This ensures the options for oslo.versionedobjects library are
included in the file generated by oslo-config-generator.
Change-Id: Ie1b28295317a2e5c5fc32b400a777e5e29c55a71
Using the healthcheck middleware as a filter is deprecated and
the middleware should be used as an application [1].
[1] 6feaa13610c450c8486f969703768db5319b4846
This change updates definition and usage of the healthcheck middleware
accordingly to avoid the following deprecation warning.
DeprecationWarning: Using function/method 'Healthcheck.factory()' is
deprecated: The healthcheck middleware must now be configured as
an application, not as a filter.
Change-Id: Ie81140d3b03c315f0a057d2f59754ee14dac539c
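The application-style configuration that the deprecation warning above asks for, shown as an added illustration (not Magnum's own api-paste.ini): section and app names, the `magnum.api.app:app_factory` entry point, and the Paste `urlmap` composite are assumptions here; the `backends` and `disable_by_file_path` options are oslo.middleware's own.

```ini
# Deprecated form: healthcheck wired as a filter in front of the API
# (kept here only for comparison; replace with the composite below)
[pipeline:main_deprecated]
pipeline = healthcheck api

[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/magnum/healthcheck_disable

# Current form: healthcheck is its own application, mounted by URL prefix,
# so it never runs through the API pipeline's filters
[composite:main]
use = egg:Paste#urlmap
/healthcheck = healthcheck
/ = api

[app:healthcheck]
paste.app_factory = oslo_middleware:Healthcheck.app_factory
backends = disable_by_file
disable_by_file_path = /etc/magnum/healthcheck_disable

# assumed entry point for the Magnum API application
[app:api]
paste.app_factory = magnum.api.app:app_factory
```

With the `disable_by_file` backend, creating `/etc/magnum/healthcheck_disable` makes `/healthcheck` answer 503 so an operator can drain the node from a load balancer without touching request handling.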
With the new config option `keystone_auth_default_policy`, a cloud admin
can set a default keystone auth policy for a k8s cluster when the
keystone auth is enabled. As a result, a user can use their current
keystone user to access the k8s cluster as long as they're assigned
the correct roles, and they will get the pre-defined permissions
set by the cloud provider.
The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth, which is getting more useful now. For example,
v1 doesn't support a policy for a user to access resources from
all namespaces but kube-system, but v2 can do that.
NOTE: Now we're using the openstackmagnum dockerhub repo until the CPO
team fixes their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files, and completely removes
usage of the policy.json file.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
This commit uses the existing policy-in-code module to move all
default policies for certificates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I1abc75441d7984497739194a273d8bda63f832a0
This commit uses the existing policy-in-code module to move all
default policies for quotas into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I2fbd7577545ed08dee10064d321e8c6941324b5d
This commit uses the existing policy-in-code module to move all
default policies for cluster templates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I9a8176ea20e3c925441473d1d84db3a73edca7a5
This commit uses the existing policy-in-code module to move all
default policies for clusters into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Change-Id: I36e69fe930505c2777f4376be1f6ddf17016998f
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit uses the existing policy-in-code module to move all
default policies for baymodels into code. This commit also adds
helpful documentation about each API those policies protect, which
will be generated in sample policy files.
Change-Id: Ia4409ff712d0e64985d9565e11671b33c8ac9ddf
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit uses the existing policy-in-code module to move all
default policies for bays into code. This commit also adds helpful
documentation about each API those policies protect, which will be
generated in sample policy files.
Change-Id: I4221ed56146ed952781f5f38bc4344d8a0d07881
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This change prepares the magnum project to start implementing
policies in code. Subsequent patches will register more magnum
policies in code and remove the corresponding entry from the
policy file maintained in source.
This is part of a community effort to provide better user
experience for those having to maintain RBAC policy. More
information on this effort can be found below:
https://governance.openstack.org/tc/goals/queens/policy-in-code.html
Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Set the clustertemplate:publish policy to be admin only by default -
currently it is admin_or_user, which means any openstack user can create
a public cluster template.
Update tests for bay model and cluster template, splitting tests
requiring admin credentials into a separate class.
Change-Id: I0bfb57c569863f1ecf7d697cd5ac161a9a710432
Closes-Bug: #1687887
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitly enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
This will give admins a way to revoke access to an existing cluster
once a user has been granted access.
Bumped the API microversion to 1.5 for the new endpoint.
Deprecated policy certificate:get in favor of certificate:get_ca for
clarity and consistency.
Depends-On: Ie960464e45445e195e75b91e8d65a4046eb21e93
Implements: blueprint revoke-cluster-cert
Change-Id: Ief28bef3a79f212acf4166e443a96e5419fbb757
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
1) It checks that the person who wants to trace is trusted and knows
the secret HMAC key.
2) It starts tracing in case of proper trace headers
and adds the first wsgi trace point, with info about the HTTP request.
* Add initialization of osprofiler at start of service.
Currently that includes oslo.messaging notifier instance creation
to send Ceilometer backend notifications.
* Traces HTTP/RPC/DB API calls
Demo: https://hieulq.github.io/cluster-create-false-new-html.html
Co-Authored-By: Hieu LE <hieulq@vn.fujitsu.com>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
This change introduces a new /stats REST endpoint that
provides the following basic information:
1) Total number of clusters and nodes for the given tenant.
2) Total number of clusters and nodes across all the tenants.
Follow-up patches include more stats.
Change-Id: Iac0bf9343549de31654545d5b1fd7601e56142a7
Partially Implements blueprint magnum-stats-api
This sets up the HTTPProxyToWSGI middleware in front of magnum. The
purpose of this middleware is to set up the request URL correctly in
case there is a proxy.
Closes-Bug: #1590608
Change-Id: I3f22716575af96aea884bd481c023d394a0b00a5
Initialize magnum centralize config folder and test cases.
Change-Id: Ib68e54701e127546fbaa91e3633f50d149a5b878
Implements: blueprint centralize-config-magnum
This is the first of several patches to add new Cluster commands
that will replace the Bay terminology in Magnum. This patch adds
the new Cluster and ClusterTemplate commands in addition to the
Bay and Baymodel commands. Additional patches will be created
for client, docs, and additional functional tests.
Change-Id: Ie686281a6f98a1a9931158d2a79eee6ac21ed9a1
Implements: blueprint rename-bay-to-cluster
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.
Remove the container object, drop the db table and remove references to
the container object. The docker_conductor has also been removed as this
was used for managing containers using Magnum objects.
Change-Id: I288fa7a9717519b1ae8195820975676d99b4d6d2
Partially-Implements: blueprint delete-container-endpoint
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.
Remove the service object, drop the db table and remove references to
the service object.
Change-Id: I4f06bb779caa0ad369a2b96b4714e1bf2db8acc6
Partially-Implements: blueprint delete-container-endpoint
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.
Remove the pod object, drop the db table and remove references to the
pod object.
Change-Id: I8c2499ccb97aae39d80868ce02fbef292d762c10
Partially-Implements: blueprint delete-container-endpoint
Use the healthcheck middleware from oslo_middleware. This adds a new
pipeline that depends on whether the /etc/magnum/healthcheck_disable file exists.
The healthcheck middleware is available under the /healthcheck URL.
Return values:
200 OK (if the file does not exist)
503 DISABLED BY FILE (if the file exists)
Change-Id: I23179d5285831af12de7f392849c490d86a5682e
The default values needed for magnum's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to the default initialization procedure. This ensures
that if a value remains unset in the configuration file, it will
fallback to using sane defaults. It also ensures that an operator
modifying the configuration will be presented with that same
set of defaults.
Change-Id: I7d8f8708d53bbab117600070982ac80482fa0a77
Closes-Bug: 1551836
This change replaces the hard coded WSGI app creation with a pipeline
of WSGI apps declared in a configuration file.
Paste Deploy was used to create the pipeline since it is used by many other
OpenStack projects and it is an active project
with new contributors and supports Python 3. Dependency on Paste is
localized so switching to another library would not be hard if OpenStack moves
to another package in the future.
Change-Id: I9a45f974c2c8c67a01748583639e6a6248003b85
Closes-Bug: #1551134
Only the user who creates the bay can get the certificate and call
the certificate signing request of the bay and create containers
in the bay, which is needed by [1].
[1] https://github.com/openstack/magnum/blob/master/specs/create-trustee-user-for-each-bay.rst
Change-Id: Id959b76cb136ffbb0e6bcb8c3b83e02b30de66cf
Closes-Bug: #1536883
Partially-Implements: blueprint create-trustee-user-for-each-bay
The node object represents either a bare metal or virtual machine
node that is provisioned with an OS to run the containers, or
alternatively, run kubernetes. Magnum uses Heat to deploy the nodes,
so it is unnecessary to maintain the node object in Magnum. Heat can do
the work for us. The code for the node object is useless now, so let's
remove it from Magnum.
Closes-Bug: #1540790
Change-Id: If8761b06a364127683099afb4dc51ea551be6f89
Now magnum.conf.sample needs to be generated by tox -egenconfig.
It is convenient to have a help doc in the directory etc/magnum/.
Change-Id: Ia18db548e8840bbccc915b58b7a2301043533469
We hard-coded configuration options in tox.ini to generate the Magnum config
sample file, and we kept this config sample file in our repository
before.
It is inconvenient for developers if they add/remove/change some
configuration options, because they need to take care of the
config.sample file.
This patch removes magnum.config.sample and instead lets admins generate it
from magnum-config-generator.conf (picked from tox.ini).
P.S. Clean up tox.ini, since it is not a good idea to mess up tox.ini
with configuration options.
Closes-Bug: #1538374
Change-Id: I80d019b5c98e0282cd0fe50fd4ad66286287e2cb
Option "notification_driver" from group "DEFAULT" is deprecated.
Use option "driver" from group "oslo_messaging_notifications".
Reference link:
[1] https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/notify/notifier.py#L34
Change-Id: I3e211ac315bb582961ad03e2cf06d4409eb20ed3
Closes-Bug: #1535611
When initiating glanceclient, we should use 'glanceclient.client.Client'
instead of the inner class 'glanceclient.v2.client.Client' [1].
[1] http://docs.openstack.org/developer/python-glanceclient/ref/client.html
Change-Id: I65036aaac255264ae598e6166a0fd8ae25ed0e2d
Closes-Bug: #1533550
All bays use the same trustee_user and different trust. A trust is
created for a bay when the bay is created, and is deleted when the
bay is deleted.
Partially-Implements: blueprint registryv2-in-master
Change-Id: Iab2037677f683fe4c562915b98303da02c59c299
Previously, Swarm leveraged Docker's public discovery mechanism
for bootstrapping a cluster. Etcd bootstrapping is supported by
Swarm and is preferred for production use for the following reasons:
1. Required for HA.
2. Is more secure.
3. Required for the Flannel network-driver.
Partially-Implements: blueprint extend-baymodel-net-attributes
Partially-Implements: blueprint conductor-template-net-update
Change-Id: Iab844c03ed7cf8bbee69b72ff71c219f0a5ab1dd
Problem description:
Magnum should provide support for configuration of default network drivers per
COE. An example use case could be a cloud operator who would like to have
control of what default container network driver should be used on a per-COE
basis. The cloud operator in this case should be able to set the default
network driver per COE in /etc/magnum/magnum.conf.
Proposed fix:
Add 3 configuration list options to the config in /etc/magnum/magnum.conf:
- kubernetes_default_network_driver
(default='flannel')
- swarm_default_network_driver
(default='docker')
- mesos_default_network_driver
(default='docker')
When a baymodel is created and the --network-driver attribute is not supplied,
then the configured default network driver for the selected COE will first be
checked against the list of allowed network drivers for that COE, and if
allowed, the configured default network driver will be used for the new
baymodel.
Change-Id: I1e1d68c3348f609975b914926994bd79c1ef6d28
Closes-Bug: #1504664
Rename heat-kubernetes to kubernetes, heat-mesos to mesos,
docker-swarm to swarm in templates. We use heat templates and
no other methods, so I think it is unnecessary to add heat before
coe. kubernetes, mesos, swarm are better than
heat-kubernetes, heat-mesos, docker-swarm.
Change-Id: I257b35c1c4ef55d3172095736f550f2c55c8d81f
Closes-Bug: #1514682
Problem:
With the changes that were merged with https://review.openstack.org/230147, the
choices of container network drivers that can be selected for a given COE type
when creating a Magnum baymodel are hardcoded, and are based on network drivers
that Magnum can support for each COE.
These hard-coded selections will probably make sense in most cases. However, in
some cloud instances, a cloud provider or cloud admin may want to restrict the
choices of network drivers that a user can select for a given COE even further,
based on specific restrictions in the cloud.
Magnum should provide support for configuration of what container network
drivers are allowed, and this needs to be provided on a per-COE basis.
Proposed fix:
Add 3 configuration list options to the config in /etc/magnum/magnum.conf for
configuring allowed network drivers for kubernetes, swarm and mesos
respectively. The keyword 'all' can be used to allow all network drivers
supported by Magnum for that COE. The new config options are:
- kubernetes_allowed_network_drivers
(default=['all'])
- swarm_allowed_network_drivers
(default=['all'])
- mesos_allowed_network_drivers
(default=['all'])
Validation of the --network-driver attribute for a baymodel create will be
performed against the above configuration on a per-COE basis.
Change-Id: Ibaa21d43fd6b5c1a6acc10e56145280eeaea8534
Closes-Bug: #1504635