From d11edaf5bec41060d4159d946b0da93f3bcdff4d Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Wed, 16 May 2018 09:40:13 -0500 Subject: [PATCH] Add kubernetes-keystone-webhook chart This patch set adds a kubernetes keystone webhook authorizer chart to OpenStack-Helm-Infra. Change-Id: I16136f4ac2a787e8bcf90eb0675294300ac088f0 Co-Authored-By: Gage Hugo Signed-off-by: Tin Lam 
Signed-off-by: Pete Birley --- kubernetes-keystone-webhook/Chart.yaml | 24 +++ kubernetes-keystone-webhook/requirements.yaml | 18 ++ .../_kubernetes-keystone-webhook-test.sh.tpl | 33 ++++ .../templates/bin/_start.sh.tpl | 25 +++ .../templates/configmap-bin.yaml | 29 +++ .../templates/configmap-etc.yaml | 28 +++ .../templates/deployment.yaml | 79 ++++++++ .../templates/ingress.yaml | 20 ++ .../templates/pod-test.yaml | 62 ++++++ .../templates/secret-certificates.yaml | 28 +++ .../templates/secret-keystone.yaml | 30 +++ .../templates/service-ingress-api.yaml | 20 ++ .../templates/service.yaml | 30 +++ kubernetes-keystone-webhook/values.yaml | 183 ++++++++++++++++++ 14 files changed, 609 insertions(+) create mode 100644 kubernetes-keystone-webhook/Chart.yaml create mode 100644 kubernetes-keystone-webhook/requirements.yaml create mode 100644 kubernetes-keystone-webhook/templates/bin/_kubernetes-keystone-webhook-test.sh.tpl create mode 100644 kubernetes-keystone-webhook/templates/bin/_start.sh.tpl create mode 100644 kubernetes-keystone-webhook/templates/configmap-bin.yaml create mode 100644 kubernetes-keystone-webhook/templates/configmap-etc.yaml create mode 100644 kubernetes-keystone-webhook/templates/deployment.yaml create mode 100644 kubernetes-keystone-webhook/templates/ingress.yaml create mode 100644 kubernetes-keystone-webhook/templates/pod-test.yaml create mode 100644 kubernetes-keystone-webhook/templates/secret-certificates.yaml create mode 100644 kubernetes-keystone-webhook/templates/secret-keystone.yaml create mode 100644 kubernetes-keystone-webhook/templates/service-ingress-api.yaml create mode 100644 kubernetes-keystone-webhook/templates/service.yaml create mode 100644 kubernetes-keystone-webhook/values.yaml
diff --git a/kubernetes-keystone-webhook/Chart.yaml b/kubernetes-keystone-webhook/Chart.yaml
new file mode 100644
index 000000000..d345487d5
--- /dev/null
+++ b/kubernetes-keystone-webhook/Chart.yaml
@@ -0,0 +1,24 @@
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+description: OpenStack-Helm Kubernetes keystone webhook
+name: kubernetes-keystone-webhook
+version: 0.1.0
+home: https://github.com/kubernetes/cloud-provider-openstack
+sources:
+ - https://github.com/elastic/kibana
+ - https://git.openstack.org/cgit/openstack/openstack-helm-infra
+maintainers:
+ - name: OpenStack-Helm Authors
diff --git a/kubernetes-keystone-webhook/requirements.yaml b/kubernetes-keystone-webhook/requirements.yaml
new file mode 100644
index 000000000..53782e69b
--- /dev/null
+++ b/kubernetes-keystone-webhook/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
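Review bot: The `sources` list in Chart.yaml names `https://github.com/elastic/kibana`, which is unrelated to this chart and looks like a leftover from the chart it was copied from. Chart metadata is what operators use to trace where a deployed authentication component comes from, so the entry should point at the webhook's upstream instead, e.g. `- https://github.com/kubernetes/cloud-provider-openstack`, the value already used for `home`.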
diff --git a/kubernetes-keystone-webhook/templates/bin/_kubernetes-keystone-webhook-test.sh.tpl b/kubernetes-keystone-webhook/templates/bin/_kubernetes-keystone-webhook-test.sh.tpl
new file mode 100644
index 000000000..22bd98ba5
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/bin/_kubernetes-keystone-webhook-test.sh.tpl
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+TOKEN="$(openstack token issue -f value -c id)"
+cat << EOF | curl -kvs -XPOST -d @- "${WEBHOOK_URL}" | python -mjson.tool
+{
+ "apiVersion": "authentication.k8s.io/v1beta1",
+ "kind": "TokenReview",
+ "metadata": {
+ "creationTimestamp": null
+ },
+ "spec": {
+ "token": "$TOKEN"
+ }
+}
+EOF
diff --git a/kubernetes-keystone-webhook/templates/bin/_start.sh.tpl b/kubernetes-keystone-webhook/templates/bin/_start.sh.tpl
new file mode 100644
index 000000000..1c5f008ec
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/bin/_start.sh.tpl
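Review bot: `set -ex` is active when `TOKEN="$(openstack token issue -f value -c id)"` runs, so the shell trace writes the Keystone token, issued with the admin credentials the test pod is given, into the pod log where anyone with log read access can see it. The same token is then posted with `curl -k`, which skips certificate verification of the webhook endpoint. I would use `set -e` only (or wrap the token lines in `set +x` / `set -x`) and replace `-k` with `--cacert <path-to-webhook-ca>`. The test also passes whenever the response is valid JSON; it never checks `status.authenticated`, so a webhook that rejects the token still yields a successful test.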
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+exec /bin/k8s-keystone-auth \
+ --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \
+ --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \
+ --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \
+ --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
diff --git a/kubernetes-keystone-webhook/templates/configmap-bin.yaml b/kubernetes-keystone-webhook/templates/configmap-bin.yaml
new file mode 100644
index 000000000..ec6c4dd89
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/configmap-bin.yaml
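Review bot: The `--keystone-url` argument is rendered from the `identity` `internal` endpoint, and this chart's values.yaml sets that endpoint's `scheme.default` to `http`, so in a default install every bearer token submitted for review is forwarded to Keystone unencrypted. The webhook's own listener is TLS-protected, which makes the cleartext back-end leg easy to miss. I would default the identity scheme to `https` in values.yaml, or at least add a template comment above the `exec` such as `{{/* tokens are forwarded to this URL; use an https identity endpoint outside of test deployments */}}`.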
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubernetes-keystone-webhook-bin
+data:
+ start.sh: |
+{{ tuple "bin/_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+ kubernetes-keystone-webhook-test.sh: |
+{{ tuple "bin/_kubernetes-keystone-webhook-test.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/configmap-etc.yaml b/kubernetes-keystone-webhook/templates/configmap-etc.yaml
new file mode 100644
index 000000000..25a9f494e
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/configmap-etc.yaml
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubernetes-keystone-webhook-etc
+data:
+ policy.json: |
+{{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/deployment.yaml b/kubernetes-keystone-webhook/templates/deployment.yaml
new file mode 100644
index 000000000..5cd788359
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/deployment.yaml
@@ -0,0 +1,79 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: kubernetes-keystone-webhook
+spec:
+ replicas: {{ $envAll.Values.pod.replicas.api }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ containers:
+ - name: kubernetes-keystone-webhook
+{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
+ command:
+ - /tmp/start.sh
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ ports:
+ - name: k8sksauth-pub
+ containerPort: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ volumeMounts:
+ - name: etc-kubernetes-keystone-webhook
+ mountPath: /etc/kubernetes-keystone-webhook
+ - name: key-kubernetes-keystone-webhook
+ mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: key-kubernetes-keystone-webhook
+ mountPath:
/opt/kubernetes-keystone-webhook/pki/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: kubernetes-keystone-webhook-etc
+ mountPath: /etc/kubernetes-keystone-webhook/policy.json
+ subPath: policy.json
+ readOnly: true
+ - name: kubernetes-keystone-webhook-bin
+ mountPath: /tmp/start.sh
+ subPath: start.sh
+ readOnly: true
+ volumes:
+ - name: etc-kubernetes-keystone-webhook
+ emptyDir: {}
+ - name: key-kubernetes-keystone-webhook
+ secret:
+ secretName: {{ $envAll.Values.secrets.certificates.api }}
+ defaultMode: 0444
+ - name: kubernetes-keystone-webhook-etc
+ configMap:
+ name: kubernetes-keystone-webhook-etc
+ defaultMode: 0444
+ - name: kubernetes-keystone-webhook-bin
+ configMap:
+ name: kubernetes-keystone-webhook-bin
+ defaultMode: 0555
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/ingress.yaml b/kubernetes-keystone-webhook/templates/ingress.yaml
new file mode 100644
index 000000000..477f888a4
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/ingress.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_webhook .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "api" "backendServiceType" "kubernetes_keystone_webhook" "backendPort" "k8sksauth-pub" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
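Review bot: The `key-kubernetes-keystone-webhook` secret volume in deployment.yaml is mounted with `defaultMode: 0444`, which leaves `tls.key` readable by every user in the container; the private key only needs to be readable by the webhook process, so `defaultMode: 0400` is the safer setting (paired with a `securityContext` that fixes the UID or `fsGroup` if the image does not run as root). The pod spec sets no `securityContext` at all, so whether the container runs as root depends entirely on the image. Separately, the resources snippet is passed `$envAll.Values.pod.resources.server`, but values.yaml only defines `pod.resources.api`, so the requests and limits declared there appear never to be applied; `$envAll.Values.pod.resources.api` is probably what was meant.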
diff --git a/kubernetes-keystone-webhook/templates/pod-test.yaml b/kubernetes-keystone-webhook/templates/pod-test.yaml
new file mode 100644
index 000000000..38bb149fa
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/pod-test.yaml
@@ -0,0 +1,62 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_test }}
+{{- $envAll := . }}
+
+{{- $mounts_kubernetes_keystone_webhook_tests := $envAll.Values.pod.mounts.kubernetes_keystone_webhook_tests.kubernetes_keystone_webhook_tests }}
+{{- $mounts_kubernetes_keystone_webhook_tests_init := $envAll.Values.pod.mounts.kubernetes_keystone_webhook_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ $envAll.Release.Name }}-test"
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ $envAll.Values.labels.test.node_selector_key }}: {{ $envAll.Values.labels.test.node_selector_value }}
+ restartPolicy: Never
+ initContainers:
+{{ tuple $envAll "tests" $mounts_kubernetes_keystone_webhook_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ $envAll.Release.Name }}-kubernetes-keystone-webhook-test
+ image: {{ $envAll.Values.images.tags.scripted_test }}
+ env:
+ - name: WEBHOOK_URL
+ value: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- with $env := dict "ksUserSecret"
.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ command:
+ - /tmp/kubernetes-keystone-webhook-test.sh
+ volumeMounts:
+ - name: kubernetes-keystone-webhook-bin
+ mountPath: /tmp/kubernetes-keystone-webhook-test.sh
+ subPath: kubernetes-keystone-webhook-test.sh
+ readOnly: true
+{{ if $mounts_kubernetes_keystone_webhook_tests.volumeMounts }}{{ toYaml $mounts_kubernetes_keystone_webhook_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: kubernetes-keystone-webhook-bin
+ configMap:
+ name: kubernetes-keystone-webhook-bin
+ defaultMode: 0555
+{{ if $mounts_kubernetes_keystone_webhook_tests.volumes }}{{ toYaml $mounts_kubernetes_keystone_webhook_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/secret-certificates.yaml b/kubernetes-keystone-webhook/templates/secret-certificates.yaml
new file mode 100644
index 000000000..54779ad8d
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/secret-certificates.yaml
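Review bot: The test container in pod-test.yaml receives the full Keystone admin openrc through `ksUserSecret` set to `.Values.secrets.identity.admin`, although the script it runs only obtains a token and submits it for review. Presumably any valid Keystone user could do that, so a dedicated low-privilege test user would keep admin credentials out of a pod whose image (`images.tags.scripted_test`) and extra mounts are configurable through values. If admin is required on purpose, a short template comment next to the `with` block stating why would record the decision.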
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_certificates }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $envAll.Values.secrets.certificates.api }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt }}
+ tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/secret-keystone.yaml b/kubernetes-keystone-webhook/templates/secret-keystone.yaml
new file mode 100644
index 000000000..99f1d5b84
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/secret-keystone.yaml
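Review bot: `tls.crt` and `tls.key` in secret-certificates.yaml are rendered straight from `endpoints.kubernetes.auth.api.tls.*`, which default to `null` in values.yaml, so with `manifests.secret_certificates: true` a default install renders a `kubernetes.io/tls` Secret without a usable key pair and the failure only surfaces later, at apply time or when the webhook starts. Guard both fields, e.g. `tls.key: {{ required "endpoints.kubernetes.auth.api.tls.key must be set" $envAll.Values.endpoints.kubernetes.auth.api.tls.key }}`. The template applies no `b64enc`, so it should also say in a comment that the values are expected to be base64-encoded already, if that is the intent. Passing the private key through chart values means it is kept with the stored release data as well, which deserves a note next to those keys in values.yaml.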
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/service-ingress-api.yaml b/kubernetes-keystone-webhook/templates/service-ingress-api.yaml
new file mode 100644
index 000000000..3286d84c9
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/service-ingress-api.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendService" "api" "backendServiceType" "kubernetes_keystone_webhook" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/templates/service.yaml b/kubernetes-keystone-webhook/templates/service.yaml
new file mode 100644
index 000000000..5a709ff05
--- /dev/null
+++ b/kubernetes-keystone-webhook/templates/service.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "kubernetes_keystone_webhook" "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: k8sksauth-pub
+ port: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/kubernetes-keystone-webhook/values.yaml b/kubernetes-keystone-webhook/values.yaml
new file mode 100644
index 000000000..8d324938a
--- /dev/null
+++ b/kubernetes-keystone-webhook/values.yaml
@@ -0,0 +1,183 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ tags:
+ kubernetes_keystone_webhook: docker.io/gagehugo/k8s-keystone-auth:latest
+ scripted_test: docker.io/openstackhelm/heat:newton
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30601
+
+pod:
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ replicas:
+ api: 1
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "200m"
+ jobs:
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "200m"
+ mounts:
+ kubernetes_keystone_webhook_api:
+ init_container: null
+ kubernetes_keystone_webhook_api: null
+ kubernetes_keystone_webhook_tests:
+
init_container: null
+ kubernetes_keystone_webhook_tests: null
+
+release_group: null
+
+conf:
+ policy:
+ - resource:
+ verbs:
+ - get
+ - list
+ - watch
+ resources:
+ - pods
+ namespace: openstack
+ version: "*"
+ match:
+ - type: user
+ values:
+ - admin
+
+secrets:
+ identity:
+ admin: kubernetes-keystone-webhook-admin
+ certificates:
+ api: kubernetes-keystone-webhook-certs
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ kubernetes:
+ auth:
+ api:
+ tls:
+ crt: null
+ key: null
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ hosts:
+ default: keystone-api
+ public: keystone
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ admin:
+ default: 35357
+ api:
+ default: 80
+ kubernetes_keystone_webhook:
+ namespace: null
+ name: k8sksauth
+ hosts:
+ default: k8sksauth-api
+ public: k8sksauth
+ host_fqdn_override:
+ default: null
+ path:
+ default: /webhook
+ scheme:
+ default: https
+ port:
+ api:
+ default: 8443
+ public: 443
+
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - k8sksauth-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs: null
+ services: null
+
+manifests:
+ api_secret: true
+ configmap_etc: true
+ configmap_bin: true
+ deployment: true
+ ingress_webhook: true
+ pod_test: true
+ secret_certificates: true
+ secret_keystone: true
+ service_ingress_api: true
+ service: true
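Review bot: `images.tags.kubernetes_keystone_webhook` in values.yaml defaults to `docker.io/gagehugo/k8s-keystone-auth:latest`, a mutable tag in a personal registry namespace, for the component that decides who is authenticated to the cluster. Together with `pull_policy: IfNotPresent`, nodes can end up running different builds, and a re-pushed `latest` changes the authenticator without any chart change. I would pin the default to a versioned tag or digest from a project-controlled repository, e.g. `kubernetes_keystone_webhook: <registry>/<project>/k8s-keystone-auth@sha256:<digest>`. The `endpoints.identity.auth.admin.password: password` default likewise deserves a comment marking it as a placeholder that must be overridden.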