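---
# Keystone control-plane patches plus the FreeIPA test variables.
#
# Each keystone_patch* value is a literal block that is rendered by Jinja when
# the variable is used, so everything inside the block (including the
# {% if %} tags) is string content and must keep its indentation.
# The empty line after each `{%- endif %}` keeps the following `spec:` key on
# its own line even if the templating engine trims the newline that directly
# follows a block tag.
#
# Security notes that apply to all three patches:
#   - `[token] expiration = 360000` sets the keystone token lifetime to
#     360000 seconds (100 hours). A leaked bearer token stays usable for that
#     whole window, so keep this value to short-lived test environments.
#   - The internal service is exposed through a MetalLB LoadBalancer on the
#     `internalapi` pool at a fixed address (`<prefix>::50` for IPv6,
#     `<prefix>.80` for IPv4). Overriding internalapi_prefix /
#     internalapi_prefix_ipv6 moves the endpoint; the defaults are lab ranges.

# Baseline patch: enables keystone with the long token lifetime only.
keystone_patch: |
  spec:
    keystone:
      enabled: true
      apiOverride:
        route: {}
      template:
        customServiceConfig: |
          [token]
          expiration = 360000
        override:
          service:
            internal:
              metadata:
                annotations:
                  metallb.universe.tf/address-pool: internalapi
                  metallb.universe.tf/allow-shared-ip: internalapi
                  {% if ipv6_enabled | default(false) -%}
                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix_ipv6 | default('2620:cf:cf:bbbb') }}::50
                  {%- else -%}
                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
                  {%- endif %}

              spec:
                type: LoadBalancer
        databaseInstance: openstack
        secret: osp-secret

# Federation (OpenID Connect) patch.
#   - `tls.caBundleSecretName: keycloakca` names the secret holding the CA
#     bundle; presumably the CA that signed the Keycloak IdP certificate.
#   - `trusted_dashboard` is rendered from cifmw_federation_horizon_url, which
#     has no default here. Keystone only completes WebSSO for origins listed
#     in this option, so the variable must be the exact Horizon URL and
#     nothing broader.
#   - `remote_id_attribute=HTTP_OIDC_ISS` is read from the request
#     environment; presumably it is populated by the httpd configuration in
#     the `keystone-httpd-override` secret. Verify that configuration does not
#     let a client supply the value itself.
#   - `methods` enables password, token, oauth1, mapped,
#     application_credential and openid; trim the list to the methods the
#     deployment actually uses.
#   - NOTE(review): confirm that `[trusted_ip] trusted_forwarded_for_header`
#     is an option the deployed keystone reads, and that a forwarded-for
#     header is only honoured when it comes from the trusted proxy.
keystone_patch_federation: |
  spec:
    tls:
      caBundleSecretName: keycloakca
    keystone:
      enabled: true
      apiOverride:
        route: {}
      template:
        customServiceConfig: |
          [token]
          expiration = 360000
          [federation]
          trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/
          sso_callback_template=/etc/keystone/sso_callback_template.html
          [openid]
          remote_id_attribute=HTTP_OIDC_ISS
          [auth]
          methods = password,token,oauth1,mapped,application_credential,openid
          [trusted_ip]
          trusted_forwarded_for_header=True
        httpdCustomization:
          customConfigSecret: keystone-httpd-override
        override:
          service:
            internal:
              metadata:
                annotations:
                  metallb.universe.tf/address-pool: internalapi
                  metallb.universe.tf/allow-shared-ip: internalapi
                  {% if ipv6_enabled | default(false) -%}
                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix_ipv6 | default('2620:cf:cf:bbbb') }}::50
                  {%- else -%}
                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
                  {%- endif %}

              spec:
                type: LoadBalancer
        databaseInstance: openstack
        secret: osp-secret

# NOTE(review): presumably the delay, in seconds, between retries while
# waiting for keystone; confirm against the task that consumes it.
keystone_retry_delay: 30

# LDAP patch: turns on domain-specific identity drivers and mounts the
# `keystone-domains` secret read-only at /etc/keystone/domains.
# The per-domain configuration comes from that secret rather than from this
# file; it presumably carries the LDAP bind credentials, so access to the
# secret should be limited accordingly.
keystone_patch_ldap: |
  spec:
    keystone:
      enabled: true
      apiOverride:
        route: {}
      template:
        customServiceConfig: |
          [token]
          expiration = 360000
          [identity]
          domain_specific_drivers_enabled = true
        extraMounts:
          - name: v1
            region: r1
            extraVol:
              - propagation:
                  - Keystone
                extraVolType: Conf
                volumes:
                  - name: keystone-domains
                    secret:
                      secretName: keystone-domains
                mounts:
                  - name: keystone-domains
                    mountPath: "/etc/keystone/domains"
                    readOnly: true
        override:
          service:
            internal:
              metadata:
                annotations:
                  metallb.universe.tf/address-pool: internalapi
                  metallb.universe.tf/allow-shared-ip: internalapi
                  {% if ipv6_enabled | default(false) -%}
                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix_ipv6 | default('2620:cf:cf:bbbb') }}::50
                  {%- else -%}
                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
                  {%- endif %}

              spec:
                type: LoadBalancer
        databaseInstance: openstack
        secret: osp-secret

# IPA-related variables
# ipa_ssh_host is the first DNS label of ipa_hostname.
# The two passwords are hard-coded, identical, and stored in clear text in
# this file. Treat them as throwaway lab defaults: override them from a vault
# or extra-vars for any IPA server that outlives the test run, and do not
# reuse the value elsewhere.
ipa_hostname: "osp-free-ipa-0.ooo.test"
ipa_ssh_host: "{{ ipa_hostname.split('.')[0] }}"
ipa_admin_password: "nomoresecrets"
ipa_user_password: "nomoresecrets"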