Commit Graph

487 Commits

Author SHA1 Message Date
Zuul 05c2b170c0 Merge "Bugfix: Clean up trusts for all deleted clusters" 2024-02-27 15:03:36 +00:00
Jake Yip 8a30ad3462 Add feature to specify driver explicitly
Allow ClusterTemplate to explicitly specify a driver to use for creating
Clusters.

This is initially sourced from the image property 'magnum_driver', but
may be improved to be specified via client in the future.

Falls back to old driver discovery using (coe, server_type, os) tuple to
keep existing behaviour.

Change-Id: I9e206b589951a02360d3cef0282a9538236ef53b
2024-02-26 14:50:18 +11:00
Dale Smith 1b00074c6a Bugfix: Clean up trusts for all deleted clusters
Cluster conductor creates trusts for all drivers, but does not clean
them up. The Heat driver has previously performed this action.

This change moves the lifecycle of trust and certificate creation
to the Conductor, so drivers do not need to clean up resources they
didn't create.

Change-Id: I2b3e99589d2d3069191d0727406601f0647a9722
2024-02-22 15:38:48 +13:00
Takashi Kajinami 627b9a8260 Remove six from common module
This is part of the steps to remove usage of six library, which is no
longer needed since python 2 support was removed.

Change-Id: I14ebd809b39079d06a8ecc8f747b6bb80d550acb
2024-02-19 10:43:31 +00:00
Michal Nasiadka 68c8acba39 Remove execution bit on unnecessary files
Change-Id: Ia41b843fdf20154750b129a8ab5dd42f5c3989fb
2024-02-19 00:30:21 +00:00
Michal Nasiadka bc79012f46 Drop Swarm support
Label validator function has been left behind, although it's not
checking for anything right now - might be useful in future.

Change-Id: I74c744dc957d73aef7556aff00837611dadbada7
2024-01-24 13:20:21 +13:00
ricolin a48df816cb Enable secure rbac
This sets policies (RBAC) new defaults and scope to ``True`` by default.
Note: This should only be merged after at least a cycle gap to allow
operators to adopt new changes.

Depends-On: https://review.opendev.org/c/openstack/magnum-tempest-plugin/+/877086

Change-Id: I6db4eaa64e2efd455dc3d37ccc74ebd8e7a5dbb2
2023-10-26 13:20:40 +08:00
ricolin 0ff50c542e Remove unused policy rule for Certificate APIs
Cluster user is no longer used for drivers in Magnum since [1].
Remove unused policy rule to reflect that fix.

[1] https://review.opendev.org/c/openstack/magnum/+/889144

Change-Id: Ic7ef89a61835a7045d81dbf5af77714a3270cd7c
2023-08-30 00:38:27 +08:00
ricolin 74897768e3 Allow Admin to perform all API requests
This proposed change is based on the same concerns as this bug in neutron
https://bugs.launchpad.net/neutron/+bug/1997089

This proposes to keep and make sure ADMIN can perform all API requests.

Change-Id: I9a3003963bf13a591cc363fa04ec8e5719ae9114
2023-08-30 00:35:35 +08:00
ricolin 5971243169 Support enables rbac policies new defaults
The Magnum service allows enabling policies (RBAC) new defaults and scope by
default. The default value of config options ``[oslo_policy] enforce_scope``
and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both
``False``, but will change to ``True`` in following cycles.

To enable them, modify the below config option values in
``magnum.conf`` file::

  [oslo_policy]
  enforce_new_defaults=True
  enforce_scope=True

reference tc goal for more detail:
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Related blueprint secure-rbac

Change-Id: I249942a355577c4f1ef51b3988f0cc4979959d0b
2023-08-30 00:35:24 +08:00
Zuul 209f07f1e5 Merge "Use new get_rpc_client API from oslo.messaging" 2023-07-24 09:23:41 +00:00
Diogo Guerra 11bcc17568 Drop bay and baymodel from magnum
- Drop bay and baymodel tests
- Drop bay and baymodel from controllers

Depends-On: Ib85e4fda8e4ac467bd49590dc72ba5913bb9a19d

Story: 2009104
Task: 42957
Task: 42959

Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Change-Id: Ida2e42c86400438951d9804e3ce122c56a46b94f
2023-05-09 13:59:57 +00:00
scrungus 33ab4e9cb4 Update barbicanclient
The changes in version 5.5 barbicanclient cause breaking changes.
Changing which barbicanclient is used fixes this issue.

