Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 2 | # you may not use this file except in compliance with the License. |
| 3 | # You may obtain a copy of the License at |
| 4 | # |
| 5 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | # |
| 7 | # Unless required by applicable law or agreed to in writing, software |
| 8 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 9 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 10 | # See the License for the specific language governing permissions and |
| 11 | # limitations under the License. |
| 12 | |
| 13 | # Default values for keystone. |
| 14 | # This is a YAML-formatted file. |
| 15 | # Declare name/value pairs to be passed into your templates. |
| 16 | # name: value |
| 17 | |
| 18 | --- |
| 19 | labels: |
| 20 | api: |
| 21 | node_selector_key: openstack-control-plane |
| 22 | node_selector_value: enabled |
| 23 | job: |
| 24 | node_selector_key: openstack-control-plane |
| 25 | node_selector_value: enabled |
| 26 | test: |
| 27 | node_selector_key: openstack-control-plane |
| 28 | node_selector_value: enabled |
| 29 | |
| 30 | release_group: null |
| 31 | |
| 32 | # NOTE(gagehugo): the pre-install hook breaks upgrade for helm2 |
| 33 | # Set to false to upgrade using helm2 |
| 34 | helm3_hook: true |
| 35 | |
| 36 | images: |
| 37 | tags: |
Oleksandr K. | 4a0e28f | 2024-11-21 03:23:41 +0100 | [diff] [blame] | 38 | bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 39 | test: docker.io/xrally/xrally-openstack:2.0.0 |
Oleksandr K. | 4a0e28f | 2024-11-21 03:23:41 +0100 | [diff] [blame] | 40 | db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 41 | keystone_db_sync: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 42 | db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 43 | ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 44 | rabbit_init: docker.io/rabbitmq:3.13-management |
| 45 | keystone_fernet_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 46 | keystone_fernet_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 47 | keystone_credential_setup: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 48 | keystone_credential_rotate: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 49 | keystone_credential_cleanup: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy |
| 50 | keystone_api: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 51 | keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy |
| 52 | dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 53 | image_repo_sync: docker.io/docker:17.07.0 |
| 54 | pull_policy: "IfNotPresent" |
| 55 | local_registry: |
| 56 | active: false |
| 57 | exclude: |
| 58 | - dep_check |
| 59 | - image_repo_sync |
| 60 | |
| 61 | bootstrap: |
| 62 | enabled: true |
| 63 | ks_user: admin |
| 64 | script: | |
| 65 | # admin needs the admin role for the default domain |
| 66 | openstack role add \ |
| 67 | --user="${OS_USERNAME}" \ |
| 68 | --domain="${OS_DEFAULT_DOMAIN}" \ |
| 69 | "admin" |
| 70 | |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 71 | network: |
| 72 | api: |
| 73 | ingress: |
| 74 | public: true |
| 75 | classes: |
| 76 | namespace: "nginx" |
| 77 | cluster: "nginx-cluster" |
| 78 | annotations: |
| 79 | nginx.ingress.kubernetes.io/rewrite-target: / |
| 80 | external_policy_local: false |
| 81 | node_port: |
| 82 | enabled: false |
| 83 | port: 30500 |
| 84 | admin: |
| 85 | node_port: |
| 86 | enabled: false |
| 87 | port: 30357 |
| 88 | |
| 89 | dependencies: |
| 90 | dynamic: |
| 91 | common: |
| 92 | local_image_registry: |
| 93 | jobs: |
| 94 | - keystone-image-repo-sync |
| 95 | services: |
| 96 | - endpoint: node |
| 97 | service: local_image_registry |
| 98 | rabbit_init: |
| 99 | services: |
| 100 | - service: oslo_messaging |
| 101 | endpoint: internal |
| 102 | static: |
| 103 | api: |
| 104 | jobs: |
| 105 | - keystone-db-sync |
| 106 | - keystone-credential-setup |
| 107 | - keystone-fernet-setup |
| 108 | services: |
| 109 | - endpoint: internal |
| 110 | service: oslo_cache |
| 111 | - endpoint: internal |
| 112 | service: oslo_db |
| 113 | bootstrap: |
| 114 | jobs: |
| 115 | - keystone-domain-manage |
| 116 | services: |
| 117 | - endpoint: internal |
| 118 | service: identity |
| 119 | credential_rotate: |
