+++ /dev/null
-# Copyright 2020 Canonical Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-options:
- max_file_size:
- type: int
- description: |
- The maximum file size, in megabytes.
-
- If there is a reverse proxy in front of Keystone, it may
- need to be configured to handle the requested size.
- default: 5
- ingress_class:
- type: string
- description: |
- Ingress class name. This is useful for selecting the ingress to be used
- in case there are multiple ingresses in the underlying k8s clusters.
- ingress_whitelist_source_range:
- type: string
- description: |
- A comma-separated list of CIDRs to store in the
- ingress.kubernetes.io/whitelist-source-range annotation.
-
- This can be used to lock down access to
- Keystone based on source IP address.
- default: ""
- tls_secret_name:
- type: string
- description: TLS Secret name
- default: ""
- site_url:
- type: string
- description: Ingress URL
- default: ""
- image_pull_policy:
- type: string
- description: |
- ImagePullPolicy configuration for the pod.
- Possible values: always, ifnotpresent, never
- default: always
- security_context:
- description: Enables the security context of the pods
- type: boolean
- default: false
- region_id:
- type: string
- description: Region ID to be created when starting the service
- default: RegionOne
- keystone_db_password:
- type: string
- description: Keystone DB Password
- default: admin
- mysql_uri:
- type: string
- description: |
- Mysql uri with the following format:
- mysql://<user>:<pass>@<host>:<port>/<database>
- admin_username:
- type: string
- description: Admin username to be created when starting the service
- default: admin
- admin_password:
- type: string
- description: Admin password to be created when starting the service
- default: admin
- admin_project:
- type: string
- description: Admin project to be created when starting the service
- default: admin
- service_username:
- type: string
- description: Service Username to be created when starting the service
- default: nbi
- service_password:
- type: string
- description: Service Password to be created when starting the service
- default: nbi
- service_project:
- type: string
- description: Service Project to be created when starting the service
- default: service
- user_domain_name:
- type: string
- description: User domain name (Hardcoded in the container start.sh script)
- default: default
- project_domain_name:
- type: string
- description: |
- Project domain name (Hardcoded in the container start.sh script)
- default: default
- token_expiration:
- type: int
- description: Token keys expiration in seconds
- default: 172800
- ldap_enabled:
- type: boolean
- description: Boolean to enable/disable LDAP authentication
- default: false
- ldap_authentication_domain_name:
- type: string
- description: Name of the domain which use LDAP authentication
- default: ""
- ldap_url:
- type: string
- description: URL of the LDAP server
- default: "ldap://localhost"
- ldap_bind_user:
- type: string
- description: User to bind and search for users
- default: ""
- ldap_bind_password:
- type: string
- description: Password to bind and search for users
- default: ""
- ldap_chase_referrals:
- type: string
- description: |
- Sets keystone’s referral chasing behavior across directory partitions.
- If left unset, the system’s default behavior will be used.
- default: ""
- ldap_page_size:
- type: int
- description: |
- Defines the maximum number of results per page that keystone should
- request from the LDAP server when listing objects. A value of zero (0)
- disables paging.
- default: 0
- ldap_user_tree_dn:
- type: string
- description: |
- Root of the tree in LDAP server in which Keystone will search for users
- default: ""
- ldap_user_objectclass:
- type: string
- description: |
- LDAP object class that Keystone will filter on within user_tree_dn to
- find user objects. Any objects of other classes will be ignored.
- default: inetOrgPerson
- ldap_user_id_attribute:
- type: string
- description: |
- This set of options define the mapping to LDAP attributes for the three
- key user attributes supported by Keystone. The LDAP attribute chosen for
- user_id must be something that is immutable for a user and no more than
- 64 characters in length. Notice that Distinguished Name (DN) may be
- longer than 64 characters and thus is not suitable. An uid, or mail may
- be appropriate.
- default: cn
- ldap_user_name_attribute:
- type: string
- description: |
- This set of options define the mapping to LDAP attributes for the three
- key user attributes supported by Keystone. The LDAP attribute chosen for
- user_id must be something that is immutable for a user and no more than
- 64 characters in length. Notice that Distinguished Name (DN) may be
- longer than 64 characters and thus is not suitable. An uid, or mail may
- be appropriate.
- default: sn
- ldap_user_pass_attribute:
- type: string
- description: |
- This set of options define the mapping to LDAP attributes for the three
- key user attributes supported by Keystone. The LDAP attribute chosen for
- user_id must be something that is immutable for a user and no more than
- 64 characters in length. Notice that Distinguished Name (DN) may be
- longer than 64 characters and thus is not suitable. An uid, or mail may
- be appropriate.
- default: userPassword
- ldap_user_filter:
- type: string
- description: |
- This filter option allow additional filter (over and above
- user_objectclass) to be included into the search of user. One common use
- of this is to provide more efficient searching, where the recommended
- search for user objects is (&(objectCategory=person)(objectClass=user)).
- By specifying user_objectclass as user and user_filter as
- objectCategory=person in the Keystone configuration file, this can be
- achieved.
- default: ""
- ldap_user_enabled_attribute:
- type: string
- description: |
- In Keystone, a user entity can be either enabled or disabled. Setting
- the above option will give a mapping to an equivalent attribute in LDAP,
- allowing your LDAP management tools to disable a user.
- default: enabled
- ldap_user_enabled_mask:
- type: int
- description: |
- Some LDAP schemas, rather than having a dedicated attribute for user
- enablement, use a bit within a general control attribute (such as
- userAccountControl) to indicate this. Setting user_enabled_mask will
- cause Keystone to look at only the status of this bit in the attribute
- specified by user_enabled_attribute, with the bit set indicating the
- user is enabled.
- default: 0
- ldap_user_enabled_default:
- type: string
- description: |
- Most LDAP servers use a boolean or bit in a control field to indicate
- enablement. However, some schemas might use an integer value in an
- attribute. In this situation, set user_enabled_default to the integer
- value that represents a user being enabled.
- default: "true"
- ldap_user_enabled_invert:
- type: boolean
- description: |
- Some LDAP schemas have an “account locked” attribute, which is the
- equivalent to account being “disabled.” In order to map this to the
- Keystone enabled attribute, you can utilize the user_enabled_invert
- setting in conjunction with user_enabled_attribute to map the lock
- status to disabled in Keystone.
- default: false
- ldap_group_objectclass:
- type: string
- description: The LDAP object class to use for groups.
- default: groupOfNames
- ldap_group_tree_dn:
- type: string
- description: The search base to use for groups.
- default: ""
- ldap_use_starttls:
- type: boolean
- description: |
- Enable Transport Layer Security (TLS) for providing a secure connection
- from Keystone to LDAP (StartTLS, not LDAPS).
- default: false
- ldap_tls_cacert_base64:
- type: string
- description: |
- CA certificate in Base64 format (if you have the PEM file, text inside
- "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
- default: ""
- ldap_tls_req_cert:
- type: string
- description: |
- Defines how the certificates are checked for validity in the client
- (i.e., Keystone end) of the secure connection (this doesn’t affect what
- level of checking the server is doing on the certificates it receives
- from Keystone). Possible values are "demand", "never", and "allow". The
- default of demand means the client always checks the certificate and
- will drop the connection if it is not provided or invalid. never is the
- opposite—it never checks it, nor requires it to be provided. allow means
- that if it is not provided then the connection is allowed to continue,
- but if it is provided it will be checked—and if invalid, the connection
- will be dropped.
- default: demand