# Copyright 2017 The Openstack-Helm Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for keystone. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value labels: node_selector_key: openstack-control-plane node_selector_value: enabled release_group: null images: tags: bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 test: docker.io/kolla/ubuntu-source-rally:4.0.0 db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 keystone_db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3 db_drop: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 keystone_fernet_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3 keystone_fernet_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3 keystone_credential_setup: docker.io/kolla/ubuntu-source-keystone:3.0.3 keystone_credential_rotate: docker.io/kolla/ubuntu-source-keystone:3.0.3 keystone_api: docker.io/kolla/ubuntu-source-keystone:3.0.3 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: "IfNotPresent" bootstrap: enabled: true script: | openstack role add \ --user="${OS_USERNAME}" \ --user-domain="${OS_USER_DOMAIN_NAME}" \ --project-domain="${OS_PROJECT_DOMAIN_NAME}" \ --project="${OS_PROJECT_NAME}" \ "_member_" network: api: port: 80 ingress: public: true annotations: kubernetes.io/ingress.class: "nginx" ingress.kubernetes.io/rewrite-target: / external_policy_local: false node_port: enabled: false port: 30500 admin: port: 35357 node_port: enabled: false port: 30357 dependencies: api: jobs: - keystone-db-sync - keystone-credential-setup # Comment line below when not running fernet tokens. - keystone-fernet-setup services: - service: oslo_cache endpoint: internal - service: oslo_db endpoint: internal db_init: services: - service: oslo_db endpoint: internal db_sync: jobs: - keystone-db-init - keystone-credential-setup # Comment line below when not running fernet tokens. - keystone-fernet-setup services: - service: oslo_db endpoint: internal db_drop: services: - service: oslo_db endpoint: internal fernet_setup: fernet_rotate: jobs: - keystone-fernet-setup credential_setup: credential_rotate: jobs: - keystone-credential-setup tests: services: - service: identity endpoint: internal bootstrap: services: - service: identity endpoint: internal pod: affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname mounts: keystone_db_init: init_container: null keystone_db_init: keystone_db_sync: init_container: null keystone_db_sync: keystone_api: init_container: null keystone_api: keystone_tests: init_container: null keystone_tests: keystone_bootstrap: init_container: null keystone_bootstrap: keystone_fernet_setup: init_container: null keystone_fernet_setup: keystone_fernet_rotate: init_container: null keystone_fernet_rotate: keystone_credential_setup: init_container: null keystone_credential_setup: keystone_credential_rotate: init_container: null keystone_credential_rotate: replicas: api: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: api: min_available: 0 termination_grace_period: api: timeout: 30 resources: enabled: false api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_drop: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" fernet_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" fernet_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_setup: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" credential_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: fernet_setup: user: keystone group: keystone fernet_rotate: # weekly cron: "0 0 * * 0" user: keystone group: keystone credential_setup: user: keystone group: keystone credential_rotate: # monthly cron: "0 0 1 * *" migrate_wait: 120 user: keystone group: keystone conf: keystone: DEFAULT: max_token_size: 255 token: provider: fernet fernet_tokens: key_repository: /etc/keystone/fernet-keys/ credential: key_repository: /etc/keystone/credential-keys/ database: max_retries: -1 cache: enabled: true backend: dogpile.cache.memcached paste: filter:debug: use: egg:oslo.middleware#debug filter:request_id: use: egg:oslo.middleware#request_id filter:build_auth_context: use: egg:keystone#build_auth_context filter:token_auth: use: egg:keystone#token_auth filter:json_body: use: egg:keystone#json_body filter:cors: use: egg:oslo.middleware#cors oslo_config_project: keystone filter:http_proxy_to_wsgi: use: egg:oslo.middleware#http_proxy_to_wsgi filter:ec2_extension: use: egg:keystone#ec2_extension filter:ec2_extension_v3: use: egg:keystone#ec2_extension_v3 filter:s3_extension: use: egg:keystone#s3_extension filter:url_normalize: use: egg:keystone#url_normalize filter:sizelimit: use: egg:oslo.middleware#sizelimit filter:osprofiler: use: egg:osprofiler#osprofiler app:public_service: use: egg:keystone#public_service app:service_v3: use: egg:keystone#service_v3 app:admin_service: use: egg:keystone#admin_service pipeline:public_api: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service pipeline:admin_api: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service pipeline:api_v3: pipeline: cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 app:public_version_service: use: egg:keystone#public_version_service app:admin_version_service: use: egg:keystone#admin_version_service pipeline:public_version_api: pipeline: cors sizelimit osprofiler url_normalize public_version_service pipeline:admin_version_api: pipeline: cors sizelimit osprofiler url_normalize admin_version_service composite:main: use: egg:Paste#urlmap /v2.0: public_api /v3: api_v3 /: public_version_api composite:admin: use: egg:Paste#urlmap /v2.0: admin_api /v3: api_v3 /: admin_version_api policy: admin_required: role:admin or is_admin:1 service_role: role:service service_or_admin: rule:admin_required or rule:service_role owner: user_id:%(user_id)s admin_or_owner: rule:admin_required or rule:owner token_subject: user_id:%(target.token.user_id)s admin_or_token_subject: rule:admin_required or rule:token_subject service_admin_or_token_subject: rule:service_or_admin or rule:token_subject default: rule:admin_required identity:get_region: '' identity:list_regions: '' identity:create_region: rule:admin_required identity:update_region: rule:admin_required identity:delete_region: rule:admin_required identity:get_service: rule:admin_required identity:list_services: rule:admin_required identity:create_service: rule:admin_required identity:update_service: rule:admin_required identity:delete_service: rule:admin_required identity:get_endpoint: rule:admin_required identity:list_endpoints: rule:admin_required identity:create_endpoint: rule:admin_required identity:update_endpoint: rule:admin_required identity:delete_endpoint: rule:admin_required identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s identity:list_domains: rule:admin_required identity:create_domain: rule:admin_required identity:update_domain: rule:admin_required identity:delete_domain: rule:admin_required identity:get_project: rule:admin_required or project_id:%(target.project.id)s identity:list_projects: rule:admin_required identity:list_user_projects: rule:admin_or_owner identity:create_project: rule:admin_required identity:update_project: rule:admin_required identity:delete_project: rule:admin_required identity:get_user: rule:admin_or_owner identity:list_users: rule:admin_required identity:create_user: rule:admin_required identity:update_user: rule:admin_required identity:delete_user: rule:admin_required identity:change_password: rule:admin_or_owner identity:get_group: rule:admin_required identity:list_groups: rule:admin_required identity:list_groups_for_user: rule:admin_or_owner identity:create_group: rule:admin_required identity:update_group: rule:admin_required identity:delete_group: rule:admin_required identity:list_users_in_group: rule:admin_required identity:remove_user_from_group: rule:admin_required identity:check_user_in_group: rule:admin_required identity:add_user_to_group: rule:admin_required identity:get_credential: rule:admin_required identity:list_credentials: rule:admin_required identity:create_credential: rule:admin_required identity:update_credential: rule:admin_required identity:delete_credential: rule:admin_required identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) identity:ec2_list_credentials: rule:admin_or_owner identity:ec2_create_credential: rule:admin_or_owner identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) identity:get_role: rule:admin_required identity:list_roles: rule:admin_required identity:create_role: rule:admin_required identity:update_role: rule:admin_required identity:delete_role: rule:admin_required identity:get_domain_role: rule:admin_required identity:list_domain_roles: rule:admin_required identity:create_domain_role: rule:admin_required identity:update_domain_role: rule:admin_required identity:delete_domain_role: rule:admin_required identity:get_implied_role: 'rule:admin_required ' identity:list_implied_roles: rule:admin_required identity:create_implied_role: rule:admin_required identity:delete_implied_role: rule:admin_required identity:list_role_inference_rules: rule:admin_required identity:check_implied_role: rule:admin_required identity:check_grant: rule:admin_required identity:list_grants: rule:admin_required identity:create_grant: rule:admin_required identity:revoke_grant: rule:admin_required identity:list_role_assignments: rule:admin_required identity:list_role_assignments_for_tree: rule:admin_required identity:get_policy: rule:admin_required identity:list_policies: rule:admin_required identity:create_policy: rule:admin_required identity:update_policy: rule:admin_required identity:delete_policy: rule:admin_required identity:check_token: rule:admin_or_token_subject identity:validate_token: rule:service_admin_or_token_subject identity:validate_token_head: rule:service_or_admin identity:revocation_list: rule:service_or_admin identity:revoke_token: rule:admin_or_token_subject identity:create_trust: user_id:%(trust.trustor_user_id)s identity:list_trusts: '' identity:list_roles_for_trust: '' identity:get_role_for_trust: '' identity:delete_trust: '' identity:create_consumer: rule:admin_required identity:get_consumer: rule:admin_required identity:list_consumers: rule:admin_required identity:delete_consumer: rule:admin_required