| David Garcia | 009a5d6 | 2020-08-27 16:53:44 +0200 | [diff] [blame] | 1 | # Copyright 2020 Canonical Ltd. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | options: |
| 15 | image: |
| 16 | type: string |
| 17 | default: opensourcemano/keystone:latest |
| 18 | description: The docker image to install. |
| 19 | image_username: |
| 20 | type: string |
| 21 | description: | |
| 22 | The username for accessing the registry specified in image. |
| 23 | default: "" |
| 24 | image_password: |
| 25 | type: string |
| 26 | description: | |
| 27 | The password associated with image_username for accessing |
| 28 | the registry specified in image. |
| 29 | default: "" |
| 30 | max_file_size: |
| 31 | type: int |
| 32 | description: | |
| 33 | The maximum file size, in megabytes. |
| 34 | |
| 35 | If there is a reverse proxy in front of Keystone, it may |
| 36 | need to be configured to handle the requested size. |
| 37 | default: 5 |
| 38 | ingress_whitelist_source_range: |
| 39 | type: string |
| 40 | description: | |
| 41 | A comma-separated list of CIDRs to store in the |
| 42 | ingress.kubernetes.io/whitelist-source-range annotation. |
| 43 | |
| 44 | This can be used to lock down access to |
| 45 | Keystone based on source IP address. |
| 46 | default: "" |
| 47 | tls_secret_name: |
| 48 | type: string |
| 49 | description: TLS Secret name |
| 50 | default: "" |
| 51 | site_url: |
| 52 | type: string |
| 53 | description: Ingress URL |
| 54 | default: "" |
| David Garcia | 009a5d6 | 2020-08-27 16:53:44 +0200 | [diff] [blame] | 55 | region_id: |
| 56 | type: string |
| 57 | description: Region ID to be created when starting the service |
| 58 | default: RegionOne |
| 59 | keystone_db_password: |
| 60 | type: string |
| 61 | description: Keystone DB Password |
| 62 | default: admin |
| 63 | admin_username: |
| 64 | type: string |
| 65 | description: Admin username to be created when starting the service |
| 66 | default: admin |
| 67 | admin_password: |
| 68 | type: string |
| 69 | description: Admin password to be created when starting the service |
| 70 | default: admin |
| 71 | admin_project: |
| 72 | type: string |
| 73 | description: Admin project to be created when starting the service |
| 74 | default: admin |
| 75 | service_username: |
| 76 | type: string |
| 77 | description: Service Username to be created when starting the service |
| 78 | default: nbi |
| 79 | service_password: |
| 80 | type: string |
| 81 | description: Service Password to be created when starting the service |
| 82 | default: nbi |
| 83 | service_project: |
| 84 | type: string |
| 85 | description: Service Project to be created when starting the service |
| 86 | default: service |
| 87 | user_domain_name: |
| 88 | type: string |
| 89 | description: User domain name (Hardcoded in the container start.sh script) |
| 90 | default: default |
| 91 | project_domain_name: |
| 92 | type: string |
| 93 | description: | |
| 94 | Project domain name (Hardcoded in the container start.sh script) |
| 95 | default: default |
| sousaedu | 126a443 | 2020-09-23 13:28:25 +0100 | [diff] [blame] | 96 | ldap_enabled: |
| 97 | type: boolean |
| 98 | description: Boolean to enable/disable LDAP authentication |
| 99 | default: false |
| 100 | ldap_authentication_domain_name: |
| 101 | type: string |
| 102 | description: Name of the domain which use LDAP authentication |
| 103 | default: "" |
| 104 | ldap_url: |
| 105 | type: string |
| 106 | description: URL of the LDAP server |
| 107 | default: "ldap://localhost" |
| 108 | ldap_bind_user: |
| 109 | type: string |
| 110 | description: User to bind and search for users |
| 111 | default: "" |
| 112 | ldap_bind_password: |
| 113 | type: string |
| 114 | description: Password to bind and search for users |
| 115 | default: "" |
| 116 | ldap_user_tree_dn: |
| 117 | type: string |
| 118 | description: | |
| 119 | Root of the tree in LDAP server in which Keystone will search for users |
| 120 | default: "" |
| 121 | ldap_user_objectclass: |
| 122 | type: string |
| 123 | description: | |
| 124 | LDAP object class that Keystone will filter on within user_tree_dn to |
| 125 | find user objects. Any objects of other classes will be ignored. |
| 126 | default: inetOrgPerson |
| 127 | ldap_user_id_attribute: |
| 128 | type: string |
| 129 | description: | |
| 130 | This set of options define the mapping to LDAP attributes for the three |
| 131 | key user attributes supported by Keystone. The LDAP attribute chosen for |
| 132 | user_id must be something that is immutable for a user and no more than |
| 133 | 64 characters in length. Notice that Distinguished Name (DN) may be |
| 134 | longer than 64 characters and thus is not suitable. An uid, or mail may |
| 135 | be appropriate. |
