Skip to content
Snippets Groups Projects
Normal view History Permalink
config.yaml 8.52 KiB
Newer Older
garciadav's avatar
Add keystone charm and interface
garciadav committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 
# Copyright 2020 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
#     Unless required by applicable law or agreed to in writing, software
#     distributed under the License is distributed on an "AS IS" BASIS,
#     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#     See the License for the specific language governing permissions and
#     limitations under the License.
options:
  image:
    type: string
    default: opensourcemano/keystone:latest
    description: The docker image to install.
  image_username:
    type: string
    description: |
      The username for accessing the registry specified in image.
    default: ""
  image_password:
    type: string
    description: |
      The password associated with image_username for accessing
      the registry specified in image.
    default: ""
  max_file_size:
    type: int
    description: |
      The maximum file size, in megabytes.

      If there is a reverse proxy in front of Keystone, it may
      need to be configured to handle the requested size.
    default: 5
  ingress_whitelist_source_range:
    type: string
    description: |
      A comma-separated list of CIDRs to store in the
      ingress.kubernetes.io/whitelist-source-range annotation.

      This can be used to lock down access to
      Keystone based on source IP address.
    default: ""
  tls_secret_name:
    type: string
    description: TLS Secret name
    default: ""
  site_url:
    type: string
    description: Ingress URL
    default: ""
  region_id:
    type: string
    description: Region ID to be created when starting the service
    default: RegionOne
  keystone_db_password:
    type: string
    description: Keystone DB Password
    default: admin
  admin_username:
    type: string
    description: Admin username to be created when starting the service
    default: admin
  admin_password:
    type: string
    description: Admin password to be created when starting the service
    default: admin
  admin_project:
    type: string
    description: Admin project to be created when starting the service
    default: admin
  service_username:
    type: string
    description: Service Username to be created when starting the service
    default: nbi
  service_password:
    type: string
    description: Service Password to be created when starting the service
    default: nbi
  service_project:
    type: string
    description: Service Project to be created when starting the service
    default: service
  user_domain_name:
    type: string
    description: User domain name (Hardcoded in the container start.sh script)
    default: default
  project_domain_name:
    type: string
    description: |
      Project domain name (Hardcoded in the container start.sh script)
    default: default
sousaedu's avatar
Adding LDAP support for Keystone charm  
sousaedu committed
96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 
  ldap_enabled:
    type: boolean
    description: Boolean to enable/disable LDAP authentication
    default: false
  ldap_authentication_domain_name:
    type: string
    description: Name of the domain which use LDAP authentication
    default: ""
  ldap_url:
    type: string
    description: URL of the LDAP server
    default: "ldap://localhost"
  ldap_bind_user:
    type: string
    description: User to bind and search for users
    default: ""
  ldap_bind_password:
    type: string
    description: Password to bind and search for users
    default: ""
  ldap_user_tree_dn:
    type: string
    description: |
      Root of the tree in LDAP server in which Keystone will search for users
    default: ""
  ldap_user_objectclass:
    type: string
    description: |
      LDAP object class that Keystone will filter on within user_tree_dn to
      find user objects. Any objects of other classes will be ignored.
    default: inetOrgPerson
  ldap_user_id_attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: cn
  ldap_user_name_attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: sn
  ldap_user_pass_attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: userPassword
  ldap_user_filter:
    type: string
    description: |
      This filter option allow additional filter (over and above
      user_objectclass) to be included into the search of user. One common use
      of this is to provide more efficient searching, where the recommended
      search for user objects is (&(objectCategory=person)(objectClass=user)).
      By specifying user_objectclass as user and user_filter as
      objectCategory=person in the Keystone configuration file, this can be
      achieved.
    default: ""
  ldap_user_enabled_attribute:
    type: string
    description: |
      In Keystone, a user entity can be either enabled or disabled. Setting
      the above option will give a mapping to an equivalent attribute in LDAP,
      allowing your LDAP management tools to disable a user.
    default: enabled
  ldap_user_enabled_mask:
    type: int
    description: |
      Some LDAP schemas, rather than having a dedicated attribute for user
      enablement, use a bit within a general control attribute (such as
      userAccountControl) to indicate this. Setting user_enabled_mask will
      cause Keystone to look at only the status of this bit in the attribute
      specified by user_enabled_attribute, with the bit set indicating the
      user is enabled.
    default: 0
  ldap_user_enabled_default:
    type: boolean
    description: |
      Most LDAP servers use a boolean or bit in a control field to indicate
      enablement. However, some schemas might use an integer value in an
      attribute. In this situation, set user_enabled_default to the integer
      value that represents a user being enabled.
    default: true
  ldap_user_enabled_invert:
    type: boolean
    description: |
      Some LDAP schemas have an “account locked” attribute, which is the
      equivalent to account being “disabled.” In order to map this to the
      Keystone enabled attribute, you can utilize the user_enabled_invert
      setting in conjunction with user_enabled_attribute to map the lock
      status to disabled in Keystone.
    default: false
  ldap_use_starttls:
    type: boolean
    description: |
      Enable Transport Layer Security (TLS) for providing a secure connection
      from Keystone to LDAP (StartTLS, not LDAPS).
    default: false
  ldap_tls_cacert_base64:
    type: string
    description: |
      CA certificate in Base64 format (if you have the PEM file, text inside
      "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
    default: ""
  ldap_tls_req_cert:
    type: string
    description: |
      Defines how the certificates are checked for validity in the client
      (i.e., Keystone end) of the secure connection (this doesn’t affect what
      level of checking the server is doing on the certificates it receives
      from Keystone). Possible values are "demand", "never", and "allow". The
      default of demand means the client always checks the certificate and
      will drop the connection if it is not provided or invalid. never is the
      opposite—it never checks it, nor requires it to be provided. allow means
      that if it is not provided then the connection is allowed to continue,
      but if it is provided it will be checked—and if invalid, the connection
      will be dropped.
    default: demand