openstack/openstack-helm
Code Issues Proposed changes
b180d28618
openstack-helm/barbican/values.yaml
portdirect b180d28618 Auth: Update credential keys to reference service specifically 
This PS moves all credentials for OpenStack services from 'user' to
the service name. This allows a single yaml snippet to articulate
the credentials for a deployment.

Change-Id: Ic720109f2ba854561b23767cb480bcae91f74b6b
2018-01-15 18:54:13 +00:00

491 lines
15 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
scripted_test: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
barbican_db_sync: docker.io/kolla/ubuntu-source-barbican-api:3.0.3
db_drop: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
barbican_api: docker.io/kolla/ubuntu-source-barbican-api:3.0.3
pull_policy: "IfNotPresent"
pod:
user:
barbican:
uid: 1000
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
barbican_api:
init_container: null
barbican_api:
barbican_bootstrap:
init_container: null
barbican_bootstrap:
barbican_tests:
init_container: null
barbican_tests:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
resources:
enabled: false
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
network:
api:
ingress:
public: true
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 39486
bootstrap:
enabled: false
script: |
openstack token issue
dependencies:
db_init:
services:
- service: oslo_db
endpoint: internal
db_sync:
jobs:
- barbican-db-init
services:
- service: oslo_db
endpoint: internal
db_drop:
services:
- service: oslo_db
endpoint: internal
ks_user:
services:
- service: identity
endpoint: internal
ks_service:
services:
- service: identity
endpoint: internal
ks_endpoints:
jobs:
- barbican-ks-service
services:
- service: identity
endpoint: internal
api:
jobs:
- barbican-db-sync
- barbican-ks-user
- barbican-ks-endpoints
services:
- service: oslo_db
endpoint: internal
- service: identity
endpoint: internal
conf:
paste:
composite:main:
use: egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone
pipeline:barbican_version:
pipeline: cors http_proxy_to_wsgi versionapp
pipeline:barbican_api:
pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
pipeline:barbican-profile:
pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
pipeline:barbican-api-keystone:
pipeline: cors http_proxy_to_wsgi authtoken context apiapp
pipeline:barbican-api-keystone-audit:
pipeline: http_proxy_to_wsgi authtoken context audit apiapp
app:apiapp:
paste.app_factory: barbican.api.app:create_main_app
app:versionapp:
paste.app_factory: barbican.api.app:create_version_app
filter:simple:
paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
filter:unauthenticated-context:
paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
filter:context:
paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/barbican/api_audit_map.conf
filter:authtoken:
paste.filter_factory: keystonemiddleware.auth_token:filter_factory
filter:profile:
use: egg:repoze.profile
log_filename: myapp.profile
cachegrind_filename: cachegrind.out.myapp
discard_first_request: true
path: /__profile__
flush_at_shutdown: true
unwind: false
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: barbican
filter:http_proxy_to_wsgi:
paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
policy:
admin: role:admin
observer: role:observer
creator: role:creator
audit: role:audit
service_admin: role:key-manager:service-admin
admin_or_user_does_not_work: project_id:%(project_id)s
admin_or_user: rule:admin or project_id:%(project_id)s
admin_or_creator: rule:admin or rule:creator
all_but_audit: rule:admin or rule:observer or rule:creator
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
secret_project_match: project:%(target.secret.project_id)s
secret_acl_read: "'read':%(target.secret.read)s"
secret_private_read: "'False':%(target.secret.read_project_access)s"
secret_creator_user: user:%(target.secret.creator_id)s
container_project_match: project:%(target.container.project_id)s
container_acl_read: "'read':%(target.container.read)s"
container_private_read: "'False':%(target.container.read_project_access)s"
container_creator_user: user:%(target.container.creator_id)s
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
and not rule:secret_private_read
container_non_private_read: rule:all_users and rule:container_project_match and not
rule:container_private_read
secret_project_admin: rule:admin and rule:secret_project_match
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
container_project_admin: rule:admin and rule:container_project_match
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
version:get: "@"
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
or rule:secret_project_admin or rule:secret_acl_read
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
or rule:secret_acl_read
secret:put: rule:admin_or_creator and rule:secret_project_match
secret:delete: rule:secret_project_admin or rule:secret_project_creator
secrets:post: rule:admin_or_creator
secrets:get: rule:all_but_audit
orders:post: rule:admin_or_creator
