Add keystone-api-proxy helm charts and overrides

This update adds the required helm charts, manifest and overrides to deploy the containerized keystone-api-proxy. It also configures the required chart groups for openstack services running on System Controller. Story: 2004766 Task: 30454 Change-Id: I3a8ac1f1ca811b3004c42a13c9bcab61e1c2f405 Signed-off-by: Tao Liu <tao.liu@windriver.com>
2019-04-22 14:39:33 -04:00 · 2019-04-22 14:39:33 -04:00 · e962470e7e
parent 71720ae2f2
commit e962470e7e
17 changed files with 701 additions and 0 deletions
--- a/stx-openstack-helm/centos/stx-openstack-helm.spec
+++ b/stx-openstack-helm/centos/stx-openstack-helm.spec
@ -59,6 +59,7 @@ make nova-api-proxy
 make rbd-provisioner
 make garbd
 make ceph-pools-audit
+make keystone-api-proxy

 # terminate helm server (the last backgrounded task)
 kill %1
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/Chart.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/Chart.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: StarlingX-Helm keystone-api-proxy
+name: keystone-api-proxy
+version: 0.1.0
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/requirements.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/requirements.yaml
@ -0,0 +1,10 @@
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/bin/_endpoint-update.sh.tpl
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/bin/_endpoint-update.sh.tpl
@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+# Get service id
+OS_SERVICE_ID=$( openstack service list -c Type -c ID -f value | \
+                 grep ${OS_SERVICE_TYPE} | cut -f1 -d" " )
+
+# Check if endpoint exists
+OS_ENDPOINT_ID=$( openstack endpoint list --service ${OS_SERVICE_TYPE} \
+                  --region ${OS_SERVICE_REGION} \
+                  --interface ${OS_SVC_ENDPOINT} -c ID -f value )
+
+# Delete the old endpoint
+if [[ -v $OS_ENDPOINT_ID ]]; then
+  openstack endpoint delete ${OS_ENDPOINT_ID}
+fi
+
+# Create the new endpoint
+OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region=${OS_SERVICE_REGION} \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/bin/_keystone-api-proxy.sh.tpl
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/bin/_keystone-api-proxy.sh.tpl
@ -0,0 +1,13 @@
+#!/bin/bash
+
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type identity
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/configmap-bin.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/configmap-bin.yaml
@ -0,0 +1,21 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keystone-api-proxy-bin
+data:
+  keystone-api-proxy.sh: |
+{{ tuple "bin/_keystone-api-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  endpoint-update.sh: |
+{{ tuple "bin/_endpoint-update.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/configmap-etc.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/configmap-etc.yaml
@ -0,0 +1,28 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- define "keystone_proxy.configmap.etc" }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keystone-api-proxy-etc
+data:
+  dcorch.conf: |
+{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone_api_proxy | indent 4 }}
+  api-paste.ini : |
+{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.paste | indent 4 }}
+  logging.conf: |
+{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if .Values.manifests.configmap_etc }}
+{{- list "keystone-proxy-etc" . | include "keystone_proxy.configmap.etc" }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/deployment.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/deployment.yaml
@ -0,0 +1,88 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.deployment_api_proxy }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_api_proxy := .Values.pod.mounts.keystone_api_proxy.keystone_api_proxy }}
+{{- $mounts_keystone_api_proxy_init := .Values.pod.mounts.keystone_api_proxy.init_container }}
+
+{{- $serviceAccountName := "keystone-api-proxy" }}
+{{ tuple $envAll "keystone-api-proxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keystone-api-proxy
+  labels:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.proxy }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.keystone_api_proxy.node_selector_key }}: {{ .Values.labels.keystone_api_proxy.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.keystone_api_proxy.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_keystone_api_proxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: keystone-api-proxy
+{{ tuple $envAll "keystone_api_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.keystone_api_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.keystone_api_proxy.uid }}
+          command:
+            - /tmp/keystone-api-proxy.sh
+          ports:
+            - name: ks-proxy
+              containerPort: {{ tuple "keystone_api_proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "keystone_api_proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: keystone-api-proxy-bin
