This disables static page on Apache which would disable Directory
Listings. This is done as a part of Security defect.
Change-Id: Ia1aa07c83c0db9dc33be6d1dfa7e2e60b3a33de9
This updates the Armada LMA manifest to include overrides for
recent changes to the LMA services in osh-infra
Change-Id: Ib1ec2c23570a86d63df35a9f0d690d9e625f1dd0
The repo used both openstackdocstheme and oslosphinx in requirements but
then configured openstackdocstheme, remove oslosphinx everywhere.
Instead of using sphinx-build, use docstheme-build-translated.sh to
build English and translated documents.
Update doc/source/conf.py for newer openstackdocstheme and require
a new enough version.
Remove module index - it does not exist, this is not a python repo where
autodoc works.
Remove sphinx-quickstart generated output from index.rst, it's not
needed anymore.
Change-Id: Ib3f09128226f0bcc78384b1ee2da811d62a5b59d
- Change all tests to support Mimic and Luminous releases
- Update ceph-config-helper dockerfile to use Mimic Ceph binaries
Change-Id: I06a545c1964eaa5b983c58db48b6ad4ccaaa3b8b
A change was merged that had commented out the check jobs. This
simply uncomments them so checks run against changes to
openstack-helm
The change can be found here: https://review.openstack.org/#/c/591808/48
Change-Id: Ia100f1248ebe783d154420c543a9b19fb1ba4ccc
neutron-sanity-check module load logging.conf file
but there is no config file.
Change-Id: I5e6dd298ccd9fb5432002f76bad3931ec035bb16
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
cinder volume can be created with glance image.
but network policy of glance didn't allow for cinder.
so it should be added cinder podSelector on glance network policy.
ex. openstack volume create --image XXX --size 1 valume-name
Change-Id: Ia41961e16e2583ab571ed8a851a2ee2d14aa71c5
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patch fixes the network policy issue when use nodeport mode.
If you enable node port witout this patch, it will block by network policy.
so should be allowed tcp port of horizon when use nodeport.
Change-Id: I5e2622c29c6a32ab6d1c5d99d84d4f13382dab65
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
securitycontext with non-root user is implemented at pod level
and leveraged the helm-toolkit snippet
Fix for adding allowPrivilegeEscalation flag as a blanket
policy on the pod in the keyston chart
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I15333df4707948e50deb935ffc1ee599588e4788
This change sets lockout_failure_attempts and lockout_duration
configuration options in security_compliance group.
Change-Id: I72910e52239ace23b92d826794cd0603a061e6c3
This patchset updates the chart configuration overrides to account
for functionality supported with the move to Ocata over Newton.
This includes updating the OpenStack service logging configuration
to leverage the fluent handler/formatter that was introduced in the
Ocata release, updating Fluentd's configuration to filter out
duplicate logs, tagging logged events with their log level, and
creating separate indexes for the different log types created by
the elasticsearch templates. This also adds support for leveraging
ceph-radosgw's s3 API for Elasticsearch snapshots.
This also removes the barbican chart deployment from the
armada gate, to help alleviate resource consumption.
Change-Id: I45128bf102909e1762b832fc16ad04bedcfe4f00
This PS is enable the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This PS fixes the neutron db sync job to perform full db migrations
in addaion to tap-as-a-service when enabled.
Change-Id: Ieab54649344fb8737e2d8855f00a9ed574ace5ee
Signed-off-by: Pete Birley <pete@port.direct>
This disables the deployment of gnocchi, ceilometer and mongodb
from the multinode job until we can determine the root cause of
the failures in these charts
Change-Id: I8c936cae0b814841da12aabd6d3f95e902912bda
Random job names mean `helm upgrade` or indeed anything looks for
changes from rendered templates will see changes when there are none
causing churn and restarts.
Change-Id: I44331e00c288b517fccf69a4b60435efa2e13d61
securityContext with non-root user is implemented
at Pod level and leveraged the helm-toolkit snippet
Fix for adding allowPrivilegeEscalation flag in container
securityContext in the neutron charts whereever needed
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: Id93b56d2e3886b9dd9115e79c28f661930146b00
Without this patch it is not possible to have an override of
the helm values for the ingress controllers.
This is a problem, as this is inconsistent with other components
and this has reduced flexibility.
This patch solves the problem by exposing two extra overrides
for ingress: $OSH_EXTRA_HELM_ARGS_INGRESS_ceph and
$OSH_EXTRA_HELM_ARGS_INGRESS_openstack, next to the usual
$OSH_EXTRA_HELM_ARGS
Change-Id: I5b56941a6e9a585b9398099c632df349414112fa
This patch set deploys a livenessProbe
for the Cinder API container.
Change-Id: Ice932f3209b9bbff0b54fadc79a99cfc1c2f1ee5
Signed-off-by: Huang,Sophie(sh879n) <sh879n@att.com>
This updates the upgrade host playbook in openstack-helm to match
the playbook used in openstack-helm-infra. The recent addition of
adding an apparmor profile to the calico chart requires us to
do the same setup on hosts in the openstack-helm jobs before
attempting to deploy calico
Change-Id: I264ba4ee8a2f24ffcbb36e28f6b91bbc114b406d
This PS updates the mount options for the nova-compute pod to mount
cgroups as read only within the pod.
Change-Id: I82e958c2865029cd4a093f62614a1e878075098a
Signed-off-by: Pete Birley <pete@port.direct>
