# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # This file provides defaults for deckhand labels: api: node_selector_key: ucp-control-plane node_selector_value: enabled job: node_selector_key: ucp-control-plane node_selector_value: enabled test: node_selector_key: ucp-control-plane node_selector_value: enabled images: tags: deckhand: quay.io/airshipit/deckhand:latestlatest-ubuntu_focal dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 db_init: docker.io/postgres:14.8 db_sync: quay.io/airshipit/deckhand:latest-ubuntu_focal image_repo_sync: docker.io/docker:23.0.3 ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync release_group: null network: api: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / node_port: enabled: false port: 301902 dependencies: dynamic: common: local_image_registry: jobs: - glance-image-repo-sync services: - endpoint: node service: local_image_registry static: db_init: services: - service: postgresql endpoint: internal db_sync: jobs: - deckhand-db-init services: - service: postgresql endpoint: internal ks_user: services: - service: identity endpoint: internal ks_service: services: - service: identity endpoint: internal ks_endpoints: jobs: - deckhand-ks-service services: - service: identity endpoint: internal deckhand: jobs: - deckhand-ks-endpoints - deckhand-ks-user - deckhand-ks-endpoints services: - service: identity endpoint: internal - service: key_manager endpoint: internal # typically overridden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 identity: name: keystone auth: deckhand: region_name: RegionOne role: admin project_name: service project_domain_name: default user_domain_name: default username: deckhand password: password admin: region_name: RegionOne project_name: admin password: password username: admin user_domain_name: default project_domain_name: default hosts: default: keystone internal: keystone-api path: default: /v3 scheme: default: http port: api: default: 80 internal: 5000 host_fqdn_override: default: null deckhand: name: deckhand hosts: default: deckhand-int public: deckhand-api port: api: default: 9000 public: 80 path: default: /api/v1.0 scheme: default: http host_fqdn_override: default: null # NOTE(lamt): This chart supports TLS for fqdn overriden public # endpoints using the following format: # public: # host: null # tls: # crt: null # key: null postgresql: name: postgresql auth: admin: username: postgres password: password user: username: deckhand password: password database: deckhand hosts: default: postgresql path: /deckhand scheme: postgresql+psycopg2 port: postgresql: default: 5432 host_fqdn_override: default: null key_manager: name: barbican hosts: default: barbican-api public: barbican host_fqdn_override: default: null path: default: /v1 scheme: default: http port: api: default: 9311 public: 80 oslo_cache: hosts: default: memcached host_fqdn_override: default: null port: memcache: default: 11211 secrets: identity: admin: deckhand-keystone-admin deckhand: deckhand-keystone-user postgresql: admin: deckhand-db-admin user: deckhand-db-user tls: deckhand: api: public: deckhand-tls-public conf: uwsgi: # NOTE(fmontei): Deckhand's database is not configured to work with # multiprocessing. Currently there is a data race on acquiring shared # SQLAlchemy engine pooled connection strings when workers > 1. As a # workaround, we use multiple threads but only 1 worker. For more # information, see: https://github.com/att-comdev/deckhand/issues/20 threads: 16 workers: 1 policy: admin_api: role:admin deckhand:create_cleartext_documents: rule:admin_api deckhand:create_encrypted_documents: rule:admin_api deckhand:list_cleartext_documents: rule:admin_api deckhand:list_encrypted_documents: rule:admin_api deckhand:show_revision: rule:admin_api deckhand:list_revisions: rule:admin_api deckhand:delete_revisions: rule:admin_api deckhand:show_revision_deepdiff: rule:admin_api deckhand:show_revision_diff: rule:admin_api deckhand:create_tag: rule:admin_api deckhand:show_tag: rule:admin_api deckhand:list_tags: rule:admin_api deckhand:delete_tag: rule:admin_api deckhand:delete_tags: rule:admin_api paste: filter:authtoken: paste.filter_factory: keystonemiddleware.auth_token:filter_factory filter:debug: use: egg:oslo.middleware#debug filter:cors: paste.filter_factory: oslo_middleware.cors:filter_factory oslo_config_project: deckhand filter:request_id: paste.filter_factory: oslo_middleware:RequestId.factory app:api: paste.app_factory: deckhand.service:deckhand_app_factory pipeline:deckhand_api: pipeline: authtoken api deckhand: DEFAULT: debug: true use_stderr: true use_syslog: true profiler: false logging_context_format_string: '%(asctime)s,%(msecs)03d %(levelname)-8s req_id=%(request_id)s ctx=%(context_marker)s end_user=%(end_user)s user=%(user_name)s %(name)s:%(filename)s:%(lineno)3d:%(funcName)s %(message)s' database: connection: keystone_authtoken: delay_auth_decision: true auth_type: password auth_version: v3 memcache_security_strategy: ENCRYPT oslo_policy: policy_file: policy.yaml policy_default_rule: default policy_dirs: policy.d barbican: api_endpoint: logging: loggers: keys: 'root, deckhand, error' handlers: keys: 'null, stderr, stdout, syslog' formatters: keys: 'simple, context' logger_deckhand: level: DEBUG handlers: stdout qualname: deckhand logger_error: level: ERROR handlers: stderr qualname: deckhand logger_root: level: WARNING handlers: null handler_null: class: 'logging.NullHandler' formatter: context args: '()' handler_stderr: class: StreamHandler args: '(sys.stderr,)' formatter: context handler_stdout: class: StreamHandler args: '(sys.stdout,)' formatter: context handler_syslog: class: 'handlers.SysLogHandler' level: ERROR args: "('/dev/log', handlers.SysLogHandler.LOG_USER)" formatter_context: class: 'oslo_log.formatters.ContextFormatter' formatter_simple: format: "%(asctime)s.%(msecs)03d %(process)d %(levelname)s: %(message)s" pod: mandatory_access_control: type: apparmor deckhand-api: init: runtime/default deckhand-api: runtime/default deckhand-db-init: init: runtime/default deckhand-db-init: runtime/default deckhand-db-sync: init: runtime/default deckhand-db-sync: runtime/default deckhand-api-test: deckhand-api-test: runtime/default security_context: deckhand: pod: runAsUser: 65534 container: deckhand_api: readOnlyRootFilesystem: true allowPrivilegeEscalation: false db_init: pod: runAsUser: 65534 container: deckhand_db_init: readOnlyRootFilesystem: true allowPrivilegeEscalation: false db_sync: pod: runAsUser: 65534 container: deckhand_db_sync: readOnlyRootFilesystem: true allowPrivilegeEscalation: false api_test: pod: runAsUser: 65534 container: deckhand_api_test: readOnlyRootFilesystem: true allowPrivilegeEscalation: false mounts: deckhand_db_init: init_container: null deckhand_db_init: deckhand_db_sync: init_container: null deckhand_db_sync: deckhand: init_container: null deckhand: lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 termination_grace_period: deckhand: timeout: 30 affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname replicas: deckhand: 1 resources: enabled: false api: limits: memory: "128Mi" cpu: "100m" requests: memory: "128Mi" cpu: "100m" jobs: ks_user: limits: memory: "128Mi" cpu: "100m" requests: memory: "128Mi" cpu: "100m" ks_service: limits: memory: "128Mi" cpu: "100m" requests: memory: "128Mi" cpu: "100m" ks_endpoints: limits: memory: "128Mi" cpu: "100m" requests: memory: "128Mi" cpu: "100m" test: deckhand: limits: memory: "128Mi" cpu: "100m" requests: memory: "128Mi" cpu: "100m" network_policy: deckhand: ingress: - {} egress: - {} manifests: configmap_bin: true configmap_etc: true deployment: true ingress_api: true job_db_init: true job_db_sync: true job_image_repo_sync: true job_ks_endpoints: true job_ks_service: true job_ks_user: true secret_db: true secret_ingress_tls: true secret_keystone: true service_api: true service_ingress_api: true test_deckhand_api: true network_policy: false