Keystone is using keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job setting key repository up and rotate job for those keys. All is
based on implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
This PS updates the pod affinity function to allow customisation by
operators at the point of deployment.
Change-Id: I8b7b2f584e990e068051d9a6d5cc7b1e1adb5aa5
This PS moves the mounts key to be under the pod key in the values.
It brings further consolation of related configuration params to be
nested under common keys across all charts.
Change-Id: If9963e4f8b438847e2fcad3bdd8c0d71ca9ecdd8
This PS move s the replicas key to be under the pod key in the values.
It brings further consolation of related configuration params to be
nested under common keys across all charts.
Change-Id: I420b06debd0a62ba5d83497be43ff6c49c49d339
This patchset enforces stricter file permission on *-etc configmap and
sets readOnly flag to true in a number of charts.
Change-Id: I233689a5d56dd1352e0d81997a94b4cdd6bed5d2
Signed-off-by: Tin Lam <tin@irrational.io>
This PS unifies and normalises Kubernetes resource allocation and
update strategy across all OpenStack-Helm elements.
Change-Id: Ia41fc453cb5191fa447ca6e1aa0f5b431c939dc8
This PS moves keystone credentials to the endpoints section within
the values.yaml, and also adds a 'secrets' key, allowing standardiation
of secrets and credential management across OpenStack-Helm.
Change-Id: I86a21e625afd822379ac11351603b2c606a3769f
gen-oslo-openstack-helm generated configuration file templates in
incorrect form, causing setting mulitple values in Values.yaml to
produce something like:
foo=barfoo=baz
This commit fixes this in the generator and updates config file
templates to generate configs correctly:
foo=bar
foo=baz
Change-Id: Iea661dcf1710987b2e111d7141ba888f01c44a50
Closes-Bug: 1699581
This PS adds soft anti-affinity to all pods in OS-H. By doing so
resiliancy is improved by attempting to ensure that pods are created
on seperate nodes.
Change-Id: I0c1092498f7a1e44218ef785ca3f73fa9f49819c
This PS makes the initial Keystone Admin and Service account users
members of the projects that they are in.
Change-Id: I2de081a216b7e7b99d301ab605c84d882cdb5840
The existing entrypoint logic used static names to reolve dependencies.
This prevented the service names, and thus the hostnames of services
being altered. This PS resolves that issue by looking up the service name
from the endpoints specified in the values for a chart.
Partial-Implements: blueprint enhance-entrypoint-dependency-checking
External-Tracking-Id: OSH-21
Change-Id: Ib49490f332f8cd88e98c50d9335dfd314a170936
The admin_token_auth in keystone paste posts a security issue, and has
been deprecated in the M release, and removed in O release. Operators
should be using ``keystone-manage bootstrap`` to bootstrap the "admin"
user. This patch set removes the filter and its usage in the various
pipelines from the paste.ini file.
Implements: bp keystone-admin-token-disable
External-Tracking-Id: OSH-102
[0] https://blueprints.launchpad.net/openstack-helm/+spec/keystone-admin-token-disable
Change-Id: I5ae29cad4f7daa4bc8fa117b6f5ed998c2ec6cad
Currently, the memory and cpu limits are identical to the requests.
This patch set ups the limits to be similar to other services
such as nova and neutron.
Change-Id: I16985e622bdca95d88585d2f1e5bbb09e7dc766b
Memcached is required by keystone to work optimally, this PS adds
it as a requirement. It could be argued that RabbitMQ should be
added as well, but this is only required when using Ceilometer AFAIK.
Change-Id: If2eec45455e05972c0fbb534262e5b1b69cef3b3
This PS sets the default modetype of mounts from *-bin configmaps
to 0555, and removes the then unnecessary commands from the manifests.
Change-Id: I93ce0facb06affdf362a58f8520e69ba94ea3034
This PS helps improve the Image agnosticism of the Keystone chart.
This is achieved by removing the presumed locations of the Keystone
WSGI scripts, enabling support for images that either do not use a venv
or the same venv location that Kolla uses.
Change-Id: Id04f5e485d6a421b6ac7464cbb14f0e3819b778d
With 1.6, init containers are officially part of the kubernetes
API. This changes the format of the helm template for the
entrypoint container from json to yaml, and updates the
charts accordingly.
Co-Authored-By: Pete Birley <pete@port.direct>
Change-Id: I569566ce4b031d107af2d38483040a26210bec45
This PS introduces 'helm test' functionaility to keystone and
provides the basic framwork for charts to use.