| 120 | jobs: |
| 121 | - keystone-credential-setup |
| 122 | credential_setup: null |
| 123 | credential_cleanup: |
| 124 | services: |
| 125 | - endpoint: internal |
| 126 | service: oslo_db |
| 127 | db_drop: |
| 128 | services: |
| 129 | - endpoint: internal |
| 130 | service: oslo_db |
| 131 | db_init: |
| 132 | services: |
| 133 | - endpoint: internal |
| 134 | service: oslo_db |
| 135 | db_sync: |
| 136 | jobs: |
| 137 | - keystone-db-init |
| 138 | - keystone-credential-setup |
| 139 | - keystone-fernet-setup |
| 140 | services: |
| 141 | - endpoint: internal |
| 142 | service: oslo_db |
| 143 | domain_manage: |
| 144 | services: |
| 145 | - endpoint: internal |
| 146 | service: identity |
| 147 | fernet_rotate: |
| 148 | jobs: |
| 149 | - keystone-fernet-setup |
| 150 | fernet_setup: null |
| 151 | tests: |
| 152 | services: |
| 153 | - endpoint: internal |
| 154 | service: identity |
| 155 | image_repo_sync: |
| 156 | services: |
| 157 | - endpoint: internal |
| 158 | service: local_image_registry |
| 159 | |
| 160 | pod: |
| 161 | security_context: |
| 162 | keystone: |
| 163 | pod: |
| 164 | runAsUser: 42424 |
| 165 | container: |
| 166 | keystone_api: |
| 167 | readOnlyRootFilesystem: true |
| 168 | allowPrivilegeEscalation: false |
| 169 | credential_setup: |
| 170 | pod: |
| 171 | runAsUser: 42424 |
| 172 | container: |
| 173 | keystone_credential_setup: |
| 174 | readOnlyRootFilesystem: true |
| 175 | allowPrivilegeEscalation: false |
| 176 | fernet_setup: |
| 177 | pod: |
| 178 | runAsUser: 42424 |
| 179 | container: |
| 180 | keystone_fernet_setup: |
| 181 | readOnlyRootFilesystem: true |
| 182 | allowPrivilegeEscalation: false |
| 183 | fernet_rotate: |
| 184 | pod: |
| 185 | runAsUser: 42424 |
| 186 | container: |
| 187 | keystone_fernet_rotate: |
| 188 | readOnlyRootFilesystem: true |
| 189 | allowPrivilegeEscalation: false |
| 190 | domain_manage: |
| 191 | pod: |
| 192 | runAsUser: 42424 |
| 193 | container: |
| 194 | keystone_domain_manage_init: |
| 195 | readOnlyRootFilesystem: true |
| 196 | allowPrivilegeEscalation: false |
| 197 | keystone_domain_manage: |
| 198 | readOnlyRootFilesystem: true |
| 199 | allowPrivilegeEscalation: false |
| 200 | test: |
| 201 | pod: |
| 202 | runAsUser: 42424 |
| 203 | container: |
| 204 | keystone_test_ks_user: |
| 205 | readOnlyRootFilesystem: true |
| 206 | allowPrivilegeEscalation: false |
| 207 | keystone_test: |
| 208 | runAsUser: 65500 |
| 209 | readOnlyRootFilesystem: true |
| 210 | allowPrivilegeEscalation: false |
| 211 | affinity: |
| 212 | anti: |
| 213 | type: |
| 214 | default: preferredDuringSchedulingIgnoredDuringExecution |
| 215 | topologyKey: |
| 216 | default: kubernetes.io/hostname |
| 217 | weight: |
| 218 | default: 10 |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 219 | tolerations: |
| 220 | keystone: |
| 221 | enabled: false |
| 222 | tolerations: |
| 223 | - key: node-role.kubernetes.io/master |
| 224 | operator: Exists |
| 225 | effect: NoSchedule |
Rico Lin | c6ac7a1 | 2023-11-03 00:25:40 +0800 | [diff] [blame] | 226 | - key: node-role.kubernetes.io/control-plane |
| 227 | operator: Exists |
| 228 | effect: NoSchedule |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 229 | mounts: |
| 230 | keystone_db_init: |
| 231 | init_container: null |
| 232 | keystone_db_init: |
| 233 | volumeMounts: |
| 234 | volumes: |
| 235 | keystone_db_sync: |
| 236 | init_container: null |
| 237 | keystone_db_sync: |
| 238 | volumeMounts: |
| 239 | volumes: |
| 240 | keystone_api: |
| 241 | init_container: null |
| 242 | keystone_api: |
| 243 | volumeMounts: |
| 244 | volumes: |
| 245 | keystone_tests: |
| 246 | init_container: null |
| 247 | keystone_tests: |
| 248 | volumeMounts: |
| 249 | volumes: |
| 250 | keystone_bootstrap: |
| 251 | init_container: null |
| 252 | keystone_bootstrap: |
| 253 | volumeMounts: |
| 254 | volumes: |
| 255 | keystone_fernet_setup: |
| 256 | init_container: null |
| 257 | keystone_fernet_setup: |
| 258 | volumeMounts: |
| 259 | volumes: |
| 260 | keystone_fernet_rotate: |
| 261 | init_container: null |
| 262 | keystone_fernet_rotate: |
| 263 | volumeMounts: |
| 264 | volumes: |
| 265 | keystone_credential_setup: |
| 266 | init_container: null |
| 267 | keystone_credential_setup: |