Story: 2010629
Task: 47581
Change-Id: I1b6b0a4c1960fb5cb6ce04ea755074944fe4bb6f
2023-03-14 02:09:51 +00:00
ricolin 6169eb26ed Fix pep8 gate
This fix proposes two parts:
* introduce timeout (60s) to requests calls
* remove `file` scheme support for requests calls.

Change-Id: Ide2c2915ba5d6ff03933160b74f7206492276968
2023-03-14 09:17:54 +08:00
Tobias Urdin c28760c8ac Use new get_rpc_client API from oslo.messaging
Use the new API that is consistent with
the existing API instead of instantiating the client
class directly.

This was introduced in release 14.1.0 here [1] and
added into oslo.messaging here [2]

[1] https://review.opendev.org/c/openstack/requirements/+/869340
[2] https://review.opendev.org/c/openstack/oslo.messaging/+/862419

Change-Id: I4db6bbbbdc2f311f4c159b2d4f9992cfdbdafac4
2023-01-23 19:17:21 +00:00
Jake Yip cb40fb3685 Add back pep8 test
In Change I523a4a85867f82d234ba1f3e6fad8b8cd2291182, the pep8 test was
accidentally dropped.

Fix up code so that pep8 passes.

In addition to that following change has been added here to unbreak CI:

Add WebTest as an indirect test dependency

Pecan has made webtest an optional dependency for testing only [1].
Since it is still used for testing we need to add it to our
test-requirements.txt.

[1]: https://github.com/pecan/pecan/pull/140

Change-Id: I2f85adb4ef29a43389897c201e6152fd4c7be9d6
2022-07-19 12:35:14 +00:00
Spyros Trigazis cd113dfc0c Remove use of tenant in common/context.py
Tenant has been removed from context.
Fixes UTs and pep8.

Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Change-Id: I10daa22b614aab456b837c03278eb04da0355ff7
2022-03-18 13:20:46 +00:00
Zuul 285f91bd18 Merge "Optimize cluster list api" 2021-11-26 10:58:13 +00:00
Zuul 784351af4e Merge "Fix cluster template default policy" 2021-11-26 10:39:22 +00:00
Mohammed Naser 4888f706c8 Fix deleting clusters if stack is deleted
If a stack has been deleted (either by Magnum or the user) but
Magnum did not update and set `stack_id` to empty, the cluster
will fail to delete inside pre-deletion.

This will have a safe failover to skip if it can't find the
Heat stack, it assumes things are gone.

Change-Id: I6ebe188895e51ed83ad1514a380e4772fed5eb42
2021-11-25 12:41:31 +00:00
Takashi Kajinami 0bf324278a Fix errors caused by cryptography>=35.0.0
- _OID_NAMES was moved to a different module by [1].
- default_backend() is silently ignored, so should be dropped[2].
- The new Rust backend does not accept mocked private keys
  which caused failures with invalid private keys for tests.

[1]: 7b5634911c
[2]: https://cryptography.io/en/latest/faq/#faq-missing-backend

Change-Id: I44407703fbcf2da97c29a28043520c781ef4c3b2
2021-11-25 07:35:27 -05:00
vagrant 8ca92e6d70 Fix cluster template default policy
In Change I643d408cde0d6e30812cf6429fb7118184793400 a bunch of actions
were changed from

 is_admin:True or project_id:%(project_id)s

to

 rule:deny_cluster_user

Which means that those actions are not verifying that the project ID of
a token matches the project ID of the resource. This only seems to work
for resources that a user can otherwise see.

As public cluster templates can be seen by a user, a user is hence able
to delete a CT.

Fix it so that CT can only be modifiable or deletable by admin or
owner.

Story: 2008824
Task: 42289
Change-Id: I6dec817725338387a614f83e85a5f1f2814b020e
2021-09-20 09:37:14 +10:00
Takashi Kajinami 67acf2c5e9 Use Block Storage API v3 instead of API v2
Block Storage API v2 was deprecated during Pike cycle and is being
removed during Xena cycle, and current v3 API should be used instead.

Additional Zuul config for Devstack allows CI to pass which can be
reverted later [1].

