installers/charm/keystone/config.yaml

# Copyright 2020 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
#     Unless required by applicable law or agreed to in writing, software
#     distributed under the License is distributed on an "AS IS" BASIS,
#     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#     See the License for the specific language governing permissions and
#     limitations under the License.
options:
  max_file_size:
    type: int
    description: |
      The maximum file size, in megabytes.

      If there is a reverse proxy in front of Keystone, it may
      need to be configured to handle the requested size.
    default: 5
  ingress_class:
    type: string
    description: |
      Ingress class name. This is useful for selecting the ingress to be used
      in case there are multiple ingresses in the underlying k8s clusters.
  ingress_whitelist_source_range:
    type: string
    description: |
      A comma-separated list of CIDRs to store in the
      ingress.kubernetes.io/whitelist-source-range annotation.

      This can be used to lock down access to
      Keystone based on source IP address.
    default: ""
  tls_secret_name:
    type: string
    description: TLS Secret name
    default: ""
  site_url:
    type: string
    description: Ingress URL
    default: ""
  image_pull_policy:
    type: string
    description: |
      ImagePullPolicy configuration for the pod.
      Possible values: always, ifnotpresent, never
    default: always
  security_context:
    description: Enables the security context of the pods
    type: boolean
    default: false
  region_id:
    type: string
    description: Region ID to be created when starting the service
    default: RegionOne
  keystone_db_password:
    type: string
    description: Keystone DB Password
    default: admin
  mysql_uri:
    type: string
    description: |
      Mysql uri with the following format:
        mysql://<user>:<pass>@<host>:<port>/<database>
  admin_username:
    type: string
    description: Admin username to be created when starting the service
    default: admin
  admin_password:
    type: string
    description: Admin password to be created when starting the service
    default: admin
  admin_project:
    type: string
    description: Admin project to be created when starting the service
    default: admin
  service_username:
    type: string
    description: Service Username to be created when starting the service
    default: nbi
  service_password:
    type: string
    description: Service Password to be created when starting the service
    default: nbi
  service_project:
    type: string
    description: Service Project to be created when starting the service
    default: service
  user_domain_name:
    type: string
    description: User domain name (Hardcoded in the container start.sh script)
    default: default
  project_domain_name:
    type: string
    description: |
      Project domain name (Hardcoded in the container start.sh script)
    default: default
  token_expiration:
    type: int
    description: Token keys expiration in seconds
    default: 172800
  ldap_enabled:
    type: boolean
    description: Boolean to enable/disable LDAP authentication
    default: false
  ldap_authentication_domain_name:
    type: string
    description: Name of the domain which use LDAP authentication
    default: ""
  ldap_url:
    type: string
    description: URL of the LDAP server
    default: "ldap://localhost"
  ldap_bind_user:
    type: string
    description: User to bind and search for users
    default: ""
  ldap_bind_password:
    type: string
    description: Password to bind and search for users
    default: ""
  ldap_chase_referrals:
    type: string
    description: |
      Sets keystone’s referral chasing behavior across directory partitions.
      If left unset, the system’s default behavior will be used.
    default: ""
  ldap_page_size:
    type: int
    description: |
      Defines the maximum number of results per page that keystone should
      request from the LDAP server when listing objects. A value of zero (0)
      disables paging.
    default: 0
  ldap_user_tree_dn:
    type: string
    description: |
      Root of the tree in LDAP server in which Keystone will search for users
    default: ""
  ldap_user_objectclass:
    type: string
    description: |
      LDAP object class that Keystone will filter on within user_tree_dn to
      find user objects. Any objects of other classes will be ignored.
    default: inetOrgPerson
  ldap_user_id_attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: cn
  ldap_user_name_attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: sn
  ldap_user_pass_attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: userPassword
  ldap_user_filter:
    type: string
    description: |
      This filter option allow additional filter (over and above
      user_objectclass) to be included into the search of user. One common use
      of this is to provide more efficient searching, where the recommended
      search for user objects is (&(objectCategory=person)(objectClass=user)).
      By specifying user_objectclass as user and user_filter as
      objectCategory=person in the Keystone configuration file, this can be
      achieved.
    default: ""
  ldap_user_enabled_attribute:
    type: string
    description: |
      In Keystone, a user entity can be either enabled or disabled. Setting
      the above option will give a mapping to an equivalent attribute in LDAP,
      allowing your LDAP management tools to disable a user.
    default: enabled
  ldap_user_enabled_mask:
    type: int
    description: |
      Some LDAP schemas, rather than having a dedicated attribute for user
      enablement, use a bit within a general control attribute (such as
      userAccountControl) to indicate this. Setting user_enabled_mask will
      cause Keystone to look at only the status of this bit in the attribute
      specified by user_enabled_attribute, with the bit set indicating the
      user is enabled.
    default: 0
  ldap_user_enabled_default:
    type: string
    description: |
      Most LDAP servers use a boolean or bit in a control field to indicate
      enablement. However, some schemas might use an integer value in an
      attribute. In this situation, set user_enabled_default to the integer
      value that represents a user being enabled.
    default: "true"
  ldap_user_enabled_invert:
    type: boolean
    description: |
      Some LDAP schemas have an “account locked” attribute, which is the
      equivalent to account being “disabled.” In order to map this to the
      Keystone enabled attribute, you can utilize the user_enabled_invert
      setting in conjunction with user_enabled_attribute to map the lock
      status to disabled in Keystone.
    default: false
  ldap_group_objectclass:
    type: string
    description: The LDAP object class to use for groups.
    default: groupOfNames
  ldap_group_tree_dn:
    type: string
    description: The search base to use for groups.
    default: ""
  ldap_use_starttls:
    type: boolean
    description: |
      Enable Transport Layer Security (TLS) for providing a secure connection
      from Keystone to LDAP (StartTLS, not LDAPS).
    default: false
  ldap_tls_cacert_base64:
    type: string
    description: |
      CA certificate in Base64 format (if you have the PEM file, text inside
      "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
    default: ""
  ldap_tls_req_cert:
    type: string
    description: |
      Defines how the certificates are checked for validity in the client
      (i.e., Keystone end) of the secure connection (this doesn’t affect what
      level of checking the server is doing on the certificates it receives
      from Keystone). Possible values are "demand", "never", and "allow". The
      default of demand means the client always checks the certificate and
      will drop the connection if it is not provided or invalid. never is the
      opposite—it never checks it, nor requires it to be provided. allow means
      that if it is not provided then the connection is allowed to continue,
      but if it is provided it will be checked—and if invalid, the connection
      will be dropped.
    default: demand