openstack/openstack-helm
Code Issues Proposed changes
openstack-helm/senlin/values.yaml
Pete Birley 40a45b9751 RabbitMQ: Add vHost management and improve security 
This PS adds vhost management to rabbitmq jobs. It also prevents
sensitive information being displayed in the management job, and
removes the 'administrator' tag from service users.

Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
2018-04-19 08:26:45 -05:00

465 lines
11 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
engine:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
bootstrap: docker.io/openstackhelm/heat:newton
db_init: docker.io/openstackhelm/heat:newton
senlin_db_sync: docker.io/openstackhelm/senlin:newton
db_drop: docker.io/openstackhelm/heat:newton
rabbit_init: docker.io/rabbitmq:3.7-management
ks_user: docker.io/openstackhelm/heat:newton
ks_service: docker.io/openstackhelm/heat:newton
ks_endpoints: docker.io/openstackhelm/heat:newton
senlin_api: docker.io/openstackhelm/senlin:newton
senlin_engine: docker.io/openstackhelm/senlin:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.0
pull_policy: "IfNotPresent"
conf:
paste:
pipeline:senlin-api:
pipeline: request_id faultwrap ssl versionnegotiation webhook authtoken context trust apiv1app
app:apiv1app:
paste.app_factory: senlin.api.common.wsgi:app_factory
senlin.app_factory: senlin.api.openstack.v1.router:API
filter:request_id:
paste.filter_factory: oslo_middleware.request_id:RequestId.factory
filter:faultwrap:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:fault_filter
filter:context:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:context_filter
filter:ssl:
paste.filter_factory: oslo_middleware.ssl:SSLMiddleware.factory
filter:versionnegotiation:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:version_filter
filter:trust:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:trust_filter
filter:webhook:
paste.filter_factory: senlin.api.common.wsgi:filter_factory
senlin.filter_factory: senlin.api.middleware:webhook_filter
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
policy:
context_is_admin: role:admin
deny_everybody: "!"
build_info:build_info: ''
profile_types:index: ''
profile_types:get: ''
policy_types:index: ''
policy_types:get: ''
clusters:index: ''
clusters:create: ''
clusters:delete: ''
clusters:get: ''
clusters:action: ''
clusters:update: ''
clusters:collect: ''
profiles:index: ''
profiles:create: ''
profiles:get: ''
profiles:delete: ''
profiles:update: ''
profiles:validate: ''
nodes:index: ''
nodes:create: ''
nodes:get: ''
nodes:action: ''
nodes:update: ''
nodes:delete: ''
policies:index: ''
policies:create: ''
policies:get: ''
policies:update: ''
policies:delete: ''
policies:validate: ''
cluster_policies:index: ''
cluster_policies:attach: ''
cluster_policies:detach: ''
cluster_policies:update: ''
cluster_policies:get: ''
receivers:index: ''
receivers:create: ''
receivers:get: ''
receivers:delete: ''
actions:index: ''
actions:get: ''
events:index: ''
events:get: ''
webhooks:trigger: ''
senlin:
DEFAULT:
transport_url: null
database:
max_retries: -1
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
senlin_api:
# NOTE(portdirect): the bind port should not be defined, and is manipulated
# via the endpoints section.
bind_port: null
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30778
bootstrap:
enabled: false
ks_user: senlin
script: |
openstack token issue
dependencies:
static:
api:
jobs:
- senlin-db-sync
- senlin-ks-user
- senlin-ks-endpoints
services:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- senlin-db-init
services:
- endpoint: internal
service: oslo_db
engine:
jobs:
- senlin-db-sync
- senlin-ks-user
- senlin-ks-endpoints
servics:
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
ks_endpoints:
jobs:
- senlin-ks-service
services:
- endpoint: internal
service: identity
ks_service:
services:
- endpoint: internal
service: identity
ks_user:
services:
- endpoint: internal
service: identity
rabbit_init:
services:
- service: oslo_messaging
endpoint: internal
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: senlin-keystone-admin
senlin: senlin-keystone-user
oslo_db:
admin: senlin-db-admin
senlin: senlin-db-user
oslo_messaging:
admin: senlin-rabbitmq-admin
senlin: senlin-rabbitmq-user
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
senlin:
role: admin
region_name: RegionOne
username: senlin
password: password
project_name: service
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
clustering:
name: senlin
hosts:
default: senlin-api
public: senlin
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 8778
public: 80
oslo_db:
auth:
admin:
username: root
password: password
senlin:
username: senlin
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /senlin
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
oslo_messaging:
auth:
admin:
username: rabbitmq
password: password
senlin:
username: senlin
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /senlin
scheme: rabbit
port:
amqp:
default: 5672
http:
default: 15672
pod:
user:
senlin:
uid: 42424
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
senlin_api:
init_container: null
senlin_api:
senlin_engine:
init_container: null
senlin_engine:
senlin_bootstrap:
init_container: null
senlin_bootstrap:
replicas:
api: 1
engine: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
engine:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
rabbit_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_etc: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
job_rabbit_init: true
pdb_api: true
secret_db: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true
service_api: true
statefulset_engine: true
View Git Blame Copy Permalink