOnly': true}] }}" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 26 | volumes: |
| 27 | - name: keystone-openid-metadata |
| 28 | configMap: |
| 29 | name: keystone-openid-metadata |
Mohammed Naser | 0824e92 | 2024-06-05 08:47:55 -0400 | [diff] [blame] | 30 | - name: ca-certificates |
Mohammed Naser | 6a8b6ca | 2024-05-30 17:25:30 -0400 | [diff] [blame] | 31 | hostPath: |
| 32 | path: "{{ defaults_ca_certificates_path }}" |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 33 | conf: |
| 34 | keystone: |
| 35 | DEFAULT: |
| 36 | log_config_append: null |
| 37 | auth: |
| 38 | methods: password,token,openid,application_credential |
| 39 | cors: |
| 40 | allowed_origins: "*" |
Mohammed Naser | c6e431b | 2024-03-15 01:21:44 -0400 | [diff] [blame] | 41 | database: |
Mohammed Naser | 66c3d0e | 2024-08-10 06:01:40 -0700 | [diff] [blame] | 42 | connection_recycle_time: 600 |
| 43 | max_overflow: 50 |
| 44 | max_pool_size: 5 |
| 45 | pool_timeout: 30 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 46 | openid: |
| 47 | remote_id_attribute: HTTP_OIDC_ISS |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 48 | federation: |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 49 | # TODO(mnaser): Lookup using openstack_helm_endpoints |
Giovanni Tirloni | cb04108 | 2024-06-20 20:16:07 -0300 | [diff] [blame] | 50 | trusted_dashboard: |
| 51 | type: multistring |
| 52 | values: |
| 53 | - "http://localhost:9990/auth/websso/" |
| 54 | - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/websso/" |
ricolin | 2d8dd48 | 2022-07-07 06:55:02 +0800 | [diff] [blame] | 55 | oslo_messaging_notifications: |
| 56 | driver: noop |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 57 | wsgi_keystone: | |
| 58 | LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so |
| 59 | Listen 0.0.0.0:5000 |
| 60 | TransferLog /dev/stdout |
| 61 | ErrorLog /dev/stderr |
| 62 | <VirtualHost *:5000> |
| 63 | # WSGI |
| 64 | WSGIDaemonProcess keystone-public processes=4 threads=1 user=keystone group=keystone display-name=%{GROUP} |
| 65 | WSGIProcessGroup keystone-public |
| 66 | WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public |
| 67 | WSGIApplicationGroup %{GLOBAL} |
| 68 | WSGIPassAuthorization On |
| 69 | # NOTE(mnaser): This is to by-pass large header limits for large tokens |
| 70 | LimitRequestFieldSize 16384 |
| 71 | # OIDC |
| 72 | OIDCClaimPrefix "OIDC-" |
| 73 | OIDCMetadataDir /var/lib/apache2/oidc |
| 74 | OIDCSSLValidateServer "{{ keystone_oidc_ssl_validate_server }}" |
| 75 | OIDCCryptoPassphrase {{ keystone_oidc_crypto_passphrase }} |
| 76 | OIDCRedirectURI {{ keystone_oidc_redirect_uri }} |
| 77 | OIDCRedirectURLsAllowed {{ keystone_oidc_redirect_urls_allowed | join(' ') }} |
| 78 | # NOTE(mnaser): These are Atmosphere specific settings. |
| 79 | OIDCSessionType client-cookie:store_id_token |
| 80 | OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto |
| 81 | <Location /v3/auth/OS-FEDERATION/identity_providers/redirect> |
| 82 | AuthType openid-connect |
| 83 | Require valid-user |
| 84 | </Location> |
| 85 | <Location /v3/auth/OS-FEDERATION/websso/openid> |
| 86 | Require valid-user |
| 87 | AuthType openid-connect |
| 88 | </Location> |
| 89 | {% for domain in keystone_domains %} |
| 90 | <Location /v3/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/auth> |
| 91 | Require valid-user |
| 92 | AuthType oauth20 |
| 93 | </Location> |
| 94 | <Location /v3/auth/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/websso> |
| 95 | Require valid-user |
| 96 | AuthType openid-connect |
Michiel Piscaer | 1f65085 | 2023-09-11 17:28:44 +0200 | [diff] [blame] | 97 | OIDCDiscoverURL {{ keystone_oidc_redirect_uri }}?iss={{ domain | vexxhost.atmosphere.urlencoded_issuer_from_domain }} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 98 | </Location> |
| 99 | {% endfor %} |
| 100 | </VirtualHost> |
| 101 | ks_domains: "{{ keystone_domains | vexxhost.atmosphere.to_ks_domains }}" |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 102 | manifests: |
| 103 | job_credential_cleanup: false |
| 104 | ingress_api: false |
| 105 | service_ingress_api: false |