This PS adds namespace and fqdn support to endpoint lookup functions,
it also permits over-riding of the puplic endpoint for ingress.
Change-Id: Ib61c5c00a214d75fe85fbffe9080c2ae88bd8cb9
Before this change, there was no ability to append custom volume for
any of the services. The reason was a missing new line character, so
the templates were formatted like this:
- name: pod-shared
mountPath: /tmp/pod-shared - mountPath: /tmp/test2
name: test2
Apart from that, for some of the services (mostly job-bootstrap) invalid
indentation for custom volumes (and their mounts) was set.
Closes-Bug: 1712745
Change-Id: Ib57c76a34c0e28ad9e67ea47d1fc250b17711a42
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
This PS adds a configmap teplater helper to helm-toolkit. It makes it
simpler to write consistent charts that supports over-riding of all
values.
Change-Id: I9a587999859ea02802485eb25a3f0ebec8c712a8
Now, openstack-helm support "helm test" function, and It execute rally
container.
Rally also can test Tempest itself, so this fix will be add tempest
test in rally container.
Change-Id: I2c2f684f6583f2a3d9c7279a3d85cb242934e90e
Implements: blueprint add-tempest-in-helm-test
This PS removes the licence header from rendered output from tiller,
significantly reducing the configmap size of charts deployed to the
cluster.
Change-Id: I5d1b246f2068f3b83bf59ba79fe8b88bbc9a6161
This PS allows the rendering of manifests to be controlled. It enables
both increased control over deployment when required but also makes
development of a feature easier to target.
Change-Id: I1716e8ee23fe5c53f935bd739ea283bc4a2a9963
This PS adds labels to all jobs in OpenStack-Helm, allowing them to be
found by label searches. This makes management of large clusters using
tools like Armada easier.
Change-Id: I49b2cb7a94fab96958f187ca11e2c2a0c80ff843
Keystone is using keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job setting key repository up and rotate job for those keys. All is
based on implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
This PS moves the mounts key to be under the pod key in the values.
It brings further consolation of related configuration params to be
nested under common keys across all charts.
Change-Id: If9963e4f8b438847e2fcad3bdd8c0d71ca9ecdd8
This PS move s the replicas key to be under the pod key in the values.
It brings further consolation of related configuration params to be
nested under common keys across all charts.
Change-Id: I420b06debd0a62ba5d83497be43ff6c49c49d339
This patchset enforces stricter file permission on *-etc configmap and
sets readOnly flag to true in a number of charts.
Change-Id: I233689a5d56dd1352e0d81997a94b4cdd6bed5d2
Signed-off-by: Tin Lam <tin@irrational.io>
This PS unifies and normalises Kubernetes resource allocation and
update strategy across all OpenStack-Helm elements.
Change-Id: Ia41fc453cb5191fa447ca6e1aa0f5b431c939dc8
This PS moves keystone credentials to the endpoints section within
the values.yaml, and also adds a 'secrets' key, allowing standardiation
of secrets and credential management across OpenStack-Helm.
Change-Id: I86a21e625afd822379ac11351603b2c606a3769f
gen-oslo-openstack-helm generated configuration file templates in
incorrect form, causing setting mulitple values in Values.yaml to
produce something like:
foo=barfoo=baz
This commit fixes this in the generator and updates config file
templates to generate configs correctly:
foo=bar
foo=baz
Change-Id: Iea661dcf1710987b2e111d7141ba888f01c44a50
Closes-Bug: 1699581
This PS adds soft anti-affinity to all pods in OS-H. By doing so
resiliancy is improved by attempting to ensure that pods are created
on seperate nodes.
Change-Id: I0c1092498f7a1e44218ef785ca3f73fa9f49819c
The existing entrypoint logic used static names to reolve dependencies.
This prevented the service names, and thus the hostnames of services
being altered. This PS resolves that issue by looking up the service name
from the endpoints specified in the values for a chart.
Partial-Implements: blueprint enhance-entrypoint-dependency-checking
External-Tracking-Id: OSH-21
Change-Id: Ib49490f332f8cd88e98c50d9335dfd314a170936
The admin_token_auth in keystone paste posts a security issue, and has
been deprecated in the M release, and removed in O release. Operators
should be using ``keystone-manage bootstrap`` to bootstrap the "admin"
user. This patch set removes the filter and its usage in the various
pipelines from the paste.ini file.