| 268 | volumeMounts: |
| 269 | volumes: |
| 270 | keystone_credential_rotate: |
| 271 | init_container: null |
| 272 | keystone_credential_rotate: |
| 273 | volumeMounts: |
| 274 | volumes: |
| 275 | keystone_credential_cleanup: |
| 276 | init_container: null |
| 277 | keystone_credential_cleanup: |
| 278 | volumeMounts: |
| 279 | volumes: |
| 280 | keystone_domain_manage: |
| 281 | init_container: null |
| 282 | keystone_domain_manage: |
| 283 | volumeMounts: |
| 284 | volumes: |
| 285 | replicas: |
| 286 | api: 1 |
| 287 | lifecycle: |
| 288 | upgrades: |
| 289 | deployments: |
| 290 | revision_history: 3 |
| 291 | pod_replacement_strategy: RollingUpdate |
| 292 | rolling_update: |
| 293 | max_unavailable: 1 |
| 294 | max_surge: 3 |
| 295 | disruption_budget: |
| 296 | api: |
| 297 | min_available: 0 |
| 298 | termination_grace_period: |
| 299 | api: |
| 300 | timeout: 30 |
| 301 | resources: |
| 302 | enabled: false |
| 303 | api: |
| 304 | requests: |
| 305 | memory: "128Mi" |
| 306 | cpu: "100m" |
| 307 | limits: |
| 308 | memory: "1024Mi" |
| 309 | cpu: "2000m" |
| 310 | jobs: |
| 311 | bootstrap: |
| 312 | requests: |
| 313 | memory: "128Mi" |
| 314 | cpu: "100m" |
| 315 | limits: |
| 316 | memory: "1024Mi" |
| 317 | cpu: "2000m" |
| 318 | domain_manage: |
| 319 | requests: |
| 320 | memory: "128Mi" |
| 321 | cpu: "100m" |
| 322 | limits: |
| 323 | memory: "1024Mi" |
| 324 | cpu: "2000m" |
| 325 | db_init: |
| 326 | requests: |
| 327 | memory: "128Mi" |
| 328 | cpu: "100m" |
| 329 | limits: |
| 330 | memory: "1024Mi" |
| 331 | cpu: "2000m" |
| 332 | db_sync: |
| 333 | requests: |
| 334 | memory: "128Mi" |
| 335 | cpu: "100m" |
| 336 | limits: |
| 337 | memory: "1024Mi" |
| 338 | cpu: "2000m" |
| 339 | db_drop: |
| 340 | requests: |
| 341 | memory: "128Mi" |
| 342 | cpu: "100m" |
| 343 | limits: |
| 344 | memory: "1024Mi" |
| 345 | cpu: "2000m" |
| 346 | rabbit_init: |
| 347 | requests: |
| 348 | memory: "128Mi" |
| 349 | cpu: "100m" |
| 350 | limits: |
| 351 | memory: "1024Mi" |
| 352 | cpu: "2000m" |
| 353 | tests: |
| 354 | requests: |
| 355 | memory: "128Mi" |
| 356 | cpu: "100m" |
| 357 | limits: |
| 358 | memory: "1024Mi" |
| 359 | cpu: "2000m" |
| 360 | fernet_setup: |
| 361 | requests: |
| 362 | memory: "128Mi" |
| 363 | cpu: "100m" |
| 364 | limits: |
| 365 | memory: "1024Mi" |
| 366 | cpu: "2000m" |
| 367 | fernet_rotate: |
| 368 | requests: |
| 369 | memory: "128Mi" |
| 370 | cpu: "100m" |
| 371 | limits: |
| 372 | memory: "1024Mi" |
| 373 | cpu: "2000m" |
| 374 | credential_setup: |
| 375 | requests: |
| 376 | memory: "128Mi" |
| 377 | cpu: "100m" |
| 378 | limits: |
| 379 | memory: "1024Mi" |
| 380 | cpu: "2000m" |
| 381 | credential_rotate: |
| 382 | requests: |
| 383 | memory: "128Mi" |
| 384 | cpu: "100m" |
| 385 | limits: |
| 386 | memory: "1024Mi" |
| 387 | cpu: "2000m" |
| 388 | credential_cleanup: |
| 389 | requests: |
| 390 | memory: "128Mi" |
| 391 | cpu: "100m" |
| 392 | limits: |
| 393 | memory: "1024Mi" |
| 394 | cpu: "2000m" |
| 395 | image_repo_sync: |
| 396 | requests: |
| 397 | memory: "128Mi" |
| 398 | cpu: "100m" |
| 399 | limits: |
| 400 | memory: "1024Mi" |
| 401 | cpu: "2000m" |
| 402 | probes: |
| 403 | api: |
| 404 | api: |
| 405 | readiness: |
| 406 | enabled: true |
| 407 | params: |
| 408 | initialDelaySeconds: 15 |
| 409 | periodSeconds: 60 |
| 410 | timeoutSeconds: 15 |
| 411 | liveness: |
| 412 | enabled: true |
| 413 | params: |
| 414 | initialDelaySeconds: 50 |
| 415 | periodSeconds: 60 |
| 416 | timeoutSeconds: 15 |
| 417 | jobs: |
| 418 | fernet_setup: |
| 419 | user: keystone |
| 420 | group: keystone |
| 421 | fernet_rotate: |
Oleksandr K. | 4a0e28f | 2024-11-21 03:23:41 +0100 | [diff] [blame] | 422 | # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula |
| 423 | # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2 |
| 424 | # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default, |
| 425 | # rotation_frequency need to be adjusted |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 426 | # 12 hours |
| 427 | cron: "0 */12 * * *" |
| 428 | user: keystone |
| 429 | group: keystone |
| 430 | history: |
| 431 | success: 3 |
| 432 | failed: 1 |
| 433 | credential_setup: |
| 434 | user: keystone |
| 435 | group: keystone |
