COMPUTED VALUES:
# Bootstrap settings. The script grants the "admin" role to ${OS_USERNAME} on
# the ${OS_DEFAULT_DOMAIN} domain, i.e. a domain-wide admin assignment.
# NOTE(review): presumably run by the bootstrap job (manifests.job_bootstrap is
# true) with the endpoints.identity.auth.admin credentials - confirm.
bootstrap:
  enabled: true
  ks_user: admin
  script: |
    # admin needs the admin role for the default domain
    openstack role add \
          --user="${OS_USERNAME}" \
          --domain="${OS_DEFAULT_DOMAIN}" \
          "admin"
conf:
  access_rules: {}
  # Keystone service options, one mapping per configuration section
  # (presumably rendered into keystone.conf - confirm against the chart).
  keystone:
    DEFAULT:
      max_token_size: 255
    auth:
      # Federated "openid" is accepted next to password, token and application
      # credentials.
      methods: password,token,openid,application_credential
    cache:
      backend: dogpile.cache.memcached
      enabled: true
      memcache_servers: memcached.openstack.svc.cluster.local:11211
    cors:
      # NOTE(review): wildcard origin on the identity API. Prefer listing the
      # dashboard origin(s) that actually need cross-origin access.
      allowed_origins: '*'
    credential:
      key_repository: /etc/keystone/credential-keys/
    database:
      connection_recycle_time: 600
      max_overflow: 50
      max_pool_size: 5
      # -1 presumably means "retry the database connection without limit"
      # (oslo.db convention) - confirm.
      max_retries: -1
      pool_timeout: 30
    federation:
      # Dashboard URLs keystone accepts as WebSSO origins.
      # NOTE(review): the first entry is plain http on localhost; it looks like
      # a development default - drop it if no local dashboard is expected.
      trusted_dashboard:
        type: multistring
        values:
        - http://localhost:9990/auth/websso/
        - https://dashboard.199-204-45-113.nip.io/auth/websso/
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
      # Seven keys are kept. jobs.fernet_rotate runs every 12 hours and
      # token.expiration is 12 hours, so rotated-out keys outlive the tokens
      # they protect.
      max_active_keys: 7
    identity:
      domain_config_dir: /etc/keystone/domains
      domain_specific_drivers_enabled: true
    openid:
      remote_id_attribute: HTTP_OIDC_ISS
    oslo_messaging_notifications:
      # noop: keystone publishes no notifications.
      # NOTE(review): if identity audit events (authentication, role changes)
      # are expected by a downstream consumer, they will not arrive through
      # messaging with this driver - confirm that is intended.
      driver: noop
    oslo_messaging_rabbit:
      rabbit_ha_queues: true
    oslo_middleware:
      # Honours proxy-supplied forwarding headers.
      # NOTE(review): only safe when every request reaches keystone through a
      # proxy that overwrites them; wsgi_keystone listens on 0.0.0.0:5000 and
      # manifests.network_policy is false.
      enable_proxy_headers_parsing: true
    oslo_policy:
      policy_file: /etc/keystone/policy.yaml
    security_compliance:
      # Lock an account for 1800 s after 5 failed authentications.
      # NOTE(review): presumably applies only to users stored by keystone
      # itself; users of the keycloak-backed domain need the equivalent policy
      # in the identity provider - confirm.
      lockout_duration: 1800
      lockout_failure_attempts: 5
    token:
      # 43200 s = 12 hours.
      expiration: 43200
      provider: fernet
  # Per-domain identity configuration: domain "atmosphere" uses the keycloak
  # identity driver.
  ks_domains:
    atmosphere:
      identity:
        driver: keycloak
      keycloak:
        client_id: keystone
        # NOTE(review): client secret in clear text in computed values; treat
        # it as exposed wherever this output was stored or shared, and rotate.
        client_secret_key: ilN1BQbqhByxhDLq9jihppZY4FlH3g5m
        realm_name: atmosphere
        # NOTE(review): plain http to the in-cluster Keycloak service, so the
        # client secret above presumably crosses the pod network unencrypted.
        server_url: http://keycloak.auth-system.svc
  # Python logging configuration (fileConfig-style sections: formatter_*,
  # handler_*, logger_*). The keystone logger writes INFO and above to stdout;
  # the root logger is attached to the null handler.
  # NOTE(review): loggers.keys lists only root and keystone, so the
  # logger_amqp / amqplib / boto / eventletwsgi / sqlalchemy sections are
  # presumably not activated, and records from outside the keystone namespace
  # would end up at the null handler - confirm if those warnings are wanted for
  # troubleshooting or detection.
  logging:
    formatter_context:
      class: oslo_log.formatters.ContextFormatter
      datefmt: '%Y-%m-%d %H:%M:%S'
    formatter_default:
      datefmt: '%Y-%m-%d %H:%M:%S'
      format: '%(message)s'
    formatters:
      keys:
      - context
      - default
    handler_null:
      args: ()
      class: logging.NullHandler
      formatter: default
    handler_stderr:
      args: (sys.stderr,)
      class: StreamHandler
      formatter: context
    handler_stdout:
      args: (sys.stdout,)
      class: StreamHandler
      formatter: context
    handlers:
      keys:
      - stdout
      - stderr
      - "null"
    logger_amqp:
      handlers: stderr
      level: WARNING
      qualname: amqp
    logger_amqplib:
      handlers: stderr
      level: WARNING
      qualname: amqplib
    logger_boto:
      handlers: stderr
      level: WARNING
      qualname: boto
    logger_eventletwsgi:
      handlers: stderr
      level: WARNING
      qualname: eventlet.wsgi.server
    logger_keystone:
      handlers:
      - stdout
      level: INFO
      qualname: keystone
    logger_root:
      handlers: "null"
      level: WARNING
    logger_sqlalchemy:
      handlers: stderr
      level: WARNING
      qualname: sqlalchemy
    loggers:
      keys:
      - root
      - keystone
  # Apache mpm_event tuning, passed through as a literal config fragment.
  # These values bound how many worker threads Apache may run.
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit         1024
      StartServers        32
      MinSpareThreads     32
      MaxSpareThreads     256
      ThreadsPerChild     25
      MaxRequestsPerChild 128
      ThreadLimit         720
    </IfModule>
  # Empty policy override.
  # NOTE(review): presumably keystone's built-in default policies apply -
  # confirm no site-specific rules were expected here.
  policy: {}
  # RabbitMQ policy for the keystone vhost: a 70000 ms message TTL on every
  # object whose name does not start with "amq." or "reply_".
  rabbitmq:
    policies:
    - apply-to: all
      definition:
        message-ttl: 70000
      name: ha_ttl_keystone
      pattern: ^(?!(amq\.|reply_)).*
      priority: 0
      vhost: keystone
  # Rally scenarios for the chart's test pod. Every scenario runs once with
  # concurrency 1 and fails its SLA on any error (failure_rate max 0).
  # NOTE(review): the scenarios create and delete users, roles, tenants,
  # services and EC2 credentials, so they presumably run with the admin-role
  # test account from endpoints.identity.auth.test - confirm they are not
  # pointed at a production identity service.
  rally_tests:
    run_tempest: false
    tests:
      KeystoneBasic.add_and_remove_user_role:
      - runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.authenticate_user_and_validate_token:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_add_and_list_user_roles:
      - runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_delete_ec2credential:
      - runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_delete_role:
      - runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_delete_service:
      - args:
          description: test_description
          service_type: Rally_test_type
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_get_role:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_list_ec2credentials:
      - runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_list_services:
      - args:
          description: test_description
          service_type: Rally_test_type
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_list_tenants:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_and_list_users:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_delete_user:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_tenant:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_tenant_with_users:
      - args:
          users_per_tenant: 1
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_update_and_delete_tenant:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_user:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_user_set_enabled_and_delete:
      - args:
          enabled: true
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      - args:
          enabled: false
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.create_user_update_password:
      - args: {}
        runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
      KeystoneBasic.get_entities:
      - runner:
          concurrency: 1
          times: 1
          type: constant
        sla:
          failure_rate:
