openstack/charm-keystone
Code Issues Proposed changes

Merge "Cleanup config.yaml"

Browse Source
This commit is contained in:
Jenkins 2017-06-29 22:33:16 +00:00 committed by Gerrit Code Review
commit 5ff0e3b098
1 changed files with 188 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

346
config.yaml
View File

@ -2,55 +2,53 @@ options:
debug:
type: boolean
default: False
description: Enable verbose logging.
description: Enable debug logging.
verbose:
type: boolean
default: False
description: Enable debug logging.
description: Enable verbose logging.
log-level:
type: string
default: WARNING
description: Log level (WARNING, INFO, DEBUG, ERROR)
use-syslog:
type: boolean
default: False
description: |
Setting this to True will allow supporting services to log to syslog.
openstack-origin:
default: distro
type: string
default: distro
description: |
Repository from which to install. May be one of the following:
Repository from which to install. May be one of the following:
distro (default), ppa:somecustom/ppa, a deb url sources entry,
or a supported Cloud Archive release pocket.
Supported Cloud Archive sources include:
or a supported Ubuntu Cloud Archive e.g.
.
cloud:<series>-<openstack-release>
cloud:<series>-<openstack-release>/updates
cloud:<series>-<openstack-release>/staging
cloud:<series>-<openstack-release>/proposed
For series=Precise we support cloud archives for openstack-release:
* icehouse
For series=Trusty we support cloud archives for openstack-release:
* juno
* kilo
* ...
.
See https://wiki.ubuntu.com/OpenStack/CloudArchive for info on which
cloud archives are available and supported.
.
NOTE: updating this setting to a source that is known to provide
a later version of OpenStack will trigger a software upgrade.
a later version of OpenStack will trigger a software upgrade unless
action-managed-upgrade is set to True.
openstack-origin-git:
default:
type: string
default:
description: |
Specifies a default OpenStack release name, or a YAML dictionary
listing the git repositories to install from.
.
The default Openstack release name may be one of the following, where
the corresponding OpenStack github branch will be used:
* liberty
* mitaka
* newton
* master
.
The YAML must minimally include requirements and keystone repositories,
and may also include repositories for other dependencies:
repositories:
@ -61,127 +59,219 @@ options:
repository: 'git://github.com/openstack/keystone',
branch: master}
release: master
action-managed-upgrade:
type: boolean
default: False
description: |
If True enables openstack upgrades for this charm via juju actions.
You will still need to set openstack-origin to the new repository but
instead of an upgrade running automatically across all units, it will
wait for you to execute the openstack-upgrade action for this charm on
each unit. If False it will revert to existing behavior of upgrading
all units on config change.
harden:
type: string
default:
description: |
Apply system hardening. Supports a space-delimited list of modules
to run. Supported modules currently include os, ssh, apache and mysql.
config-file:
type: string
default: "/etc/keystone/keystone.conf"
type: string
description: "Location of keystone configuration file"
log-level:
default: WARNING
type: string
description: Log level (WARNING, INFO, DEBUG, ERROR)
service-port:
default: 5000
type: int
default: 5000
description: Port the bind the API server to.
admin-port:
default: 35357
type: int
default: 35357
description: Port the bind the Admin API server to.
keystone-admin-role:
default: "Admin"
type: string
default: "Admin"
description: Role that allows admin operations (access to all operations).
keystone-service-admin-role:
default: "KeystoneServiceAdmin"
type: string
default: "KeystoneServiceAdmin"
description: Role that allows acting as service admin.
admin-user:
default: admin
type: string
default: admin
description: Default admin user to create and manage.
admin-password:
default: None
type: string
default: None
description: |
Admin password. To be used *for testing only*. Randomly generated by
default.
admin-token:
default: None
type: string
default: None
description: |
Admin token. If set, this token will be used for all services instead of
being generated per service.
admin-role:
type: string
default: 'Admin'
type: string
description: Admin role to be associated with admin and service users
description: Admin role to be associated with admin and service users.
token-expiration:
default: 3600
type: int
description: Amount of time a token should remain valid (in seconds).
default: 3600
description: Amount of time (in seconds) a token should remain valid.
service-tenant:
default: "services"
type: string
default: "services"
description: Name of tenant to associate service credentials.
service-admin-prefix:
type: string
default:
default:
description: |
When service relations are joined they provide a name used to create a
service admin_username in keystone. The name used may be too crude for
some situations e.g. pre-populated LDAP identity backend. If set, this
option will be prepended to each service admin_username.
