8ab6013409
In the Victoria cycle oslo.policy decided to change all default policies to YAML format. Today on openstack-helm we have a mix of JSON and YAML across projects and, after a bad time debugging policies that should have been mounted in one place but were being mounted elsewhere, I'm proposing this change so we can unify the delivery method for all policies across components on YAML (which has been supported for quite some time). This will also avoid problems in the future as the services move from JSON to YAML. [1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html Signed-off-by: Thiago Brito <thiago.brito@windriver.com> Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
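# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

release_group: null

# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true

images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    test: docker.io/xrally/xrally-openstack:2.0.0
    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    keystone_db_sync: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    rabbit_init: docker.io/rabbitmq:3.7-management
    keystone_fernet_setup: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    keystone_fernet_rotate: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    keystone_credential_setup: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    keystone_credential_rotate: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    keystone_credential_cleanup: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    keystone_api: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    keystone_domain_manage: docker.io/openstackhelm/keystone:stein-ubuntu_bionic
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

bootstrap:
  enabled: true
  ks_user: admin
  # Runs with the credentials of `ks_user` once the identity endpoint is up
  # (see dependencies.static.bootstrap); the script grants that user the
  # member role on its project and the admin role on the default domain.
  script: |
    #NOTE(gagehugo): As of Rocky, keystone creates a member role by default
    openstack role create --or-show member
    openstack role add \
      --user="${OS_USERNAME}" \
      --user-domain="${OS_USER_DOMAIN_NAME}" \
      --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
      --project="${OS_PROJECT_NAME}" \
      "member"
    # admin needs the admin role for the default domain
    openstack role add \
      --user="${OS_USERNAME}" \
      --domain="${OS_DEFAULT_DOMAIN}" \
      "admin"

network:
  api:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    node_port:
      enabled: false
      port: 30500
  admin:
    node_port:
      enabled: false
      port: 30357

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - keystone-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    rabbit_init:
      services:
        - service: oslo_messaging
          endpoint: internal
  static:
    api:
      jobs:
        - keystone-db-sync
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
    bootstrap:
      jobs:
        - keystone-domain-manage
      services:
        - endpoint: internal
          service: identity
    credential_rotate:
      jobs:
        - keystone-credential-setup
    credential_setup: null
    credential_cleanup:
      services:
        - endpoint: internal
          service: oslo_db
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - keystone-db-init
        - keystone-credential-setup
        - keystone-fernet-setup
      services:
        - endpoint: internal
          service: oslo_db
    domain_manage:
      services:
        - endpoint: internal
          service: identity
    fernet_rotate:
      jobs:
        - keystone-fernet-setup
    fernet_setup: null
    tests:
      services:
        - endpoint: internal
          service: identity
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

pod:
  # Every pod runs as an unprivileged uid with a read-only root filesystem
  # and no privilege escalation. NOTE(review): 42424 is presumably the
  # keystone uid baked into the openstackhelm images — confirm for custom images.
  security_context:
    keystone:
      pod:
        runAsUser: 42424
      container:
        keystone_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    credential_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_credential_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_setup:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_setup:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    fernet_rotate:
      pod:
        runAsUser: 42424
      container:
        keystone_fernet_rotate:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    domain_manage:
      pod:
        runAsUser: 42424
      container:
        keystone_domain_manage_init:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_domain_manage:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    test:
      pod:
        runAsUser: 42424
      container:
        keystone_test_ks_user:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        keystone_test:
          runAsUser: 65500
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  # Extra volumes/volumeMounts per container; the bare `volumeMounts:` /
  # `volumes:` keys are deliberately left empty (null) for overrides to fill.
  mounts:
    keystone_db_init:
      init_container: null
      keystone_db_init:
        volumeMounts:
        volumes:
    keystone_db_sync:
      init_container: null
      keystone_db_sync:
        volumeMounts:
        volumes:
    keystone_api:
      init_container: null
      keystone_api:
        volumeMounts:
        volumes:
    keystone_tests:
      init_container: null
      keystone_tests:
        volumeMounts:
        volumes:
    keystone_bootstrap:
      init_container: null
      keystone_bootstrap:
        volumeMounts:
        volumes:
    keystone_fernet_setup:
      init_container: null
      keystone_fernet_setup:
        volumeMounts:
        volumes:
    keystone_fernet_rotate:
      init_container: null
      keystone_fernet_rotate:
        volumeMounts:
        volumes:
    keystone_credential_setup:
      init_container: null
      keystone_credential_setup:
        volumeMounts:
        volumes:
    keystone_credential_rotate:
      init_container: null
      keystone_credential_rotate:
        volumeMounts:
        volumes:
    keystone_credential_cleanup:
      init_container: null
      keystone_credential_cleanup:
        volumeMounts:
        volumes:
    keystone_domain_manage:
      init_container: null
      keystone_domain_manage:
        volumeMounts:
        volumes:
  replicas:
    api: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    disruption_budget:
      api:
        min_available: 0
    termination_grace_period:
      api:
        timeout: 30
  resources:
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      bootstrap:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      domain_manage:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      rabbit_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      fernet_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_setup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_rotate:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      credential_cleanup:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
  probes:
    api:
      api:
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 10
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 50
            periodSeconds: 20
            timeoutSeconds: 5

jobs:
  fernet_setup:
    user: keystone
    group: keystone
  fernet_rotate:
    # NOTE(rk760n): key rotation frequency, token expiration, active keys should satisfy the formula
    # max_active_keys = (token_expiration / rotation_frequency) + 2
    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
    # 12 hours
    cron: "0 */12 * * *"
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1
  credential_setup:
    user: keystone
    group: keystone
  credential_rotate:
    # monthly
    cron: "0 0 1 * *"
    migrate_wait: 120
    user: keystone
    group: keystone
    history:
      success: 3
      failed: 1

# Only rendered when manifests.network_policy is true. An empty rule (`- {}`)
# selects all peers, i.e. these defaults allow all ingress and egress;
# tighten them in overrides when the policy is enabled.
network_policy:
  keystone:
    ingress:
      - {}
    egress:
      - {}

conf:
  # Apache hardening snippet, rendered verbatim. The X-Content-Type-Options and
  # X-Frame-Options directives below are shipped commented out (as in the
  # Debian default); enable them when mod_headers is loaded.
  security: |
    #
    # Disable access to the entire file system except for the directories that
    # are explicitly allowed later.
    #
    # This currently breaks the configurations that come with some web application
    # Debian packages.
    #
    #<Directory />
    # AllowOverride None
    # Require all denied
    #</Directory>

    # Changing the following options will not really affect the security of the
    # server, but might make attacks slightly more difficult in some cases.

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of: Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    ServerSignature Off

    #
    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of: On | Off | extended
    TraceEnable Off

    #
    # Forbid access to version control directories
    #
    # If you use version control systems in your document root, you should
    # probably deny access to their directories. For example, for subversion:
    #
    #<DirectoryMatch "/\.svn">
    # Require all denied
    #</DirectoryMatch>

    #
    # Setting this header will prevent MSIE from interpreting files as something
    # else than declared by the content type in the HTTP headers.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Content-Type-Options: "nosniff"

    #
    # Setting this header will prevent other sites from embedding pages from this
    # site as frames. This defends against clickjacking attacks.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Frame-Options: "sameorigin"
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      # NOTE(review): "sites-enable" looks like a typo of Debian's
      # /etc/apache2/sites-enabled — confirm against the templates that
      # consume site_dir before changing it.
      site_dir: /etc/apache2/sites-enable
      conf_dir: /etc/apache2/conf-enabled
      mods_dir: /etc/apache2/mods-available
      a2enmod: null
      a2dismod: null
  # Rendered into keystone.conf, one section per key.
  keystone:
    DEFAULT:
      log_config_append: /etc/keystone/logging.conf
      max_token_size: 255
      # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
      # notification_opt_out: ""
    token:
      provider: fernet
      # 12 hours
      expiration: 43200
    identity:
      domain_specific_drivers_enabled: true
      domain_config_dir: /etc/keystonedomains
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
      max_retries: -1
    cache:
      enabled: true
      backend: dogpile.cache.memcached
    oslo_messaging_notifications:
      driver: messagingv2
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    oslo_middleware:
      enable_proxy_headers_parsing: true
    oslo_policy:
      # Policies are delivered as YAML (rendered from conf.policy below);
      # oslo.policy moved its own defaults to YAML in Victoria.
      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # NOTE(vdrok): The following two options have effect only for SQL backend
      lockout_failure_attempts: 5
      lockout_duration: 1800
  # NOTE(lamt) We can leverage multiple domains with different
  # configurations as outlined in
  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
  # A sample of the value override can be found in sample file:
  # tools/overrides/example/keystone_domain_config.yaml
  # ks_domains:
  # Policy overrides written to conf.keystone.oslo_policy.policy_file. A rule
  # listed here replaces keystone's in-code default for that target, and an
  # empty rule string ('') always passes — review additions accordingly.
  policy:
    admin_required: role:admin or is_admin:1
    service_role: role:service
    service_or_admin: rule:admin_required or rule:service_role
    owner: user_id:%(user_id)s
    admin_or_owner: rule:admin_required or rule:owner
    token_subject: user_id:%(target.token.user_id)s
    admin_or_token_subject: rule:admin_required or rule:token_subject
    service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
    default: rule:admin_required
    identity:get_region: ''
    identity:list_regions: ''
    identity:create_region: rule:admin_required
    identity:update_region: rule:admin_required
    identity:delete_region: rule:admin_required
    identity:get_service: rule:admin_required
    identity:list_services: rule:admin_required
    identity:create_service: rule:admin_required
    identity:update_service: rule:admin_required
    identity:delete_service: rule:admin_required
    identity:get_endpoint: rule:admin_required
    identity:list_endpoints: rule:admin_required
    identity:create_endpoint: rule:admin_required
    identity:update_endpoint: rule:admin_required
    identity:delete_endpoint: rule:admin_required
    identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
    identity:list_domains: rule:admin_required
    identity:create_domain: rule:admin_required
    identity:update_domain: rule:admin_required
    identity:delete_domain: rule:admin_required
    identity:get_project: rule:admin_required or project_id:%(target.project.id)s
    identity:list_projects: rule:admin_required
    identity:list_user_projects: rule:admin_or_owner
    identity:create_project: rule:admin_required
    identity:update_project: rule:admin_required
    identity:delete_project: rule:admin_required
    identity:get_user: rule:admin_or_owner
    identity:list_users: rule:admin_required
    identity:create_user: rule:admin_required
    identity:update_user: rule:admin_required
    identity:delete_user: rule:admin_required
    identity:change_password: rule:admin_or_owner
    identity:get_group: rule:admin_required
    identity:list_groups: rule:admin_required
    identity:list_groups_for_user: rule:admin_or_owner
    identity:create_group: rule:admin_required
    identity:update_group: rule:admin_required
    identity:delete_group: rule:admin_required
    identity:list_users_in_group: rule:admin_required
    identity:remove_user_from_group: rule:admin_required
    identity:check_user_in_group: rule:admin_required
    identity:add_user_to_group: rule:admin_required
    identity:get_credential: rule:admin_required
    identity:list_credentials: rule:admin_required
    identity:create_credential: rule:admin_required
    identity:update_credential: rule:admin_required
    identity:delete_credential: rule:admin_required
    identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
    identity:ec2_list_credentials: rule:admin_or_owner
    identity:ec2_create_credential: rule:admin_or_owner
    identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
    identity:get_role: rule:admin_required
    identity:list_roles: rule:admin_required
    identity:create_role: rule:admin_required
    identity:update_role: rule:admin_required
    identity:delete_role: rule:admin_required
    identity:get_domain_role: rule:admin_required
    identity:list_domain_roles: rule:admin_required
    identity:create_domain_role: rule:admin_required
    identity:update_domain_role: rule:admin_required
    identity:delete_domain_role: rule:admin_required
    identity:get_implied_role: rule:admin_required
    identity:list_implied_roles: rule:admin_required
    identity:create_implied_role: rule:admin_required
    identity:delete_implied_role: rule:admin_required
    identity:list_role_inference_rules: rule:admin_required
    identity:check_implied_role: rule:admin_required
    identity:check_grant: rule:admin_required
    identity:list_grants: rule:admin_required
    identity:create_grant: rule:admin_required
    identity:revoke_grant: rule:admin_required
    identity:list_role_assignments: rule:admin_required
    identity:list_role_assignments_for_tree: rule:admin_required
    identity:get_policy: rule:admin_required
    identity:list_policies: rule:admin_required
    identity:create_policy: rule:admin_required
    identity:update_policy: rule:admin_required
    identity:delete_policy: rule:admin_required
    identity:check_token: rule:admin_or_token_subject
    identity:validate_token: rule:service_admin_or_token_subject
    identity:validate_token_head: rule:service_or_admin
    identity:revocation_list: rule:service_or_admin
    identity:revoke_token: rule:admin_or_token_subject
    identity:create_trust: user_id:%(trust.trustor_user_id)s
    identity:list_trusts: ''
    identity:list_roles_for_trust: ''
    identity:get_role_for_trust: ''
    identity:delete_trust: ''
    identity:create_consumer: rule:admin_required
    identity:get_consumer: rule:admin_required
    identity:list_consumers: rule:admin_required
    identity:delete_consumer: rule:admin_required
    identity:update_consumer: rule:admin_required
    identity:authorize_request_token: rule:admin_required
    identity:list_access_token_roles: rule:admin_required
    identity:get_access_token_role: rule:admin_required
    identity:list_access_tokens: rule:admin_required
    identity:get_access_token: rule:admin_required
    identity:delete_access_token: rule:admin_required
    identity:list_projects_for_endpoint: rule:admin_required
    identity:add_endpoint_to_project: rule:admin_required
    identity:check_endpoint_in_project: rule:admin_required
    identity:list_endpoints_for_project: rule:admin_required
    identity:remove_endpoint_from_project: rule:admin_required
    identity:create_endpoint_group: rule:admin_required
    identity:list_endpoint_groups: rule:admin_required
    identity:get_endpoint_group: rule:admin_required
    identity:update_endpoint_group: rule:admin_required
    identity:delete_endpoint_group: rule:admin_required
    identity:list_projects_associated_with_endpoint_group: rule:admin_required
    identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
    identity:get_endpoint_group_in_project: rule:admin_required
    identity:list_endpoint_groups_for_project: rule:admin_required
    identity:add_endpoint_group_to_project: rule:admin_required
    identity:remove_endpoint_group_from_project: rule:admin_required
    identity:create_identity_provider: rule:admin_required
    identity:list_identity_providers: rule:admin_required
    identity:get_identity_provider: rule:admin_required
    identity:update_identity_provider: rule:admin_required
    identity:delete_identity_provider: rule:admin_required
    identity:create_protocol: rule:admin_required
    identity:update_protocol: rule:admin_required
    identity:get_protocol: rule:admin_required
    identity:list_protocols: rule:admin_required
    identity:delete_protocol: rule:admin_required
    identity:create_mapping: rule:admin_required
    identity:get_mapping: rule:admin_required
    identity:list_mappings: rule:admin_required
    identity:delete_mapping: rule:admin_required
    identity:update_mapping: rule:admin_required
    identity:create_service_provider: rule:admin_required
    identity:list_service_providers: rule:admin_required
    identity:get_service_provider: rule:admin_required
    identity:update_service_provider: rule:admin_required
    identity:delete_service_provider: rule:admin_required
    identity:get_auth_catalog: ''
    identity:get_auth_projects: ''
    identity:get_auth_domains: ''
    identity:list_projects_for_user: ''
    identity:list_domains_for_user: ''
    identity:list_revoke_events: ''
    identity:create_policy_association_for_endpoint: rule:admin_required
    identity:check_policy_association_for_endpoint: rule:admin_required
    identity:delete_policy_association_for_endpoint: rule:admin_required
    identity:create_policy_association_for_service: rule:admin_required
    identity:check_policy_association_for_service: rule:admin_required
    identity:delete_policy_association_for_service: rule:admin_required
    identity:create_policy_association_for_region_and_service: rule:admin_required
    identity:check_policy_association_for_region_and_service: rule:admin_required
    identity:delete_policy_association_for_region_and_service: rule:admin_required
    identity:get_policy_for_endpoint: rule:admin_required
    identity:list_endpoints_for_policy: rule:admin_required
    identity:create_domain_config: rule:admin_required
    identity:get_domain_config: rule:admin_required
    identity:update_domain_config: rule:admin_required
    identity:delete_domain_config: rule:admin_required
    identity:get_domain_config_default: rule:admin_required
  access_rules: {}
  rabbitmq:
    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
    policies:
      - vhost: "keystone"
        name: "ha_ttl_keystone"
        definition:
          # mirror messages to other nodes in rmq cluster
          ha-mode: "all"
          ha-sync-mode: "automatic"
          # 70s
          message-ttl: 70000
        priority: 0
        apply-to: all
        pattern: '^(?!(amq\.|reply_)).*'
  rally_tests:
    run_tempest: false
    tests:
      KeystoneBasic.add_and_remove_user_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.authenticate_user_and_validate_token:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_add_and_list_user_roles:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_ec2credential:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_ec2credentials:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_role:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_delete_service:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_get_role:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_services:
        - args:
            description: test_description
            service_type: Rally_test_type
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_tenants:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_and_list_users:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_delete_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_tenant_with_users:
        - args:
            users_per_tenant: 1
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_update_and_delete_tenant:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_set_enabled_and_delete:
        - args:
            enabled: true
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
        - args:
            enabled: false
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.create_user_update_password:
        - args: {}
          runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
      KeystoneBasic.get_entities:
        - runner:
            concurrency: 1
            times: 1
            type: constant
          sla:
            failure_rate:
              max: 0
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit 1024
      StartServers 32
      MinSpareThreads 32
      MaxSpareThreads 256
      ThreadsPerChild 25
      MaxRequestsPerChild 128
      ThreadLimit 720
    </IfModule>
  # Apache vhost for the public WSGI app; the listen port is resolved from the
  # internal identity endpoint at render time.
  wsgi_keystone: |
    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

    Listen 0.0.0.0:{{ $portInt }}

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded

    <VirtualHost *:{{ $portInt }}>
        WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded
    </VirtualHost>
  sso_callback_template: |
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Keystone WebSSO redirect</title>
      </head>
      <body>
        <form id="sso" name="sso" action="$host" method="post">
          Please wait...
          <br/>
          <input type="hidden" name="token" id="token" value="$token"/>
          <noscript>
            <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
              value="If your JavaScript is disabled, please click to continue"/>
          </noscript>
        </form>
        <script type="text/javascript">
          window.onload = function() {
            document.forms['sso'].submit();
          }
        </script>
      </body>
    </html>
  # Rendered into logging.conf (Python logging.config.fileConfig format).
  # NOTE: fileConfig evaluates each handler's `args` expression, so keep them
  # literal tuples.
  logging:
    loggers:
      keys:
        - root
        - keystone
    handlers:
      keys:
        - stdout
        - stderr
        - "null"
    formatters:
      keys:
        - context
        - default
    logger_root:
      level: WARNING
      handlers: 'null'
    logger_keystone:
      level: INFO
      handlers:
        - stdout
      qualname: keystone
    logger_amqp:
      level: WARNING
      handlers: stderr
      qualname: amqp
    logger_amqplib:
      level: WARNING
      handlers: stderr
      qualname: amqplib
    logger_eventletwsgi:
      level: WARNING
      handlers: stderr
      qualname: eventlet.wsgi.server
    logger_sqlalchemy:
      level: WARNING
      handlers: stderr
      qualname: sqlalchemy
    logger_boto:
      level: WARNING
      handlers: stderr
      qualname: boto
    handler_null:
      class: logging.NullHandler
      formatter: default
      args: ()
    handler_stdout:
      class: StreamHandler
      args: (sys.stdout,)
      formatter: context
    handler_stderr:
      class: StreamHandler
      args: (sys.stderr,)
      formatter: context
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: "%Y-%m-%d %H:%M:%S"
    formatter_default:
      format: "%(message)s"
      datefmt: "%Y-%m-%d %H:%M:%S"

# Names of secrets used by bootstrap and environmental checks
secrets:
  identity:
    admin: keystone-keystone-admin
    test: keystone-keystone-test
  oslo_db:
    admin: keystone-db-admin
    keystone: keystone-db-user
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
  ldap:
    tls: keystone-ldap-tls
  tls:
    identity:
      api:
        public: keystone-tls-public
        internal: keystone-tls-api

# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# The `password: password` entries below are development placeholders and
# must be overridden (they are written into the secrets listed above).
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  identity:
    namespace: null
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
      test:
        role: admin
        region_name: RegionOne
        username: keystone-test
        password: password
        project_name: test
        user_domain_name: default
        project_domain_name: default
        default_domain_id: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        # NOTE(portdirect): to retain portability across images, and allow
        # running under a unprivileged user simply, we default to a port > 1000.
        internal: 5000
  oslo_db:
    namespace: null
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      keystone:
        username: keystone
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  oslo_messaging:
    namespace: null
    auth:
      admin:
        username: rabbitmq
        password: password
        secret:
          tls:
            internal: rabbitmq-tls-direct
      keystone:
        username: keystone
        password: password
    statefulset:
      replicas: 2
      name: rabbitmq-rabbitmq
    hosts:
      default: rabbitmq
    host_fqdn_override:
      default: null
    path: /keystone
    scheme: rabbit
    port:
      amqp:
        default: 5672
      http:
        default: 15672
  oslo_cache:
    namespace: null
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  ldap:
    auth:
      client:
        tls:
          # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
          # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
          # following key will need to be overridden under section [ldap] or the
          # correct domain-specific setting, else it will not be enabled:
          #
          # use_tls: true
          # tls_req_cert: allow # Valid values: demand, never, allow
          # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
          ca: null
  fluentd:
    namespace: null
    name: fluentd
    hosts:
      default: fluentd-logging
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: 'http'
    port:
      service:
        default: 24224
      metrics:
        default: 24220
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
      protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  cron_credential_rotate: true
  cron_fernet_rotate: true
  deployment_api: true
  ingress_api: true
  job_bootstrap: true
  job_credential_cleanup: true
  job_credential_setup: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_domain_manage: true
  job_fernet_setup: true
  job_image_repo_sync: true
  job_rabbit_init: true
  pdb_api: true
  pod_rally_test: true
  network_policy: false
  secret_credential_keys: true
  secret_db: true
  secret_fernet_keys: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  service_ingress_api: true
  service_api: true
...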