# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for barbican.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
# Node-selector labels per workload type. Each pair is matched against the
# node labels of the cluster when scheduling the corresponding pods.
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Optional release-group name; null leaves the chart default in place.
release_group: null

# NOTE(philsphicas): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true

# Container images used by the chart. Every tag below is a mutable reference;
# pin digests in an override file where image provenance matters.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    scripted_test: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    barbican_db_sync: docker.io/openstackhelm/barbican:wallaby-ubuntu_focal
    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
    barbican_api: docker.io/openstackhelm/barbican:wallaby-ubuntu_focal
    rabbit_init: docker.io/rabbitmq:3.7-management
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    # Images presumably left pointing at their upstream registry when
    # local_registry.active is true — confirm against the image templates.
    exclude:
      - dep_check
      - image_repo_sync

pod:
  # Pod and container security contexts. The API and test containers run as
  # an unprivileged UID, may not gain privileges, and get a read-only root
  # filesystem; keep these when overriding.
  security_context:
    barbican:
      pod:
        runAsUser: 42424
      container:
        barbican_api:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    test:
      pod:
        runAsUser: 42424
      container:
        barbican_test:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
  # Soft anti-affinity: spread API replicas across hosts where possible.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Tolerations for control-plane taints; disabled unless explicitly enabled.
  tolerations:
    barbican:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volumes/volumeMounts per workload; null means "none added".
  mounts:
    barbican_api:
      init_container: null
      barbican_api:
        volumeMounts: null
        volumes: null
    barbican_bootstrap:
      init_container: null
      barbican_bootstrap:
        volumeMounts: null
        volumes: null
    barbican_tests:
      init_container: null
      barbican_tests:
        volumeMounts: null
        volumes: null
    barbican_db_sync:
      barbican_db_sync:
        volumeMounts: null
        volumes: null
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    disruption_budget:
      api:
        min_available: 0
  # Resource requests/limits; only applied when resources.enabled is true.
  resources:
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_endpoints:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_service:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      ks_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"

network:
  api:
    # The API is published through an ingress by default; node_port is an
    # alternative exposure path and is off unless enabled.
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30486

# Kubernetes NetworkPolicy rules (rendered only when manifests.network_policy
# is true). An empty rule `{}` matches all traffic, so these defaults allow
# everything; tighten them per environment.
network_policy:
  barbican:
    ingress:
      - {}
    egress:
      - {}

# Post-install bootstrap job; runs `script` as the keystone user named in
# ks_user. Disabled by default.
bootstrap:
  enabled: false
  ks_user: barbican
  script: |
    openstack token issue

# Startup ordering: each workload waits for the listed jobs and service
# endpoints before its main container starts.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - barbican-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    api:
      jobs:
        - barbican-db-sync
        - barbican-ks-user
        - barbican-ks-endpoints
        - barbican-rabbit-init
      services:
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
        - endpoint: internal
          service: oslo_messaging
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - barbican-db-init
      services:
        - endpoint: internal
          service: oslo_db
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
    ks_endpoints:
      jobs:
        - barbican-ks-service
      services:
        - endpoint: internal
          service: identity
    ks_service:
      services:
        - endpoint: internal
          service: identity
    ks_user:
      services:
        - endpoint: internal
          service: identity
    rabbit_init:
      services:
        - endpoint: internal
          service: oslo_messaging

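conf:
  # Paste deploy configuration for the API. composite:main routes /v1 through
  # the keystone-authenticated pipeline; `pipeline:barbican_api` uses
  # unauthenticated-context, so remapping /v1 to it would serve the API
  # without Keystone authentication.
  paste:
    composite:main:
      use: egg:Paste#urlmap
      /: barbican_version
      /v1: barbican-api-keystone
    pipeline:barbican_version:
      pipeline: cors http_proxy_to_wsgi versionapp
    pipeline:barbican_api:
      pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
    # Development-only pipeline (cgitb tracebacks and repoze.profile); it is
    # not referenced by composite:main.
    pipeline:barbican-profile:
      pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
    pipeline:barbican-api-keystone:
      pipeline: cors http_proxy_to_wsgi authtoken context apiapp
    # CADF audit variant; map /v1 to this pipeline to emit audit events.
    pipeline:barbican-api-keystone-audit:
      pipeline: http_proxy_to_wsgi authtoken context audit apiapp
    app:apiapp:
      paste.app_factory: barbican.api.app:create_main_app
    app:versionapp:
      paste.app_factory: barbican.api.app:create_version_app
    filter:simple:
      paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
    filter:unauthenticated-context:
      paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
    filter:context:
      paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
    filter:audit:
      paste.filter_factory: keystonemiddleware.audit:filter_factory
      audit_map_file: /etc/barbican/api_audit_map.conf
    filter:authtoken:
      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
    filter:profile:
      use: egg:repoze.profile
      log_filename: myapp.profile
      cachegrind_filename: cachegrind.out.myapp
      discard_first_request: true
      path: /__profile__
      flush_at_shutdown: true
      unwind: false
    filter:cors:
      paste.filter_factory: oslo_middleware.cors:filter_factory
      oslo_config_project: barbican
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
  # Policy overrides; an empty map keeps barbican's built-in policy defaults.
  policy: {}
  # CADF audit map consumed by the keystonemiddleware audit filter.
  audit_map:
    DEFAULT:
      # default target endpoint type
      # should match the endpoint type defined in service catalog
      target_endpoint_type: key-manager
    custom_actions:
      # map urls ending with specific text to a unique action
      # Don't need custom mapping for other resource operations
      # Note: action should match action names defined in CADF taxonomy
      acl/get: read
    path_keywords:
      # path of api requests for CADF target typeURI
      # Just need to include top resource path to identify class of resources
      secrets: null
      containers: null
      orders: null
      # NOTE(review): "None" is a literal string here while the sibling keys
      # are null — confirm which form the rendered audit map expects.
      cas: "None"
      quotas: null
      project-quotas: null
    service_endpoints:
      # map endpoint type defined in service catalog to CADF typeURI
      key-manager: service/security/keymanager
  barbican_api_uwsgi:
    uwsgi:
      add-header: "Connection: close"
      buffer-size: 65535
      chunked-input-limit: "4096000"
      die-on-term: true
      enable-threads: true
      exit-on-reload: false
      hook-master-start: unix_signal:15 gracefully_kill_them_all
      http-auto-chunked: true
      http-raw-body: true
      lazy-apps: true
      log-x-forwarded-for: true
      master: true
      need-app: true
      # Process title prefix (fixed typo: was "barbiacan-api:").
      procname-prefix-spaced: "barbican-api:"
      # Suppress request logging for kubelet health probes.
      route-user-agent: '^kube-probe.* donotlog:'
      socket-timeout: 10
      thunder-lock: true
      worker-reload-mercy: 80
      wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api
      processes: 1
  barbican:
    DEFAULT:
      transport_url: null
      log_config_append: /etc/barbican/logging.conf
    keystone_authtoken:
      auth_type: password
      auth_version: v3
      # Token cache entries in memcache are encrypted; the key is taken from
      # endpoints.oslo_cache.auth.memcache_secret_key when this is left null.
      memcache_security_strategy: ENCRYPT
      memcache_secret_key: null
      service_type: key-manager
    database:
      max_retries: -1
    barbican_api:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
      bind_port: null
    oslo_policy:
      policy_file: /etc/barbican/policy.yaml
    # When using the simple_crypto_plugin, a kek must be provided as:
    # .conf.barbican.simple_crypto_plugin.kek
    # If no kek is provided, barbican will use a well-known default, i.e. the
    # stored secrets are encrypted with a publicly known key; set a unique
    # kek for any deployment that holds real secrets.
    # If upgrading the chart with a new kek, the old kek must be provided as:
    # .conf.simple_crypto_kek_rewrap.old_kek
    # Please refer to the .conf.simple_crypto_kek_rewrap section below.
    # The barbican defaults are included here as a reference:
    # secretstore:
    #   enabled_secretstore_plugins:
    #     - store_crypto
    # crypto:
    #   enabled_crypto_plugins:
    #     - simple_crypto
    # simple_crypto_plugin:
    #   # The kek should be a 32-byte value which is base64 encoded.
    #   kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
  # KEK rotation for the simple_crypto plugin
  simple_crypto_kek_rewrap:

    # To allow for chart upgrades when modifying the Key Encryption Key, the
    # db-sync job can rewrap the existing project keys with the new kek, leaving
    # each secret's encrypted data unchanged.

    # This feature is enabled automatically, if a kek is specified at:
    # .conf.barbican.simple_crypto_plugin.kek
    # and the previous kek is also specified at:
    # .conf.simple_crypto_kek_rewrap.old_kek

    # The project keys are decrypted with 'old_kek' and re-encrypted with the
    # target kek (as defined in barbican.conf).
    # This resembles the lightweight rotation described here, which was never
    # implemented for the simple crypto plugin:
    # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html

    # The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the
    # plugin default, and is retained here for convenience, in case the chart was
    # previously installed without explicitly specifying a kek.
    old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
  # Python logging configuration rendered to /etc/barbican/logging.conf.
  # The quoted 'null' values are handler names, not YAML nulls.
  logging:
    loggers:
      keys:
        - root
        - barbican
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_barbican:
      level: INFO
      handlers:
        - stdout
      qualname: barbican
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: "%Y-%m-%d %H:%M:%S"
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"
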
# Names of secrets used by bootstrap and environmental checks
secrets:
  identity:
    admin: barbican-keystone-admin
    barbican: barbican-keystone-user
  oslo_db:
    admin: barbican-db-admin
    barbican: barbican-db-user
  oslo_messaging:
    admin: barbican-rabbitmq-admin
    barbican: barbican-rabbitmq-user
  # TLS Secrets for the key-manager API endpoints (used when tls/certificates
  # are enabled).
  tls:
    key_manager:
      api:
        public: barbican-tls-public
        internal: barbican-tls-internal
  oci_image_registry:
    barbican: barbican-oci-image-registry

# Service endpoint catalogue. Every `password: password` below is a
# development placeholder; override each one for any non-development
# deployment.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      barbican:
        username: barbican
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      barbican:
        role: admin
        region_name: RegionOne
        username: barbican
        password: password
        project_name: service
        user_domain_name: service
        project_domain_name: service
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  key_manager:
    name: barbican
    hosts:
      default: barbican-api
      public: barbican
    host_fqdn_override:
      default: null
    path:
      default: /
    scheme:
      default: http
      service: http
    port:
      api:
        default: 9311
        public: 80
        service: 9311
  oslo_db:
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      barbican:
        username: barbican
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /barbican
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      barbican:
        username: barbican
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /barbican
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    auth:
      # NOTE(portdirect): this is used to define the value for keystone
      # authtoken cache encryption key, if not set it will be populated
      # automatically with a random value, but to take advantage of
      # this feature all services should be set to use the same key,
      # and memcache service.
      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are using to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

# TLS toggles for backend connections; all false means plaintext in-cluster
# traffic to keystone, rabbitmq and mariadb.
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false

# Which templates are rendered. Note that network_policy and certificates are
# off by default and job_db_drop is only for teardown.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  job_rabbit_init: true
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user: true
  pdb_api: true
  pod_test: true
  secret_db: true
  network_policy: false
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_api: true
  service_api: true
...
724...