            max: 0
  # Apache hardening snippet, passed through as a literal config fragment.
  # Active directives: ServerTokens Prod, ServerSignature Off, TraceEnable Off.
  # Everything else in the value is commented out, including the
  # "Require all denied" default for <Directory /> and the
  # X-Content-Type-Options / X-Frame-Options headers.
  # NOTE(review): wsgi_keystone loads mod_headers, so the two Header lines could
  # be enabled; the WebSSO callback page is HTML that carries a token, which is
  # the kind of response X-Frame-Options is meant for - confirm before enabling.
  security: |
    #
    # Disable access to the entire file system except for the directories that
    # are explicitly allowed later.
    #
    # This currently breaks the configurations that come with some web application
    # Debian packages.
    #
    #<Directory />
    #   AllowOverride None
    #   Require all denied
    #</Directory>

    # Changing the following options will not really affect the security of the
    # server, but might make attacks slightly more difficult in some cases.

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of:  On | Off | EMail
    ServerSignature Off

    #
    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of:  On | Off | extended
    TraceEnable Off

    #
    # Forbid access to version control directories
    #
    # If you use version control systems in your document root, you should
    # probably deny access to their directories. For example, for subversion:
    #
    #<DirectoryMatch "/\.svn">
    #   Require all denied
    #</DirectoryMatch>

    #
    # Setting this header will prevent MSIE from interpreting files as something
    # else than declared by the content type in the HTTP headers.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Content-Type-Options: "nosniff"

    #
    # Setting this header will prevent other sites from embedding pages from this
    # site as frames. This defends against clickjacking attacks.
    # Requires mod_headers to be enabled.
    #
    #Header set X-Frame-Options: "sameorigin"
  # Apache binary name, directories and start parameters used by the chart.
  software:
    apache2:
      a2dismod: null
      a2enmod: null
      binary: apache2
      conf_dir: /etc/apache2/conf-enabled
      mods_dir: /etc/apache2/mods-available
      # NOTE(review): "sites-enable" lacks the trailing "d" that conf_dir's
      # "conf-enabled" has; it may be a long-standing typo or the path the
      # chart templates really expect - confirm before changing.
      site_dir: /etc/apache2/sites-enable
      start_parameters: -DFOREGROUND
  # HTML page used for the WebSSO hand-off: a form that posts a hidden "token"
  # field to $host and submits itself on load (manual button under <noscript>).
  # NOTE(review): $host and $token are placeholders filled in at runtime; the
  # token is a bearer credential embedded in the page, so the target should be
  # limited to the federation.trusted_dashboard entries and the response kept
  # out of caches and frames - confirm how keystone constrains $host.
  sso_callback_template: |
    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Keystone WebSSO redirect</title>
      </head>
      <body>
         <form id="sso" name="sso" action="$host" method="post">
           Please wait...
           <br/>
           <input type="hidden" name="token" id="token" value="$token"/>
           <noscript>
             <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
                value="If your JavaScript is disabled, please click to continue"/>
           </noscript>
         </form>
         <script type="text/javascript">
           window.onload = function() {
             document.forms['sso'].submit();