+              mountPath: /tmp/keystone-api-proxy.sh
+              subPath: keystone-api-proxy.sh
+              readOnly: true
+            - name: keystone-api-proxy-etc
+              mountPath: /etc/dcorch/dcorch.conf
+              subPath: dcorch.conf
+              readOnly: true
+            - name: keystone-api-proxy-etc
+              mountPath: /etc/dcorch/logging.conf
+              subPath: logging.conf
+              readOnly: true
+            - name: keystone-api-proxy-etc
+              mountPath: /etc/dcorch/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+{{ if $mounts_keystone_api_proxy.volumeMounts }}{{ toYaml $mounts_keystone_api_proxy.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: keystone-api-proxy-bin
+          configMap:
+            name: keystone-api-proxy-bin
+            defaultMode: 0777
+        - name: keystone-api-proxy-etc
+          configMap:
+            name: keystone-api-proxy-etc
+            defaultMode: 0777
+{{ if $mounts_keystone_api_proxy.volumes}}{{ toYaml $mounts_keystone_api_proxy.volumes | indent 8 }}{{ end }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/image_repo_sync.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/image_repo_sync.yaml
@ -0,0 +1,13 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "keystone-api-proxy" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
+
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/ingress.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/ingress.yaml
@ -0,0 +1,12 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.keystone_api_proxy.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "keystone_api_proxy" "backendServiceType" "keystone_api_proxy" "backendPort" "ks-api-proxy" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/job-ks-endpoints.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/job-ks-endpoints.yaml
@ -0,0 +1,75 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $envAll := . }}
+{{- $serviceName := "keystone-api-proxy" }}
+{{- $serviceRegion := $envAll.Values.endpoints.keystone_api_proxy.region_name }}
+{{- $nodeSelector := dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value -}}
+{{- $configMapBin := printf "%s-%s" $serviceName "bin" }}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceName "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceName "ks-endpoints" | quote }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := tuple "identity" }}
+{{- range $key2, $osRealServiceType := tuple "keystone_api_proxy" }}
+{{- range $key3, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" "keystone-proxy" "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- $osServiceRegion := $serviceRegion }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /tmp/endpoint-update.sh
+          volumeMounts:
+            - name: endpoint-update-sh
+              mountPath: /tmp/endpoint-update.sh
+              subPath: endpoint-update.sh
+              readOnly: true
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osRealServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+            - name: OS_SERVICE_REGION
+              value: {{ $osServiceRegion | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: endpoint-update-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/secret-ingress-tls.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/secret-ingress-tls.yaml
@ -0,0 +1,11 @@
+{{/*
+#
+#Copyright (c) 2019 Wind River Systems, Inc.
+#
+#SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "keystone_api_proxy" ) }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/secret.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/secret.yaml
@ -0,0 +1,22 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/service-ingress.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/service-ingress.yaml
@ -0,0 +1,12 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.keystone_api_proxy.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "keystone_api_proxy" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/service.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/templates/service.yaml
@ -0,0 +1,31 @@
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "keystone-api-proxy" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: ks-api-proxy
+      port: {{ tuple "keystone-api-proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.keystone_api_proxy.node_port.enabled }}
+      nodePort: {{ .Values.network.keystone_api_proxy.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.keystone_api_proxy.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.keystone_api_proxy.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/values.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/keystone-api-proxy/values.yaml
@ -0,0 +1,274 @@