| 436 | credential_rotate: |
| 437 | # monthly |
| 438 | cron: "0 0 1 * *" |
| 439 | migrate_wait: 120 |
| 440 | user: keystone |
| 441 | group: keystone |
| 442 | history: |
| 443 | success: 3 |
| 444 | failed: 1 |
| 445 | |
| 446 | network_policy: |
| 447 | keystone: |
| 448 | ingress: |
| 449 | - {} |
| 450 | egress: |
| 451 | - {} |
| 452 | |
| 453 | conf: |
| 454 | security: | |
| 455 | # |
| 456 | # Disable access to the entire file system except for the directories that |
| 457 | # are explicitly allowed later. |
| 458 | # |
| 459 | # This currently breaks the configurations that come with some web application |
| 460 | # Debian packages. |
| 461 | # |
| 462 | #<Directory /> |
| 463 | # AllowOverride None |
| 464 | # Require all denied |
| 465 | #</Directory> |
| 466 | |
| 467 | # Changing the following options will not really affect the security of the |
| 468 | # server, but might make attacks slightly more difficult in some cases. |
| 469 | |
| 470 | # |
| 471 | # ServerTokens |
| 472 | # This directive configures what you return as the Server HTTP response |
| 473 | # Header. The default is 'Full' which sends information about the OS-Type |
| 474 | # and compiled in modules. |
| 475 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod |
| 476 | # where Full conveys the most information, and Prod the least. |
| 477 | ServerTokens Prod |
| 478 | |
| 479 | # |
| 480 | # Optionally add a line containing the server version and virtual host |
| 481 | # name to server-generated pages (internal error documents, FTP directory |
| 482 | # listings, mod_status and mod_info output etc., but not CGI generated |
| 483 | # documents or custom error documents). |
| 484 | # Set to "EMail" to also include a mailto: link to the ServerAdmin. |
| 485 | # Set to one of: On | Off | EMail |
| 486 | ServerSignature Off |
| 487 | |
| 488 | # |
| 489 | # Allow TRACE method |
| 490 | # |
| 491 | # Set to "extended" to also reflect the request body (only for testing and |
| 492 | # diagnostic purposes). |
| 493 | # |
| 494 | # Set to one of: On | Off | extended |
| 495 | TraceEnable Off |
| 496 | |
| 497 | # |
| 498 | # Forbid access to version control directories |
| 499 | # |
| 500 | # If you use version control systems in your document root, you should |
| 501 | # probably deny access to their directories. For example, for subversion: |
| 502 | # |
| 503 | #<DirectoryMatch "/\.svn"> |
| 504 | # Require all denied |
| 505 | #</DirectoryMatch> |
| 506 | |
| 507 | # |
| 508 | # Setting this header will prevent MSIE from interpreting files as something |
| 509 | # else than declared by the content type in the HTTP headers. |
| 510 | # Requires mod_headers to be enabled. |
| 511 | # |
| 512 | #Header set X-Content-Type-Options: "nosniff" |
| 513 | |
| 514 | # |
| 515 | # Setting this header will prevent other sites from embedding pages from this |
| 516 | # site as frames. This defends against clickjacking attacks. |
| 517 | # Requires mod_headers to be enabled. |
| 518 | # |
| 519 | #Header set X-Frame-Options: "sameorigin" |
| 520 | software: |
| 521 | apache2: |
| 522 | binary: apache2 |
| 523 | start_parameters: -DFOREGROUND |
| 524 | site_dir: /etc/apache2/sites-enable |
| 525 | conf_dir: /etc/apache2/conf-enabled |
| 526 | mods_dir: /etc/apache2/mods-available |
| 527 | a2enmod: null |
| 528 | a2dismod: null |
| 529 | keystone: |
| 530 | DEFAULT: |
| 531 | log_config_append: /etc/keystone/logging.conf |
| 532 | max_token_size: 255 |
| 533 | # NOTE(rk760n): if you need auth notifications to be sent, uncomment it |
| 534 | # notification_opt_out: "" |
| 535 | token: |
| 536 | provider: fernet |
| 537 | # 12 hours |
| 538 | expiration: 43200 |
| 539 | identity: |
| 540 | domain_specific_drivers_enabled: True |
| 541 | domain_config_dir: /etc/keystone/domains |
| 542 | fernet_tokens: |
| 543 | key_repository: /etc/keystone/fernet-keys/ |
Oleksandr K. | 4a0e28f | 2024-11-21 03:23:41 +0100 | [diff] [blame] | 544 | max_active_keys: 7 |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 545 | credential: |
| 546 | key_repository: /etc/keystone/credential-keys/ |
| 547 | database: |
| 548 | max_retries: -1 |
| 549 | cache: |
| 550 | enabled: true |
| 551 | backend: dogpile.cache.memcached |
| 552 | oslo_messaging_notifications: |
