openstack/openstack-helm
Code Issues Proposed changes
3af7c353df
openstack-helm/magnum/values.yaml
Pete Birley 40a45b9751 RabbitMQ: Add vHost management and improve security 
This PS adds vhost management to rabbitmq jobs. It also prevents
sensitive information being displayed in the management job, and
removes the 'administrator' tag from service users.

Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
2018-04-19 08:26:45 -05:00

452 lines
11 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
release_group: null
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
conductor:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
tags:
bootstrap: docker.io/openstackhelm/heat:newton
db_init: docker.io/openstackhelm/heat:newton
magnum_db_sync: docker.io/openstackhelm/magnum:newton
db_drop: docker.io/openstackhelm/heat:newton
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:newton
ks_service: docker.io/openstackhelm/heat:newton
ks_endpoints: docker.io/openstackhelm/heat:newton
magnum_api: docker.io/openstackhelm/magnum:newton
magnum_conductor: docker.io/openstackhelm/magnum:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.0
pull_policy: "IfNotPresent"
conf:
paste:
pipeline:main:
pipeline: cors healthcheck request_id authtoken api_v1
app:api_v1:
paste.app_factory: magnum.api.app:app_factory
filter:authtoken:
acl_public_routes: /, /v1
paste.filter_factory: magnum.api.middleware.auth_token:AuthTokenMiddleware.factory
filter:request_id:
paste.filter_factory: oslo_middleware:RequestId.factory
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: magnum
filter:healthcheck:
paste.filter_factory: oslo_middleware:Healthcheck.factory
backends: disable_by_file
disable_by_file_path: /etc/magnum/healthcheck_disable
policy:
context_is_admin: role:admin
admin_or_owner: is_admin:True or project_id:%(project_id)s
default: rule:admin_or_owner
admin_api: rule:context_is_admin
admin_or_user: is_admin:True or user_id:%(user_id)s
cluster_user: user_id:%(trustee_user_id)s
deny_cluster_user: not domain_id:%(trustee_domain_id)s
bay:create: rule:deny_cluster_user
bay:delete: rule:deny_cluster_user
bay:detail: rule:deny_cluster_user
bay:get: rule:deny_cluster_user
bay:get_all: rule:deny_cluster_user
bay:update: rule:deny_cluster_user
baymodel:create: rule:deny_cluster_user
baymodel:delete: rule:deny_cluster_user
baymodel:detail: rule:deny_cluster_user
baymodel:get: rule:deny_cluster_user
baymodel:get_all: rule:deny_cluster_user
baymodel:update: rule:deny_cluster_user
baymodel:publish: rule:admin_or_owner
cluster:create: rule:deny_cluster_user
cluster:delete: rule:deny_cluster_user
cluster:detail: rule:deny_cluster_user
cluster:get: rule:deny_cluster_user
cluster:get_all: rule:deny_cluster_user
cluster:update: rule:deny_cluster_user
clustertemplate:create: rule:deny_cluster_user
clustertemplate:delete: rule:deny_cluster_user
clustertemplate:detail: rule:deny_cluster_user
clustertemplate:get: rule:deny_cluster_user
clustertemplate:get_all: rule:deny_cluster_user
clustertemplate:update: rule:deny_cluster_user
clustertemplate:publish: rule:admin_or_owner
rc:create: rule:default
rc:delete: rule:default
rc:detail: rule:default
rc:get: rule:default
rc:get_all: rule:default
rc:update: rule:default
certificate:create: rule:admin_or_user or rule:cluster_user
certificate:get: rule:admin_or_user or rule:cluster_user
magnum-service:get_all: rule:admin_api
magnum:
DEFAULT:
transport_url: null
database:
max_retries: -1
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
api:
# NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
port: null
host: 0.0.0.0
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30511
bootstrap:
enabled: false
ks_user: magnum
script: |
openstack token issue
dependencies:
static:
api:
jobs:
- magnum-db-sync
- magnum-ks-user
- magnum-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
conductor:
jobs:
- magnum-db-sync
- magnum-ks-user
- magnum-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- magnum-db-init
services:
- endpoint: internal
service: oslo_db
ks_endpoints:
jobs:
- magnum-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: magnum-keystone-admin
magnum: magnum-keystone-user
oslo_db:
admin: magnum-db-admin
magnum: magnum-db-user
oslo_messaging:
admin: magnum-rabbitmq-admin
magnum: magnum-rabbitmq-user
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
magnum:
role: admin
region_name: RegionOne
username: magnum
password: password
project_name: service
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
container_infra:
name: magnum
hosts:
default: magnum-api
public: magnum
host_fqdn_override:
default: null
path:
default: /v1
scheme:
default: http
port:
api:
default: 9511
public: 80
oslo_db:
auth:
admin:
username: root
password: password
magnum:
username: magnum
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /magnum
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
magnum:
username: magnum
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /magnum
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
pod:
user:
magnum:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
magnum_api:
init_container: null
magnum_api:
magnum_conductor:
init_container: null
magnum_conductor:
magnum_bootstrap:
init_container: null
magnum_bootstrap:
replicas:
api: 1
conductor: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conductor:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_etc: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_rabbit_init: true
pdb_api: true
secret_db: true
secret_keystone: true
secret_rabbitmq: true
service_api: true
service_ingress_api: true
statefulset_conductor: true
View Git Blame Copy Permalink