| 136 | default: cn |
| 137 | ldap_user_name_attribute: |
| 138 | type: string |
| 139 | description: | |
| 140 | This set of options define the mapping to LDAP attributes for the three |
| 141 | key user attributes supported by Keystone. The LDAP attribute chosen for |
| 142 | user_id must be something that is immutable for a user and no more than |
| 143 | 64 characters in length. Notice that Distinguished Name (DN) may be |
| 144 | longer than 64 characters and thus is not suitable. An uid, or mail may |
| 145 | be appropriate. |
| 146 | default: sn |
| 147 | ldap_user_pass_attribute: |
| 148 | type: string |
| 149 | description: | |
| 150 | This set of options define the mapping to LDAP attributes for the three |
| 151 | key user attributes supported by Keystone. The LDAP attribute chosen for |
| 152 | user_id must be something that is immutable for a user and no more than |
| 153 | 64 characters in length. Notice that Distinguished Name (DN) may be |
| 154 | longer than 64 characters and thus is not suitable. An uid, or mail may |
| 155 | be appropriate. |
| 156 | default: userPassword |
| 157 | ldap_user_filter: |
| 158 | type: string |
| 159 | description: | |
| 160 | This filter option allow additional filter (over and above |
| 161 | user_objectclass) to be included into the search of user. One common use |
| 162 | of this is to provide more efficient searching, where the recommended |
| 163 | search for user objects is (&(objectCategory=person)(objectClass=user)). |
| 164 | By specifying user_objectclass as user and user_filter as |
| 165 | objectCategory=person in the Keystone configuration file, this can be |
| 166 | achieved. |
| 167 | default: "" |
| 168 | ldap_user_enabled_attribute: |
| 169 | type: string |
| 170 | description: | |
| 171 | In Keystone, a user entity can be either enabled or disabled. Setting |
| 172 | the above option will give a mapping to an equivalent attribute in LDAP, |
| 173 | allowing your LDAP management tools to disable a user. |
| 174 | default: enabled |
| 175 | ldap_user_enabled_mask: |
| 176 | type: int |
| 177 | description: | |
| 178 | Some LDAP schemas, rather than having a dedicated attribute for user |
| 179 | enablement, use a bit within a general control attribute (such as |
| 180 | userAccountControl) to indicate this. Setting user_enabled_mask will |
| 181 | cause Keystone to look at only the status of this bit in the attribute |
| 182 | specified by user_enabled_attribute, with the bit set indicating the |
| 183 | user is enabled. |
| 184 | default: 0 |
| 185 | ldap_user_enabled_default: |
| 186 | type: boolean |
| 187 | description: | |
| 188 | Most LDAP servers use a boolean or bit in a control field to indicate |
| 189 | enablement. However, some schemas might use an integer value in an |
| 190 | attribute. In this situation, set user_enabled_default to the integer |
| 191 | value that represents a user being enabled. |
| 192 | default: true |
| 193 | ldap_user_enabled_invert: |
| 194 | type: boolean |
| 195 | description: | |
| 196 | Some LDAP schemas have an “account locked” attribute, which is the |
| 197 | equivalent to account being “disabled.” In order to map this to the |
| 198 | Keystone enabled attribute, you can utilize the user_enabled_invert |
| 199 | setting in conjunction with user_enabled_attribute to map the lock |
| 200 | status to disabled in Keystone. |
| 201 | default: false |
| 202 | ldap_use_starttls: |
| 203 | type: boolean |
| 204 | description: | |
| 205 | Enable Transport Layer Security (TLS) for providing a secure connection |
| 206 | from Keystone to LDAP (StartTLS, not LDAPS). |
| 207 | default: false |
| 208 | ldap_tls_cacert_base64: |
| 209 | type: string |
| 210 | description: | |
| 211 | CA certificate in Base64 format (if you have the PEM file, text inside |
| 212 | "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags). |
| 213 | default: "" |
| 214 | ldap_tls_req_cert: |
| 215 | type: string |
| 216 | description: | |
| 217 | Defines how the certificates are checked for validity in the client |
| 218 | (i.e., Keystone end) of the secure connection (this doesn’t affect what |
| 219 | level of checking the server is doing on the certificates it receives |
| 220 | from Keystone). Possible values are "demand", "never", and "allow". The |
| 221 | default of demand means the client always checks the certificate and |
| 222 | will drop the connection if it is not provided or invalid. never is the |
| 223 | opposite—it never checks it, nor requires it to be provided. allow means |
| 224 | that if it is not provided then the connection is allowed to continue, |
| 225 | but if it is provided it will be checked—and if invalid, the connection |
| 226 | will be dropped. |
| 227 | default: demand |