# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for barbican. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value --- labels: api: node_selector_key: openstack-control-plane node_selector_value: enabled job: node_selector_key: openstack-control-plane node_selector_value: enabled test: node_selector_key: openstack-control-plane node_selector_value: enabled release_group: null # NOTE(philsphicas): the pre-install hook breaks upgrade for helm2 # Set to false to upgrade using helm2 helm3_hook: true images: tags: bootstrap: quay.io/airshipit/heat:2024.1-ubuntu_jammy dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal scripted_test: quay.io/airshipit/heat:2024.1-ubuntu_jammy db_init: quay.io/airshipit/heat:2024.1-ubuntu_jammy barbican_db_sync: quay.io/airshipit/barbican:2024.1-ubuntu_jammy db_drop: quay.io/airshipit/heat:2024.1-ubuntu_jammy ks_user: quay.io/airshipit/heat:2024.1-ubuntu_jammy ks_service: quay.io/airshipit/heat:2024.1-ubuntu_jammy ks_endpoints: quay.io/airshipit/heat:2024.1-ubuntu_jammy barbican_api: quay.io/airshipit/barbican:2024.1-ubuntu_jammy rabbit_init: docker.io/rabbitmq:3.13-management image_repo_sync: docker.io/docker:17.07.0 pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync pod: security_context: barbican: pod: runAsUser: 42424 container: barbican_api: allowPrivilegeEscalation: false readOnlyRootFilesystem: true test: pod: runAsUser: 42424 container: barbican_test: allowPrivilegeEscalation: false readOnlyRootFilesystem: true affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname weight: default: 10 tolerations: barbican: enabled: false tolerations: - key: node-role.kubernetes.io/master operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/control-plane operator: Exists effect: NoSchedule mounts: barbican_api: init_container: null barbican_api: volumeMounts: volumes: barbican_bootstrap: init_container: null barbican_bootstrap: volumeMounts: volumes: barbican_tests: init_container: null barbican_tests: volumeMounts: volumes: barbican_db_sync: barbican_db_sync: volumeMounts: volumes: replicas: api: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: api: min_available: 0 probes: api: barbican-api: readiness: enabled: true params: periodSeconds: 10 timeoutSeconds: 5 liveness: enabled: true params: initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 resources: enabled: false api: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: bootstrap: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" db_drop: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" rabbit_init: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_endpoints: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_service: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" ks_user: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" network: api: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / external_policy_local: false node_port: enabled: false port: 30486 network_policy: barbican: ingress: - {} egress: - {} bootstrap: enabled: false ks_user: barbican script: | openstack token issue dependencies: dynamic: common: local_image_registry: jobs: - barbican-image-repo-sync services: - endpoint: node service: local_image_registry static: api: jobs: - barbican-db-sync - barbican-ks-user - barbican-ks-endpoints - barbican-rabbit-init services: - endpoint: internal service: oslo_db - endpoint: internal service: identity - endpoint: internal service: oslo_messaging db_drop: services: - endpoint: internal service: oslo_db db_init: services: - endpoint: internal service: oslo_db db_sync: jobs: - barbican-db-init services: - endpoint: internal service: oslo_db image_repo_sync: services: - endpoint: internal service: local_image_registry ks_endpoints: jobs: - barbican-ks-service services: - endpoint: internal service: identity ks_service: services: - endpoint: internal service: identity ks_user: services: - endpoint: internal service: identity rabbit_init: services: - endpoint: internal service: oslo_messaging conf: paste: composite:main: use: egg:Paste#urlmap /: barbican_version /v1: barbican-api-keystone /healthcheck: healthcheck pipeline:barbican_version: pipeline: cors http_proxy_to_wsgi versionapp pipeline:barbican_api: pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp pipeline:barbican-profile: pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp pipeline:barbican-api-keystone: pipeline: cors http_proxy_to_wsgi authtoken context apiapp pipeline:barbican-api-keystone-audit: