# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
# Node-selector key/value pairs applied to the api, job and test pods.
# All three default to the same openstack-control-plane=enabled selector.
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# Optional override for the release group used in labels/selectors;
# null leaves it to the chart's default (presumably the release name — verify in templates).
release_group: null

# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true

# Container images used by every pod and job in the chart. All OpenStack
# images are pinned to a release tag (2024.1-ubuntu_jammy); see the note on
# dep_check for the one exception.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
    # NOTE(review): the only floating ("latest-") tag in this list; a fixed tag
    # or digest keeps the deployed image set reproducible and auditable.
    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  # Optional mirroring through a local registry; dep_check and
  # image_repo_sync are excluded because they are needed to reach it.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

# Post-install bootstrap job. The script runs with the credentials of
# `ks_user` (OS_USERNAME / OS_DEFAULT_DOMAIN come from that user's secret,
# presumably endpoints.identity.auth.admin — confirm in the job template).
bootstrap:
  enabled: true
  ks_user: admin
  script: |
    # admin needs the admin role for the default domain
    openstack role add \
      --user="${OS_USERNAME}" \
      --domain="${OS_DEFAULT_DOMAIN}" \
      "admin"

# Exposure of the identity API. `ingress.public: true` publishes the API
# through the public ingress class; node_port exposure is off by default.
network:
  api:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    # When true the Service uses externalTrafficPolicy=Local (presumably; see
    # the service template), which preserves the client source IP.
    external_policy_local: false
    node_port:
      enabled: false
      port: 30500
  admin:
    node_port:
      enabled: false
      port: 30357

# Dependency gates (kubernetes-entrypoint style): each component waits for the
# listed jobs to complete and the listed service endpoints to be reachable
# before it starts. `null` means the component has no dependencies.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - keystone-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
  static:
    api:
      jobs:
        - keystone-db-sync
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
    bootstrap:
      jobs:
        - keystone-domain-manage
      services:
        - endpoint: internal
          service: identity
    credential_rotate:
      jobs:
        - keystone-credential-setup
    credential_setup: null
    credential_cleanup:
      services:
        - endpoint: internal
          service: oslo_db
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - keystone-db-init
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_db
    domain_manage:
      services:
        - endpoint: internal
          service: identity
    fernet_rotate:
      jobs:
        - keystone-fernet-setup
    fernet_setup: null
    tests:
      services:
        - endpoint: internal
          service: identity
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

# Pod-level settings: security contexts, scheduling, extra mounts, replica
# counts, upgrade strategy, resource requests/limits and probes.
pod:
  # Every pod below runs as the unprivileged uid 42424 with a read-only root
  # filesystem and no privilege escalation.
  # NOTE(review): no entries exist here for db_init, db_sync, db_drop,
  # bootstrap, rabbit_init, credential_rotate or credential_cleanup; their
  # contexts presumably come from the shared helm-toolkit job templates — confirm.
  security_context:
    keystone:
      pod:
        runAsUser: 42424
      container:
        keystone_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    credential_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_credential_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_rotate:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_rotate:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    domain_manage:
      pod:
        runAsUser: 42424
      container:
        keystone_domain_manage_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_domain_manage:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    test:
      pod:
        runAsUser: 42424
      container:
        keystone_test_ks_user:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_test:
          # The rally test container overrides the pod uid with its own.
          runAsUser: 65500
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Tolerations for scheduling onto control-plane nodes; disabled by default,
  # so keystone pods stay off tainted master/control-plane nodes.
  tolerations:
    keystone:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra volumes/volumeMounts per component. The bare `volumeMounts:` and
  # `volumes:` keys parse as null (no extras), which is what the templates
  # expect; override with a list to add mounts.
  mounts:
    keystone_db_init:
      init_container: null
      keystone_db_init:
        volumeMounts:
        volumes:
    keystone_db_sync:
      init_container: null
      keystone_db_sync:
        volumeMounts:
        volumes:
    keystone_api:
      init_container: null
      keystone_api:
        volumeMounts:
        volumes:
    keystone_tests:
      init_container: null
      keystone_tests:
        volumeMounts:
        volumes:
    keystone_bootstrap:
      init_container: null
      keystone_bootstrap:
        volumeMounts:
        volumes:
    keystone_fernet_setup:
      init_container: null
      keystone_fernet_setup:
        volumeMounts:
        volumes:
    keystone_fernet_rotate:
      init_container: null
      keystone_fernet_rotate:
        volumeMounts:
        volumes:
    keystone_credential_setup:
      init_container: null
      keystone_credential_setup:
        volumeMounts:
        volumes:
    keystone_credential_rotate:
      init_container: null
      keystone_credential_rotate:
        volumeMounts:
        volumes:
    keystone_credential_cleanup:
      init_container: null
      keystone_credential_cleanup:
        volumeMounts:
        volumes:
    keystone_domain_manage:
      init_container: null
      keystone_domain_manage:
        volumeMounts:
        volumes:
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    # min_available: 0 means the PDB never blocks a voluntary eviction.
    disruption_budget:
      api:
        min_available: 0
    termination_grace_period:
      api:
        timeout: 30
  # Requests/limits are only rendered when `enabled` is true.
  resources:
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      domain_manage:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_cleanup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
  probes:
    api:
      api:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 15
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 50
            periodSeconds: 60
            timeoutSeconds: 15
# Settings for the key-management jobs and cron jobs. Both cron jobs rotate
# key material, so their schedule is coupled to token lifetime (see the
# fernet_rotate note).
jobs:
  fernet_setup:
    user: keystone
    group: keystone
  fernet_rotate:
    # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should satisfy the formula
    # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
    # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
    # rotation_frequency need to be adjusted
    # With the current values the formula gives (12h + 48h) / 12h + 2 = 7, which
    # matches conf.keystone.fernet_tokens.max_active_keys; changing either the
    # schedule here or token.expiration requires re-checking both.
    # 12 hours
    cron: "0 */12 * * *"
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1
  credential_setup:
    user: keystone
    group: keystone
  credential_rotate:
    # monthly
    cron: "0 0 1 * *"
    migrate_wait: 120
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1

# Kubernetes NetworkPolicy rules for the keystone pods. An empty rule (`{}`)
# matches all traffic in that direction, so the defaults allow everything;
# tighten these when the policy is enabled (presumably via
# manifests.network_policy — confirm).
network_policy:
  keystone:
    ingress:
      - {}
    egress:
      - {}

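# Rendered configuration files: Apache security/vhost snippets, keystone.conf
# sections, oslo policy, RabbitMQ policies, rally tests, the WebSSO callback
# page and the Python logging config.
conf:
  # Apache hardening snippet. ServerTokens/ServerSignature/TraceEnable are
  # active; the X-Content-Type-Options and X-Frame-Options headers are shipped
  # commented out and need mod_headers if enabled.
  security: |
    #
    # Disable access to the entire file system except for the directories that
    # are explicitly allowed later.
    #
    # This currently breaks the configurations that come with some web application
    # Debian packages.
    #
    #<Directory />
    #   AllowOverride None
    #   Require all denied
    #</Directory>

    # Changing the following options will not really affect the security of the
    # server, but might make attacks slightly more difficult in some cases.

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of: Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    ServerSignature Off

    #
    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of: On | Off | extended
    TraceEnable Off

    #
    # Forbid access to version control directories
    #
    # If you use version control systems in your document root, you should
    # probably deny access to their directories. For example, for subversion:
    #
    #<DirectoryMatch "/\.svn">
    #   Require all denied
    #</DirectoryMatch>

    #
    # Setting this header will prevent MSIE from interpreting files as something
    # else than declared by the content type in the HTTP headers.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Content-Type-Options: "nosniff"

    #
    # Setting this header will prevent other sites from embedding pages from this
    # site as frames. This defends against clickjacking attacks.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Frame-Options: "sameorigin"
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      # NOTE(review): `sites-enable` is not Debian's `sites-enabled`; confirm it
      # matches the path the apache start script actually writes to.
      site_dir: /etc/apache2/sites-enable
      conf_dir: /etc/apache2/conf-enabled
      mods_dir: /etc/apache2/mods-available
      a2enmod: null
      a2dismod: null
  # keystone.conf, one mapping per section.
  keystone:
    DEFAULT:
      log_config_append: /etc/keystone/logging.conf
      max_token_size: 255
      # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
      # notification_opt_out: ""
    token:
      provider: fernet
      # 12 hours
      expiration: 43200
    identity:
      # Canonical lowercase boolean: the previous `True` is a YAML 1.1 bool but
      # the string "True" under YAML 1.2, so it depended on the parser.
      domain_specific_drivers_enabled: true
      domain_config_dir: /etc/keystone/domains
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
      # Coupled to jobs.fernet_rotate.cron and token.expiration (see the
      # formula in the fernet_rotate comment).
      max_active_keys: 7
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
      max_retries: -1
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    oslo_messaging_notifications:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    oslo_middleware:
      # Keystone will honour X-Forwarded-* headers; only trusted proxies
      # (the ingress) should be able to reach the API port directly.
      enable_proxy_headers_parsing: true
    oslo_policy:
      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # NOTE(vdrok): The following two options have effect only for SQL backend
      lockout_failure_attempts: 5
      lockout_duration: 1800
  # NOTE(lamt) We can leverage multiple domains with different
  # configurations as outlined in
  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
  # A sample of the value override can be found in sample file:
  # tools/overrides/example/keystone_domain_config.yaml
  # ks_domains:
  policy: {}
  access_rules: {}
  rabbitmq:
    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
    policies:
      - vhost: "keystone"
        name: "ha_ttl_keystone"
        definition:
          # mirror messages to other nodes in rmq cluster
          ha-mode: "all"
          ha-sync-mode: "automatic"
          # 70s
          message-ttl: 70000
        priority: 0
        apply-to: all
        pattern: '^(?!(amq\.|reply_)).*'
  rally_tests:
    run_tempest: false
    tests:
      KeystoneBasic.add_and_remove_user_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.authenticate_user_and_validate_token:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_add_and_list_user_roles:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_ec2credential:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_ec2credentials:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_service:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_get_role:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_services:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_tenants:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_users:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_delete_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant_with_users:
        - args:
            users_per_tenant: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_update_and_delete_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_set_enabled_and_delete:
        - args:
            enabled: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
        - args:
            enabled: false
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_update_password:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.get_entities:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit 1024
      StartServers 32
      MinSpareThreads 32
      MaxSpareThreads 256
      ThreadsPerChild 25
      MaxRequestsPerChild 128
      ThreadLimit 720
    </IfModule>
  # Apache vhost for the public WSGI endpoint. The `proxy` log format logs
  # X-Forwarded-For as the client address whenever that header looks like a
  # dotted quad, so access logs are only trustworthy if the port is reachable
  # solely through the ingress/proxy layer.
  wsgi_keystone: |
    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

    Listen 0.0.0.0:{{ $portInt }}

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded

    <VirtualHost *:{{ $portInt }}>
        WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded
    </VirtualHost>
  # WebSSO callback page: keystone substitutes $host and $token and the form
  # auto-POSTs the token to $host. The allowed values of $host are presumably
  # restricted by keystone's trusted-dashboard setting — confirm in keystone.conf.
  sso_callback_template: |
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Keystone WebSSO redirect</title>
      </head>
      <body>
         <form id="sso" name="sso" action="$host" method="post">
           Please wait...
           <br/>
           <input type="hidden" name="token" id="token" value="$token"/>
           <noscript>
             <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
                value="If your JavaScript is disabled, please click to continue"/>
           </noscript>
         </form>
         <script type="text/javascript">
           window.onload = function() {
             document.forms['sso'].submit();
           }
         </script>
      </body>
    </html>
  # Python logging.conf (fileConfig format) rendered for keystone. The handler
  # named "null" is quoted deliberately so YAML keeps it as a string.
  logging:
    loggers:
      keys:
        - root
        - keystone
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_keystone:
      level: INFO
      handlers:
        - stdout
      qualname: keystone
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: "%Y-%m-%d %H:%M:%S"
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"
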
# Names of secrets used by bootstrap and environmental checks
# (the Secret objects themselves are created from the endpoints.* auth
# values when the matching manifests.secret_* switch is on — presumably;
# confirm in the secret templates).
secrets:
  identity:
    admin: keystone-keystone-admin
    test: keystone-keystone-test
  oslo_db:
    admin: keystone-db-admin
    keystone: keystone-db-user
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
  ldap:
    tls: keystone-ldap-tls
  tls:
    identity:
      api:
        public: keystone-tls-public
        internal: keystone-tls-api
  oci_image_registry:
    keystone: keystone-oci-image-registry

# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# NOTE(review): every `password: password` below is a placeholder default.
# They are rendered into Secrets and used for real authentication, so each
# one must be overridden per environment; none should reach production as-is.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      keystone:
        username: keystone
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    namespace: null
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
      # The test user is granted the admin role; it exists only for the
      # rally test pod and should not be created in production deployments.
      test:
        role: admin
        region_name: RegionOne
        username: keystone-test
        password: password
        project_name: test
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: /v3
    scheme:
      default: http
      service: http
    port:
      api:
        default: 80
        # NOTE(portdirect): to retain portability across images, and allow
        # running under an unprivileged user simply, we default to a port > 1000.
        internal: 5000
        service: 5000
  oslo_db:
    namespace: null
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      keystone:
        username: keystone
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    namespace: null
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      keystone:
        username: keystone
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    namespace: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  ldap:
    auth:
      client:
        tls:
          # NOTE(lamt): Specifying a CA value here will place a LDAPS certificate at
          # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
          # following keys will need to be overridden under section [ldap] or the
          # correct domain-specific setting, else it will not be enabled:
          #
          # use_tls: true
          # tls_req_cert: allow  # Valid values: demand, never, allow
          # tls_cacertfile: /etc/certs/tls.ca  # abs path to the CA cert
          ca: null
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

# TLS switches for the in-cluster connections. All are off by default, so
# identity API, RabbitMQ and MariaDB traffic is plaintext unless overridden
# (the secret names used when enabled are under secrets.tls and
# endpoints.*.auth.admin.secret.tls).
tls:
  identity: false
  oslo_messaging: false
  oslo_db: false

# Which Kubernetes objects the chart renders. Defaults worth knowing:
# job_db_drop is off (it is destructive), network_policy is off (see
# network_policy for the rules it would apply), certificates is off.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  cron_credential_rotate: true
  cron_fernet_rotate: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_credential_cleanup: true
  job_credential_setup: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_domain_manage: true
  job_fernet_setup: true
  job_image_repo_sync: true
  job_rabbit_init: true
  pdb_api: true
  pod_rally_test: true
  network_policy: false
  secret_credential_keys: true
  secret_db: true
  secret_fernet_keys: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_ingress_api: true
  service_api: true
...