ceb30e8cc7
This ps moves to use a container sultaible for use as the heat engine for all possible admin jobs - it is lighter than the kolla-toolbox image and makes it easy to swap out to other image sets. This is as the heat engine container should contain the openstack client (with all required libs for the cloud) and the oslo_db supporting libs required by the db management jobs, as well as the oslo_messaging libs required for future rabbitmq management expansion. Change-Id: I5451c15c8fb49c85b4f254cc60156420bee2efea
400 lines
12 KiB
YAML
400 lines
12 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
labels:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
release_group: null
|
|
|
|
images:
|
|
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
dep_check: docker.io/kolla/ubuntu-source-kubernetes-entrypoint:4.0.0
|
|
test: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
db_sync: docker.io/kolla/ubuntu-source-barbican-api:3.0.3
|
|
ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
|
|
api: docker.io/kolla/ubuntu-source-barbican-api:3.0.3
|
|
pull_policy: "IfNotPresent"
|
|
|
|
pod:
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
barbican_api:
|
|
init_container: null
|
|
barbican_api:
|
|
barbican_bootstrap:
|
|
init_container: null
|
|
barbican_bootstrap:
|
|
barbican_tests:
|
|
init_container: null
|
|
barbican_tests:
|
|
replicas:
|
|
api: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
api:
|
|
min_available: 0
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
bootstrap:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_endpoints:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_service:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
ks_user:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
network:
|
|
api:
|
|
ingress:
|
|
public: true
|
|
node_port:
|
|
enabled: false
|
|
port: 39486
|
|
|
|
bootstrap:
|
|
enabled: false
|
|
script: |
|
|
openstack token issue
|
|
|
|
dependencies:
|
|
db_init:
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
db_sync:
|
|
jobs:
|
|
- barbican-db-init
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
ks_user:
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
ks_service:
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
ks_endpoints:
|
|
jobs:
|
|
- barbican-ks-service
|
|
services:
|
|
- service: identity
|
|
endpoint: internal
|
|
api:
|
|
jobs:
|
|
- barbican-db-sync
|
|
- barbican-ks-user
|
|
- barbican-ks-endpoints
|
|
services:
|
|
- service: oslo_db
|
|
endpoint: internal
|
|
- service: identity
|
|
endpoint: internal
|
|
|
|
conf:
|
|
paste:
|
|
override:
|
|
append:
|
|
policy:
|
|
admin: role:admin
|
|
observer: role:observer
|
|
creator: role:creator
|
|
audit: role:audit
|
|
service_admin: role:key-manager:service-admin
|
|
admin_or_user_does_not_work: project_id:%(project_id)s
|
|
admin_or_user: rule:admin or project_id:%(project_id)s
|
|
admin_or_creator: rule:admin or rule:creator
|
|
all_but_audit: rule:admin or rule:observer or rule:creator
|
|
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
|
|
secret_project_match: project:%(target.secret.project_id)s
|
|
secret_acl_read: "'read':%(target.secret.read)s"
|
|
secret_private_read: "'False':%(target.secret.read_project_access)s"
|
|
secret_creator_user: user:%(target.secret.creator_id)s
|
|
container_project_match: project:%(target.container.project_id)s
|
|
container_acl_read: "'read':%(target.container.read)s"
|
|
container_private_read: "'False':%(target.container.read_project_access)s"
|
|
container_creator_user: user:%(target.container.creator_id)s
|
|
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
|
|
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
|
|
and not rule:secret_private_read
|
|
container_non_private_read: rule:all_users and rule:container_project_match and not
|
|
rule:container_private_read
|
|
secret_project_admin: rule:admin and rule:secret_project_match
|
|
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
|
|
container_project_admin: rule:admin and rule:container_project_match
|
|
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
|
|
version:get: "@"
|
|
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
|
|
or rule:secret_project_admin or rule:secret_acl_read
|
|
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
|
|
or rule:secret_acl_read
|
|
secret:put: rule:admin_or_creator and rule:secret_project_match
|
|
secret:delete: rule:secret_project_admin or rule:secret_project_creator
|
|
secrets:post: rule:admin_or_creator
|
|
secrets:get: rule:all_but_audit
|
|
orders:post: rule:admin_or_creator
|
|
orders:get: rule:all_but_audit
|
|
order:get: rule:all_users
|
|
order:put: rule:admin_or_creator
|
|
order:delete: rule:admin
|
|
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
|
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
