# Copyright 2021 Canonical Ltd.
# See LICENSE file for licensing details.

name: keystone-k8s
summary: OpenStack identity service
maintainer: Openstack Charmers <openstack-charmers@lists.ubuntu.com>
description: |
  Keystone is an OpenStack project that provides Identity, Token, Catalog and
  Policy services for use specifically by projects in the OpenStack family. It
  implements OpenStack's Identity API.
version: 3
bases:
  - name: ubuntu
    channel: 22.04/stable
assumes:
  - k8s-api
  - juju >= 3.1
tags:
  - openstack
  - identity
  - misc
source: https://opendev.org/openstack/charm-keystone-k8s
issues: https://bugs.launchpad.net/charm-keystone-k8s

provides:
  identity-service:
    interface: keystone
  identity-credentials:
    interface: keystone-credentials
  identity-ops:
    interface: keystone-resources
  send-ca-cert:
    interface: certificate_transfer

requires:
  database:
    interface: mysql_client
    limit: 1
  ingress-internal:
    interface: ingress
    limit: 1
    optional: true
  ingress-public:
    interface: ingress
    limit: 1
  amqp:
    interface: rabbitmq
    optional: true
  domain-config:
    interface: keystone-domain-config
  logging:
    interface: loki_push_api
    optional: true

peers:
  peers:
    interface: keystone-peer

storage:
  fernet-keys:
    type: filesystem
    description: |
      Persistent storage for the location of fernet keys
    minimum-size: 5M

  credential-keys:
    type: filesystem
    description: |
      Persistent storage for the location of credential keys
    minimum-size: 5M

containers:
  # The primary container that runs the keystone services
  keystone:
    resource: keystone-image
    mounts:
      - storage: fernet-keys
        # The fernet keys used for generated tokens are stored here. With a
        # mounted storage option, the fernet keys are persisted across
        # container restarts.
        location: /etc/keystone/fernet-keys/

      - storage: credential-keys
        # The credential keys used for generated credentials are stored here.
        # With a mounted storage option, the credential keys are persisted
        # across container restarts.
        location: /etc/keystone/credential-keys/

resources:
  keystone-image:
    type: oci-image
    description: OCI image for OpenStack Keystone
    # ghcr.io/canonical/keystone:2024.1
    upstream-source: ghcr.io/canonical/keystone:2024.1