|
| 1 | +--- |
| 2 | +# Copyright Red Hat, Inc. |
| 3 | +# All Rights Reserved. |
| 4 | +# |
| 5 | +# Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 6 | +# not use this file except in compliance with the License. You may obtain |
| 7 | +# a copy of the License at |
| 8 | +# |
| 9 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | +# |
| 11 | +# Unless required by applicable law or agreed to in writing, software |
| 12 | +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 13 | +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 14 | +# License for the specific language governing permissions and limitations |
| 15 | +# under the License. |
| 16 | +- name: Create kustomization to update Keystone to use security compliance configuration |
| 17 | + hosts: "{{ cifmw_target_hook_host | default('localhost') }}" |
| 18 | + tasks: |
| 19 | + - name: Create file to customize keystone for pci dss deployed in the control plane |
| 20 | + ansible.builtin.copy: |
| 21 | + dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_pci_dss.yaml" |
| 22 | + content: |- |
| 23 | + apiVersion: kustomize.config.k8s.io/v1beta1 |
| 24 | + kind: Kustomization |
| 25 | + resources: |
| 26 | + - namespace: {{ namespace }} |
| 27 | + patches: |
| 28 | + - target: |
| 29 | + kind: OpenStackControlPlane |
| 30 | + name: .* |
| 31 | + patch: |- |
| 32 | + - op: add |
| 33 | + path: /spec/keystone/template/customServiceConfig |
| 34 | + value: | |
| 35 | + [security_compliance] |
| 36 | + lockout_failure_attempts = 2 |
| 37 | + lockout_duration = 5 |
| 38 | + password_regex = ^.{7,}$ |
| 39 | + unique_last_password_count = 2 |
| 40 | + user_minimum_password_age = 0 |
| 41 | + disable_user_account_days_inactive = 1 |
| 42 | + password_expires_days = 90 |
| 43 | + mode: "0644" |
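Review bot: The `[security_compliance]` values in the embedded patch (new-file lines 35-42) are labelled PCI DSS by the task name but look tuned for fast test runs rather than for a compliance baseline. `lockout_duration = 5` is a five-second lockout, `disable_user_account_days_inactive = 1` disables accounts after one day, and `password_regex = ^.{7,}$` checks length only, with no character-class requirement. To stop the block being copied into a real control plane, add a comment above the `content:` key such as `# Test-only values chosen so lockout/expiry tests finish quickly; not a PCI DSS baseline.` Setting `password_regex_description` alongside the regex would also give rejected users a readable reason. Separately, a JSON-patch `add` on `/spec/keystone/template/customServiceConfig` replaces any value already set there, so confirm that no earlier kustomization relies on that field.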