---
images:
  tags:
    # Image for the nginx container; presumably the TLS-terminating proxy whose
    # configuration is given under conf.nginx - confirm against the chart.
    # NOTE(review): this is a mutable tag reference, not a digest. Pinning as
    # docker.io/nginx@sha256:<digest-placeholder> makes the deployed bits
    # reproducible and auditable.
    # NOTE(review): 1.18.0 is an old stable-branch release; confirm it still
    # receives security fixes from wherever this image is sourced.
    nginx: docker.io/nginx:1.18.0
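conf:
  glance:
    DEFAULT:
      # Glance binds to loopback only. The nginx upstream below targets
      # 127.0.0.1:$PORT, so the plaintext API is reachable only from inside
      # the pod and external traffic has to go through the TLS listener.
      bind_host: 127.0.0.1
    keystone_authtoken:
      # CA bundle used to verify the identity service's certificate.
      cafile: /etc/glance/certs/ca.crt
    glance_store:
      # CA bundles for outbound HTTPS / Swift store connections.
      https_ca_certificates_file: /etc/glance/certs/ca.crt
      swift_store_cacert: /etc/glance/certs/ca.crt
  glance_registry:
    keystone_authtoken:
      # Same CA bundle as the API service uses for identity verification.
      cafile: /etc/glance/certs/ca.crt
  # nginx configuration, kept as a literal block scalar. It contains a Helm
  # template expression (server_name), so it is presumably rendered through
  # tpl by the chart. $POD_IP, $PORT and ${SHORTNAME} are placeholders that
  # nginx itself does not expand in listen / upstream server directives;
  # presumably they are substituted before nginx starts - confirm against the
  # container start script.
  #
  # TLS settings:
  # - ssl_protocols is set explicitly. The three listed suites are all
  #   TLS 1.2 suites, so older protocol versions could not negotiate anyway;
  #   stating the floor keeps it from depending on the cipher list.
  # - ssl_ciphers lists only suite names OpenSSL recognises. OpenSSL skips
  #   unrecognised names without an error, so such names add no protection.
  # - NOTE(review): no ssl_dhparam is configured here; nginx does not offer
  #   DHE suites without one, so the DHE entry is likely inert - confirm.
  #
  # Other points:
  # - client_max_body_size 0 disables nginx's request-body size limit; any
  #   size limit on uploads has to be enforced by the backend.
  # - The access log records $request_uri (query string included) and the
  #   referer; avoid carrying credentials in URLs that pass through this proxy.
  # - proxy_pass uses plain HTTP, but only to the loopback upstream.
  nginx: |
    worker_processes 1;
    daemon off;
    user nginx;

    events {
      worker_connections 1024;
    }

    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      sendfile on;
      keepalive_timeout 65s;
      tcp_nodelay on;

      log_format main '[nginx] method=$request_method path=$request_uri '
                      'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
                      '"$remote_user" "$http_referer" "$http_user_agent"';

      access_log /dev/stdout  main;

      upstream websocket {
        server 127.0.0.1:$PORT;
      }

      server {
        server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
        listen $POD_IP:$PORT ssl;

        client_max_body_size  0;

        ssl_certificate      /etc/nginx/certs/tls.crt;
        ssl_certificate_key  /etc/nginx/certs/tls.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

        location / {
          proxy_pass_request_headers on;

          proxy_http_version  1.1;
          proxy_pass          http://websocket;
          proxy_read_timeout  90;
        }
      }
    }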
network:
  api:
    ingress:
      annotations:
        # Tells ingress-nginx to use HTTPS towards the backend service rather
        # than plain HTTP.
        # NOTE(review): this encrypts the hop but, unless backend certificate
        # verification is also configured on the ingress
        # (nginx.ingress.kubernetes.io/proxy-ssl-verify with a CA secret), the
        # controller presumably does not authenticate the backend - confirm.
        # NOTE(review): the documented values are upper-case (HTTPS); confirm
        # the controller version in use accepts the lower-case form.
        nginx.ingress.kubernetes.io/backend-protocol: "https"
  registry:
    ingress:
      annotations:
        # Same backend-protocol setting for the registry ingress; the
        # review notes on the api ingress annotation apply here as well.
        nginx.ingress.kubernetes.io/backend-protocol: "https"

endpoints:
  # Identity (Keystone) endpoint: HTTPS on 443, with a CA certificate path for
  # each of the admin, glance and test credentials.
  identity:
    name: keystone
    auth:
      admin:
        # Presumably the CA used to verify Keystone when authenticating as
        # this user; the file must be mounted at this path - confirm.
        cacert: /etc/ssl/certs/openstack-helm.crt
      glance:
        cacert: /etc/ssl/certs/openstack-helm.crt
      test:
        cacert: /etc/ssl/certs/openstack-helm.crt
    scheme:
      default: https
    port:
      api:
        default: 443
  # Image API endpoint. The tls stanza names the secret that holds the
  # certificate (glance-tls-api) and the issuer that signs it (ClusterIssuer
  # "ca-issuer"); presumably rendered into a certificate request when
  # manifests.certificates is true - confirm against the chart templates.
  image:
    host_fqdn_override:
      default:
        tls:
          secretName: glance-tls-api
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
      public: https
    port:
      api:
        public: 443
  # Image registry endpoint: same layout, with its own TLS secret
  # (glance-tls-reg) signed by the same ClusterIssuer.
  image_registry:
    host_fqdn_override:
      default:
        tls:
          secretName: glance-tls-reg
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
      public: https
    port:
      api:
        public: 443
  dashboard:
    scheme:
      default: https
      public: https
    port:
      web:
        # NOTE(review): the default scheme is https but the default web port
        # is 80. Confirm this pairing is intended and does not yield
        # https://host:80 URLs or an unencrypted internal hop.
        default: 80
        public: 443
pod:
  security_context:
    glance:
      pod:
        # NOTE(review): UID 0 runs the glance pod's containers as root unless
        # a container-level security context overrides it. Confirm root is
        # actually required (e.g. for reading the mounted key material) and,
        # if so, that privilege escalation and capabilities are restricted
        # elsewhere in the chart.
        runAsUser: 0
  resources:
    # Requests and limits for the nginx container. Quantities are quoted so
    # they stay strings.
    nginx:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
manifests:
  # Enables the chart's certificate manifests; presumably these are what
  # consume the endpoints.*.host_fqdn_override.default.tls settings (secret
  # name and issuerRef) - confirm against the chart templates.
  certificates: true
...