Commit Graph

104 Commits

Author SHA1 Message Date
Ruslan Aliev a3a1645169 Use designated image for chart test
Armada chart currently uses the same image for testing
as for deployment. The PS introduces a flexible way to choose
the image for tests.

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: If9bebd27cf710e91c49c8dcf8f247990bd5acfab
2024-03-08 15:21:45 -06:00
Ruslan Aliev d9e2248172 Add configurable support of armada-operator for armada-api
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I76fb41062d152bf360a85d781c19ab5b204769b8
2024-02-12 11:09:18 -06:00
Sean Eagan 026a00a88e Attempt to fix Armada self-upgrade race condition
Change-Id: I1b84abb02fedfc788739de162d1e4938a008bc7d
2021-10-09 14:33:01 -05:00
Sean Eagan a5730f8db8 Remove Tiller
For now we leave the tiller status endpoint, until
Shipyard has had a release to stop depending on it [0].

[0]: https://review.opendev.org/c/airship/shipyard/+/802718

Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: If8a02d7118f6840fdbbe088b4086aee9a18ababb
2021-10-05 02:41:32 +00:00
Sean Eagan 2efb96eea0 charts: move to helm 3 preferred apis
- `helm.sh/hook: test-success` > `helm.sh/hook: test`

Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I5471b2825d24da5584d40902430fdf99ea54e529
2021-10-05 02:41:26 +00:00
Sean Eagan f3842f9fe1 Use helm 3 in chart build
`helm serve` is removed in helm 3 so this moves
to using local `file://` dependencies [0] instead.

[0]: https://helm.sh/docs/chart_best_practices/dependencies/#repository-urls

Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I2282e231591a89073e65d9db3f59e1baea707380
2021-10-05 02:41:21 +00:00
Sean Eagan 68747d0815 Use helm 3 CLI as backend
Helm 3 breaking changes (likely non-exhaustive):

- crd-install hook removed and replaced with crds directory in
  chart where all CRDs defined in it will be installed before
  any rendering of the chart
- test-failure hook annotation value removed, and test-success
  deprecated. Use test instead
- `--force` no longer handles recreating resources which
  cannot be updated due to e.g. immutability [0]
- `--recreate-pods` removed, use declarative approach instead [1]

[0]: https://github.com/helm/helm/issues/7082
[1]: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments

Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I20ff40ba55197de3d37e5fd647e7d2524a53248f
2021-10-04 21:40:26 -05:00
Sean Eagan 8c5e5c7d24 Remove unused commands
This removes release rollback/delete functionality. This functionality
was likely not being used and thus was likely not working.

The primary driver for this change is to ease introduction of Helm 3
support. Particularly to avoid having to make API changes related to
the namespacing of helm releases in Helm 3.

This also removes the swagger api documentation as it was not
maintained.

Change-Id: I7edb1c449d43690c87e5bb24726a9fcaf428c00b
2021-09-30 17:22:16 -05:00
DeJaeger, Darren (dd118r) eb2e87d32b Add "labels" to Armada deployment
Adding said label, that's already defined, to the deployment itself.
This will enable Armada itself to properly wait for certain percentages
of the deployment replicas to be ready prior to proceeding. Prior to
this change, there wasn't a way to select the Armada deployment via
labels.

Change-Id: I3d36566b100b15d58a5152c8559e9becf1b3be00
2021-06-03 15:11:26 +00:00
Phil Sphicas a3f11e5873 Tiller: listen on localhost by default
This change introduces a configuration option to control whether Tiller
listens on any IP addresses (the previous default), or binds only to
127.0.0.1 (the new default).

The same option is used for both the Armada and Tiller charts:
    .conf.tiller.listen_on_any (default: false)

The affected tiller command line argument is:
    -listen 127.0.0.1:port (if false)
    -listen :port (if true)

Listening on any address allows Helm client direct access to Tiller, via
'helm --host pod_ip:port'.

Listening on localhost does prevent connections directly to the pod IP,
but it does not preclude the use of 'kubectl port-forward' to establish
a connection to Tiller.

The Tiller container in the Armada pod exists only to service Armada via
127.0.0.1. The Helm client automatically sets up port forwarding (if it
has access to the Kubernetes API). As a result, this change should be
non-impacting. However, the previous behavior can be restored by setting
.conf.tiller.listen_on_any=true.