           }
         </script>
      </body>
    </html>
  # Apache vhost for keystone (mod_wsgi) with mod_auth_openidc protecting the
  # federation endpoints. The value is an Apache config file, so review notes
  # are kept here rather than inside the block scalar.
  # NOTE(review): OIDCSSLValidateServer "Off" turns off TLS certificate
  # validation for the module's outbound calls to the identity provider, so
  # provider metadata, keys and token responses are not authenticated. A CA
  # bundle is mounted into the API pod (pod.mounts), so "On" looks achievable
  # once the Keycloak certificate chains to it - confirm.
  # NOTE(review): OIDCCryptoPassphrase is in clear text. With OIDCSessionType
  # client-cookie the session presumably lives in a browser cookie protected by
  # this passphrase; treat it as exposed and rotate it.
  # NOTE(review): in OIDCRedirectURLsAllowed the dots of the host names are
  # unescaped regex metacharacters and the first pattern has no trailing "$";
  # escaping the dots and anchoring both patterns narrows what is accepted.
  # NOTE(review): the <Location> that uses AuthType oauth20 has no OIDCOAuth*
  # token-verification directive in this block; confirm where bearer-token
  # validation is configured.
  # NOTE(review): Listen 0.0.0.0:5000 is plain HTTP and OIDCXForwardedHeaders
  # trusts X-Forwarded-Host / X-Forwarded-Proto, so the port must only be
  # reachable through the proxy that sets those headers
  # (manifests.network_policy is false).
  # The third <Location> opening tag is indented two columns deeper than its
  # siblings; cosmetic only.
  wsgi_keystone: |
    LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
    Listen 0.0.0.0:5000
    TransferLog /dev/stdout
    ErrorLog /dev/stderr
    <VirtualHost *:5000>
      # WSGI
      WSGIDaemonProcess keystone-public processes=4 threads=1 user=keystone group=keystone display-name=%{GROUP}
      WSGIProcessGroup keystone-public
      WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      # NOTE(mnaser): This is to by-pass large header limits for large tokens
      LimitRequestFieldSize 16384
      # OIDC
      OIDCClaimPrefix "OIDC-"
      OIDCMetadataDir /var/lib/apache2/oidc
      OIDCSSLValidateServer "Off"
      OIDCCryptoPassphrase obPDDzgDQjKxNHaWgEy2nvN5SDHkFzkp
      OIDCRedirectURI https://identity.199-204-45-113.nip.io/v3/auth/OS-FEDERATION/identity_providers/redirect
      OIDCRedirectURLsAllowed ^https://identity.199-204-45-113.nip.io/v3/auth/OS-FEDERATION/identity_providers/(atmosphere)/protocols/openid/websso ^https://dashboard.199-204-45-113.nip.io/auth/logout/$
      # NOTE(mnaser): These are Atmosphere specific settings.
      OIDCSessionType client-cookie:store_id_token
      OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto
      <Location /v3/auth/OS-FEDERATION/identity_providers/redirect>
        AuthType openid-connect
        Require valid-user
      </Location>
      <Location /v3/auth/OS-FEDERATION/websso/openid>
        Require valid-user
        AuthType openid-connect
      </Location>
        <Location /v3/OS-FEDERATION/identity_providers/atmosphere/protocols/openid/auth>
        Require valid-user
        AuthType oauth20
      </Location>
      <Location /v3/auth/OS-FEDERATION/identity_providers/atmosphere/protocols/openid/websso>
        Require valid-user
        AuthType openid-connect
        OIDCDiscoverURL https://identity.199-204-45-113.nip.io/v3/auth/OS-FEDERATION/identity_providers/redirect?iss=https%3A%2F%2Fkeycloak.199-204-45-113.nip.io%2Frealms%2Fatmosphere
      </Location>
      </VirtualHost>
# Start-up ordering: for each component, the jobs that must have completed and
# the service endpoints that must be reachable first (presumably enforced by
# the dep_check image listed under images.tags - confirm).
# Key material is prepared before the API starts: api and db_sync both wait
# for keystone-credential-setup and keystone-fernet-setup.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
        - keystone-image-repo-sync
        services:
        - endpoint: node
          service: local_image_registry
    rabbit_init:
      services:
      - endpoint: internal
        service: oslo_messaging
  static:
    api:
      jobs:
      - keystone-db-sync
      - keystone-credential-setup
      - keystone-fernet-setup
      services:
      - endpoint: internal
        service: oslo_cache
      - endpoint: internal
        service: oslo_db
    bootstrap:
      jobs:
      - keystone-domain-manage
      services:
      - endpoint: internal
        service: identity
    credential_cleanup:
      services:
      - endpoint: internal
        service: oslo_db
    credential_rotate:
      jobs:
      - keystone-credential-setup
    credential_setup: null
    db_drop:
      services:
      - endpoint: internal
        service: oslo_db
    db_init:
      services:
      - endpoint: internal
        service: oslo_db
    db_sync:
      jobs:
      - keystone-db-init
      - keystone-credential-setup
      - keystone-fernet-setup
      services:
      - endpoint: internal
        service: oslo_db
    domain_manage:
      services:
      - endpoint: internal
        service: identity
    fernet_rotate:
      jobs:
      - keystone-fernet-setup
    fernet_setup: null
    image_repo_sync:
      services:
      - endpoint: internal
        service: local_image_registry
    tests:
      services:
      - endpoint: internal
        service: identity
# Service endpoints and the credentials used to reach them.
# NOTE(review): this is computed output, so every password and key below is
# shown in clear text. Treat each one as exposed wherever this dump was pasted,
# logged or committed, rotate them, and source them from a secret store rather
# than from values files.
endpoints:
  cluster_domain_suffix: cluster.local
  fluentd:
    host_fqdn_override:
      default: null
    hosts:
      default: fluentd-logging
    name: fluentd
    namespace: null
    path:
      default: null
    port:
      metrics:
        default: 24220
      service:
        default: 24224
    scheme: http
  identity:
    auth:
      # Cloud administrator account for the default domain.
      admin:
        default_domain_id: default
        password: 49BwNyXJINqy9oNQWHDCRTY1tRNwjFPT
        project_domain_name: default
        project_name: admin
        region_name: RegionOne
        user_domain_name: default
        username: admin-RegionOne
      # NOTE(review): the test account uses the literal password "password"
      # and is given the admin role; manifests.pod_rally_test is true. If the
      # account is ever created on a reachable deployment it is an
      # administrator with a guessable password - set a generated password or
      # disable the test pod.
      test:
        default_domain_id: default
        password: password
        project_domain_name: default
        project_name: test
        region_name: RegionOne
        role: admin
        user_domain_name: default
        username: keystone-test
    host_fqdn_override:
      default: null
      public:
        host: identity.199-204-45-113.nip.io
    hosts:
      default: keystone-api
      internal: keystone-api
    name: keystone
    namespace: null
    path:
      default: /
    port:
      api:
        default: 5000
        internal: 5000
        public: 443
        service: 5000
    # Only the public endpoint is https; default and service schemes are http,
    # so in-cluster clients presumably send credentials and tokens to keystone
    # unencrypted (tls.identity is false).
    scheme:
      default: http
      public: https
      service: http
  ingress:
    hosts:
      default: ingress
    name: ingress
    namespace: null
    port:
      ingress:
        default: 80
  kube_dns:
    host_fqdn_override:
      default: null
    hosts:
      default: kube-dns
    name: kubernetes-dns
    namespace: kube-system
    path:
      default: null
    port:
      dns:
        default: 53
        protocol: UDP
    scheme: http
  ldap:
    auth:
      client:
        tls:
          ca: null
  local_image_registry:
    host_fqdn_override:
      default: null
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    name: docker-registry
    namespace: docker-registry
    port:
      registry:
        node: 5000
  oci_image_registry:
    # Registry authentication is disabled; the username/password pair below is
    # a placeholder default and must be replaced before auth is enabled.
    auth:
      enabled: false
      keystone:
        password: password
        username: keystone
    host_fqdn_override:
      default: null
    hosts:
      default: localhost
    name: oci-image-registry
    namespace: oci-image-registry
    port:
      registry:
        default: null
  oslo_cache:
    auth:
      memcache_secret_key: 4S2pchmxUKC3ubDR2RuxyK8wBXGOBKse
    host_fqdn_override:
      default: null
    hosts:
      default: memcached
    namespace: null
    port:
      memcache:
        default: 11211
  oslo_db:
    auth:
      # Database superuser (root), presumably used by the db_init / db_drop
      # jobs. A TLS secret name is set, but tls.oslo_db is false.
      admin:
        password: iht4oeFLldzvQcCGmhdrpjV10iLKwGNV
        secret:
          tls:
            internal: mariadb-tls-direct
        username: root
      keystone:
        password: JMfAOTh9La9qu7afZ30sErjZMO2cmZhZ
        username: keystone
    host_fqdn_override:
      default: null
    hosts:
      default: percona-xtradb-haproxy
    namespace: null
    path: /keystone
    port:
      mysql:
        default: 3306
    scheme: mysql+pymysql
  oslo_messaging:
    auth:
      # NOTE(review): the "admin" and "user" entries carry the same username
      # and password, so the RabbitMQ default user doubles as the admin
      # credential here; the keystone service account is separate.
      admin:
        password: xRmEK0MVH2TNBdqhZoeaKpvZgPGgyPGd
        secret:
          tls:
            internal: rabbitmq-tls-direct
        username: default_user_CwyBANKfW_LFwyTXqzM
      keystone:
        password: WcOmvvTC5pGmmekMzsSTTS6jej2ikd1s
        username: keystone
      user:
        password: xRmEK0MVH2TNBdqhZoeaKpvZgPGgyPGd
        username: default_user_CwyBANKfW_LFwyTXqzM
    host_fqdn_override:
      default: null
    hosts:
      default: rabbitmq-keystone
    namespace: null
    path: /keystone
    port:
      amqp:
        default: 5672
      http:
        default: 15672
    scheme: rabbit
# Values passed to the helm-toolkit subchart (none set beyond an empty global
# mapping) and the switch selecting Helm 3 hook behaviour.
helm-toolkit:
