29f32a07ac
This patch set updates the gate to by default uses network policy for all components and enforces them in Openstack-helm. Change-Id: I70c90b5808075797f02670f21481a4f968205325 Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8 Co-Authored-By: Mike Pham <tp6510@att.com> Signed-off-by: Tin Lam <tin@irrational.io>
679 lines
20 KiB
YAML
679 lines
20 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for barbican.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
labels:
|
|
api:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
test:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
release_group: null
|
|
|
|
images:
|
|
tags:
|
|
bootstrap: docker.io/openstackhelm/heat:ocata
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
|
scripted_test: docker.io/openstackhelm/heat:ocata
|
|
db_init: docker.io/openstackhelm/heat:ocata
|
|
barbican_db_sync: docker.io/openstackhelm/barbican:ocata
|
|
db_drop: docker.io/openstackhelm/heat:ocata
|
|
ks_user: docker.io/openstackhelm/heat:ocata
|
|
ks_service: docker.io/openstackhelm/heat:ocata
|
|
ks_endpoints: docker.io/openstackhelm/heat:ocata
|
|
barbican_api: docker.io/openstackhelm/barbican:ocata
|
|
rabbit_init: docker.io/rabbitmq:3.7-management
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: "IfNotPresent"
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
pod:
|
|
user:
|
|
barbican:
|
|
uid: 42424
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
barbican_api:
|
|
init_container: null
|
|
barbican_api:
|
|
barbican_bootstrap:
|
|
init_container: null
|
|
barbican_bootstrap:
|
|
barbican_tests:
|
|
init_container: null
|
|
barbican_tests:
|
|
replicas:
|
|
api: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
api:
|
|
min_available: 0
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
rabbit_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_endpoints:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_service:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_user:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
network:
|
|
api:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 39486
|
|
|
|
network_policy:
|
|
barbican:
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
application: barbican
|
|
- podSelector:
|
|
matchLabels:
|
|
application: ingress
|
|
- podSelector:
|
|
matchLabels:
|
|
application: horizon
|
|
ports:
|
|
- protocol: TCP
|
|
port: 80
|
|
- protocol: TCP
|
|
port: 9311
|
|
|
|
bootstrap:
|
|
enabled: false
|
|
ks_user: barbican
|
|
script: |
|
|
openstack token issue
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- barbican-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
api:
|
|
jobs:
|
|
- barbican-db-sync
|
|
- barbican-ks-user
|
|
- barbican-ks-endpoints
|
|
- barbican-rabbit-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
- endpoint: internal
|
|
service: identity
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- barbican-db-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
ks_endpoints:
|
|
jobs:
|
|
- barbican-ks-service
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_service:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
ks_user:
|
|
services:
|
|
- endpoint: internal
|
|
service: identity
|
|
rabbit_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_messaging
|
|
|
|
conf:
|
|
paste:
|
|
composite:main:
|
|
use: egg:Paste#urlmap
|
|
/: barbican_version
|
|
/v1: barbican-api-keystone
|
|
pipeline:barbican_version:
|
|
pipeline: cors http_proxy_to_wsgi versionapp
|
|
pipeline:barbican_api:
|
|
pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
|
|
pipeline:barbican-profile:
|
|
pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
|
|
pipeline:barbican-api-keystone:
|
|
pipeline: cors http_proxy_to_wsgi authtoken context apiapp
|
|
pipeline:barbican-api-keystone-audit:
|
|
pipeline: http_proxy_to_wsgi authtoken context audit apiapp
|
|
app:apiapp:
|
|
paste.app_factory: barbican.api.app:create_main_app
|
|
app:versionapp:
|
|
paste.app_factory: barbican.api.app:create_version_app
|
|
filter:simple:
|
|
paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
|
|
filter:unauthenticated-context:
|
|
paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
|
|
filter:context:
|
|
paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
|
|
filter:audit:
|
|
paste.filter_factory: keystonemiddleware.audit:filter_factory
|
|
audit_map_file: /etc/barbican/api_audit_map.conf
|
|
filter:authtoken:
|
|
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
|
|
filter:profile:
|
|
use: egg:repoze.profile
|
|
log_filename: myapp.profile
|
|
cachegrind_filename: cachegrind.out.myapp
|
|
discard_first_request: true
|
|
path: /__profile__
|
|
flush_at_shutdown: true
|
|
unwind: false
|
|
filter:cors:
|
|
paste.filter_factory: oslo_middleware.cors:filter_factory
|
|
oslo_config_project: barbican
|
|
filter:http_proxy_to_wsgi:
|
|
paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
|
|
policy:
|
|
admin: role:admin
|
|
observer: role:observer
|
|
creator: role:creator
|
|
audit: role:audit
|
|
service_admin: role:key-manager:service-admin
|
|
admin_or_user_does_not_work: project_id:%(project_id)s
|
|
admin_or_user: rule:admin or project_id:%(project_id)s
|
|
admin_or_creator: rule:admin or rule:creator
|
|
all_but_audit: rule:admin or rule:observer or rule:creator
|
|
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
|
|
secret_project_match: project:%(target.secret.project_id)s
|
|
secret_acl_read: "'read':%(target.secret.read)s"
|
|
secret_private_read: "'False':%(target.secret.read_project_access)s"
|
|
secret_creator_user: user:%(target.secret.creator_id)s