Implements: bp keystone-admin-token-disable
External-Tracking-Id: OSH-102
[0] https://blueprints.launchpad.net/openstack-helm/+spec/keystone-admin-token-disable
Change-Id: I5ae29cad4f7daa4bc8fa117b6f5ed998c2ec6cad
This PS sets the default modetype of mounts from *-bin configmaps
to 0555, and removes the then unnecessary commands from the manifests.
Change-Id: I93ce0facb06affdf362a58f8520e69ba94ea3034
This PS helps improve the Image agnosticism of the Keystone chart.
This is achieved by removing the presumed locations of the Keystone
WSGI scripts, enabling support for images that either do not use a venv
or the same venv location that Kolla uses.
Change-Id: Id04f5e485d6a421b6ac7464cbb14f0e3819b778d
With 1.6, init containers are officially part of the kubernetes
API. This changes the format of the helm template for the
entrypoint container from json to yaml, and updates the
charts accordingly.
Co-Authored-By: Pete Birley <pete@port.direct>
Change-Id: I569566ce4b031d107af2d38483040a26210bec45
This PS introduces 'helm test' functionaility to keystone and
provides the basic framwork for charts to use.
Change-Id: Ie84a6ca0ed007fb55e10d503d1c3e49788908eec
Partial-Implements: blueprint implement-helm-test-for-charts
This commit fixes some warnings shown by `keystone-manage doctor`
command that are present in Keystone installed with default chart
configuration. In particular:
* Set max_toke_size=32 as this is correct value for uuid token provider.
* Enable caching using memcache by setting [cache] memcache_servers
option correctly in configmap-etc.yaml
Change-Id: I38cc7be577e0a7cd9be715e633f3637baafcc21b
Closes-Bug: 1693806
This PS add Barbican support, and moves all potentially container
specific logic into the service start script from the api manifests.
Also fixes a permissions issue with the nova-api, which incorrectly
had the NET_ADMIN capability.
Change-Id: I18fc1ea5d7aa70ea7dabb829361a3da57e905100
This commit adds graceful termination to all existing charts.
It also adds a setting in the values.yaml file for clarity and
the ability to override if wished.
Change-Id: I42025e4be86d248be467c1d2f0980f864c4d440e
This PS updates the Keystone template to use a template generated
from the current version of the oslo-gen util.
Change-Id: Id900da732a49b2e154baf950881f0bd15ce3672e
This PS updates the way helm-toolkit functions are named to
reference the full path they are loacted at. This should make
development and debugging easier. Addtionally unused functions
have been pruned as well.
Change-Id: I03c553f1d01bccc70c86768b416b147c90d9b2f0
This is the initial pod disruption budget that will serve as the template
for all services in OpenStack-Helm.
Partially-Implements: blueprint add-pod-disruption-budgets
Change-Id: I67eeaa66257e793f77a089f3bc0dd4b700638c63
Keystone service.yaml currently has duplicate selector entries.
This patch set removes the duplicate.
Change-Id: Ic3e195e354b69683f8f3e8b6bb8f4b3a72b75cdb
This patch set moves the required keystone config files to the manifests, and
allows users to specify their own additional volume mounts if necessary.
Change-Id: I622abbba3e19390ce1003441eb9c0a3477754b82
The Keystone Chart had some extranious whitespace at the
end of lines, this commit rectifies that.
Change-Id: I4da8e4812a5aa92b85cc3baa3f76d08ba5967091
* Initial Commit of Nova Configuration Overrides
This commit is an evolution of the initial keystone configuration
overrides work
It expands upon that work by introducing many of the same concepts
into nova. It differs in that a few concepts were changed. Namely
the helm-toolkit/_oslo.tpl concept was abandoned, as there are too
many unique oslo paths for configuration elements, so dynamic oslo
setting mechanism was moved locally into configmap-etc.yaml, where
it is generally used.
Secondly, in nova the mount override effort was altered to instead
provide mount "append" capability. Keeping the manifest mounts
closer to the actual pod, and keeping values.yaml a tad smaller.
This still allows the original flexibility of operators adding
mounts, but they cannot "undo" any of the charts built in mounts.
There were several manual tweaks that needd to be done to _nova.conf.tpl
after the oslo-config-gen process this time. This is because there is a
bug in the newton version of generating this file. It does not include
the proper service authentication credentials in the [keystone_authtoken]
section. Future releases have a separate service credentials section
so future config generations will likely not need these added lines.
* Remove unused values.yaml parameters
Fix references to removed helm-toolkit oslo macro
* resolve nova feedback
* bugfix nova-etc/nova-bin swap