  global: {}
helm3_hook: true
# Container images per component. Most references combine a moving tag (main,
# edge) with an @sha256 digest, so the digest is what pins the content.
# NOTE(review): image_repo_sync, rabbit_init and test are referenced by tag
# only. Tags are mutable and pull_policy is IfNotPresent, so nodes may run
# different content under the same reference - pin these by digest as well.
# NOTE(review): image_repo_sync and test are pulled straight from docker.io
# rather than through the harbor.atmosphere.dev proxy used by the others, and
# docker:17.07.0 is a very old release; local_registry.active is false, so
# confirm whether that image is used at all.
images:
  local_registry:
    active: false
    exclude:
    - dep_check
    - image_repo_sync
  pull_policy: IfNotPresent
  tags:
    bootstrap: harbor.atmosphere.dev/ghcr.io/vexxhost/heat:main@sha256:422a6db051c98bbe42b4bf61da3e6eed001579eb27f7d9e842809cf494f4b667
    db_drop: harbor.atmosphere.dev/ghcr.io/vexxhost/heat:main@sha256:422a6db051c98bbe42b4bf61da3e6eed001579eb27f7d9e842809cf494f4b667
    db_init: harbor.atmosphere.dev/ghcr.io/vexxhost/heat:main@sha256:422a6db051c98bbe42b4bf61da3e6eed001579eb27f7d9e842809cf494f4b667
    dep_check: harbor.atmosphere.dev/ghcr.io/vexxhost/kubernetes-entrypoint:edge@sha256:8921b64b87af184a1421dd856b2703bcf3cff9f50863cd0d18371cf964a87bd3
    image_repo_sync: docker.io/docker:17.07.0
    keystone_api: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:main@sha256:e6bbce0c593b2279ecef2c04f6fe3416132fb2e2210d500c4dd884c71fee0aad
    keystone_credential_cleanup: harbor.atmosphere.dev/ghcr.io/vexxhost/heat:main@sha256:422a6db051c98bbe42b4bf61da3e6eed001579eb27f7d9e842809cf494f4b667
    keystone_credential_rotate: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:main@sha256:e6bbce0c593b2279ecef2c04f6fe3416132fb2e2210d500c4dd884c71fee0aad
    keystone_credential_setup: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:main@sha256:e6bbce0c593b2279ecef2c04f6fe3416132fb2e2210d500c4dd884c71fee0aad
    keystone_db_sync: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:main@sha256:e6bbce0c593b2279ecef2c04f6fe3416132fb2e2210d500c4dd884c71fee0aad
    keystone_domain_manage: harbor.atmosphere.dev/ghcr.io/vexxhost/heat:main@sha256:422a6db051c98bbe42b4bf61da3e6eed001579eb27f7d9e842809cf494f4b667
    keystone_fernet_rotate: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:main@sha256:e6bbce0c593b2279ecef2c04f6fe3416132fb2e2210d500c4dd884c71fee0aad
    keystone_fernet_setup: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:main@sha256:e6bbce0c593b2279ecef2c04f6fe3416132fb2e2210d500c4dd884c71fee0aad
    ks_user: harbor.atmosphere.dev/ghcr.io/vexxhost/heat:main@sha256:422a6db051c98bbe42b4bf61da3e6eed001579eb27f7d9e842809cf494f4b667
    rabbit_init: harbor.atmosphere.dev/docker.io/library/rabbitmq:4.1.4-management
    test: docker.io/xrally/xrally-openstack:2.0.0
# Key-management jobs, all run as user/group keystone.
# credential_rotate: 00:00 on the first day of each month.
# fernet_rotate: every 12 hours, matching the 12-hour token lifetime in
# conf.keystone.token.expiration; with fernet_tokens.max_active_keys at 7, a
# rotated key stays available well past the expiry of tokens issued under it.
jobs:
  credential_rotate:
    cron: 0 0 1 * *
    group: keystone
    history:
      failed: 1
      success: 3
    migrate_wait: 120
    user: keystone
  credential_setup:
    group: keystone
    user: keystone
  fernet_rotate:
    cron: 0 */12 * * *
    group: keystone
    history:
      failed: 1
      success: 3
    user: keystone
  fernet_setup:
    group: keystone
    user: keystone
# Node selection: API, job and test pods are all scheduled onto nodes labelled
# openstack-control-plane=enabled.
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
# Switches for which Kubernetes objects the chart renders.
manifests:
  # No certificate objects are rendered; see also the all-false tls mapping.
  certificates: false
  configmap_bin: true
  configmap_etc: true
  cron_credential_rotate: true
  cron_fernet_rotate: true
  deployment_api: true
  ingress_api: false
  job_bootstrap: true
  job_credential_cleanup: false
  job_credential_setup: true
  job_db_drop: false
  job_db_init: true
  job_db_sync: true
  job_domain_manage: true
  job_fernet_setup: true
  job_image_repo_sync: true
  job_rabbit_init: true
  # NOTE(review): no NetworkPolicy is rendered, so pod-to-pod access to the
  # keystone API on port 5000 is limited only by whatever cluster-wide policy
  # exists - confirm.
  network_policy: false
  pdb_api: true
  # The Rally test pod is enabled; it uses endpoints.identity.auth.test.
  pod_rally_test: true
  secret_credential_keys: true
  secret_db: true
  secret_fernet_keys: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
  secret_registry: true
  service_api: true
  service_ingress_api: false
# Exposure settings. Both NodePorts are disabled. The chart's own ingress
# objects are switched off under manifests (ingress_api and
# service_ingress_api are false), so the ingress settings here presumably have
# no effect and the public endpoint is published some other way - confirm.
network:
  admin:
    node_port:
      enabled: false
      port: 30357
  api:
    external_policy_local: false
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
      classes:
        cluster: nginx-cluster
        namespace: nginx
      public: true
    node_port:
      enabled: false
      port: 30500
# NetworkPolicy rules for keystone. A single empty rule ("- {}") in each
# direction presumably matches all traffic, i.e. allow-all, and
# manifests.network_policy is false so nothing is rendered anyway.
# NOTE(review): if policies are turned on later, replace these with explicit
# peers (ingress controller, dashboard, OpenStack services).
network_policy:
  keystone:
    egress:
    - {}
    ingress:
    - {}
pod:
  # Scheduling and rollout behaviour: soft (preferred) anti-affinity per host
  # name, a disruption budget of min_available 0 for the API, a 30 s
  # termination grace period and rolling updates.
  # NOTE(review): min_available 0 together with pod.replicas.api = 1 means a
  # node drain may take the identity service fully offline - confirm this is
  # acceptable for the environment.
  affinity:
    anti:
      topologyKey:
        default: kubernetes.io/hostname
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      weight:
        default: 10
  labels:
    include_app_kubernetes_io: false
  lifecycle:
    disruption_budget:
      api:
        min_available: 0
    termination_grace_period:
      api:
        timeout: 30
    upgrades:
      deployments:
        pod_replacement_strategy: RollingUpdate
        revision_history: 3
        rolling_update:
          max_surge: 3
          max_unavailable: 1
  # Extra volumes per component. Only the API container has any: three
  # mod_auth_openidc metadata files (.client, .conf, .provider) for the
  # Keycloak realm, taken from the keystone-openid-metadata ConfigMap, and the
  # node's CA bundle through a hostPath volume.
  # NOTE(review): a mod_auth_openidc .client file normally holds the OIDC
  # client secret; here it is backed by a ConfigMap rather than a Secret -
  # confirm what the file contains.
  # NOTE(review): the hostPath CA bundle is mounted readOnly, but it ties the
  # pod's trust store to the node's /etc/ssl/certs/ca-certificates.crt and
  # needs hostPath to be permitted by pod security admission.
  mounts:
    keystone_api:
      init_container: null
      keystone_api:
        volumeMounts:
        - mountPath: /var/lib/apache2/oidc/keycloak.199-204-45-113.nip.io%2Frealms%2Fatmosphere.client
          name: keystone-openid-metadata
          subPath: atmosphere-oidc-client
        - mountPath: /var/lib/apache2/oidc/keycloak.199-204-45-113.nip.io%2Frealms%2Fatmosphere.conf
          name: keystone-openid-metadata
          subPath: atmosphere-oidc-conf
        - mountPath: /var/lib/apache2/oidc/keycloak.199-204-45-113.nip.io%2Frealms%2Fatmosphere.provider
          name: keystone-openid-metadata
          subPath: atmosphere-oidc-provider
        - mountPath: /etc/ssl/certs/ca-certificates.crt
          name: ca-certificates
          readOnly: true
        volumes:
        - configMap:
            name: keystone-openid-metadata
          name: keystone-openid-metadata
        - hostPath:
            path: /etc/ssl/certs/ca-certificates.crt
          name: ca-certificates
    keystone_bootstrap:
      init_container: null
      keystone_bootstrap:
        volumeMounts: null
        volumes: null
    keystone_credential_cleanup:
      init_container: null
      keystone_credential_cleanup:
        volumeMounts: null
        volumes: null
    keystone_credential_rotate:
      init_container: null
      keystone_credential_rotate:
        volumeMounts: null
        volumes: null
    keystone_credential_setup:
      init_container: null
      keystone_credential_setup:
        volumeMounts: null
        volumes: null
    keystone_db_init:
      init_container: null
      keystone_db_init:
        volumeMounts: null
        volumes: null
    keystone_db_sync:
      init_container: null
      keystone_db_sync:
        volumeMounts: null
        volumes: null
    keystone_domain_manage:
      init_container: null
      keystone_domain_manage:
        volumeMounts: null
        volumes: null
    keystone_fernet_rotate:
      init_container: null
      keystone_fernet_rotate:
        volumeMounts: null
        volumes: null
    keystone_fernet_setup:
      init_container: null
      keystone_fernet_setup:
        volumeMounts: null
        volumes: null
    keystone_tests:
      init_container: null
      keystone_tests:
        volumeMounts: null
        volumes: null
  # Liveness and readiness probes for the API container (both enabled, probed
  # every 60 s with a 15 s timeout) and the API replica count.
  probes:
    api:
      api:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 50
            periodSeconds: 60
            timeoutSeconds: 15
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 15
  # Single API replica: no redundancy for the identity service.
  replicas:
    api: 1
  # CPU/memory requests and limits for the API and for each job. Every entry
  # carries the same values (requests 100m / 128Mi, limits 2000m / 1024Mi).
  resources:
    api:
      limits:
        cpu: 2000m
        memory: 1024Mi
      requests:
        cpu: 100m
        memory: 128Mi
    # NOTE(review): false, so the requests and limits in this mapping are
    # presumably not applied to the pods - confirm; without limits a busy or
    # abused API pod is bounded only by its node.
    enabled: false
    jobs:
      bootstrap:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      credential_cleanup:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      credential_rotate:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      credential_setup:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      db_drop:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      db_init:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      db_sync:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      domain_manage:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      fernet_rotate:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      fernet_setup:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      image_repo_sync:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      rabbit_init:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
      tests:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 100m
          memory: 128Mi
  # Pod and container security contexts. Every listed container disallows
  # privilege escalation and uses a read-only root filesystem; pods run as UID
  # 42424 (the Rally test container as 65500).
  # NOTE(review): only credential_setup, domain_manage, fernet_rotate,
  # fernet_setup, keystone and test have entries here; no context is visible
  # for bootstrap, db_init, db_sync, credential_rotate or rabbit_init - confirm
  # what those pods run as.
  # NOTE(review): runAsNonRoot, dropped capabilities and a seccomp profile are
  # not set in these values; add them if the chart passes them through.
  security_context:
    credential_setup:
      container:
        keystone_credential_setup:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      pod:
        runAsUser: 42424
    domain_manage:
      container:
        keystone_domain_manage:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        keystone_domain_manage_init:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      pod:
        runAsUser: 42424
    fernet_rotate:
      container:
        keystone_fernet_rotate:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      pod:
        runAsUser: 42424
    fernet_setup:
      container:
        keystone_fernet_setup:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      pod:
        runAsUser: 42424
    keystone:
      container:
        keystone_api:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      pod:
        runAsUser: 42424
    test:
      container:
        keystone_test:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 65500
        keystone_test_ks_user:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      pod:
        runAsUser: 42424
  # Tolerations for the master / control-plane NoSchedule taints. Disabled, so
  # keystone pods are presumably not given these tolerations - confirm.
  tolerations:
    keystone:
      enabled: false
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
release_group: null
# Names of the Kubernetes Secret objects holding each credential set. These
# are object names only; the secret values themselves appear under endpoints.
secrets:
  identity:
    admin: keystone-keystone-admin
    test: keystone-keystone-test
  ldap:
    tls: keystone-ldap-tls
  oci_image_registry:
    keystone: keystone-oci-image-registry
  oslo_db:
    admin: keystone-db-admin
    keystone: keystone-db-user
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
  tls:
    identity:
      api:
        internal: keystone-tls-api
        public: keystone-tls-public
# Chart-level TLS switches, all off.
# NOTE(review): with these false, traffic from keystone to the database and to
# RabbitMQ, and in-cluster traffic to the keystone API, is presumably
# unencrypted even though TLS secret names are configured under endpoints and
# secrets - confirm whether TLS is terminated elsewhere (service mesh, proxy).
tls:
  identity: false
  oslo_db: false
  oslo_messaging: false