| 553 | driver: messagingv2 |
| 554 | oslo_messaging_rabbit: |
| 555 | rabbit_ha_queues: true |
| 556 | oslo_middleware: |
| 557 | enable_proxy_headers_parsing: true |
| 558 | oslo_policy: |
| 559 | policy_file: /etc/keystone/policy.yaml |
| 560 | security_compliance: |
| 561 | # NOTE(vdrok): The following two options have effect only for SQL backend |
| 562 | lockout_failure_attempts: 5 |
| 563 | lockout_duration: 1800 |
| 564 | # NOTE(lamt) We can leverage multiple domains with different |
| 565 | # configurations as outlined in |
| 566 | # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html. |
| 567 | # A sample of the value override can be found in sample file: |
| 568 | # tools/overrides/example/keystone_domain_config.yaml |
| 569 | # ks_domains: |
| 570 | policy: {} |
| 571 | access_rules: {} |
| 572 | rabbitmq: |
| 573 | # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones |
| 574 | policies: |
| 575 | - vhost: "keystone" |
| 576 | name: "ha_ttl_keystone" |
| 577 | definition: |
| 578 | # mirror messges to other nodes in rmq cluster |
| 579 | ha-mode: "all" |
| 580 | ha-sync-mode: "automatic" |
| 581 | # 70s |
| 582 | message-ttl: 70000 |
| 583 | priority: 0 |
| 584 | apply-to: all |
| 585 | pattern: '^(?!(amq\.|reply_)).*' |
| 586 | rally_tests: |
| 587 | run_tempest: false |
| 588 | tests: |
| 589 | KeystoneBasic.add_and_remove_user_role: |
| 590 | - runner: |
| 591 | concurrency: 1 |
| 592 | times: 1 |
| 593 | type: constant |
| 594 | sla: |
| 595 | failure_rate: |
| 596 | max: 0 |
| 597 | KeystoneBasic.authenticate_user_and_validate_token: |
| 598 | - args: {} |
| 599 | runner: |
| 600 | concurrency: 1 |
| 601 | times: 1 |
| 602 | type: constant |
| 603 | sla: |
| 604 | failure_rate: |
| 605 | max: 0 |
| 606 | KeystoneBasic.create_add_and_list_user_roles: |
| 607 | - runner: |
| 608 | concurrency: 1 |
| 609 | times: 1 |
| 610 | type: constant |
| 611 | sla: |
| 612 | failure_rate: |
| 613 | max: 0 |
| 614 | KeystoneBasic.create_and_delete_ec2credential: |
| 615 | - runner: |
| 616 | concurrency: 1 |
| 617 | times: 1 |
| 618 | type: constant |
| 619 | sla: |
| 620 | failure_rate: |
| 621 | max: 0 |
| 622 | KeystoneBasic.create_and_list_ec2credentials: |
| 623 | - runner: |
| 624 | concurrency: 1 |
| 625 | times: 1 |
| 626 | type: constant |
| 627 | sla: |
| 628 | failure_rate: |
| 629 | max: 0 |
| 630 | KeystoneBasic.create_and_delete_role: |
| 631 | - runner: |
| 632 | concurrency: 1 |
| 633 | times: 1 |
| 634 | type: constant |
| 635 | sla: |
| 636 | failure_rate: |
| 637 | max: 0 |
| 638 | KeystoneBasic.create_and_delete_service: |
| 639 | - args: |
| 640 | description: test_description |
| 641 | service_type: Rally_test_type |
| 642 | runner: |
| 643 | concurrency: 1 |
| 644 | times: 1 |
| 645 | type: constant |
| 646 | sla: |
| 647 | failure_rate: |
| 648 | max: 0 |
| 649 | KeystoneBasic.create_and_get_role: |
| 650 | - args: {} |
| 651 | runner: |
| 652 | concurrency: 1 |
| 653 | times: 1 |
| 654 | type: constant |
| 655 | sla: |
| 656 | failure_rate: |
| 657 | max: 0 |
| 658 | KeystoneBasic.create_and_list_services: |
| 659 | - args: |
| 660 | description: test_description |
| 661 | service_type: Rally_test_type |
| 662 | runner: |
| 663 | concurrency: 1 |
| 664 | times: 1 |
| 665 | type: constant |
| 666 | sla: |
| 667 | failure_rate: |
| 668 | max: 0 |
| 669 | KeystoneBasic.create_and_list_tenants: |
| 670 | - args: {} |
| 671 | runner: |
| 672 | concurrency: 1 |
| 673 | times: 1 |
| 674 | type: constant |
| 675 | sla: |
| 676 | failure_rate: |
| 677 | max: 0 |
| 678 | KeystoneBasic.create_and_list_users: |
| 679 | - args: {} |
| 680 | runner: |
| 681 | concurrency: 1 |
| 682 | times: 1 |
| 683 | type: constant |
| 684 | sla: |
| 685 | failure_rate: |
| 686 | max: 0 |
| 687 | KeystoneBasic.create_delete_user: |
| 688 | - args: {} |
| 689 | runner: |
| 690 | concurrency: 1 |
| 691 | times: 1 |
| 692 | type: constant |
| 693 | sla: |
| 694 | failure_rate: |
| 695 | max: 0 |
| 696 | KeystoneBasic.create_tenant: |
| 697 | - args: {} |
| 698 | runner: |
| 699 | concurrency: 1 |
| 700 | times: 1 |
| 701 | type: constant |
| 702 | sla: |
| 703 | failure_rate: |
| 704 | max: 0 |
| 705 | KeystoneBasic.create_tenant_with_users: |
| 706 | - args: |
| 707 | users_per_tenant: 1 |