identity:update_consumer: rule:admin_required identity:authorize_request_token: rule:admin_required identity:list_access_token_roles: rule:admin_required identity:get_access_token_role: rule:admin_required identity:list_access_tokens: rule:admin_required identity:get_access_token: rule:admin_required identity:delete_access_token: rule:admin_required identity:list_projects_for_endpoint: rule:admin_required identity:add_endpoint_to_project: rule:admin_required identity:check_endpoint_in_project: rule:admin_required identity:list_endpoints_for_project: rule:admin_required identity:remove_endpoint_from_project: rule:admin_required identity:create_endpoint_group: rule:admin_required identity:list_endpoint_groups: rule:admin_required identity:get_endpoint_group: rule:admin_required identity:update_endpoint_group: rule:admin_required identity:delete_endpoint_group: rule:admin_required identity:list_projects_associated_with_endpoint_group: rule:admin_required identity:list_endpoints_associated_with_endpoint_group: rule:admin_required identity:get_endpoint_group_in_project: rule:admin_required identity:list_endpoint_groups_for_project: rule:admin_required identity:add_endpoint_group_to_project: rule:admin_required identity:remove_endpoint_group_from_project: rule:admin_required identity:create_identity_provider: rule:admin_required identity:list_identity_providers: rule:admin_required identity:get_identity_providers: rule:admin_required identity:update_identity_provider: rule:admin_required identity:delete_identity_provider: rule:admin_required identity:create_protocol: rule:admin_required identity:update_protocol: rule:admin_required identity:get_protocol: rule:admin_required identity:list_protocols: rule:admin_required identity:delete_protocol: rule:admin_required identity:create_mapping: rule:admin_required identity:get_mapping: rule:admin_required identity:list_mappings: rule:admin_required identity:delete_mapping: rule:admin_required identity:update_mapping: rule:admin_required identity:create_service_provider: rule:admin_required identity:list_service_providers: rule:admin_required identity:get_service_provider: rule:admin_required identity:update_service_provider: rule:admin_required identity:delete_service_provider: rule:admin_required identity:get_auth_catalog: '' identity:get_auth_projects: '' identity:get_auth_domains: '' identity:list_projects_for_user: '' identity:list_domains_for_user: '' identity:list_revoke_events: '' identity:create_policy_association_for_endpoint: rule:admin_required identity:check_policy_association_for_endpoint: rule:admin_required identity:delete_policy_association_for_endpoint: rule:admin_required identity:create_policy_association_for_service: rule:admin_required identity:check_policy_association_for_service: rule:admin_required identity:delete_policy_association_for_service: rule:admin_required identity:create_policy_association_for_region_and_service: rule:admin_required identity:check_policy_association_for_region_and_service: rule:admin_required identity:delete_policy_association_for_region_and_service: rule:admin_required identity:get_policy_for_endpoint: rule:admin_required identity:list_endpoints_for_policy: rule:admin_required identity:create_domain_config: rule:admin_required identity:get_domain_config: rule:admin_required identity:update_domain_config: rule:admin_required identity:delete_domain_config: rule:admin_required identity:get_domain_config_default: rule:admin_required rally_tests: run_tempest: false override: append: mpm_event: override: append: wsgi_keystone: override: append: sso_callback_template: override: append: # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: keystone-keystone-admin oslo_db: admin: keystone-db-admin user: keystone-db-user # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local identity: namespace: null name: keystone auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default hosts: default: keystone-api public: keystone host_fqdn_override: default: null path: default: /v3 scheme: default: http port: admin: default: 35357 api: default: 80 oslo_db: namespace: null auth: admin: username: root password: password user: username: keystone password: password hosts: default: mariadb host_fqdn_override: default: null path: /keystone scheme: mysql+pymysql port: mysql: default: 3306 oslo_messaging: namespace: null auth: user: username: keystone password: password hosts: default: rabbitmq host_fqdn_override: default: null path: /openstack scheme: rabbit port: amqp: default: 5672 oslo_cache: namespace: null hosts: default: memcached host_fqdn_override: default: null port: memcache: default: 11211 manifests: configmap_bin: true configmap_etc: true cron_credential_rotate: true cron_fernet_rotate: true deployment_api: true ingress_api: true job_bootstrap: true job_credential_setup: true job_db_init: true job_db_sync: true job_db_drop: false job_fernet_setup: true pdb_api: true pod_rally_test: true secret_credential_keys: true secret_db: true secret_fernet_keys: true secret_keystone: true service_ingress_api: true service_api: true