Change-Id: Id308976bac21cc521e8470516ce49ebd1942da68
2021-04-22 20:29:02 +00:00
Angie Wang b0980f7a87 Add configurations for helm/tiller sql storage backend
This adds two parameters to the armada and tiller charts
to allow configuring the sql storage backend [0].

[0]: https://v2.helm.sh/docs/install/#sql-storage-backend

Change-Id: Iba621c4ebcb0e34d514358ac5970697e2215166c
Signed-off-by: Angie Wang <angie.wang@windriver.com>
2020-10-27 14:19:46 -04:00
Andrii Ostapenko 45ffa16648 Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: I70a3306b3722bfa0116d415ef11ed407eddf6834
2020-09-24 19:42:34 -05:00
KAVVA, JAGAN MOHAN REDDY (jk330k) 36efc4828d Move Tiller version to 2.16.9
Update Helm chart for Armada to use Tiller version 2.16.9.

depends on: https://review.opendev.org/#/c/749497/

Change-Id: I16f7a5e8e571f067154e79a5f2ceb18be7d8db2d
2020-09-17 10:48:44 -05:00
Drew Walters 7bf1423752 Add documentation to docs.airshipit.org
This change adds publishing to docs.airshipit.org and updates the theme
to match the other Airship projects on the site. This change also
updates orphaned links and removes the Read the Docs jobs.

The documentation can be found at docs.airshipit.org/armada when this
change merges.

Change-Id: I9641753f6084f911e3286c623d0c2de7b3f6040a
Signed-off-by: Drew Walters <andrew.walters@att.com>
2020-08-03 10:33:13 +00:00
KHIYANI, RAHUL (rk0850) d31aefb76c Implement helm-toolkit snippet to armada test pods/containers
This updates the armada chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: Ie19852e6a87c15a93caca8915ba92d51c47ec04b
2020-06-30 23:59:36 +00:00
DODDA, PRATEEK 04ac986684 Enable Apparmor to all Armada test pods
Depends-On: https://review.opendev.org/#/c/731856/

Change-Id: Ib0ea0873d78edd0e3c5f847c84ce89cf151268ca
2020-06-01 14:13:43 -05:00
KHIYANI, RAHUL (rk0850) c72dae0c5c Tiller: Add apparmor profile to tiller container
Adding profile to missing container in armada chart

Change-Id: Ic51c93c503d616f7583050d36eff9d774a257312
2020-04-14 21:59:20 +00:00
Phil Sphicas 1810da025f Apply security context to tiller in Armada pod
Allows container security context to be applied to the tiller container
inside the Armada API pod, and sets the following: run as nobody (uid
65534), read-only root filesystem, deny privilege escalation. Also sets
the rest of the armada pod to run as armada (uid 1000).

Change-Id: I38eb32f54ca4c0a20c1c63fca2f4927ced6e9e81
2020-03-20 22:07:19 -07:00
Phil Sphicas 4e74fa8ff2 Fix rendering for volumes and mounts in Armada pod
Rendering for custom volume mounts in the Armada deployment is broken:
the tiller container is missing the volumeMounts: key, and the volume
mounts are not being applied at all to the armada_api container.

This change allows distinct volume mounts for the containers, defined
under:
.pod.mounts.armada_api.armada_api.volumeMounts
.pod.mounts.armada_api.tiller.volumeMounts

The pod's volumes: key includes a concatenation of whatever is defined
under these keys (without any deduplication):
.pod.mounts.armada_api.armada_api.volumes
.pod.mounts.armada_api.tiller.volumes

Change-Id: I7b5dd491df01cf30be9f2f2c2b25c427472832fb
2020-03-20 22:07:19 -07:00
KHIYANI, RAHUL (rk0850) 6cc6346cde Add Docker default AppArmor profile to tiller chart
Change-Id: Ia8f876a9395a6fe4f18613f8f5318db3079a7ec1
2020-02-17 15:58:56 +00:00
Zuul ee60fb5edb Merge "Add Docker default AppArmor profile to armada" 2020-02-07 14:30:25 +00:00
Sean Eagan f688313341 Fix tiller kubernetes client caching
The cache dir could no longer be written to when
readOnlyRootFilesystem went into effect [0].

This adds a configurable volume/mount for the cache dir.

