This PS fixes a rendering error in the joinListWithComma function
when used with values from the helm --set cli command.
From Kolla-Kubernetes: https://review.openstack.org/#/c/488513/
All Credit to: Serguei Bezverkhi
Change-Id: I013a37f5e6dec43232c6ee300be8f918f9ef554a
Keystone is using keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job that sets up the key repository and a rotate job for those keys. All is
based on the implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared across the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
  and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
  directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless the fernet-rotate job runs before all of the pods
notice the change in the secret. As in a real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
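
The lag tolerance the commit message above relies on, modelled as an added example (not part of the commit or of OpenStack-Helm). The layout with index 0 as staged key and the highest index as primary, and max_active_keys=3, follow Keystone's fernet key repository; HMAC-SHA256 stands in for Fernet encryption, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed model of a Keystone fernet key repository: {index: key}.
# Index 0 is the staged key, the highest index is the primary key.
# HMAC-SHA256 stands in for Fernet so the example needs only the stdlib.

def new_repo():
    """What a setup job would produce: one staged and one primary key."""
    return {0: os.urandom(32), 1: os.urandom(32)}

def rotate(repo, max_active_keys=3):
    """Promote the staged key to primary, stage a fresh key, purge the oldest."""
    rotated = {i: k for i, k in repo.items() if i != 0}
    rotated[max(repo) + 1] = repo[0]
    rotated[0] = os.urandom(32)
    while len(rotated) > max_active_keys:
        del rotated[min(i for i in rotated if i != 0)]
    return rotated

def issue(repo, payload):
    """Sign with the primary (highest-index) key."""
    tag = hmac.new(repo[max(repo)], payload, hashlib.sha256).digest()
    return payload, tag

def validate(repo, token):
    """Accept the token if any key in this pod's repository verifies it."""
    payload, tag = token
    return any(
        hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), tag)
        for k in repo.values()
    )

def lag_experiment(rotations_missed):
    """Return (fresh pod's token valid on stale pod, stale pod's token valid on fresh pod)."""
    stale = new_repo()            # pod that has not yet seen the updated secret
    fresh = dict(stale)
    for _ in range(rotations_missed):
        fresh = rotate(fresh)     # rotate job updates the secret
    return (validate(stale, issue(fresh, b"user-1")),
            validate(fresh, issue(stale, b"user-1")))

if __name__ == "__main__":
    for missed in (0, 1, 2):
        print(missed, lag_experiment(missed))
```

A pod that is one rotation behind still interoperates because the new primary was already present as its staged key; two missed rotations break validation in both directions.
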
Glance bootstrap job fails due to missing 'paste_deploy' values.
This PS solves the issue by adding the values to glance chart.
Change-Id: I850863fe29c25aab9cf57eee62098e2b5d23a7f8
Closes-Bug: 1705421
Currently the Ceph namespace job cleaner uses a fixed name. This causes
helm delete to fail to clean up the Ceph package. This fix randomizes the job
name to avoid name conflicts.
DocImpact
Closes-Bug: #1707670
Change-Id: I7ac7b7482b945a9a836f6f69df0ef8cebc37bafb
This PS fixes the openstack endpoint show option in _ks-endpoint.sh,
as job-ks-endpoint fails when an endpoint needs to be updated.
Change-Id: I8aa05f3d40e7825410eace3ad7b44d36e3bb6434
This PS adds loopback device support to the gate scripts.
Rather than using simple loopback devices we use iscsi to
allow us to target the created devices via the bus they are
connected to. An arbitrary number of devices of a desired size
can be created, and controlled via env vars.
Change-Id: I05fb7f3a1564bc36903aed2c46ed996bb8cc57c8
This PS updates the nova bootstrap job, both bringing it inline with
other services and also adding the default flavours from Mitaka.
By setting the m1.tiny size to match the upstream it is expected
that the majority of gate failures will be solved - as many of the
VMs in nodepool do not have 20GB of free space on the rootfs.
Change-Id: I767795015422a1b326a6f34b5a3f50bf41a0ca4b
This PS updates the MariaDB start script to remove templated values
from being directly inserted into the script. It also moves the
root connection params to a secret to prevent the root password
being exposed in logs.
Change-Id: I10977ef267877a5913bf265280ff5439c7bf268c
Fixes the reference to mariadb replicas used when adding pods to
the mariadb cluster. This was causing nodes to not be added to
the cluster properly
Change-Id: I9df586c8939e241ea58d933652c767542fd364ff
This PS allows an operator to change the service account password
through the values fed into a chart.
Change-Id: If3a859f0db84237c71303ef329573c7d6aafdae7
This PS updates the pod affinity function to allow customisation by
operators at the point of deployment.
Change-Id: I8b7b2f584e990e068051d9a6d5cc7b1e1adb5aa5
Adds the specs/ directory to openstack-helm for housing future
specifications for the project. It also includes an appropriate
README with directions for drafting specs, links to the openstack
resources for bp+spec lifecycle, and a template for use in
drafting specifications
Change-Id: Ice23447b358b520a8b4fb703fc836e8f09fa34d1
The issue was with type of upgrade strategy, which was rendered as empty.
It was due to wrong access to the pod_replacement_strategy, which was
out of modified scope:

    daemonsets:
      pod_replacement_strategy: RollingUpdate
      dhcp_agent:
        enabled: false
        min_ready_seconds: 0
        max_unavailable: 1

and the snippet was modifying the scope to daemonset.dhcp_agent, then
trying to access daemonsets.dhcpagent.pod_replacement_strategy, which was
not there:

    {{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component }}
    updateStrategy:
      type: {{ .pod_replacement_strategy }}

The fix is to evaluate the common variable before entering the scope
modification.

    {{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
      type: {{ $pod_replacement_strategy }}

Change-Id: I78937b1bf1e0d50ca372de095582c71105d76331
Closes-Bug: 1705662
If you re-install the glance chart with a fixed bootstrap image id
in your own ceph environment, the glance chart can't create the bootstrap
image because the same object already exists in ceph.
This patch adds a job-clean that removes the bootstrap image when you
delete the glance chart.
Change-Id: I4ca55f0500479cbc48eff4133c7ac1683a76e60f
Closes-Bug: #1705386
Nginx's configuration has the underscore header value disabled.
When uploading image, glance api uses underscore header.
For example, x-image-meta-disk_format or x-image-meta_name.
Change-Id: I86e7f7d8d908904a4e45fa68f6bd613028d45801
When trying to re-install ceph chart, the
ceph-namespace-client-key-generator job is not working because of the
already created pvc-ceph-client-key secret.
So it needs to remove the secret when deleting ceph chart.
Closes-Bug: #1705177
Change-Id: I7338a516fe3b9f265953b8b1fddd3dbfb97bafd2
Ceph mon has been changed from a statefulset to a daemonset,
so the PodDisruptionBudget is no longer needed.
Change-Id: I86d46ed2e6377177eff9251d5e4f3bb433eaf250
Ceph's health when running in the single node gate currently
is 'HEALTH_WARN'. This PS adds an extra config option such that
the ceph cluster will not attempt to perform replication when deployed
on a single node, as well as introduces a mvp yaml file for ceph
deployments in the gate.
Change-Id: Ib2ec3345140f541c94da044ff9d77723ea3ee2bd
This enhances the stability and recovery of ceph by leveraging
hostNetworking for monitors as well as OSDs, and enables the
K8S_HOST_NETWORK variable within ceph-docker. This enhancement should
allow recovery of monitors from a complete downed cluster.
Additionally, ceph's generic "ceph-storage" node label has been
split out for mon, mds, and osd.
Co-Authored-By: Larry Rensing <lr699s@att.com>
Change-Id: I27efe5c41d04ab044dccb5f38db897cb041d4723
This PS moves the mounts key to be under the pod key in the values.
It brings further consolidation of related configuration params to be
nested under common keys across all charts.
Change-Id: If9963e4f8b438847e2fcad3bdd8c0d71ca9ecdd8
This moves the set of ceph entrypoint scripts into the helm chart;
this allows us to control how the different pods start. Also gives
each script the +x flag to give better insight as to the execution of
entrypoint scripts.
Change-Id: Ib78b8a5d57f653bdb399a1980b34ab5ea25f94cc
This PS moves the replicas key to be under the pod key in the values.
It brings further consolidation of related configuration params to be
nested under common keys across all charts.
Change-Id: I420b06debd0a62ba5d83497be43ff6c49c49d339
Hardened the grep/awk that extracts the default interface for use
as the tunneling interface. The command failed on multiple
Ubuntu machines as-was.
Change-Id: Ib7d0a8e55e67391d6cb7a58910cfc2ed617a4cbc
This PS updates the Multinode Doc for Ceph deployment now that we
have bootstrap capability within the chart.
Change-Id: I40110db926bbbcbfb5a08300784e6a9735d32955