pipeline: http_proxy_to_wsgi authtoken context audit apiapp app:apiapp: paste.app_factory: barbican.api.app:create_main_app app:versionapp: paste.app_factory: barbican.api.app:create_version_app app:healthcheck: paste.app_factory: oslo_middleware:Healthcheck.app_factory backends: disable_by_file disable_by_file_path: /etc/barbican/healthcheck_disable filter:simple: paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory filter:unauthenticated-context: paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory filter:context: paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory filter:audit: paste.filter_factory: keystonemiddleware.audit:filter_factory audit_map_file: /etc/barbican/api_audit_map.conf filter:authtoken: paste.filter_factory: keystonemiddleware.auth_token:filter_factory filter:profile: use: egg:repoze.profile log_filename: myapp.profile cachegrind_filename: cachegrind.out.myapp discard_first_request: true path: /__profile__ flush_at_shutdown: true unwind: false filter:cors: paste.filter_factory: oslo_middleware.cors:filter_factory oslo_config_project: barbican filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory policy: {} audit_map: DEFAULT: # default target endpoint type # should match the endpoint type defined in service catalog target_endpoint_type: key-manager custom_actions: # map urls ending with specific text to a unique action # Don't need custom mapping for other resource operations # Note: action should match action names defined in CADF taxonomy acl/get: read path_keywords: # path of api requests for CADF target typeURI # Just need to include top resource path to identify class of resources secrets: null containers: null orders: null cas: "None" quotas: null project-quotas: null service_endpoints: # map endpoint type defined in service catalog to CADF typeURI key-manager: service/security/keymanager barbican_api_uwsgi: uwsgi: add-header: "Connection: close" buffer-size: 65535 die-on-term: true enable-threads: true exit-on-reload: false hook-master-start: unix_signal:15 gracefully_kill_them_all lazy-apps: true log-x-forwarded-for: true master: true procname-prefix-spaced: "barbiacan-api:" route-user-agent: '^kube-probe.* donotlog:' thunder-lock: true worker-reload-mercy: 80 wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api processes: 1 barbican: DEFAULT: transport_url: null log_config_append: /etc/barbican/logging.conf keystone_authtoken: auth_type: password auth_version: v3 memcache_security_strategy: ENCRYPT memcache_secret_key: null service_type: key-manager database: max_retries: -1 barbican_api: # NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. bind_port: null oslo_policy: policy_file: /etc/barbican/policy.yaml # When using the simple_crypto_plugin, a kek must be provided as: # .conf.barbican.simple_crypto_plugin.kek # If no kek is provided, barbican will use a well-known default. # If upgrading the chart with a new kek, the old kek must be provided as: # .conf.simple_crypto_plugin_rewrap.old_kek # Please refer to the .conf.simple_crypto_key_rewrap section below. # The barbican defaults are included here as a reference: # secretstore: # enabled_secretstore_plugins: # - store_crypto # crypto: # enabled_crypto_plugins: # - simple_crypto # simple_crypto_plugin: # # The kek should be a 32-byte value which is base64 encoded. # kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" # KEK rotation for the simple_crypto plugin simple_crypto_kek_rewrap: # To allow for chart upgrades when modifying the Key Encryption Key, the # db-sync job can rewrap the existing project keys with the new kek, leaving # each secret’s encrypted data unchanged. # This feature is enabled automatically, if a kek is specified at: # .conf.barbican.simple_crypto_plugin.kek # and the previous kek is also specified at: # .conf.simple_crypto_kek_rewrap.old_kek # The project keys are decrypted with 'old_kek' and re-encrypted with the # target kek (as defined in barbican.conf). # This resembles the lightweight rotation described here, which was never # implemented for the simple crypto plugin: # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html # The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the # plugin default, and is retained here for convenience, in case the chart was # previously installed without explicitly specifying a kek. old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" logging: loggers: keys: - root - barbican handlers: keys: - stdout - stderr - "null" formatters: keys: - context - default logger_root: level: WARNING handlers: 'null' logger_barbican: level: INFO handlers: - stdout qualname: barbican logger_amqp: level: WARNING handlers: stderr qualname: amqp logger_amqplib: level: WARNING handlers: stderr qualname: amqplib logger_eventletwsgi: level: WARNING handlers: stderr qualname: eventlet.wsgi.server logger_sqlalchemy: level: WARNING handlers: stderr qualname: sqlalchemy logger_boto: level: WARNING handlers: stderr qualname: boto handler_null: class: logging.NullHandler formatter: default args: () handler_stdout: class: StreamHandler args: (sys.stdout,) formatter: context handler_stderr: class: StreamHandler args: (sys.stderr,) formatter: context formatter_context: class: oslo_log.formatters.ContextFormatter datefmt: "%Y-%m-%d %H:%M:%S" formatter_default: format: "%(message)s" datefmt: "%Y-%m-%d %H:%M:%S" # Names of secrets used by bootstrap and environmental checks secrets: identity: admin: barbican-keystone-admin barbican: barbican-keystone-user oslo_db: admin: barbican-db-admin barbican: barbican-db-user oslo_messaging: admin: barbican-rabbitmq-admin barbican: barbican-rabbitmq-user tls: key_manager: api: public: barbican-tls-public internal: barbican-tls-internal oci_image_registry: barbican: barbican-oci-image-registry endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 oci_image_registry: name: oci-image-registry namespace: oci-image-registry auth: enabled: false barbican: username: barbican password: password hosts: default: localhost host_fqdn_override: default: null port: registry: default: null identity: name: keystone auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default barbican: role: admin region_name: RegionOne username: barbican password: password project_name: service user_domain_name: service project_domain_name: service hosts: default: keystone internal: keystone-api host_fqdn_override: default: null path: default: /v3 scheme: default: http port: api: default: 80 internal: 5000 key_manager: name: barbican hosts: default: barbican-api public: barbican host_fqdn_override: default: tls: secretName: barbican-tls-internal issuerRef: kind: ClusterIssuer name: ca-clusterissuer path: default: / healthcheck: /healthcheck scheme: default: http service: http port: api: default: 9311 public: 80 service: 9311 oslo_db: auth: admin: username: root password: password secret: tls: internal: mariadb-tls-direct barbican: username: barbican password: password hosts: default: mariadb host_fqdn_override: default: null path: /barbican scheme: mysql+pymysql port: mysql: default: 3306 oslo_messaging: auth: admin: username: rabbitmq password: password secret: tls: internal: rabbitmq-tls-direct barbican: username: barbican password: password statefulset: replicas: 2 name: rabbitmq-rabbitmq hosts: default: rabbitmq host_fqdn_override: default: null path: /barbican scheme: rabbit port: amqp: default: 5672 http: default: 15672 oslo_cache: auth: # NOTE(portdirect): this is used to define the value for keystone # authtoken cache encryption key, if not set it will be populated # automatically with a random value, but to take advantage of # this feature all services should be set to use the same key, # and memcache service. memcache_secret_key: null hosts: default: memcached host_fqdn_override: default: null port: memcache: default: 11211 fluentd: namespace: null name: fluentd hosts: default: fluentd-logging host_fqdn_override: default: null path: default: null scheme: 'http' port: service: default: 24224 metrics: default: 24220 # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress # They are using to enable the Egress K8s network policy. kube_dns: namespace: kube-system name: kubernetes-dns hosts: default: kube-dns host_fqdn_override: default: null path: default: null scheme: http port: dns: default: 53 protocol: UDP ingress: namespace: null name: ingress hosts: default: ingress port: ingress: default: 80 tls: identity: false oslo_messaging: false oslo_db: false manifests: certificates: false configmap_bin: true configmap_etc: true deployment_api: true ingress_api: true job_bootstrap: true job_db_init: true job_db_sync: true job_db_drop: false job_image_repo_sync: true job_rabbit_init: true job_ks_endpoints: true job_ks_service: true job_ks_user: true pdb_api: true pod_test: true secret_db: true network_policy: false secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true secret_registry: true service_ingress_api: true service_api: true ...