|
|
container_project_match: project:%(target.container.project_id)s
|
|
container_acl_read: "'read':%(target.container.read)s"
|
|
container_private_read: "'False':%(target.container.read_project_access)s"
|
|
container_creator_user: user:%(target.container.creator_id)s
|
|
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
|
|
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
|
|
and not rule:secret_private_read
|
|
container_non_private_read: rule:all_users and rule:container_project_match and not
|
|
rule:container_private_read
|
|
secret_project_admin: rule:admin and rule:secret_project_match
|
|
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
|
|
container_project_admin: rule:admin and rule:container_project_match
|
|
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
|
|
version:get: "@"
|
|
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
|
|
or rule:secret_project_admin or rule:secret_acl_read
|
|
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
|
|
or rule:secret_acl_read
|
|
secret:put: rule:admin_or_creator and rule:secret_project_match
|
|
secret:delete: rule:secret_project_admin or rule:secret_project_creator
|
|
secrets:post: rule:admin_or_creator
|
|
secrets:get: rule:all_but_audit
|
|
orders:post: rule:admin_or_creator
|
|
orders:get: rule:all_but_audit
|
|
order:get: rule:all_users
|
|
order:put: rule:admin_or_creator
|
|
order:delete: rule:admin
|
|
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
|
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
|
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
|
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
|
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
|
or rule:container_project_admin or rule:container_acl_read
|
|
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
|
or rule:container_project_admin or rule:container_acl_read
|
|
containers:post: rule:admin_or_creator
|
|
containers:get: rule:all_but_audit
|
|
container:get: rule:container_non_private_read or rule:container_project_creator or
|
|
rule:container_project_admin or rule:container_acl_read
|
|
container:delete: rule:container_project_admin or rule:container_project_creator
|
|
container_secret:post: rule:admin
|
|
container_secret:delete: rule:admin
|
|
transport_key:get: rule:all_users
|
|
transport_key:delete: rule:admin
|
|
transport_keys:get: rule:all_users
|
|
transport_keys:post: rule:admin
|
|
certificate_authorities:get_limited: rule:all_users
|
|
certificate_authorities:get_all: rule:admin
|
|
certificate_authorities:post: rule:admin
|
|
certificate_authorities:get_preferred_ca: rule:all_users
|
|
certificate_authorities:get_global_preferred_ca: rule:service_admin
|
|
certificate_authorities:unset_global_preferred: rule:service_admin
|
|
certificate_authority:delete: rule:admin
|
|
certificate_authority:get: rule:all_users
|
|
certificate_authority:get_cacert: rule:all_users
|
|
certificate_authority:get_ca_cert_chain: rule:all_users
|
|
certificate_authority:get_projects: rule:service_admin
|
|
certificate_authority:add_to_project: rule:admin
|
|
certificate_authority:remove_from_project: rule:admin
|
|
certificate_authority:set_preferred: rule:admin
|
|
certificate_authority:set_global_preferred: rule:service_admin
|
|
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
|
|
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
|
|
secret_acls:get: rule:all_but_audit and rule:secret_project_match
|
|
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
|
|
container_acls:delete: rule:container_project_admin or rule:container_project_creator
|
|
container_acls:get: rule:all_but_audit and rule:container_project_match
|
|
quotas:get: rule:all_users
|
|
project_quotas:get: rule:service_admin
|
|
project_quotas:put: rule:service_admin
|
|
project_quotas:delete: rule:service_admin
|
|
secret_meta:get: rule:all_but_audit
|
|
secret_meta:post: rule:admin_or_creator
|
|
secret_meta:put: rule:admin_or_creator
|
|
secret_meta:delete: rule:admin_or_creator
|
|
secretstores:get: rule:admin
|
|
secretstores:get_global_default: rule:admin
|
|
secretstores:get_preferred: rule:admin
|
|
secretstore_preferred:post: rule:admin
|
|
secretstore_preferred:delete: rule:admin
|
|
secretstore:get: rule:admin
|
|
audit_map:
|
|
DEFAULT:
|
|
# default target endpoint type
|
|
# should match the endpoint type defined in service catalog
|
|
target_endpoint_type: key-manager
|
|
custom_actions:
|
|
# map urls ending with specific text to a unique action
|
|
# Don't need custom mapping for other resource operations
|
|
# Note: action should match action names defined in CADF taxonomy
|
|
acl/get: read
|
|
path_keywords:
|
|
# path of api requests for CADF target typeURI
|
|
# Just need to include top resource path to identify class of resources
|
|
secrets: null
|
|
containers: null
|
|
orders: null
|
|
cas: "None"
|
|
quotas: null
|
|
project-quotas: null
|
|
service_endpoints:
|
|
# map endpoint type defined in service catalog to CADF typeURI
|
|
key-manager: service/security/keymanager
|
|
barbican_api:
|
|
uwsgi:
|
|
socket: null
|
|
protocol: http
|
|
processes: 1
|
|
lazy: true
|
|
vacuum: true
|
|
no-default-app: true
|
|
memory-report: true
|
|
plugins: python
|
|
paste: "config:/etc/barbican/barbican-api-paste.ini"
|
|
add-header: "Connection: close"
|
|
barbican:
|
|
DEFAULT:
|
|
transport_url: null
|
|
log_config_append: /etc/barbican/logging.conf
|
|
keystone_authtoken:
|
|
auth_type: password
|
|
auth_version: v3
|
|
memcache_security_strategy: ENCRYPT
|
|
memcache_secret_key: null
|
|
database:
|
|
max_retries: -1
|
|
barbican_api:
