186769cc05
This patchset implements policy overrides for keystone. It uses the code in charmhelpers. Closed-Bug: #1741723 Change-Id: I187f4493392178d87ef7dbd67de841bbeae0c65d
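# Juju charm configuration options for keystone. Indentation restored
# (the rendered view had flattened it) and description typos corrected.
options:
  debug:
    type: boolean
    default: False
    description: Enable debug logging.
  verbose:
    type: boolean
    default: False
    description: Enable verbose logging.
  log-level:
    type: string
    default: WARNING
    description: Log level (WARNING, INFO, DEBUG, ERROR)
  use-syslog:
    type: boolean
    default: False
    description: |
      Setting this to True will allow supporting services to log to syslog.
  openstack-origin:
    type: string
    default: distro
    description: |
      Repository from which to install. May be one of the following:
      distro (default), ppa:somecustom/ppa, a deb url sources entry,
      or a supported Ubuntu Cloud Archive e.g.
      .
      cloud:<series>-<openstack-release>
      cloud:<series>-<openstack-release>/updates
      cloud:<series>-<openstack-release>/staging
      cloud:<series>-<openstack-release>/proposed
      .
      See https://wiki.ubuntu.com/OpenStack/CloudArchive for info on which
      cloud archives are available and supported.
      .
      NOTE: updating this setting to a source that is known to provide
      a later version of OpenStack will trigger a software upgrade unless
      action-managed-upgrade is set to True.
      NOTE: a corresponding public key from keyserver.ubuntu.com can be used
      when specifying a repository by appending the key separated by a | when
      entering the deb url sources entry, i.e.
      openstack-origin="deb <DEB URL>|<PUB KEY>"
  action-managed-upgrade:
    type: boolean
    default: False
    description: |
      If True enables openstack upgrades for this charm via juju actions.
      You will still need to set openstack-origin to the new repository but
      instead of an upgrade running automatically across all units, it will
      wait for you to execute the openstack-upgrade action for this charm on
      each unit. If False it will revert to existing behavior of upgrading
      all units on config change.
  harden:
    type: string
    default:
    description: |
      Apply system hardening. Supports a space-delimited list of modules
      to run. Supported modules currently include os, ssh, apache and mysql.
  service-port:
    type: int
    default: 5000
    description: Port to bind the API server to.
  admin-port:
    type: int
    default: 35357
    description: Port to bind the Admin API server to.
  keystone-admin-role:
    type: string
    default: "Admin"
    description: Role that allows admin operations (access to all operations).
  keystone-service-admin-role:
    type: string
    default: "KeystoneServiceAdmin"
    description: Role that allows acting as service admin.
  admin-user:
    type: string
    default: admin
    description: Default admin user to create and manage.
  # Credential options. The literal default "None" is a string, not YAML
  # null; the charm treats it as "unset" (per the description below).
  admin-password:
    type: string
    default: None
    description: |
      Admin password. To be used *for testing only*. Randomly generated by
      default. To retrieve generated password,
      juju run --unit keystone/0 leader-get admin_passwd
  admin-token:
    type: string
    default: None
    description: |
      Admin token. If set, this token will be used for all services instead of
      being generated per service.
  admin-role:
    type: string
    default: "Admin"
    description: Admin role to be associated with admin and service users.
  token-provider:
    type: string
    default:
    description: |
      Transitional configuration option to enable migration to Fernet tokens
      prior to upgrade to OpenStack Rocky.
      .
      Supported values are 'uuid' and 'fernet'.
      .
      NOTE: This configuration option is honoured on OpenStack versions Ocata
      through Queens. For OpenStack Rocky it is an unconfigurable default.
      Silently ignored for all other versions.
  token-expiration:
    type: int
    default: 3600
    description: Amount of time (in seconds) a token should remain valid.
  fernet-max-active-keys:
    type: int
    default: 3
    description: |
      This is the maximum number of active keys when `token-provider` is set to
      "fernet". It has a minimum of 3, which includes the spare and staging
      keys. When set to 3, the rotation time for the keys is the same as the
      token expiration time. When set to a higher value, the rotation time is
      less than the `token-expiration` time as calculated by:
      .
      rotation-time = token-expiration / (fernet-max-active-keys - 2)
      .
      Please see the charm documentation for further details about how to use
      the Fernet token parameters to achieve a key strategy appropriate for the
      system in question.
  service-tenant:
    type: string
    default: "services"
    description: Name of tenant to associate service credentials.
  service-admin-prefix:
    type: string
    default:
    description: |
      When service relations are joined they provide a name used to create a
      service admin_username in keystone. The name used may be too crude for
      some situations e.g. pre-populated LDAP identity backend. If set, this
      option will be prepended to each service admin_username.
  worker-multiplier:
    type: float
    default:
    description: |
      The CPU core multiplier to use when configuring worker processes for
      Keystone. By default, the number of workers for each daemon is set to
      twice the number of CPU cores a service unit has. When deployed in
      a LXD container, this default value will be capped to 4 workers
      unless this configuration option is set.
  preferred-api-version:
    type: int
    default:
    description: |
      Use this keystone api version for keystone endpoints and advertise this
      version to identity client charms. For OpenStack releases < Queens this
      option defaults to 2; for Queens or later it defaults to 3.
  haproxy-server-timeout:
    type: int
    default:
    description: |
      Server timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 90000ms is used.
  haproxy-client-timeout:
    type: int
    default:
    description: |
      Client timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 90000ms is used.
  haproxy-queue-timeout:
    type: int
    default:
    description: |
      Queue timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 9000ms is used.
  haproxy-connect-timeout:
    type: int
    default:
    description: |
      Connect timeout configuration in ms for haproxy, used in HA
      configurations. If not provided, default value of 9000ms is used.
  database:
    type: string
    default: "keystone"
    description: Keystone database name.
  database-user:
    type: string
    default: "keystone"
    description: Username used for connecting to the Keystone database.
  region:
    type: string
    default: RegionOne
    description: |
      Space-separated list of OpenStack regions.
  identity-backend:
    type: string
    default: "sql"
    description: |
      Keystone identity backend, valid options are: sql, ldap, pam.
      .
      NOTE: this option should no longer be used to configure ldap. Instead
      the cs:keystone-ldap subordinate charm should be used to configure ldap
      backends.
  assignment-backend:
    type: string
    default: "sql"
    description: |
      Keystone assignment backend, valid options are sql, ldap.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  # Deprecated LDAP settings, retained for compatibility until removal.
  ldap-server:
    type: string
    default: None
    description: |
      Ldap server address for keystone identity backend.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  ldap-user:
    type: string
    default: None
    description: |
      Username of the ldap identity server.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  ldap-password:
    type: string
    default: None
    description: |
      Password of the ldap identity server.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  ldap-suffix:
    type: string
    default: None
    description: |
      Ldap server suffix to be used by keystone.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  ldap-config-flags:
    type: string
    default: None
    description: |
      Comma-separated options for ldap configuration.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  ldap-readonly:
    type: boolean
    default: True
    description: |
      Ldap identity server backend readonly to keystone.
      .
      [DEPRECATED] this option should no longer be used to configure ldap.
      Instead the cs:keystone-ldap subordinate charm should be used to
      configure ldap backends. This option will be removed in the next release.
  # HA configuration settings
  dns-ha:
    type: boolean
    default: False
    description: |
      Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings
      below.
  vip:
    type: string
    default:
    description: |
      Virtual IP(s) to use to front API services in HA configuration.
      .
      If multiple networks are being used, a VIP should be provided for each
      network, separated by spaces.
  vip_iface:
    type: string
    default: eth0
    description: |
      Default network interface to use for HA vip when it cannot be
      automatically determined.
  vip_cidr:
    type: int
    default: 24
    description: |
      Default CIDR netmask to use for HA vip when it cannot be automatically
      determined.
  ha-bindiface:
    type: string
    default: eth0
    description: |
      Default network interface on which HA cluster will bind to communicate
      with the other members of the HA Cluster.
  ha-mcastport:
    type: int
    default: 5434
    description: |
      Default multicast port number that will be used to communicate between
      HA Cluster nodes.
  # Network config (by default all access is over 'private-address')
  os-admin-network:
    type: string
    default:
    description: |
      The IP address and netmask of the OpenStack Admin network (e.g.
      192.168.0.0/24)
      .
      This network will be used for admin endpoints.
  os-internal-network:
    type: string
    default:
    description: |
      The IP address and netmask of the OpenStack Internal network (e.g.
      192.168.0.0/24)
      .
      This network will be used for internal endpoints.
  os-public-network:
    type: string
    default:
    description: |
      The IP address and netmask of the OpenStack Public network (e.g.
      192.168.0.0/24)
      .
      This network will be used for public endpoints.
  os-public-hostname:
    type: string
    default:
    description: |
      The hostname or address of the public endpoints created for keystone
      in the keystone identity provider (itself).
      .
      This value will be used for public endpoints. For example, an
      os-public-hostname set to 'keystone.example.com' with ssl enabled will
      create a public endpoint for keystone as:
      .
      https://keystone.example.com:5000/v2.0
  os-internal-hostname:
    type: string
    default:
    description: |
      The hostname or address of the internal endpoints created for keystone
      in the keystone identity provider (itself).
      .
      This value will be used for internal endpoints. For example, an
      os-internal-hostname set to 'keystone.internal.example.com' with ssl
      enabled will create an internal endpoint for keystone as:
      .
      https://keystone.internal.example.com:5000/v2.0
  os-admin-hostname:
    type: string
    default:
    description: |
      The hostname or address of the admin endpoints created for keystone
      in the keystone identity provider (itself).
      .
      This value will be used for admin endpoints. For example, an
      os-admin-hostname set to 'keystone.admin.example.com' with ssl enabled
      will create an admin endpoint for keystone as:
      .
      https://keystone.admin.example.com:5000/v2.0
  prefer-ipv6:
    type: boolean
    default: False
    description: |
      If True enables IPv6 support. The charm will expect network interfaces
      to be configured with an IPv6 address. If set to False (default) IPv4
      is expected.
      .
      NOTE: these charms do not currently support IPv6 privacy extension. In
      order for this charm to function correctly, the privacy extension must be
      disabled and a non-temporary address must be configured/available on
      your network interface.
  # TLS material for the API endpoints; all three values are base64-encoded.
  ssl_cert:
    type: string
    default:
    description: |
      base64-encoded SSL certificate to install and use for API ports. Setting
      this value and ssl_key will enable reverse proxying, point Keystone's
      entry in the Keystone catalog to use https, and override any certificate
      and key issued by Keystone (if it is configured to do so).
  ssl_key:
    type: string
    default:
    description: |
      base64-encoded SSL key to use with certificate specified as ssl_cert.
  ssl_ca:
    type: string
    default:
    description: |
      base64-encoded SSL CA to use with the certificate and key provided -
      this is only required if you are providing a privately signed ssl_cert
      and ssl_key.
  # Monitoring config
  nagios_context:
    type: string
    default: "juju"
    description: |
      Used by the nrpe-external-master subordinate charm. A string that will
      be prepended to instance name to set the host name in nagios. So for
      instance the hostname would be something like 'juju-myservice-0'. If
      you are running multiple environments with the same services in them
      this allows you to differentiate between them.
  nagios_servicegroups:
    type: string
    default: ""
    description: |
      A comma-separated list of nagios servicegroups.
      If left empty, the nagios_context will be used as the servicegroup.
  # Policy override config. The override files change the service's
  # authorization rules, so the attached resource should be reviewed before
  # this is enabled.
  use-policyd-override:
    type: boolean
    default: False
    description: |
      If True then use the resource file named 'policyd-override' to install
      override YAML files in the service's policy.d directory. The resource
      file should be a ZIP file containing at least one yaml file with a .yaml
      or .yml extension. If False then remove the overrides.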