As part of the move to helm v3, all the charts in the OSH repos
will no longer lint/build properly due to a lack of helm serve
in helm v3.
This change modifies the helm-toolkit repo location to the
osh-infra repo in order to account for the removal oh helm serve.
This work is part of the migration to helm v3 and will be utilized
in future changes.
Change-Id: I90d25943d69ad6c76455f7778a4894f00c525c46
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus, for Job templates previously missed, this adds labels matching
the underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ie438b449a3d9853d786215d40a39c32d164e9950
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
Chart upgrading was failing due to some immutable fields in job are needed to upgrade. So, we have added the helm.sh/hook annotations with post-install and post-upgrade values. As for hook-weight annotations, we have added these to control the flow of the jobs with hook creation as the jobs are dependent. Like, db-init jobs need to run before db-sync and so on. Also helm3_hook value is introduced in values.yaml, which can be used to disable helm hook if needed.
Change-Id: Idb4b992b4061f4a014570b7933a585df1a096299
Defines compute kit and cinder jobs for new releases with
corresponding values overrides.
Disables compute agent list test for Wallaby since related API
is removed [0].
Since Wallaby with switch of osc to sdk '--id auto' is no longer
treated specially in 'openstack flavor create'. The same behavior
can be achieved w/o specifying --id flag for flavor creation [1].
Starting Wallaby 'nova-manage api_db version' returns init version
for empty database greater than 0 [2]. _db-sync.sh.tpl logic prior to
this commit does not work due to this. We need to either remove
(done in current commit) or justify and alter previous logic.
[0] https://review.opendev.org/749309
[1] https://review.opendev.org/750151
[2] https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32
Change-Id: I361431d9aa8c1a06c5d59f479fb161ecd87e2ee2
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other service, the TLSed
rabbitmq support should be added.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188
Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
This is to fix the ceph version checks for enabling the applications
on newly created pools for openstack services like cinder and glance.
Change-Id: I2c007f728180cf7753255463ebf2f8dc5dc6fa5b
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.
Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
Currently, when users try to navigate through horizon
panels or use the command-line interface that contains
calls to /api/glance/metadefs it will pop up insufficient
permission errors due to the fact we are disabling [1]
the metadef APIs in glance addressing OSSN-0088 [2].
As a side effect on how we address the OSSN, all API calls
to metadefs will be forbidden for any user, which is not recommended
in production environments. However, we have the current
recommendation of the OSSN which allows CRUD of metadef to
admin only and provide read access to all users.
[1] aab5ee7711
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Story: 2008761
Task: 42128
Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
There was an issue with the metadef APIs in glance, detailed in
the latest OSSN[0] that they have the potential to leak resources.
This change updates the default policy for the metadef APIs to
be disabled by default.
[0] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Change-Id: I7377b3a2f3784fe7da78bdd7aba146328cc0f406
When using a helm3 to deploy , it fails
Helm3 no more support rbac.authorization.k8s.io/v1beta1 , but v1 can
support helm2 and helm3.
This change optimized deployment.
Change-Id: I107d6e965ca00a6d8b766e91573be2c9aeb4f782
ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, same
ClusterIssuer can be used instead of one Issuer per namespace.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359
Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: If537f69dec7e3360f6bffcc4424f10c248919ece
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.
Change-Id: I7e4b191fb9e355ab5d5a233e8ed121346519df62
Some OSH charts have diffferent values for logger_root
handler from upsgream repo config defaul values.
Exactly, logger_root handler values.
This leads double logging finally.
To fix this, set logger_root as null like upstream repos.
Change-Id: I20e4f48efe29ae59c56f74e0ed9a4085283de6ad
'function' keyword is a bash extension and not recognizable by sh.
Change-Id: I96205e337a28e12f3e3d06ca99e5f04e0f9a38f4
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
This change updates the xrally image from 1.3.0 to 2.0.0
in order to better match the current versions of openstack
we are running in the gate.
Change-Id: I3f417a20e0f6d34b9e7ed569207a3df90c6ddfd2
This patch set add CA certificate to glance storage init and also
converts the nginx.sh script to shell script.
Change-Id: If3e0cd194af7ed3e15668df799b2b9026e0135d8
This corrects an issue with glance registry ingress failing due to a
name mismatch. This also provides a proper glance registry public secret that was
missing.
Change-Id: Ibe3d5ca774365b7f4df01940884953fc0181394f
Signed-off-by: Tin Lam <tin@irrational.io>
This updates the Glance chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I0a164ed48dd11780b4fdbb8be6b492fb45efe0aa
This updates the Glance chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I49ac688fa9cb73ddbc215198c74fae26f503cb51
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This reverts commit 1c85fdc390.
Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also previous behaviour didn't allow to use cache during rolling upgrade
as new pods were spawned with new key.
Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