[0]: https://review.opendev.org/#/c/703881/

Change-Id: I63a7c8575041aa3c6fd523213f8dffb0542fb0e5
2020-02-06 15:09:56 -06:00
Prateek Dodda 825e123fb9 Add Docker default AppArmor profile to armada
Change-Id: Iee43dfd56ecf5e4d18f93872b58359851c73d55f
2020-02-06 20:12:30 +00:00
Zuul adc8f306aa Merge "Fix port conflict for tiller" 2020-02-03 15:27:22 +00:00
Kumar, Nishant (nk613n) 2203d1dad0 Fix port conflict for tiller
This change is primarily based on this PS - https://review.opendev.org/#/c/659369/

Change-Id: Ia213445be76b58870bec009b75a16a4e3374a5c3
2020-01-27 11:13:57 -06:00
KHIYANI, RAHUL (rk0850) da0f6e61ba Tiller-deploy: Add pod/container security context
This updates the tiller chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: I08694e58d057c04f7ba30ded5dca1207ceaac5e2
2020-01-22 16:09:56 -06:00
Samuel Pilla 50384e47c7 Upgrade Tiller to v2.16.1
This leaves support in Armada for tiller 2.13+ as
we don't use any new features since then, so don't
need to require a newer version.

Change-Id: I6e5343fe942794987bec140e23208dd04fcbfd44
2019-12-05 18:44:25 +00:00
Prateek Dodda 430586927c Implement Security Context for Armada
Implement readOnlyRootFilesystem:true for init container

- Armada server deployment

Change-Id: Ifbc48bef07eab97c015b65a1941a526fc6a28c6d
2019-10-30 14:25:12 -05:00
Drew Walters 7ef4905c44 images: Create single metrics dir in entrypoint
The entrypoint script for the Armada Docker container attempts to create
a nested, temporary directory when one is not provided through an
environment variable. This is fine when deploying Armada via a Helm
chart, as a writable volume mount exists; however, the directory
/tmp/armada/metrics does not exist when running as a standalone
container. This commit changes the entrypoint script to use a flat,
temporary directory to avoid requiring a user to mount a temporary
volume.

Change-Id: I26857908fa90c64c98038d508263a5094b06668a
Signed-off-by: Drew Walters <andrew.walters@att.com>
2019-10-11 10:11:16 -05:00
Zuul 5fae57d179 Merge "Allow configuration of armada-api/tiller probes" 2019-10-11 14:33:38 +00:00
Zuul e88cbafd62 Merge "Use apps/v1 k8s controllers and add labels" 2019-10-08 20:29:12 +00:00
Itxaka d90eb125ed Allow configuration of armada-api/tiller probes
Allows configuring the probes via values.yaml in both
the armada charts, which includes armada and tiller
containers, and in the standalone tiller chart

Also bumps the osh sha in tools/helm_tk.sh to latest
22ef25ab295d6b7c6797cfffaa77cf181c673e9b

Change-Id: I0bb0acf00ecc0b61f8d324fe9b6a8507c361e9fc
2019-10-07 20:49:26 +02:00
Hemanth Nakkina 1548d845ab Use apps/v1 k8s controllers and add labels
Update apiversion for ClusterRole, ClusterRoleBinding to rbac.authorization.k8s.io/v1
Update apiversion for deployment to apps/v1
Add selector match labels to deployment

This patch is similar to https://review.opendev.org/#/c/638276/
These changes are required to install armada, tiller helm charts against k8s 1.16.0

Change-Id: Ife08b4af4721c6c49c9c6faadd7fd31aa8700b39
2019-10-01 03:09:42 +05:30
Sean Eagan 3e40262ce3 Fix tiller storage configuration
Removes extra quotes which were getting included as
part of the storage argument.

Change-Id: I3e5c165694dc036b21ad14cf1b25648971d232c5
2019-09-27 13:50:25 -05:00
Zuul d5ab6a05c4 Merge "Allow to configure service network policy" 2019-09-27 10:36:41 +00:00
Sean Eagan 6c97853c26 Add configuration for tiller storage
This adds a parameter to the armada and tiller charts
to configure the tiller storage [0] type. For backward
compatibility, by default the parameter is not passed
to tiller, thus relying on the upstream default, which
is 'configmap'.