# Database settings used to request access via shared-db-relation-* relations
database:
default: "keystone"
worker-multiplier:
type: float
default:
description: |
The CPU core multiplier to use when configuring worker processes for
Keystone. By default, the number of workers for each daemon is set to
twice the number of CPU cores a service unit has. When deployed in
a LXD container, this default value will be capped to 4 workers
unless this configuration option is set.
enable-pki:
type: string
default: "false"
description: Enable PKI token signing.
preferred-api-version:
type: int
default: 2
description: |
Use this keystone api version for keystone endpoints and advertise this
version to identity client charms.
haproxy-server-timeout:
type: int
default:
description: |
Server timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 30000ms is used.
haproxy-client-timeout:
type: int
default:
description: |
Client timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 30000ms is used.
haproxy-queue-timeout:
type: int
default:
description: |
Queue timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 5000ms is used.
haproxy-connect-timeout:
type: int
default:
description: |
Connect timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 5000ms is used.
database:
type: string
default: "keystone"
description: Keystone database name.
database-user:
default: "keystone"
type: string
default: "keystone"
description: Username used for connecting to the Keystone database.
region:
default: RegionOne
type: string
default: RegionOne
description: |
Space-separated list of Openstack regions.
identity-backend:
type: string
default: "sql"
description: |
Keystone identity backend, valid options are: sql, ldap, kvs, pam.
Keystone identity backend, valid options are: sql, ldap, pam.
.
NOTE: this option should no longer be used to configure ldap. Instead
the cs:keystone-ldap subordinate charm should be used to configure ldap
backends.
assignment-backend:
type: string
default: "sql"
description: |
Keystone assignment backend, valid options are sql, ldap, kvs.
Keystone assignment backend, valid options are sql, ldap.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
ldap-server:
type: string
default: None
description: Ldap server address for keystone identity backend.
description: |
Ldap server address for keystone identity backend.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
ldap-user:
type: string
default: None
description: Username of the ldap identity server.
description: |
Username of the ldap identity server.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
ldap-password:
type: string
default: None
description: Password of the ldap identity server.
description: |
Password of the ldap identity server.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
ldap-suffix:
type: string
default: None
description: Ldap server suffix to be used by keystone.
description: |
Ldap server suffix to be used by keystone.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
ldap-config-flags:
type: string
default: None
description: comma sperated options for ldap configuration.
description: |
Comma-separated options for ldap configuration.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
ldap-readonly:
type: boolean
default: True
description: Ldap identity server backend readonly to keystone.
description: |
Ldap identity server backend readonly to keystone.
.
[DEPRECATED] this option should no longer be used to configure ldap.
Instead the cs:keystone-ldap subordinate charm should be used to
configure ldap backends. This option will be removed in the next release.
# HA configuration settings
dns-ha:
type: boolean
default: False
description: |
Use DNS HA with MAAS 2.0. Note if this is set do not set vip
settings below.
Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings
below.
vip:
type: string
default:
description: |
Virtual IP(s) to use to front API services in HA configuration.
.
If multiple networks are being used, a VIP should be provided for each
network, separated by spaces.
vip_iface:
@ -208,46 +298,12 @@ options:
description: |
Default multicast port number that will be used to communicate between
HA Cluster nodes.
# PKI enablement and configuration (Grizzly and beyond)
enable-pki:
default: "false"
type: string
description: Enable PKI token signing (>= Grizzly).
https-service-endpoints:
default: "False"
type: string
description: Manage SSL certificates for all service endpoints.
use-https:
default: "no"
type: string
description: Use SSL for Keystone itself. Set to 'yes' to enable it.
ssl_cert:
type: string
default:
description: |
base64-encoded SSL certificate to install and use for API ports. Setting
this value and ssl_key will enable reverse proxying, point Keystone's
entry in the Keystone catalog to use https, and override any certficiate
and key issued by Keystone (if it is configured to do so).
ssl_key:
type: string
default:
description: base64-encoded SSL key to use with certificate specified as
ssl_cert.
ssl_ca:
type: string
default:
description: |
base64-encoded SSL CA to use with the certificate and key provided -
this is only required if you are providing a privately signed ssl_cert
and ssl_key.
# Network configuration options
# by default all access is over 'private-address'
# Network config (by default all access is over 'private-address')
os-admin-network:
type: string
default:
description: |
The IP address and netmask of the OpenStack Admin network (e.g.,
The IP address and netmask of the OpenStack Admin network (e.g.
192.168.0.0/24)
.