| 708 | runner: |
| 709 | concurrency: 1 |
| 710 | times: 1 |
| 711 | type: constant |
| 712 | sla: |
| 713 | failure_rate: |
| 714 | max: 0 |
| 715 | KeystoneBasic.create_update_and_delete_tenant: |
| 716 | - args: {} |
| 717 | runner: |
| 718 | concurrency: 1 |
| 719 | times: 1 |
| 720 | type: constant |
| 721 | sla: |
| 722 | failure_rate: |
| 723 | max: 0 |
| 724 | KeystoneBasic.create_user: |
| 725 | - args: {} |
| 726 | runner: |
| 727 | concurrency: 1 |
| 728 | times: 1 |
| 729 | type: constant |
| 730 | sla: |
| 731 | failure_rate: |
| 732 | max: 0 |
| 733 | KeystoneBasic.create_user_set_enabled_and_delete: |
| 734 | - args: |
| 735 | enabled: true |
| 736 | runner: |
| 737 | concurrency: 1 |
| 738 | times: 1 |
| 739 | type: constant |
| 740 | sla: |
| 741 | failure_rate: |
| 742 | max: 0 |
| 743 | - args: |
| 744 | enabled: false |
| 745 | runner: |
| 746 | concurrency: 1 |
| 747 | times: 1 |
| 748 | type: constant |
| 749 | sla: |
| 750 | failure_rate: |
| 751 | max: 0 |
| 752 | KeystoneBasic.create_user_update_password: |
| 753 | - args: {} |
| 754 | runner: |
| 755 | concurrency: 1 |
| 756 | times: 1 |
| 757 | type: constant |
| 758 | sla: |
| 759 | failure_rate: |
| 760 | max: 0 |
| 761 | KeystoneBasic.get_entities: |
| 762 | - runner: |
| 763 | concurrency: 1 |
| 764 | times: 1 |
| 765 | type: constant |
| 766 | sla: |
| 767 | failure_rate: |
| 768 | max: 0 |
| 769 | mpm_event: | |
| 770 | <IfModule mpm_event_module> |
| 771 | ServerLimit 1024 |
| 772 | StartServers 32 |
| 773 | MinSpareThreads 32 |
| 774 | MaxSpareThreads 256 |
| 775 | ThreadsPerChild 25 |
| 776 | MaxRequestsPerChild 128 |
| 777 | ThreadLimit 720 |
| 778 | </IfModule> |
| 779 | wsgi_keystone: | |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 780 | {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 781 | |
| 782 | Listen 0.0.0.0:{{ $portInt }} |
| 783 | |
| 784 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined |
| 785 | LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy |
| 786 | |
| 787 | SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded |
| 788 | CustomLog /dev/stdout combined env=!forwarded |
| 789 | CustomLog /dev/stdout proxy env=forwarded |
| 790 | |
| 791 | <VirtualHost *:{{ $portInt }}> |
| 792 | WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} |
| 793 | WSGIProcessGroup keystone-public |
| 794 | WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public |
| 795 | WSGIApplicationGroup %{GLOBAL} |
| 796 | WSGIPassAuthorization On |
| 797 | <IfVersion >= 2.4> |
| 798 | ErrorLogFormat "%{cu}t %M" |
| 799 | </IfVersion> |
| 800 | ErrorLog /dev/stdout |
| 801 | |
| 802 | SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded |
| 803 | CustomLog /dev/stdout combined env=!forwarded |
| 804 | CustomLog /dev/stdout proxy env=forwarded |
| 805 | </VirtualHost> |
| 806 | sso_callback_template: | |
| 807 | <!DOCTYPE html> |
| 808 | <html xmlns="http://www.w3.org/1999/xhtml"> |
| 809 | <head> |
| 810 | <title>Keystone WebSSO redirect</title> |
| 811 | </head> |
| 812 | <body> |
| 813 | <form id="sso" name="sso" action="$host" method="post"> |
| 814 | Please wait... |
| 815 | <br/> |
| 816 | <input type="hidden" name="token" id="token" value="$token"/> |
| 817 | <noscript> |
| 818 | <input type="submit" name="submit_no_javascript" id="submit_no_javascript" |
| 819 | value="If your JavaScript is disabled, please click to continue"/> |
| 820 | </noscript> |
| 821 | </form> |
| 822 | <script type="text/javascript"> |
| 823 | window.onload = function() { |
| 824 | document.forms['sso'].submit(); |
| 825 | } |
| 826 | </script> |
| 827 | </body> |
| 828 | </html> |
| 829 | logging: |
| 830 | loggers: |
| 831 | keys: |
| 832 | - root |
| 833 | - keystone |
| 834 | handlers: |
| 835 | keys: |
| 836 | - stdout |
| 837 | - stderr |
| 838 | - "null" |
| 839 | formatters: |
| 840 | keys: |
| 841 | - context |
| 842 | - default |
| 843 | logger_root: |
| 844 | level: WARNING |
| 845 | handlers: 'null' |
| 846 | logger_keystone: |
| 847 | level: INFO |
| 848 | handlers: |
| 849 | - stdout |
| 850 | qualname: keystone |
| 851 | logger_amqp: |
| 852 | level: WARNING |
| 853 | handlers: stderr |
| 854 | qualname: amqp |
| 855 | logger_amqplib: |
| 856 | level: WARNING |