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Default values for keystone-api-proxy.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+labels:
+  keystone_api_proxy:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    ks_endpoints: docker.io/openstackhelm/heat:pike
+    keystone_api_proxy: docker.io/starlingx/stx-keystone-api-proxy:master-centos-stable-latest
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+  pullPolicy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+network:
+  keystone_api_proxy:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 25000
+
+conf:
+  keystone_api_proxy:
+    DEFAULT:
+      log_config_append: /etc/dcorch/logging.conf
+      api_paste_config: api-paste.ini
+      debug: False
+      use_syslog: False
+      transport_url: rabbit://guest:guess@127.0.0.1:5672
+    database:
+      connection: postgresql+psycopg2://admin-dcorch:admin-dcorch@127.0.0.1/dcorch
+    identity:
+      bind_host: 0.0.0.0
+      bind_port: 25000
+      remote_host: keystone-api.openstack.svc.cluster.local
+      remote_port: 5000
+
+  paste:
+    pipeline:dcorch-api-proxy:
+      pipeline: filter acceptor proxyapp
+    filter:filter:
+      paste.filter_factory: dcorch.api.proxy.apps.filter:ApiFiller.factory
+    filter:acceptor:
+      paste.filter_factory: dcorch.api.proxy.apps.acceptor:Acceptor.factory
+    app:proxyapp:
+      paste.app_factory: dcorch.api.proxy.apps.proxy:Proxy.factory
+
+  logging:
+    loggers:
+      keys:
+        - root
+        - dcorch
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: null
+    logger_dcorch:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: dcorch
+    logger_amqp:
+      level: INFO
+      handlers: stdout
+      qualname: amqp
+    logger_amqplib:
+      level: INFO
+      handlers: stdout
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+    formatter_default:
+      format: "%(message)s"
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    ks_endpoints:
+      services:
+        - endpoint: internal
+          service: identity
+
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  keystone_api_proxy:
+    name: keystone-proxy
+    region_name: SystemController
+    hosts:
+      default: keystone-api-proxy
+      public: keystone-proxy
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 25000
+        public: 80
+
+pod:
+  user:
+    keystone_api_proxy:
+      uid: 0
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  mounts:
+    keystone_api_proxy:
+      init_container: null
+      keystone_api_proxy:
+  replicas:
+    proxy: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      keystone_api_proxy:
+        min_available: 0
+    termination_grace_period:
+      keystone_api_proxy:
+        timeout: 60
+  resources:
+    enabled: false
+    keystone_api_proxy:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+secrets:
+  identity:
+    admin: dcorch-keystone-admin
+  tls:
+    keystone_api_proxy:
+      keystone_api_proxy:
+        public: keystone-api-proxy-tls-public
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  deployment_api_proxy: true
+  ingress_api: true
+  secret_keystone: true
+  service_api: true
+  service_ingress_api: true
+  job_ks_endpoints: true
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
--- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@ -426,6 +426,46 @@ data:
    - helm-toolkit
 ---
 schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: openstack-keystone-api-proxy
+data:
+  chart_name: keystone-api-proxy
+  release: openstack-keystone-api-proxy
+  namespace: openstack
+  wait:
+    timeout: 1800
+    labels:
+      release_group: osh-openstack-keystone-api-proxy
+  test:
+    enabled: false
+  install:
+    no_hooks: false
+  upgrade:
+    no_hooks: false
+    pre:
+      delete:
+        - type: job
+          labels:
+            release_group: osh-openstack-keystone-api-proxy
+        - type: pod
+          labels:
+            release_group: osh-openstack-keystone-api-proxy
+            component: test
+  values:
+    images:
+      tags:
+        keystone_api_proxy: docker.io/starlingx/stx-keystone-api-proxy:master-centos-stable-latest
+        ks_endpoints: docker.io/starlingx/stx-heat:master-centos-stable-latest
+  source:
+    type: tar
+    location: http://172.17.0.1/helm_charts/keystone-api-proxy-0.1.0.tgz
+    subpath: keystone-api-proxy
+    reference: master
+  dependencies:
+    - helm-toolkit
+---
+schema: armada/Chart/v1
 metadata:
  schema: metadata/Document/v1
  name: openstack-barbican
@ -3006,6 +3046,16 @@ data:
    - openstack-keystone
 ---
 schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: openstack-keystone-api-proxy
+data:
+  description: "Deploy keystone api proxy"
+  sequenced: true
+  chart_group:
+    - openstack-keystone-api-proxy
+---
+schema: armada/ChartGroup/v1
 metadata:
  schema: metadata/Document/v1
  name: openstack-barbican