sunbeam-charms/charms/keystone-k8s/charmcraft.yaml
Gabriel Adrian Samfira 204fb83a27 Add SAML2 support
This change adds SAML2 support through the use of a new keystone SAML
integrator charm (keystone-saml-k8s).

Needed changes have also been made in the keystone charm to make use of
the new relation.

A new option has also been added to keystone-k8s through which a secret
can be specified which should contain the x509 certificate and the
corresponding key from which it was derived, used to generate the keystone
SP metadata file.

Change-Id: Id9b6ab2a51891ac378a2cb406dbe3a456bc24fc4
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
2025-08-20 09:28:30 +03:00

type: charm
name: keystone-k8s
summary: OpenStack identity service
description: |
  Keystone is an OpenStack project that provides Identity, Token, Catalog and
  Policy services for use specifically by projects in the OpenStack family. It
  implements OpenStack's Identity API.
assumes:
  - k8s-api
  - juju >= 3.1
links:
  source:
    - https://opendev.org/openstack/charm-keystone-k8s
  issues:
    - https://bugs.launchpad.net/charm-keystone-k8s

base: ubuntu@24.04
platforms:
  amd64:

config:
  options:
    debug:
      default: false
      description: Enable debug logging.
      type: boolean
    log-level:
      default: WARNING
      type: string
      description: Log level (WARNING, INFO, DEBUG, ERROR)
    region:
      default: RegionOne
      description: Name of the OpenStack region
      type: string
    catalog-cache-expiration:
      type: int
      default: 60
      description: Amount of time (in seconds) the catalog should be cached for.
    dogpile-cache-expiration:
      type: int
      default: 60
      description: |
        Amount of time (in seconds) to cache items in the dogpile.cache. This only applies
        to cached methods that do not have an explicitly defined cache expiration time.
    identity-backend:
      type: string
      default: sql
      description: |
        Keystone identity backend, valid options are sql and pam
    enable-telemetry-notifications:
      type: boolean
      default: false
      description: Enable notifications to send to telemetry.
    saml-x509-keypair:
      type: secret
      default: !!null ""
      description: |
        The SAML2 x509 certificate and its private key. The certificate is used by
        SAML2 for two purposes:
          * Sign messages exchanged between the SP and the IdP
          * Encrypt messages. This is rarely used, as in the majority of cases SAML2
            traffic is sent over HTTPS.
        Only the certificate is published as part of the SAML2 SP metadata; the
        private key is not.
        The secret is expected to have two keys:
          {
            "certificate": "contents of the certificate",
            "key": "contents of the key"
          }
        You can upload the secret by running:
          juju add-secret saml-secret \
            certificate#file=/path/to/cert.pem \
            key#file=/path/to/corresponding/key
          juju grant-secret saml-secret keystone

actions:
  get-admin-password:
    description: Get the password for the Keystone Admin user
  get-admin-account:
    description: Get full access details for the Keystone Admin user
  get-service-account:
    description: Create/get details for a new/existing service account.
    params:
      username:
        type: string
        description: The username for the service account.
    required:
      - username
    additionalProperties: false
  regenerate-password:
    description: |
      Regenerate password for the given user.
    params:
      username:
        type: string
        description: The username for the account.
    required:
      - username
    additionalProperties: false
  add-ca-certs:
    description: |
      Add CA certs for transfer
    params:
      name:
        type: string
        description: Name of CA certs bundle
      ca:
        type: string
        description: Base64 encoded CA certificate
      chain:
        type: string
        description: Base64 encoded CA Chain
    required:
      - name
      - ca
    additionalProperties: false
  remove-ca-certs:
    description: |
      Remove CA certs
    params:
      name:
        type: string
        description: Name of CA certs bundle
    required:
      - name
    additionalProperties: false
  list-ca-certs:
    description: |
      List CA certs uploaded for transfer.
      Any `.` in a certificate name is replaced with `-`.

containers:
  keystone:
    resource: keystone-image
    mounts:
      - storage: fernet-keys
        location: /etc/keystone/fernet-keys/
      - storage: credential-keys
        location: /etc/keystone/credential-keys/

resources:
  keystone-image:
    type: oci-image
    description: OCI image for OpenStack Keystone
    upstream-source: ghcr.io/canonical/keystone:2025.1

storage:
  fernet-keys:
    type: filesystem
    description: |
      Persistent storage for the location of fernet keys
    minimum-size: 5M
  credential-keys:
    type: filesystem
    description: |
      Persistent storage for the location of credential keys
    minimum-size: 5M

requires:
  database:
    interface: mysql_client
    limit: 1
  ingress-internal:
    interface: ingress
    limit: 1
  ingress-public:
    interface: ingress
    optional: true
    limit: 1
  amqp:
    interface: rabbitmq
    optional: true
  domain-config:
    interface: keystone-domain-config
    optional: true
  logging:
    interface: loki_push_api
    optional: true
  tracing:
    interface: tracing
    optional: true
    limit: 1
  oauth:
    interface: oauth
    optional: true
  receive-ca-cert:
    interface: certificate_transfer
    optional: true
  trusted-dashboard:
    interface: trusted-dashboard
    optional: true
  external-idp:
    interface: external_provider
    optional: true
  keystone-saml:
    interface: keystone_saml
    optional: true

provides:
  identity-service:
    interface: keystone
  identity-credentials:
    interface: keystone-credentials
  identity-ops:
    interface: keystone-resources
  send-ca-cert:
    interface: certificate_transfer

peers:
  peers:
    interface: keystone-peer

parts:
  update-certificates:
    plugin: nil
    override-build: |
      apt update
      apt install -y ca-certificates
      update-ca-certificates

  charm:
    after:
      - update-certificates
    build-packages:
      - git
      - libffi-dev
      - libssl-dev
      - pkg-config
      - rustc-1.80
      - cargo-1.80
    charm-binary-python-packages:
      - cryptography
      - jsonschema
      - pydantic
      - jinja2
    build-snaps: [astral-uv]
    override-build: |
      uv export --frozen --no-hashes --format=requirements-txt -o requirements.txt
      craftctl default
    charm-requirements: [requirements.txt]
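Two pieces of this charmcraft.yaml hand certificate material to the charm: the saml-x509-keypair secret (a certificate plus the private key it belongs to, with the certificate ending up in the published SP metadata) and the add-ca-certs action (a base64-encoded CA and optional chain). Both deserve a pre-flight check before `juju add-secret` or `juju run ... add-ca-certs` is invoked, because neither the secret description nor the action schema can tell you that the key really belongs to the certificate or that the chain really leads to the CA. The block below is an added example, not code from the keystone-k8s charm or the commit shown above. It uses the cryptography package (which the charm itself lists as a build dependency). make_cert is a hypothetical helper that produces constructed test material; keystone.example.test, Example Root CA and Example Intermediate CA are made-up names; the requirement that the private key be passphrase-less (the option has no passphrase field) and the RSA-only signature check are my assumptions, not something the page states.

```python
"""Pre-flight checks for the saml-x509-keypair secret and the add-ca-certs
action payload of keystone-k8s (added example; not part of the charm)."""
import base64
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_cert(common_name, issuer=None, days=365):
    """Constructed test material (hypothetical helper): returns (cert_pem, key_pem).
    With no issuer the certificate is self-signed; otherwise issuer is a
    (cert_pem, key_pem) tuple whose key signs the new certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    if issuer is None:
        issuer_name, signing_key = subject, key
    else:
        issuer_name = x509.load_pem_x509_certificate(issuer[0]).subject
        signing_key = serialization.load_pem_private_key(issuer[1], password=None)
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .sign(signing_key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


def _spki(public_key):
    # DER SubjectPublicKeyInfo: comparable across cert and private key objects.
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def build_saml_secret(cert_pem, key_pem):
    """Return the {"certificate": ..., "key": ...} content the secret must carry,
    refusing a key that does not match the certificate or a cert outside its
    validity window."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        key = serialization.load_pem_private_key(key_pem, password=None)
    except TypeError:
        # Assumption: the charm needs a passphrase-less key; the option has no passphrase field.
        raise ValueError("private key must not be passphrase protected")
    if _spki(key.public_key()) != _spki(cert.public_key()):
        raise ValueError("private key does not match the certificate")
    now = datetime.now(timezone.utc)
    # *_utc properties exist on newer cryptography; fall back to the naive-UTC ones.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not not_before <= now <= not_after:
        raise ValueError("certificate is outside its validity period")
    return {"certificate": cert_pem.decode(), "key": key_pem.decode()}


def _load_chain(pem):
    """Split a PEM bundle into certificate objects (order-independent)."""
    certs = []
    for block in pem.split(b"-----END CERTIFICATE-----"):
        if b"-----BEGIN CERTIFICATE-----" in block:
            certs.append(x509.load_pem_x509_certificate(block.strip() + b"\n-----END CERTIFICATE-----\n"))
    return certs


def _issued_by(cert, issuer):
    """Name chaining plus signature check. Assumption: RSA PKCS#1 v1.5 keys."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def listed_name(name):
    """Name as list-ca-certs will report it: every '.' becomes '-'."""
    return name.replace(".", "-")


def ca_certs_action_params(name, ca_pem, chain_pem=b""):
    """Build add-ca-certs params (base64 ca/chain) only if every chain certificate
    is issued by the CA or by another member of the chain."""
    ca = x509.load_pem_x509_certificate(ca_pem)
    chain = _load_chain(chain_pem)
    pool = chain + [ca]
    for cert in chain:
        if not any(_issued_by(cert, cand) for cand in pool if cand is not cert):
            raise ValueError(f"{cert.subject.rfc4514_string()} is not issued by the CA or the chain")
    params = {"name": name, "ca": base64.b64encode(ca_pem).decode()}
    if chain:
        params["chain"] = base64.b64encode(chain_pem).decode()
    return params


if __name__ == "__main__":
    sp_cert, sp_key = make_cert("keystone.example.test")
    print(sorted(build_saml_secret(sp_cert, sp_key)))
    root = make_cert("Example Root CA")
    inter = make_cert("Example Intermediate CA", issuer=root)
    print(sorted(ca_certs_action_params("example.test", root[0], inter[0])))
```

The secret dictionary is exactly what `juju add-secret saml-secret certificate#file=... key#file=...` produces from two files, so running build_saml_secret on those files first catches a swapped or stale key before it reaches the SP metadata. The chain check is deliberately order-independent, since the action schema does not state an ordering; a bundle containing a certificate nobody in the set issued is rejected rather than silently uploaded.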