Brian Haley f31cfb2ef9 support image registries with authentication
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00

265 lines
5.8 KiB
YAML

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ldap.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
---
pod:
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
replicas:
server: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
resources:
enabled: false
server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
mounts:
ldap_data_load:
init_container: null
ldap_data_load:
images:
tags:
bootstrap: "docker.io/osixia/openldap:1.2.0"
ldap: "docker.io/osixia/openldap:1.2.0"
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/library/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ldap-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
ldap:
jobs: null
bootstrap:
services:
- endpoint: internal
service: ldap
server:
jobs:
- ldap-load-data
services:
- endpoint: internal
service: ldap
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
storage:
pvc:
enabled: true
size: 2Gi
class_name: general
host:
data_path: /data/openstack-helm/ldap
config_path: /data/openstack-helm/config
labels:
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
bootstrap:
enabled: false
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
ldap:
username: ldap
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
ldap:
hosts:
default: ldap
host_fqdn_override:
default: null
path: null
scheme: 'ldap'
port:
ldap:
default: 389
network_policy:
ldap:
ingress:
- {}
egress:
- {}
data:
sample: |
dn: ou=People,dc=cluster,dc=local
objectclass: organizationalunit
ou: People
description: We the People
# NOTE: Password is "password" without quotes
dn: uid=alice,ou=People,dc=cluster,dc=local
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
sn: Alice
cn: alice
uid: alice
userPassword: {SSHA}+i3t/DLCgLDGaIOAmfeFJ2kDeJWmPUDH
description: SHA
gidNumber: 1000
uidNumber: 1493
homeDirectory: /home/alice
mail: alice@example.com
# NOTE: Password is "password" without quotes
dn: uid=bob,ou=People,dc=cluster,dc=local
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
sn: Bob
cn: bob
uid: bob
userPassword: {SSHA}fCJ5vuW1BQ4/OfOVkkx1qjwi7yHFuGNB
description: MD5
gidNumber: 1000
uidNumber: 5689
homeDirectory: /home/bob
mail: bob@example.com
dn: ou=Groups,dc=cluster,dc=local
objectclass: organizationalunit
ou: Groups
description: We the People
dn: cn=cryptography,ou=Groups,dc=cluster,dc=local
objectclass: top
objectclass: posixGroup
gidNumber: 418
cn: cryptography
description: Cryptography Team
memberUID: uid=alice,ou=People,dc=cluster,dc=local
memberUID: uid=bob,ou=People,dc=cluster,dc=local
dn: cn=blue,ou=Groups,dc=cluster,dc=local
objectclass: top
objectclass: posixGroup
gidNumber: 419
cn: blue
description: Blue Team
memberUID: uid=bob,ou=People,dc=cluster,dc=local
dn: cn=red,ou=Groups,dc=cluster,dc=local
objectclass: top
objectclass: posixGroup
gidNumber: 420
cn: red
description: Red Team
memberUID: uid=alice,ou=People,dc=cluster,dc=local
secrets:
identity:
admin: admin
ldap: ldap
oci_image_registry:
ldap: ldap-oci-image-registry-key
openldap:
domain: cluster.local
password: password
manifests:
configmap_bin: true
configmap_etc: true
job_bootstrap: true
job_image_repo_sync: true
network_policy: false
secret_registry: true
statefulset: true
service: true
...