| 857 | handlers: stderr |
| 858 | qualname: amqplib |
| 859 | logger_eventletwsgi: |
| 860 | level: WARNING |
| 861 | handlers: stderr |
| 862 | qualname: eventlet.wsgi.server |
| 863 | logger_sqlalchemy: |
| 864 | level: WARNING |
| 865 | handlers: stderr |
| 866 | qualname: sqlalchemy |
| 867 | logger_boto: |
| 868 | level: WARNING |
| 869 | handlers: stderr |
| 870 | qualname: boto |
| 871 | handler_null: |
| 872 | class: logging.NullHandler |
| 873 | formatter: default |
| 874 | args: () |
| 875 | handler_stdout: |
| 876 | class: StreamHandler |
| 877 | args: (sys.stdout,) |
| 878 | formatter: context |
| 879 | handler_stderr: |
| 880 | class: StreamHandler |
| 881 | args: (sys.stderr,) |
| 882 | formatter: context |
| 883 | formatter_context: |
| 884 | class: oslo_log.formatters.ContextFormatter |
| 885 | datefmt: "%Y-%m-%d %H:%M:%S" |
| 886 | formatter_default: |
| 887 | format: "%(message)s" |
| 888 | datefmt: "%Y-%m-%d %H:%M:%S" |
| 889 | |
| 890 | # Names of secrets used by bootstrap and environmental checks |
| 891 | secrets: |
| 892 | identity: |
| 893 | admin: keystone-keystone-admin |
| 894 | test: keystone-keystone-test |
| 895 | oslo_db: |
| 896 | admin: keystone-db-admin |
| 897 | keystone: keystone-db-user |
| 898 | oslo_messaging: |
| 899 | admin: keystone-rabbitmq-admin |
| 900 | keystone: keystone-rabbitmq-user |
| 901 | ldap: |
| 902 | tls: keystone-ldap-tls |
| 903 | tls: |
| 904 | identity: |
| 905 | api: |
| 906 | public: keystone-tls-public |
| 907 | internal: keystone-tls-api |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 908 | oci_image_registry: |
| 909 | keystone: keystone-oci-image-registry |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 910 | |
| 911 | # typically overridden by environmental |
| 912 | # values, but should include all endpoints |
| 913 | # required by this chart |
| 914 | endpoints: |
| 915 | cluster_domain_suffix: cluster.local |
| 916 | local_image_registry: |
| 917 | name: docker-registry |
| 918 | namespace: docker-registry |
| 919 | hosts: |
| 920 | default: localhost |
| 921 | internal: docker-registry |
| 922 | node: localhost |
| 923 | host_fqdn_override: |
| 924 | default: null |
| 925 | port: |
| 926 | registry: |
| 927 | node: 5000 |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 928 | oci_image_registry: |
| 929 | name: oci-image-registry |
| 930 | namespace: oci-image-registry |
| 931 | auth: |
| 932 | enabled: false |
| 933 | keystone: |
| 934 | username: keystone |
| 935 | password: password |
| 936 | hosts: |
| 937 | default: localhost |
| 938 | host_fqdn_override: |
| 939 | default: null |
| 940 | port: |
| 941 | registry: |
| 942 | default: null |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 943 | identity: |
| 944 | namespace: null |
| 945 | name: keystone |
| 946 | auth: |
| 947 | admin: |
| 948 | region_name: RegionOne |
| 949 | username: admin |
| 950 | password: password |
| 951 | project_name: admin |
| 952 | user_domain_name: default |
| 953 | project_domain_name: default |
| 954 | default_domain_id: default |
| 955 | test: |
| 956 | role: admin |
| 957 | region_name: RegionOne |
| 958 | username: keystone-test |
| 959 | password: password |
| 960 | project_name: test |
| 961 | user_domain_name: default |
| 962 | project_domain_name: default |
| 963 | default_domain_id: default |
| 964 | hosts: |
| 965 | default: keystone |
| 966 | internal: keystone-api |
| 967 | host_fqdn_override: |
| 968 | default: null |
| 969 | # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public |
| 970 | # endpoints using the following format: |
| 971 | # public: |
| 972 | # host: null |
| 973 | # tls: |
| 974 | # crt: null |
| 975 | # key: null |
| 976 | path: |
| 977 | default: /v3 |
| 978 | scheme: |
| 979 | default: http |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 980 | service: http |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 981 | port: |
| 982 | api: |
| 983 | default: 80 |
| 984 | # NOTE(portdirect): to retain portability across images, and allow |
| 985 | # running under a unprivileged user simply, we default to a port > 1000. |
| 986 | internal: 5000 |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 987 | service: 5000 |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 988 | oslo_db: |