[0]: https://helm.sh/docs/using_helm/#tiller-s-release-information

Change-Id: I5d2a7558e3847331a0ce95c15b2e741f96130674
2019-09-23 10:02:23 -05:00
Evgeny L 2d320ff0aa Allow to configure service network policy
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.

* Network policies are disabled by default.
* When enabled, default policies allow all ingress and
  egress traffic (i.e. policy set to {}), this may be
  changed in future patch-sets.

Change-Id: Ie14a652830b4366e070ded91f8bbf83ca24d1007
2019-09-20 19:49:07 +00:00
Sean Eagan 42b972181a Fix release_uuid annotations
- Re-add annotation that was accidentally removed
- Fix wrong indentation
- Use programmatic indentation consistently

Change-Id: Ief9eb709d4db1152f133873bf68ef234649f20a9
2019-09-05 08:03:53 -05:00
Sean Eagan 0721ed43aa Implement Prometheus metric integration
This implements Prometheus metric integration, including metric
definition, collection, and exportation.

End user documentation for supported metric data and exportation
interface is included.

Change-Id: Ia0837f28073d6cd8e0220ac84cdd261b32704ae4
2019-08-15 16:12:17 +00:00
Roman Gorshunov d404e3c034 Change various URLs for the OpenDev migration
Change-Id: I3d345cfe1b3cf6134f5aad69ce639ddd21dc101f
2019-07-26 16:32:02 +02:00
Zuul 082aa624db Merge "Add release uuid annotation to POD spec" 2019-06-26 11:32:49 +00:00
Kumar, Nishant(nk613n) 6f608fd8cd Add release uuid annotation to POD spec
Change-Id: I1de990aa377cff5fcf9ce3918c22e81021521d44
2019-06-25 14:50:24 +00:00
Dejaeger, Darren (dd118r) c25533ae3d Add node selector to test pod and standalone tiller
This PS looks to add a node selector into the test pod's spec,
as well as the standalone tiller's spec.

Change-Id: I8d2054f0d9d360cb6baaa7ff636348c5a4d18149
2019-06-20 11:26:31 -04:00
Zuul 07b4f61c05 Merge "Prevent tiller from leaving releases in pending status" 2019-06-17 16:46:28 +00:00
Sean Eagan 9573afd3c2 Prevent tiller from leaving releases in pending status
In general, stuck pending statuses can be avoided by not enabling
the tiller native wait flag when updating releases, since tiller
then marks the release completed directly after applying the
resources to kubernetes.

However, when updating tiller itself, once kubernetes sees the
updated tiller resource, it can bring tiller down
before it has a chance to mark the release which contains tiller
as completed, leaving it in pending status.

This adds a preStop hook to both the standalone and sidecar tiller
containers to simply sleep to give them a chance to finish updating
their release, before terminating.

Ideally tiller would handle this on its own
via signal handling, but it doesn't. We could try to query for
the absence of PENDING_*** releases via `helm ls` before exiting,
however the helm CLI is not available inside the tiller image, and
those releases could be getting updated from another tiller instance,
or had already got stuck in that state previously, in which case we
don't want to hold up tiller termination.

Change-Id: I300c613f2a89eb1406531ce0a9af85c429a886f2
2019-06-17 09:18:37 -05:00
Zuul 2f28fb5bf0 Merge "Revert "Move to helm 2.14"" 2019-06-05 21:10:13 +00:00
Sean Eagan e51db14add Revert "Move to helm 2.14"
There is a breaking change in helm 2.14.0 [0]. This is expected to be fixed in helm 2.14.1, reverting until we can update to that.

[0]: https://github.com/helm/helm/issues/5750

This reverts commit 89d98fb827.

Change-Id: Ica6d51b5c67a26c356804fd69d466e88ad5c216b
2019-06-05 20:11:53 +00:00
Zuul d2bab9fa7d Merge "Implement Security Context for Armada" 2019-06-04 19:03:21 +00:00
pd2839 8048e1e824 Implement Security Context for Armada
Implement container and pod level security context for the following
Armada resources:

- Armada server deployment

Change-Id: Ic4caba4a75ba00c92aff2e8fc16e480463632e04
2019-05-31 14:32:18 +00:00
Sean Eagan 89d98fb827 Move to helm 2.14
Change-Id: I6439650076b289d3983e119c06181baf6562ccc3
2019-05-17 11:50:19 -05:00