|
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
|
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
|
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
|
or rule:container_project_admin or rule:container_acl_read
|
|
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
|
or rule:container_project_admin or rule:container_acl_read
|
|
containers:post: rule:admin_or_creator
|
|
containers:get: rule:all_but_audit
|
|
container:get: rule:container_non_private_read or rule:container_project_creator or
|
|
rule:container_project_admin or rule:container_acl_read
|
|
container:delete: rule:container_project_admin or rule:container_project_creator
|
|
container_secret:post: rule:admin
|
|
container_secret:delete: rule:admin
|
|
transport_key:get: rule:all_users
|
|
transport_key:delete: rule:admin
|
|
transport_keys:get: rule:all_users
|
|
transport_keys:post: rule:admin
|
|
certificate_authorities:get_limited: rule:all_users
|
|
certificate_authorities:get_all: rule:admin
|
|
certificate_authorities:post: rule:admin
|
|
certificate_authorities:get_preferred_ca: rule:all_users
|
|
certificate_authorities:get_global_preferred_ca: rule:service_admin
|
|
certificate_authorities:unset_global_preferred: rule:service_admin
|
|
certificate_authority:delete: rule:admin
|
|
certificate_authority:get: rule:all_users
|
|
certificate_authority:get_cacert: rule:all_users
|
|
certificate_authority:get_ca_cert_chain: rule:all_users
|
|
certificate_authority:get_projects: rule:service_admin
|
|
certificate_authority:add_to_project: rule:admin
|
|
certificate_authority:remove_from_project: rule:admin
|
|
certificate_authority:set_preferred: rule:admin
|
|
certificate_authority:set_global_preferred: rule:service_admin
|
|
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
|
|
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
|
|
secret_acls:get: rule:all_but_audit and rule:secret_project_match
|
|
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
|
|
container_acls:delete: rule:container_project_admin or rule:container_project_creator
|
|
container_acls:get: rule:all_but_audit and rule:container_project_match
|
|
quotas:get: rule:all_users
|
|
project_quotas:get: rule:service_admin
|
|
project_quotas:put: rule:service_admin
|
|
project_quotas:delete: rule:service_admin
|
|
secret_meta:get: rule:all_but_audit
|
|
secret_meta:post: rule:admin_or_creator
|
|
secret_meta:put: rule:admin_or_creator
|
|
secret_meta:delete: rule:admin_or_creator
|
|
secretstores:get: rule:admin
|
|
secretstores:get_global_default: rule:admin
|
|
secretstores:get_preferred: rule:admin
|
|
secretstore_preferred:post: rule:admin
|
|
secretstore_preferred:delete: rule:admin
|
|
secretstore:get: rule:admin
|
|
audit_map:
|
|
override:
|
|
append:
|
|
barbican_api:
|
|
override:
|
|
append:
|
|
barbican:
|
|
override:
|
|
append:
|
|
keystone_authtoken:
|
|
keystonemiddleware:
|
|
auth_token:
|
|
auth_type: password
|
|
auth_version: v3
|
|
memcache_security_strategy: ENCRYPT
|
|
database:
|
|
oslo:
|
|
db:
|
|
max_retries: -1
|
|
barbican_api:
|
|
barbican:
|
|
config:
|
|
bind_port: 9311
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
identity:
|
|
admin: barbican-keystone-admin
|
|
user: barbican-keystone-user
|
|
oslo_db:
|
|
admin: barbican-db-admin
|
|
user: barbican-db-user
|
|
|
|
endpoints:
|
|
identity:
|
|
name: keystone
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
user:
|
|
role: admin
|
|
region_name: RegionOne
|
|
username: barbican
|
|
password: password
|
|
project_name: service
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
hosts:
|
|
default: keystone-api
|
|
public: keystone
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
admin:
|
|
default: 35357
|
|
api:
|
|
default: 80
|
|
key-manager:
|
|
name: barbican
|
|
hosts:
|
|
default: barbican-api
|
|
public: barbican
|
|
path:
|
|
default: /v1
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 9311
|
|
public: 80
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
user:
|
|
username: barbican
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
path: /barbican
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
oslo_messaging:
|
|
auth:
|
|
admin:
|
|
username: admin
|
|
password: password
|
|
user:
|
|
username: rabbitmq
|
|
password: password
|
|
hosts:
|
|
default: rabbitmq
|
|
path: /
|
|
scheme: rabbit
|
|
port:
|
|
amqp:
|
|
default: 5672
|
|
oslo_cache:
|
|
hosts:
|
|
default: memcached
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
deployment_api: true
|
|
ingress_api: true
|
|
job_bootstrap: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_ks_endpoints: true
|
|
job_ks_service: true
|
|
job_ks_user: true
|
|
pdb_api: true
|
|
secret_db: true
|
|
secret_keystone: true
|
|
service_ingress_api: true
|
|
service_api: true
|