| 989 | namespace: null |
| 990 | auth: |
| 991 | admin: |
| 992 | username: root |
| 993 | password: password |
| 994 | secret: |
| 995 | tls: |
| 996 | internal: mariadb-tls-direct |
| 997 | keystone: |
| 998 | username: keystone |
| 999 | password: password |
| 1000 | hosts: |
| 1001 | default: mariadb |
| 1002 | host_fqdn_override: |
| 1003 | default: null |
| 1004 | path: /keystone |
| 1005 | scheme: mysql+pymysql |
| 1006 | port: |
| 1007 | mysql: |
| 1008 | default: 3306 |
| 1009 | oslo_messaging: |
| 1010 | namespace: null |
| 1011 | auth: |
| 1012 | admin: |
| 1013 | username: rabbitmq |
| 1014 | password: password |
| 1015 | secret: |
| 1016 | tls: |
| 1017 | internal: rabbitmq-tls-direct |
| 1018 | keystone: |
| 1019 | username: keystone |
| 1020 | password: password |
| 1021 | statefulset: |
| 1022 | replicas: 2 |
| 1023 | name: rabbitmq-rabbitmq |
| 1024 | hosts: |
| 1025 | default: rabbitmq |
| 1026 | host_fqdn_override: |
| 1027 | default: null |
| 1028 | path: /keystone |
| 1029 | scheme: rabbit |
| 1030 | port: |
| 1031 | amqp: |
| 1032 | default: 5672 |
| 1033 | http: |
| 1034 | default: 15672 |
| 1035 | oslo_cache: |
| 1036 | namespace: null |
| 1037 | hosts: |
| 1038 | default: memcached |
| 1039 | host_fqdn_override: |
| 1040 | default: null |
| 1041 | port: |
| 1042 | memcache: |
| 1043 | default: 11211 |
| 1044 | ldap: |
| 1045 | auth: |
| 1046 | client: |
| 1047 | tls: |
| 1048 | # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at |
| 1049 | # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the |
| 1050 | # following key will need to be overrided under section [ldap] or the |
| 1051 | # correct domain-specific setting, else it will not be enabled: |
| 1052 | # |
| 1053 | # use_tls: true |
| 1054 | # tls_req_cert: allow # Valid values: demand, never, allow |
| 1055 | # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert |
| 1056 | ca: null |
| 1057 | fluentd: |
| 1058 | namespace: null |
| 1059 | name: fluentd |
| 1060 | hosts: |
| 1061 | default: fluentd-logging |
| 1062 | host_fqdn_override: |
| 1063 | default: null |
| 1064 | path: |
| 1065 | default: null |
| 1066 | scheme: 'http' |
| 1067 | port: |
| 1068 | service: |
| 1069 | default: 24224 |
| 1070 | metrics: |
| 1071 | default: 24220 |
| 1072 | # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress |
| 1073 | # They are using to enable the Egress K8s network policy. |
| 1074 | kube_dns: |
| 1075 | namespace: kube-system |
| 1076 | name: kubernetes-dns |
| 1077 | hosts: |
| 1078 | default: kube-dns |
| 1079 | host_fqdn_override: |
| 1080 | default: null |
| 1081 | path: |
| 1082 | default: null |
| 1083 | scheme: http |
| 1084 | port: |
| 1085 | dns: |
| 1086 | default: 53 |
| 1087 | protocol: UDP |
| 1088 | ingress: |
| 1089 | namespace: null |
| 1090 | name: ingress |
| 1091 | hosts: |
| 1092 | default: ingress |
| 1093 | port: |
| 1094 | ingress: |
| 1095 | default: 80 |
| 1096 | |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 1097 | tls: |
| 1098 | identity: false |
| 1099 | oslo_messaging: false |
| 1100 | oslo_db: false |
| 1101 | |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1102 | manifests: |
| 1103 | certificates: false |
| 1104 | configmap_bin: true |
| 1105 | configmap_etc: true |
| 1106 | cron_credential_rotate: true |
| 1107 | cron_fernet_rotate: true |
| 1108 | deployment_api: true |
| 1109 | ingress_api: true |
| 1110 | job_bootstrap: true |
| 1111 | job_credential_cleanup: true |
| 1112 | job_credential_setup: true |
| 1113 | job_db_init: true |
| 1114 | job_db_sync: true |
| 1115 | job_db_drop: false |
| 1116 | job_domain_manage: true |
| 1117 | job_fernet_setup: true |
| 1118 | job_image_repo_sync: true |
| 1119 | job_rabbit_init: true |
| 1120 | pdb_api: true |
| 1121 | pod_rally_test: true |
| 1122 | network_policy: false |
| 1123 | secret_credential_keys: true |
| 1124 | secret_db: true |
| 1125 | secret_fernet_keys: true |
| 1126 | secret_ingress_tls: true |
| 1127 | secret_keystone: true |
| 1128 | secret_rabbitmq: true |
Oleksandr Kozachenko | a10d785 | 2023-02-02 22:01:16 +0100 | [diff] [blame] | 1129 | secret_registry: true |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1130 | service_ingress_api: true |
| 1131 | service_api: true |
| 1132 | ... |