This network will be used for admin endpoints.
@ -255,7 +311,7 @@ options:
type: string
default:
description: |
The IP address and netmask of the OpenStack Internal network (e.g.,
The IP address and netmask of the OpenStack Internal network (e.g.
192.168.0.0/24)
.
This network will be used for internal endpoints.
@ -263,7 +319,7 @@ options:
type: string
default:
description: |
The IP address and netmask of the OpenStack Public network (e.g.,
The IP address and netmask of the OpenStack Public network (e.g.
192.168.0.0/24)
.
This network will be used for public endpoints.
@ -287,8 +343,8 @@ options:
in the keystone identity provider (itself).
.
This value will be used for internal endpoints. For example, an
os-internal-hostname set to 'keystone.internal.example.com' with ssl enabled will
create a internal endpoint for keystone as:
os-internal-hostname set to 'keystone.internal.example.com' with ssl
enabled will create a internal endpoint for keystone as:
.
https://keystone.internal.example.com:5000/v2.0
os-admin-hostname:
@ -299,8 +355,8 @@ options:
in the keystone identity provider (itself).
.
This value will be used for admin endpoints. For example, an
os-admin-hostname set to 'keystone.admin.example.com' with ssl enabled will
create a admin endpoint for keystone as:
os-admin-hostname set to 'keystone.admin.example.com' with ssl enabled
will create a admin endpoint for keystone as:
.
https://keystone.admin.example.com:5000/v2.0
prefer-ipv6:
@ -315,74 +371,48 @@ options:
order for this charm to function correctly, the privacy extension must be
disabled and a non-temporary address must be configured/available on
your network interface.
worker-multiplier:
type: float
https-service-endpoints:
type: string
default: "False"
description: Manage SSL certificates for all service endpoints.
use-https:
type: string
default: "no"
description: Use SSL for Keystone itself. Set to 'yes' to enable it.
ssl_cert:
type: string
default:
description: |
The CPU core multiplier to use when configuring worker processes for
Keystone. By default, the number of workers for each daemon is set to
twice the number of CPU cores a service unit has. When deployed in
a LXD container, this default value will be capped to 4 workers
unless this configuration option is set.
nagios_context:
default: "juju"
base64-encoded SSL certificate to install and use for API ports. Setting
this value and ssl_key will enable reverse proxying, point Keystone's
entry in the Keystone catalog to use https, and override any certificate
and key issued by Keystone (if it is configured to do so).
ssl_key:
type: string
default:
description: |
Used by the nrpe-external-master subordinate charm.
A string that will be prepended to instance name to set the host name
in nagios. So for instance the hostname would be something like:
juju-myservice-0
If you're running multiple environments with the same services in them
base64-encoded SSL key to use with certificate specified as ssl_cert.
ssl_ca:
type: string
default:
description: |
base64-encoded SSL CA to use with the certificate and key provided -
this is only required if you are providing a privately signed ssl_cert
and ssl_key.
# Monitoring config
nagios_context:
type: string
default: "juju"
description: |
Used by the nrpe-external-master subordinate charm. A string that will
be prepended to instance name to set the host name in nagios. So for
instance the hostname would be something like 'juju-myservice-0'. If
you are running multiple environments with the same services in them
this allows you to differentiate between them.
nagios_servicegroups:
default: ""
type: string
default: ""
description: |
A comma-separated list of nagios servicegroups.
If left empty, the nagios_context will be used as the servicegroup
preferred-api-version:
default: 2
type: int
description: |
Use this keystone api version for keystone endpoints and advertise this
version to identity client charms
action-managed-upgrade:
type: boolean
default: False
description: |
If True enables openstack upgrades for this charm via juju actions.
You will still need to set openstack-origin to the new repository but
instead of an upgrade running automatically across all units, it will
wait for you to execute the openstack-upgrade action for this charm on
each unit. If False it will revert to existing behavior of upgrading
all units on config change.
haproxy-server-timeout:
type: int
default:
description: |
Server timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 30000ms is used.
haproxy-client-timeout:
type: int
default:
description: |
Client timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 30000ms is used.
haproxy-queue-timeout:
type: int
default:
description: |
Queue timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 5000ms is used.
haproxy-connect-timeout:
type: int
default:
description: |
Connect timeout configuration in ms for haproxy, used in HA
configurations. If not provided, default value of 5000ms is used.
harden:
default:
type: string
description: |
Apply system hardening. Supports a space-delimited list of modules
to run. Supported modules currently include os, ssh, apache and mysql.