orders:get: rule:all_but_audit
order:get: rule:all_users
order:put: rule:admin_or_creator
order:delete: rule:admin
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
or rule:container_project_admin or rule:container_acl_read
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
or rule:container_project_admin or rule:container_acl_read
containers:post: rule:admin_or_creator
containers:get: rule:all_but_audit
container:get: rule:container_non_private_read or rule:container_project_creator or
rule:container_project_admin or rule:container_acl_read
container:delete: rule:container_project_admin or rule:container_project_creator
container_secret:post: rule:admin
container_secret:delete: rule:admin
transport_key:get: rule:all_users
transport_key:delete: rule:admin
transport_keys:get: rule:all_users
transport_keys:post: rule:admin
certificate_authorities:get_limited: rule:all_users
certificate_authorities:get_all: rule:admin
certificate_authorities:post: rule:admin
certificate_authorities:get_preferred_ca: rule:all_users
certificate_authorities:get_global_preferred_ca: rule:service_admin
certificate_authorities:unset_global_preferred: rule:service_admin
certificate_authority:delete: rule:admin
certificate_authority:get: rule:all_users
certificate_authority:get_cacert: rule:all_users
certificate_authority:get_ca_cert_chain: rule:all_users
certificate_authority:get_projects: rule:service_admin
certificate_authority:add_to_project: rule:admin
certificate_authority:remove_from_project: rule:admin
certificate_authority:set_preferred: rule:admin
certificate_authority:set_global_preferred: rule:service_admin
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
secret_acls:get: rule:all_but_audit and rule:secret_project_match
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
container_acls:delete: rule:container_project_admin or rule:container_project_creator
container_acls:get: rule:all_but_audit and rule:container_project_match
quotas:get: rule:all_users
project_quotas:get: rule:service_admin
project_quotas:put: rule:service_admin
project_quotas:delete: rule:service_admin
secret_meta:get: rule:all_but_audit
secret_meta:post: rule:admin_or_creator
secret_meta:put: rule:admin_or_creator
secret_meta:delete: rule:admin_or_creator
secretstores:get: rule:admin
secretstores:get_global_default: rule:admin
secretstores:get_preferred: rule:admin
secretstore_preferred:post: rule:admin
secretstore_preferred:delete: rule:admin
secretstore:get: rule:admin
audit_map:
DEFAULT:
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type: key-manager
custom_actions:
# map urls ending with specific text to a unique action
# Don't need custom mapping for other resource operations
# Note: action should match action names defined in CADF taxonomy
acl/get: read
path_keywords:
# path of api requests for CADF target typeURI
# Just need to include top resource path to identify class of resources
secrets: null
containers: null
orders: null
cas: "None"
quotas: null
project-quotas: null
service_endpoints:
# map endpoint type defined in service catalog to CADF typeURI
key-manager: service/security/keymanager
barbican_api:
uwsgi:
socket: null
protocol: http
processes: 1
lazy: true
vacuum: true
no-default-app: true
memory-report: true
plugins: python
paste: "config:/etc/barbican/barbican-api-paste.ini"
add-header: "Connection: close"
barbican:
DEFAULT:
transport_url: null
keystone_authtoken:
auth_type: password
auth_version: v3
memcache_security_strategy: ENCRYPT
database:
max_retries: -1
barbican_api:
bind_port: 9311
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: barbican-keystone-admin
barbican: barbican-keystone-user
oslo_db:
admin: barbican-db-admin
barbican: barbican-db-user
endpoints:
cluster_domain_suffix: cluster.local
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
barbican:
role: admin
region_name: RegionOne
username: barbican
password: password
project_name: service
user_domain_name: default
project_domain_name: default
hosts:
default: keystone-api
public: keystone
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
admin:
default: 35357
api:
default: 80
key_manager:
name: barbican
hosts:
default: barbican-api
public: barbican
host_fqdn_override:
default: null
path:
default: /v1
scheme:
default: http
port:
api:
default: 9311
public: 80
oslo_db:
auth:
admin:
username: root
password: password
barbican:
username: barbican
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /barbican
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_messaging:
auth:
barbican:
username: rabbitmq
password: password
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /
scheme: rabbit
port:
amqp:
default: 5672
oslo_cache:
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
manifests:
configmap_bin: true
configmap_etc: true
deployment_api: true
ingress_api: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
pdb_api: true
secret_db: true
secret_keystone: true
service_ingress_api: true
service_api: true
View Git Blame Copy Permalink