ADD openstack chart with values_overrides
* rabbitmq
* mariadb
* memcached
* keystone
* heat
* glance
This adds an umbrella chart that references other charts via
symlinks and includes global values.
Because chart values_overrides yaml apply to the main chart,
the umbrella chart has a chart-scoped replacement.
ADD openstack.sh deploy script
This script deploys all components with a single release.
ADD corresponding release notes
CHG wait-for-pods-sh to accept timeout argument
CHG get-values-overrides.sh to modify file path for subchart
Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
This change uses the helm-toolkit template for tolerations
in openstack services.
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I30ca8050e02a5deeec52319d45025f4af7139059
This reverts commit 73531436e9.
Reason for revert: When the keys are rotated, the links become
broken and keystone only uses the 0 key.
Change-Id: Iffc4ab5d659b01babe7b4f9ee35b0a5789dac3ec
Current implementation of Keystone prints a warning message if the
directory containing the fernet keys is world readable (o+r). As OSH
uses a volumeMount to handle fernet keys and is by default readonly,
there is no meaningful way to make the directory (not the keys) world
unreadable. Consequently, keystone just keeps logging that warning,
adding no particular value besides flooding the log.
Rather than disabling the log message in keystone (as that warning is
meaningful from a security standpoint), this patch set changes the way
we deal with the secret volume so the directory is no longer world
readable, so keystone will stop issuing that warning message.
Signed-off-by: Tin Lam <t@lam.wtf>
Change-Id: Id29abe667f5ef0b61da3d3825b5bf795f2d98865
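The o+r check that the commit above describes keystone applying to its fernet key directory, as an added Python example (not keystone's or openstack-helm's code): `key_repository_warnings` is this example's own approximation of the check behind that warning, and `build_repository` creates a constructed throwaway directory with placeholder files, not real fernet keys. It lets a chart author verify the mounted volume's modes before keystone starts logging.

```python
"""Added example (not keystone or openstack-helm code): reproduce the
world-readable (o+r) check on the fernet key repository that the commit
above describes, so a secret volume layout can be tested up front."""
import os
import stat
import tempfile


def key_repository_warnings(key_repository: str) -> list:
    """Return the permission problems keystone's warning is about.

    Approximation of keystone's check (assumption, not keystone's code):
    neither the directory nor any key file in it may be readable by
    'other'. Message wording is this example's own.
    """
    warnings = []
    if not os.path.isdir(key_repository):
        return [f"{key_repository}: key repository does not exist"]
    if os.stat(key_repository).st_mode & stat.S_IROTH:
        warnings.append(f"{key_repository}: directory is world readable")
    for name in sorted(os.listdir(key_repository)):
        path = os.path.join(key_repository, name)
        if not os.path.isfile(path):
            continue
        if os.stat(path).st_mode & stat.S_IROTH:
            warnings.append(f"{path}: key file is world readable")
    return warnings


def build_repository(directory_mode: int, key_mode: int, keys: int = 2) -> str:
    """Create a constructed key repository in a temp dir with the given modes.

    Files are named 0, 1, ... like fernet key files; contents are
    placeholders, not real keys. chmod is applied after creation so the
    process umask cannot interfere with the modes under test.
    """
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    for i in range(keys):
        path = os.path.join(repo, str(i))
        with open(path, "w") as fh:
            fh.write("placeholder-key-%d\n" % i)
        os.chmod(path, key_mode)
    os.chmod(repo, directory_mode)
    return repo


if __name__ == "__main__":
    # The situation the commit describes: key files restricted (as a secret
    # volume's defaultMode allows) but the directory itself world readable.
    noisy = build_repository(0o755, 0o600)
    print(key_repository_warnings(noisy))
    # Directory restricted to the owner as well: nothing to warn about.
    quiet = build_repository(0o700, 0o600)
    print(key_repository_warnings(quiet))
```

Run it as an unprivileged user; the directories are created under the system temp dir and are not cleaned up, since the point is to inspect them.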
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus, for Job templates previously missed, this adds labels matching
the underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ie438b449a3d9853d786215d40a39c32d164e9950
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
The default of 'domain_config_dir' in keystone is '/etc/keystone/domains'.
This patch adds the missing slash.
Change-Id: I30523ec3fd3144811a76b9078e915eff4ffa2b66
Keystone may communicate with other components that do not support TLS. This
patchset makes keystone more flexible and enables it to communicate successfully
with such components.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/800097
Change-Id: I5c697c1748b62a81b43e7b0d6c7f89d374a50d94
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other services, the TLSed
rabbitmq support should be added.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188
Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have been mounted somewhere but were being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
With keystone moving to flask back in Stein, the paste pipeline
configuration and file are no longer needed. With OSH no longer
supporting those older releases, this change removes the paste ini
settings and file mounts since they are no longer used.
Change-Id: Idacd973f090562eaee28567d9422eb761951096f
The pre-install hooks for several of the keystone templates
cause upgrade failures when using helm2. This change wraps them
in a conditional that can be toggled off for anyone still
using helm2.
Change-Id: I179583bd595bc8ed1e4c29eb7c2a744e3c6a5708
When using helm3 to deploy, it fails. Helm3 no longer supports rbac.authorization.k8s.io/v1beta1, but v1 works with both helm2 and helm3.
Change-Id: If37ec26443feb5328d49e6b3c419305832bdae9e
When using a chart with the flux operator and helm3, it fails
when encountering a volumeMount "subpath" instead of "subPath".
This change corrects the typo to the right camelcase entry.
Change-Id: Id2d9ea25445d84f89b299c7f0b24da1cc5aaf264
This patch makes the fernet and credential secret something that gets
created only once when the deployment is first done, as when using Helm,
it's possible that it overrides its values with an empty secret in the
runs afterwards.
By making it a hook, it will instead create it and leave an owner
reference in Helm 3 to delete it later if the release is deleted. It
will not manage it afterwards as well.
Change-Id: I7c1c97f38877e0e54bea7fc09b37dd6f77c9dc8a
When starting the keystone-api pod, the service checks for an
access_rules file for application credentials during startup.
If the file does not exist, keystone emits a warning saying the
file is not found:
WARNING keystone.access_rules_config.backends.json [-] No config
file found for access rules, application credential access rules
will be unavailable.: FileNotFoundError: [Errno 2] No such file
or directory: '/etc/keystone/access_rules.json'
This change adds in a blank access_rules.json file to the
keystone etc directory in order to suppress this message.
Change-Id: I63ac153cc91ac45b3fd223f8a54b933b5cbffac4
This updates the Keystone chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I0e00571d4060cca914d1bdb4f36e736fa8501130
This updates the Keystone chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I655ef19a3c187e3462ff8ec1a54bc9691ca64d41
This updates the Keystone chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true.
Change-Id: I2ac3a4efa6798e263de19f0db444f37c5236d121
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This patch set fixes an issue where the keystone chart's
domain-manage job/pod always restarts once due to a calculation
logic error.
Change-Id: I801d04559a526d3a7339cd5102f2e738af9f72e0
Signed-off-by: Tin Lam <tin@irrational.io>
In case of keystone-fernet-setup job rerun (delete and create),
fernet tokens are recreated, which leads to ongoing openstack requests
failing.
keystone-manage fernet_setup is idempotent, let's make the
keystone-fernet-setup job idempotent as well.
Change-Id: I62e741fe5192b7a0018bc84ccdac1ea5311a1e03
Pods for some of the CronJobs do not have correct
application and component labels applied, so they are
unable to start if Network Policies are enabled.
Change-Id: Ie4eed0e9829419b4b2e40e9b712b73a86d6fc3d2
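The batch/v1 Job label defaulting described in the two Helm 3 commits above (Ie438b449… and Ib5a7eb49…) and the missing pod labels in the CronJob commit just above, as one added Python example (not openstack-helm's or Kubernetes' code): `effective_labels` models the apiserver rule that only an empty Job label set is replaced by the pod template's labels, `render` models the `app.kubernetes.io/managed-by: Helm` label Helm 3 injects, and the two audit functions flag each problem on rendered manifests. The manifests, the `release_group` label and the `keystone-db-sync` / `keystone-fernet-rotate` names are constructed samples; `application` and `component` as the labels network policies key on come from the CronJob commit.

```python
"""Added example, not code from openstack-helm or Kubernetes: model the
batch/v1 Job label defaulting rule and audit rendered Job/CronJob
manifests for the two label problems the commits above fix."""
import copy

# What Helm 3 injects into every rendered resource (helm/helm#7649).
HELM3_INJECTED_LABELS = {"app.kubernetes.io/managed-by": "Helm"}
# Labels the CronJob commit says pods need once network policies are on.
REQUIRED_POD_LABELS = ("application", "component")


def pod_template(obj: dict) -> dict:
    """Return the pod template of a Job or CronJob manifest."""
    if obj["kind"] == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]
    return obj["spec"]["template"]


def render(obj: dict, helm3: bool) -> dict:
    """Simulate rendering: Helm 3 adds its managed-by label to metadata.labels."""
    rendered = copy.deepcopy(obj)
    if helm3:
        labels = rendered.setdefault("metadata", {}).setdefault("labels", {})
        labels.update(HELM3_INJECTED_LABELS)
    return rendered


def effective_labels(job: dict) -> dict:
    """Apiserver defaulting for batch/v1 Job: only an EMPTY label set is
    replaced by the pod template's labels; a non-empty one is left alone."""
    labels = dict(job.get("metadata", {}).get("labels") or {})
    template_labels = pod_template(job).get("metadata", {}).get("labels") or {}
    if not labels and template_labels:
        return dict(template_labels)
    return labels


def missing_job_labels(job: dict, helm3: bool = True) -> list:
    """Pod-template labels the Job object itself would NOT carry after
    rendering and defaulting. Non-empty means selectors keyed on Job
    labels (Armada hooks, kubernetes-entrypoint) stop matching."""
    rendered = render(job, helm3)
    have = effective_labels(rendered)
    want = pod_template(rendered).get("metadata", {}).get("labels") or {}
    return sorted(k for k in want if have.get(k) != want[k])


def missing_pod_labels(obj: dict) -> list:
    """Required labels absent from the pod template (the CronJob problem)."""
    labels = pod_template(obj).get("metadata", {}).get("labels") or {}
    return [k for k in REQUIRED_POD_LABELS if k not in labels]


def fix_job_labels(job: dict) -> dict:
    """The fix the Helm 3 commits apply to a Job: copy the pod-template
    labels onto the Job's own metadata so defaulting is not needed."""
    assert job["kind"] == "Job"
    fixed = copy.deepcopy(job)
    labels = fixed.setdefault("metadata", {}).setdefault("labels", {})
    labels.update(pod_template(fixed).get("metadata", {}).get("labels") or {})
    return fixed


# Constructed sample manifests (names and release_group are made up).
POD_LABELS = {"application": "keystone", "component": "db-sync",
              "release_group": "keystone"}

JOB_NO_LABELS = {
    "apiVersion": "batch/v1", "kind": "Job",
    "metadata": {"name": "keystone-db-sync"},
    "spec": {"template": {"metadata": {"labels": dict(POD_LABELS)},
                          "spec": {"containers": []}}},
}

CRONJOB_PARTIAL = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "keystone-fernet-rotate"},
    "spec": {"schedule": "0 */12 * * *",
             "jobTemplate": {"spec": {"template": {
                 "metadata": {"labels": {"application": "keystone"}},
                 "spec": {"containers": []}}}}},
}

if __name__ == "__main__":
    print("helm2:", missing_job_labels(JOB_NO_LABELS, helm3=False))
    print("helm3:", missing_job_labels(JOB_NO_LABELS))
    print("fixed:", missing_job_labels(fix_job_labels(JOB_NO_LABELS)))
    print("cronjob pods:", missing_pod_labels(CRONJOB_PARTIAL))
```

Under the Helm 2 simulation the unlabeled Job is fine because defaulting fills its labels in; under Helm 3 the injected label makes the set non-empty and every pod-template label goes missing, exactly the failure the commits describe, until the labels are set explicitly.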
This patch set is one of many to migrate existing code/script to be
python-3 compatible as python-2 is sunsetting in January of 2020.
Change-Id: I337069203a3273e9aba6a37294ee3c25e5b4870a
Signed-off-by: Tin Lam <tin@irrational.io>
Using the direct / path for the keystone probes can lead to the
probes receiving an http 300. We want to have an http 200 so there
is no warning from the probes. Use the full v3 path so the probes
are stable.
Change-Id: If8b45801bb053778bd2e1691ff8556aa73cb434d
In cases where mariadb is not accessible, either from being deleted
prior to deleting keystone, or some other reason, it is preferred
to fail and move on with the keystone-credential-cleanup.
This change adds hook-failed to the "hook-delete-policy" for the
keystone-credential-cleanup job. This addresses cases where deleting
keystone would cause the delete task to hang while the cleanup hook
would fail to connect to mariadb, often due to mariadb being already
deleted.
Change-Id: Ice7187fe6329c8b12333f508351bd5f9e2cdc8e2
Python 3 renamed ConfigParser module to configparser.
This patch fixes compatibility with Python 3 for the
keystone-credential-cleanup job.
Change-Id: I6e34ba995d7a02f94b12162f0e5f8f326dfa8108
The keystone-credential-cleanup hook was previously changed to
post-delete, this can cause issues where the serviceName is deleted
prior to running and will cause this to fail. This change reverts
the hook back to pre-delete to avoid this issue.
Change-Id: I45f3e73f8a957576ef82a733c1a7b7feaba7b679