We need flexibility to add securityContext to ks-user job at pod and container level,
so that it can be executed without elevated privileges.
Change-Id: Ibd8abdc10906ca4648bfcaa91d0f122e56690606
In cert-manager v1 API, the private key size "keySize" was updated to "size"
under "privateKey".
Support of minor (less than v1) API version is also removed for certificates.
Change-Id: If3fa0e296b8a1c2ab473e67b24d4465fe42a5268
Since most of the charts in both openstack-helm and
this repo use helm-toolkit, changes in helm-toolkit
have the possibility of impacting charts in the
openstack-helm repo and will not be caught in testing
here.
This change adds a conditional linter to lint the
charts in the openstack-helm repo if any changes
to helm-toolkit are made.
Change-Id: I0f6a935eca53d966c01e0902e546ea132a636a9d
This reverts commit 5407b547bb.
Reason for revert: This outputs duplicate securityContext entries,
breaking the yamllinter in osh. This needs a slight rework.
Change-Id: I0c892be5aba7ccd6e3c378e4e45a79d2df03c06a
If threads launch_cluster_Monitor() and launch_leader_election() operate on the configmap at the same time, it will cause an error 'Exception in thread "Thread-1"'.
This error will cause the thread to get stuck. Configmap will not be updated and the error "data too old" will be reported.
Just passing kubernetes_API exceptions is not enough, all are more appropriate.
Change-Id: I6baa9ece474f9c937fe9bce2231ef500562e0406
We need flexibility to add securityContext to ks-user job, so that it can be executed without elevated privileges.
Change-Id: I24544015816d57d86c1e69f44b90b6b0271e76a4
The fedora and centos jobs have not been used or maintained for
quite some time. This change removes them and the related notes.
Also removed an outdated note about disabling all the experimental
and periodic jobs.
Change-Id: Ic8eb628e21c49957bdcd10a8d69d850ec921b6d6
This change updates the ceph.conf update job as follows:
* renames it to "ceph-ns-client-ceph-config"
* consolidates some Roles and RoleBindings
This change also moves the logic of figuring out the mon_host addresses
from the kubernetes endpoint object to a snippet, which is used by the
various bash scripts that need it.
In particular, this logic is added to the rbd-pool job, so that it does
not depend on the ceph-ns-client-ceph-config job.
Note that the ceph.conf update job has a race with several other jobs
and pods that mount ceph.conf from the ceph-client-etc configmap while
it is being modified. Depending on the restartPolicy, pods (such as the
one created for the ceph-rbd-pool job) may linger in StartError state.
This is not addressed here.
Change-Id: Id4fdbfa9cdfb448eb7bc6b71ac4c67010f34fc2c
This change fixes two issues with the recently introduced [0] job that
updates "ceph.conf" inside ceph-client-etc configmap with a discovered
mon_host value:
1. adds missing metadata.labels to the job
2. allows the job to be disabled
(fixes rendering when manifests.job_ns_client_ceph_config = false)
0: https://review.opendev.org/c/openstack/openstack-helm-infra/+/812159
Change-Id: I3a8f1878df4af5da52d3b88ca35ba0b97deb4c35
The log-runner previously was not included in the mandatory access
control (MAC) annotation for the OSD pods, which means it could not
have any AppArmor profile applied to it. This patchset adds that
capability for that container.
Change-Id: I11036789de45c0f8f66b51e15f2cc253e6cb230c
A previous change to move the linting job to helm3 removed the
chart testing role. This change adds it back.
Change-Id: Ifb8b1885b4dbe8d964f46347c8c510c743af91f4
This reverts commit 122dcef629.
https://review.opendev.org/c/openstack/openstack-helm-infra/+/805246
The changes from the above patchset are a result of upgrading
Elasticsearch and Kibana images to v7.14. This image has been
reverted back to v7.9.2. As such, these changes are no longer
correct.
Change-Id: I44e9993002cbf1d2c4f5cb23d340b01bad521427
This change adds a condition to ensure that an IP address was
obtained for a ceph-mon kubernetes endpoint before building the
expected endpoint string and checking it against the monmap. If an
IP address isn't available, the check is skipped for that mon.
Change-Id: I45a2e2987b5ef0c27b0bb765f7967fcce1af62e4
As ceph clients expect the ceph_mon config as shown below for Ceph
Nautilus and later releases, this change updates the ceph-client-etc
configmap to reflect the correct mon endpoint specification.
mon_host = [v1:172.29.1.139:6789/0,v2:172.29.1.139:3300/0],
[v1:172.29.1.140:6789/0,v2:172.29.1.140:3300/0],
[v1:172.29.1.145:6789/0,v2:172.29.1.145:3300/0]
Change-Id: Ic3a1cb7e56317a5a5da46f3bf97ee23ece36c99c
The ceph-mon-check pod only knew about the v1 port before, and didn't
have the proper mon_host configuration in its ceph.conf file. This
patchset adds knowledge about the v2 port also and correctly configures
the ceph.conf file. Also fixes a namespace hardcoding that was found
in the last ceph-mon-check fix.
Change-Id: I460e43864a2d4b0683b67ae13bf6429d846173fc
In cases where the pool deletion feature [0] is used, but the pool does
not exist, a pool is created and then subsequently deleted.
This was broken by the performance optimizations introduced with [1], as
the job is trying to delete a pool that does not exist (yet).
This change makes the ceph-rbd-pool job wait for manage_pools to finish
before trying to delete the pool.
0: https://review.opendev.org/c/792851
1: https://review.opendev.org/c/806443
Change-Id: Ibb77e33bed834be25ec7fd215bc448e62075f52a
With the move to helm v3, helm status requires a namespace to be specified, but doing so breaks helm v2 compatibility. This change removes the usage of helm serve in openstack-helm-infra's deployment scripts.
Change-Id: I649512e17fc62049fef5b9d5e05c69c0e99635f9
With the move to helm v3, helm status requires a namespace to be specified, but doing so breaks helm v2 compatibility. This change removes the usage of helm serve in openstack-helm-infra's deployment scripts.
Change-Id: I7ed4a88fca679b1d27c74f0e260e690093fdf591