# See the License for the specific language governing permissions and
# limitations under the License.
options:
- image:
- type: string
- default: opensourcemano/keystone:latest
- description: The docker image to install.
- image_username:
- type: string
- description: |
- The username for accessing the registry specified in image.
- default: ""
- image_password:
- type: string
- description: |
- The password associated with image_username for accessing
- the registry specified in image.
- default: ""
max_file_size:
type: int
description: |
If there is a reverse proxy in front of Keystone, it may
need to be configured to handle the requested size.
default: 5
+ ingress_class:
+ type: string
+ description: |
+ Ingress class name. This is useful for selecting the ingress to be used
+ in case there are multiple ingresses in the underlying k8s clusters.
ingress_whitelist_source_range:
type: string
description: |
type: string
description: Ingress URL
default: ""
- ldap_enabled:
- type: boolean
- description: Boolean to enable/disable LDAP authentication
- default: false
+ image_pull_policy:
+ type: string
+ description: |
+ ImagePullPolicy configuration for the pod.
+ Possible values: always, ifnotpresent, never
+ default: always
region_id:
type: string
description: Region ID to be created when starting the service
type: string
description: Keystone DB Password
default: admin
+ mysql_host:
+ type: string
+ description: MySQL Host (external database)
+ mysql_port:
+ type: int
+ description: MySQL Port (external database)
+ mysql_root_password:
+ type: string
+ description: MySQL Root Password (external database)
admin_username:
type: string
description: Admin username to be created when starting the service
description: |
Project domain name (Hardcoded in the container start.sh script)
default: default
-
- # ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
- # ENV LDAP_URL ldap://localhost
- # ENV LDAP_BIND_USER no defauslt
- # ENV LDAP_BIND_PASSWORD no default
- # ENV LDAP_USER_TREE_DN no default
- # ENV LDAP_USER_OBJECTCLASS inetOrgPerson
- # ENV LDAP_USER_ID_ATTRIBUTE cn
- # ENV LDAP_USER_NAME_ATTRIBUTE sn
- # ENV LDAP_USER_PASS_ATTRIBUTE userPassword
- # ENV LDAP_USER_FILTER no default
- # ENV LDAP_USER_ENABLED_ATTRIBUTE enabled
- # ENV LDAP_USER_ENABLED_MASK 0
- # ENV LDAP_USER_ENABLED_DEFAULT true
- # ENV LDAP_USER_ENABLED_INVERT false
- # ENV LDAP_USE_STARTTLS false
- # ENV LDAP_TLS_CACERT_BASE64 no default
- # ENV LDAP_TLS_REQ_CERT demand
+ token_expiration:
+ type: int
+ description: Token keys expiration in seconds
+ default: 172800
+ ldap_enabled:
+ type: boolean
+ description: Boolean to enable/disable LDAP authentication
+ default: false
+ ldap_authentication_domain_name:
+ type: string
+ description: Name of the domain which use LDAP authentication
+ default: ""
+ ldap_url:
+ type: string
+ description: URL of the LDAP server
+ default: "ldap://localhost"
+ ldap_bind_user:
+ type: string
+ description: User to bind and search for users
+ default: ""
+ ldap_bind_password:
+ type: string
+ description: Password to bind and search for users
+ default: ""
+ ldap_chase_referrals:
+ type: string
+ description: |
+ Sets keystone’s referral chasing behavior across directory partitions.
+ If left unset, the system’s default behavior will be used.
+ default: ""
+ ldap_page_size:
+ type: int
+ description: |
+ Defines the maximum number of results per page that keystone should
+ request from the LDAP server when listing objects. A value of zero (0)
+ disables paging.
+ default: 0
+ ldap_user_tree_dn:
+ type: string
+ description: |
+ Root of the tree in LDAP server in which Keystone will search for users
+ default: ""
+ ldap_user_objectclass:
+ type: string
+ description: |
+ LDAP object class that Keystone will filter on within user_tree_dn to
+ find user objects. Any objects of other classes will be ignored.
+ default: inetOrgPerson
+ ldap_user_id_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: cn
+ ldap_user_name_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: sn
+ ldap_user_pass_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: userPassword
+ ldap_user_filter:
+ type: string
+ description: |
+ This filter option allow additional filter (over and above
+ user_objectclass) to be included into the search of user. One common use
+ of this is to provide more efficient searching, where the recommended
+ search for user objects is (&(objectCategory=person)(objectClass=user)).
+ By specifying user_objectclass as user and user_filter as
+ objectCategory=person in the Keystone configuration file, this can be
+ achieved.
+ default: ""
+ ldap_user_enabled_attribute:
+ type: string
+ description: |
+ In Keystone, a user entity can be either enabled or disabled. Setting
+ the above option will give a mapping to an equivalent attribute in LDAP,
+ allowing your LDAP management tools to disable a user.
+ default: enabled
+ ldap_user_enabled_mask:
+ type: int
+ description: |
+ Some LDAP schemas, rather than having a dedicated attribute for user
+ enablement, use a bit within a general control attribute (such as
+ userAccountControl) to indicate this. Setting user_enabled_mask will
+ cause Keystone to look at only the status of this bit in the attribute
+ specified by user_enabled_attribute, with the bit set indicating the
+ user is enabled.
+ default: 0
+ ldap_user_enabled_default:
+ type: string
+ description: |
+ Most LDAP servers use a boolean or bit in a control field to indicate
+ enablement. However, some schemas might use an integer value in an
+ attribute. In this situation, set user_enabled_default to the integer
+ value that represents a user being enabled.
+ default: "true"
+ ldap_user_enabled_invert:
+ type: boolean
+ description: |
+ Some LDAP schemas have an “account locked” attribute, which is the
+ equivalent to account being “disabled.” In order to map this to the
+ Keystone enabled attribute, you can utilize the user_enabled_invert
+ setting in conjunction with user_enabled_attribute to map the lock
+ status to disabled in Keystone.
+ default: false
+ ldap_group_objectclass:
+ type: string
+ description: The LDAP object class to use for groups.
+ default: groupOfNames
+ ldap_group_tree_dn:
+ type: string
+ description: The search base to use for groups.
+ default: ""
+ ldap_use_starttls:
+ type: boolean
+ description: |
+ Enable Transport Layer Security (TLS) for providing a secure connection
+ from Keystone to LDAP (StartTLS, not LDAPS).
+ default: false
+ ldap_tls_cacert_base64:
+ type: string
+ description: |
+ CA certificate in Base64 format (if you have the PEM file, text inside
+ "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
+ default: ""
+ ldap_tls_req_cert:
+ type: string
+ description: |
+ Defines how the certificates are checked for validity in the client
+ (i.e., Keystone end) of the secure connection (this doesn’t affect what
+ level of checking the server is doing on the certificates it receives
+ from Keystone). Possible values are "demand", "never", and "allow". The
+ default of demand means the client always checks the certificate and
+ will drop the connection if it is not provided or invalid. never is the
+ opposite—it never checks it, nor requires it to be provided. allow means
+ that if it is not provided then the connection is allowed to continue,
+ but if it is provided it will be checked—and if invalid, the connection
+ will be dropped.
+ default: demand