|
|
#NOTE(portdirect): the bind port should not be defined, and is manipulated
|
|
# via the endpoints section.
|
|
bind_port: null
|
|
logging:
|
|
loggers:
|
|
keys:
|
|
- root
|
|
- barbican
|
|
handlers:
|
|
keys:
|
|
- stdout
|
|
- stderr
|
|
- "null"
|
|
formatters:
|
|
keys:
|
|
- context
|
|
- default
|
|
logger_root:
|
|
level: WARNING
|
|
handlers: 'null'
|
|
logger_barbican:
|
|
level: INFO
|
|
handlers:
|
|
- stdout
|
|
qualname: barbican
|
|
logger_amqp:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqp
|
|
logger_amqplib:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: amqplib
|
|
logger_eventletwsgi:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: eventlet.wsgi.server
|
|
logger_sqlalchemy:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: sqlalchemy
|
|
logger_boto:
|
|
level: WARNING
|
|
handlers: stderr
|
|
qualname: boto
|
|
handler_null:
|
|
class: logging.NullHandler
|
|
formatter: default
|
|
args: ()
|
|
handler_stdout:
|
|
class: StreamHandler
|
|
args: (sys.stdout,)
|
|
formatter: context
|
|
handler_stderr:
|
|
class: StreamHandler
|
|
args: (sys.stderr,)
|
|
formatter: context
|
|
formatter_context:
|
|
class: oslo_log.formatters.ContextFormatter
|
|
formatter_default:
|
|
format: "%(message)s"
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: barbican-keystone-admin
|
|
barbican: barbican-keystone-user
|
|
oslo_db:
|
|
admin: barbican-db-admin
|
|
barbican: barbican-db-user
|
|
oslo_messaging:
|
|
admin: barbican-rabbitmq-admin
|
|
barbican: barbican-rabbitmq-user
|
|
tls:
|
|
key_manager:
|
|
api:
|
|
public: barbican-tls-public
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
identity:
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
barbican:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: barbican
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: service
|
|
project_domain_name: service
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
internal: 5000
|
|
key_manager:
|
|
name: barbican
|
|
hosts:
|
|
default: barbican-api
|
|
public: barbican
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 9311
|
|
public: 80
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
barbican:
|
|
username: barbican
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /barbican
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
auth:
|
|
admin:
|
|
username: rabbitmq
|
|
password: password
|
|
barbican:
|
|
username: barbican
|
|
password: password
|
|
hosts:
|
|
default: rabbitmq
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /barbican
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
http:
|
|
default: 15672
|
|
oslo_cache:
|
|
auth:
|
|
# NOTE(portdirect): this is used to define the value for keystone
|
|
# authtoken cache encryption key, if not set it will be populated
|
|
# automatically with a random value, but to take advantage of
|
|
# this feature all services should be set to use the same key,
|
|
# and memcache service.
|
|
memcache_secret_key: null
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
fluentd:
|
|
namespace: null
|
|
name: fluentd
|
|
hosts:
|
|
default: fluentd-logging
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme: 'http'
|
|
port:
|
|
service:
|
|
default: 24224
|
|
metrics:
|
|
default: 24220
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
deployment_api: true
|
|
ingress_api: true
|
|
job_bootstrap: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
job_image_repo_sync: true
|
|
job_rabbit_init: true
|
|
job_ks_endpoints: true
|
|
job_ks_service: true
|
|
job_ks_user: true
|
|
pdb_api: true
|
|
pod_test: true
|
|
secret_db: true
|
|
network_policy: false
|
|
secret_ingress_tls: true
|
|
secret_keystone: true
|
|
secret_rabbitmq: true
|
|
service_ingress_api: true
|
|
service_api: true
|