bd057784d5
Add functionality to keystone to act as a certificate transfer provider. Add actions to add, remove, list CA certs to keystone. Add Certificate Transfer requires handler in ops_sunbeam. Update keystone_auth section cafile option if certificate is available in receive-ca-cert relation. Update metadata.yaml for keystone and rest of k8s charms. Change-Id: I9c800e8f8a0c9197b195331be7b445bafe794780
202 lines
5.1 KiB
Django/Jinja
202 lines
5.1 KiB
Django/Jinja
bundle: kubernetes
|
|
|
|
applications:
|
|
traefik:
|
|
charm: ch:traefik-k8s
|
|
channel: 1.0/candidate
|
|
scale: 1
|
|
trust: true
|
|
options:
|
|
kubernetes-service-annotations: metallb.universe.tf/address-pool=public
|
|
mysql:
|
|
charm: ch:mysql-k8s
|
|
channel: 8.0/stable
|
|
scale: 1
|
|
trust: true
|
|
constraints: cpu-power=1000 mem=1G
|
|
vault:
|
|
charm: ch:vault-k8s
|
|
channel: latest/edge
|
|
scale: 1
|
|
trust: false
|
|
tls-operator:
|
|
charm: self-signed-certificates
|
|
channel: latest/beta
|
|
scale: 1
|
|
options:
|
|
ca-common-name: internal-ca
|
|
rabbitmq:
|
|
charm: ch:rabbitmq-k8s
|
|
channel: 3.12/edge
|
|
scale: 1
|
|
trust: true
|
|
options:
|
|
minimum-replicas: 1
|
|
ovn-central:
|
|
{% if ovn_central_k8s is defined and ovn_central_k8s is sameas true -%}
|
|
charm: ../../../ovn-central-k8s.charm
|
|
{% else -%}
|
|
charm: ch:ovn-central-k8s
|
|
channel: 23.03/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: true
|
|
resources:
|
|
ovn-sb-db-server-image: ghcr.io/canonical/ovn-consolidated:23.09
|
|
ovn-nb-db-server-image: ghcr.io/canonical/ovn-consolidated:23.09
|
|
ovn-northd-image: ghcr.io/canonical/ovn-consolidated:23.09
|
|
keystone:
|
|
{% if keystone_k8s is defined and keystone_k8s is sameas true -%}
|
|
charm: ../../../keystone-k8s.charm
|
|
{% else -%}
|
|
charm: ch:keystone-k8s
|
|
channel: 2023.2/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: true
|
|
options:
|
|
admin-role: admin
|
|
storage:
|
|
fernet-keys: 5M
|
|
credential-keys: 5M
|
|
resources:
|
|
keystone-image: ghcr.io/canonical/keystone:2023.2
|
|
glance:
|
|
{% if glance_k8s is defined and glance_k8s is sameas true -%}
|
|
charm: ../../../glance-k8s.charm
|
|
{% else -%}
|
|
charm: ch:glance-k8s
|
|
channel: 2023.2/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: true
|
|
storage:
|
|
local-repository: 5G
|
|
resources:
|
|
glance-api-image: ghcr.io/canonical/glance-api:2023.2
|
|
heat:
|
|
{% if heat_k8s is defined and heat_k8s is sameas true -%}
|
|
charm: ../../../heat-k8s.charm
|
|
{% else -%}
|
|
charm: ch:heat-k8s
|
|
channel: 2023.2/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: true
|
|
resources:
|
|
heat-api-image: ghcr.io/canonical/heat-consolidated:2023.2
|
|
heat-engine-image: ghcr.io/canonical/heat-consolidated:2023.2
|
|
octavia:
|
|
{% if octavia_k8s is defined and octavia_k8s is sameas true -%}
|
|
charm: ../../../octavia-k8s.charm
|
|
{% else -%}
|
|
charm: ch:octavia-k8s
|
|
channel: 2023.2/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: true
|
|
resources:
|
|
octavia-api-image: ghcr.io/canonical/octavia-consolidated:2023.2
|
|
octavia-driver-agent-image: ghcr.io/canonical/octavia-consolidated:2023.2
|
|
octavia-housekeeping-image: ghcr.io/canonical/octavia-consolidated:2023.2
|
|
barbican:
|
|
{% if barbican_k8s is defined and barbican_k8s is sameas true -%}
|
|
charm: ../../../barbican-k8s.charm
|
|
{% else -%}
|
|
charm: ch:barbican-k8s
|
|
channel: 2023.2/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: false
|
|
resources:
|
|
barbican-api-image: ghcr.io/canonical/barbican-consolidated:2023.2
|
|
barbican-worker-image: ghcr.io/canonical/barbican-consolidated:2023.2
|
|
magnum:
|
|
{% if magnum_k8s is defined and magnum_k8s is sameas true -%}
|
|
charm: ../../../magnum-k8s.charm
|
|
{% else -%}
|
|
charm: ch:magnum-k8s
|
|
channel: 2023.2/edge
|
|
{% endif -%}
|
|
scale: 1
|
|
trust: false
|
|
resources:
|
|
magnum-api-image: ghcr.io/canonical/magnum-consolidated:2023.2
|
|
magnum-conductor-image: ghcr.io/canonical/magnum-consolidated:2023.2
|
|
|
|
relations:
|
|
- - tls-operator:certificates
|
|
- ovn-central:certificates
|
|
|
|
- - mysql:database
|
|
- keystone:database
|
|
- - traefik:ingress
|
|
- keystone:ingress-public
|
|
|
|
- - mysql:database
|
|
- glance:database
|
|
- - keystone:identity-service
|
|
- glance:identity-service
|
|
- - rabbitmq:amqp
|
|
- glance:amqp
|
|
- - traefik:ingress
|
|
- glance:ingress-public
|
|
- - keystone:send-ca-cert
|
|
- glance:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- heat:database
|
|
- - keystone:identity-service
|
|
- heat:identity-service
|
|
- - keystone:identity-ops
|
|
- heat:identity-ops
|
|
- - traefik:traefik-route
|
|
- heat:traefik-route-public
|
|
- - rabbitmq:amqp
|
|
- heat:amqp
|
|
- - keystone:send-ca-cert
|
|
- heat:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- octavia:database
|
|
- - keystone:identity-service
|
|
- octavia:identity-service
|
|
- - keystone:identity-ops
|
|
- octavia:identity-ops
|
|
- - traefik:ingress
|
|
- octavia:ingress-public
|
|
- - tls-operator:certificates
|
|
- octavia:certificates
|
|
- - octavia:ovsdb-cms
|
|
- ovn-central:ovsdb-cms
|
|
- - keystone:send-ca-cert
|
|
- octavia:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- barbican:database
|
|
- - rabbitmq:amqp
|
|
- barbican:amqp
|
|
- - keystone:identity-service
|
|
- barbican:identity-service
|
|
- - keystone:identity-ops
|
|
- barbican:identity-ops
|
|
- - traefik:ingress
|
|
- barbican:ingress-public
|
|
- - vault:vault-kv
|
|
- barbican:vault-kv
|
|
- - keystone:send-ca-cert
|
|
- barbican:receive-ca-cert
|
|
|
|
- - mysql:database
|
|
- magnum:database
|
|
- - rabbitmq:amqp
|
|
- magnum:amqp
|
|
- - keystone:identity-service
|
|
- magnum:identity-service
|
|
- - keystone:identity-ops
|
|
- magnum:identity-ops
|
|
- - traefik:ingress
|
|
- magnum:ingress-public
|
|
- - keystone:send-ca-cert
|
|
- magnum:receive-ca-cert
|