Change-Id: Ie84a6ca0ed007fb55e10d503d1c3e49788908eec
Partial-Implements: blueprint implement-helm-test-for-charts
This commit fixes some warnings shown by `keystone-manage doctor`
command that are present in Keystone installed with default chart
configuration. In particular:
* Set max_toke_size=32 as this is correct value for uuid token provider.
* Enable caching using memcache by setting [cache] memcache_servers
option correctly in configmap-etc.yaml
Change-Id: I38cc7be577e0a7cd9be715e633f3637baafcc21b
Closes-Bug: 1693806
This PS add Barbican support, and moves all potentially container
specific logic into the service start script from the api manifests.
Also fixes a permissions issue with the nova-api, which incorrectly
had the NET_ADMIN capability.
Change-Id: I18fc1ea5d7aa70ea7dabb829361a3da57e905100
This commit adds graceful termination to all existing charts.
It also adds a setting in the values.yaml file for clarity and
the ability to override if wished.
Change-Id: I42025e4be86d248be467c1d2f0980f864c4d440e
This PS updates the Keystone template to use a template generated
from the current version of the oslo-gen util.
Change-Id: Id900da732a49b2e154baf950881f0bd15ce3672e
This PS updates the way helm-toolkit functions are named to
reference the full path they are loacted at. This should make
development and debugging easier. Addtionally unused functions
have been pruned as well.
Change-Id: I03c553f1d01bccc70c86768b416b147c90d9b2f0
With pod disruption budget set it is not possible to drain nodes
and perform other expected operations. This PS changes the default
value to 0, restoring the typically expected operation of pods.
Change-Id: I43ef35638c98caee2cf567487173399157000ada
Addresses consistency issues that appear with autoincrement fields in
the existing chart, as demonstrated in [1]. It should allow automatic
recovery of 2 out of the 3 (default) cluster members.
It does not address automatic recovery of a complete shutdown of all
cluster nodes.
[1] https://review.openstack.org/#/c/465977/
Change-Id: I84c86e1862f03a6d381bf219b821ea3636049f0b
This is the initial pod disruption budget that will serve as the template
for all services in OpenStack-Helm.
Partially-Implements: blueprint add-pod-disruption-budgets
Change-Id: I67eeaa66257e793f77a089f3bc0dd4b700638c63
OpenStack Foundation started serving project mascots files on
openstack.org. This commit adds URLs to those files as chart icons for
OpenStack projects.
Change-Id: I2482174cd1d9a0f32df91d7d81974a0dc37f5c4d
Keystone service.yaml currently has duplicate selector entries.
This patch set removes the duplicate.
Change-Id: Ic3e195e354b69683f8f3e8b6bb8f4b3a72b75cdb
This PS proposes a potential enhancement to the chart.yaml, idealy
this would also reference the project Mascot but currently there is
no CDN (that I'm aware of) hosting these images publicly.
Change-Id: I5160290e1e6b4bc67486e9834461ebfaa00bf665
This patch set moves the required keystone config files to the manifests, and
allows users to specify their own additional volume mounts if necessary.
Change-Id: I622abbba3e19390ce1003441eb9c0a3477754b82
This PS updates the chart.yaml to be consistent across the repo, and
changes the description to make clear that they are the OpenStack-Helm
derived versions of the charts while using `helm search`.
Change-Id: Iac3cfd2cddba7130b28a65c3d353712c8a3aa02b
The Keystone Chart had some extranious whitespace at the
end of lines, this commit rectifies that.
Change-Id: I4da8e4812a5aa92b85cc3baa3f76d08ba5967091
* Initial Commit of Nova Configuration Overrides
This commit is an evolution of the initial keystone configuration
overrides work
It expands upon that work by introducing many of the same concepts
into nova. It differs in that a few concepts were changed. Namely
the helm-toolkit/_oslo.tpl concept was abandoned, as there are too
many unique oslo paths for configuration elements, so dynamic oslo
setting mechanism was moved locally into configmap-etc.yaml, where
it is generally used.
Secondly, in nova the mount override effort was altered to instead
provide mount "append" capability. Keeping the manifest mounts
closer to the actual pod, and keeping values.yaml a tad smaller.
This still allows the original flexibility of operators adding
mounts, but they cannot "undo" any of the charts built in mounts.
There were several manual tweaks that needd to be done to _nova.conf.tpl
after the oslo-config-gen process this time. This is because there is a
bug in the newton version of generating this file. It does not include
the proper service authentication credentials in the [keystone_authtoken]
section. Future releases have a separate service credentials section
so future config generations will likely not need these added lines.
* Remove unused values.yaml parameters
Fix references to removed helm-toolkit oslo macro
* resolve nova feedback
* bugfix nova-etc/nova-bin swap