[1] https://bugs.launchpad.net/glance/+bug/1938151

Change-Id: Ib66b754f4a0854a0d62d62047a69b04a24434634
2021-07-27 20:41:52 +00:00
Stavros Moiras 0792885a1b Optimize cluster list api
Up till now, cluster api controller cluster_template_id was a
property field loading the id from the DB every time. With this
change the field becomes of text type and mandatory, so wsme fwk
guarantees that the field is provided when needed.

Cluster objects will not load the cluster template on creation.
Instead cluster templates will be loaded when they are actually
needed.

story: 2006693
task: 36989

Co-Authored-By: Stavros Moiras <stavros.moiras@cern.ch>

Change-Id: I2313c6a8b647e521cfa476f9cec65ab286fa5a23
2021-07-01 07:42:08 +00:00
Erik Olof Gunnar Andersson b336bb34dc Re-factored rpc serializer
This patch cleans up the current rpc
implementation by moving the serializer
back to the rpc module, this is more in
line with other projects; such as Nova.

- Moved _init_serializer back into rpc.
- Added back unit-tests for profiler.

Change-Id: Ia148b2d3bc352e96e7633f7af82ecd26b5f35e35
2021-03-09 00:13:45 +00:00
Ghanshyam Mann 3b7a33eb64 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Icfd9e2a75d8fdfb24cbd1c850f498aadee91f543
2021-03-08 15:11:01 +00:00
Bharat Kunwar 0e6d178939 Only allow zero node count from microversion 1.10
At present, all clients can request resize of cluster nodes to zero.
This PS ensures that only requests with 1.10 microversion header or more
are fulfilled.

Story: 2007851
Task: 41841

Additionally, unit tests are also included to ensure that the
microversions are respected for create, update and resizing clusters
with zero node count.

Additionally, unit tests for the following APIs are tested explicitly:
- resize API with microversion 1.7
- upgrade API with microversion 1.8
- nodegroup API with microversion 1.9

Story: 2005054
Task: 41840

Change-Id: Iba9d619d2e92abcbaa3eca5da68f5e0f203dea8d
2021-02-16 14:04:36 +00:00
Erik Olof Gunnar Andersson 672b119507 Re-use transport for rpc server
This patch changes the rpc server to re-use
the transport in the same manner as the rpc client.

Story: 2008494
Task: 41752

Change-Id: I93eecacbe45d19c4f73e9a974d60e642e87bbdf0
2021-02-03 19:38:42 +00:00
Zuul d614499825 Merge "Re-use transport for rpc calls" 2021-02-03 10:38:19 +00:00
Erik Olof Gunnar Andersson 987c9d809e Re-use transport for rpc calls
We are currently creating a new transport for each api
call. This patch changes that so that each worker
can re-use the same transport for multiple requests.

Story: 2008494
Task: 41544
Change-Id: I11a24f035a9d66a536e5e58328084ee08f0c6285
2021-01-29 21:21:24 +00:00
Mark Goddard 8018bf9124 Fix cluster deletion when load balancers don't exist
During cluster deletion, magnum tries to delete the cluster's load
balancers in advance of deleting the heat stack. If these load balancers
do not exist for some reason, the cluster deletion will fail with an
error such as the following:

    Failed to pre-delete resources for cluster
    748b628a-2cd8-456f-8aee-c93804b2099b, error: list indices must be
    integers or slices, not str.

This happens because the heat stack has the physical_resource_id set to
None for the load balancer, which causes the load_balancer_show method
of octavia client to GET all load balancers, rather than just one. The
returned data is a list, rather than a dict, leading to the error above.

This change fixes the issue by checking if physical_resource_id is set
to None, and skipping the load balancer deletion if so.

Change-Id: I8f4ca497a01ad04db6cb6c4bc81caed0d714b5a6
Story: 2008548
Task: 41669
2021-01-22 15:22:45 +00:00
Sharma-Ritika 2a61e7dc1f [goal] Prepare pep8 testing for Ubuntu Focal
As per victoria cycle testing runtime and community goal,
we need to migrate upstream CI/CD to Ubuntu Focal(20.04).

Add noqa for C901 and F811 pep8 for Focal, failure can be
seen in - https://review.opendev.org/#/c/743130

Depends-On: https://review.opendev.org/#/c/738328/

Change-Id: I95fa40551d842ce652ab937b8848c64f09a3e131
Story: #2007865
Task: #40190
2020-09-09 13:31:45 +05:30
Zuul e8467e94d8 Merge "Support upgrade on behalf of user by admin" 2020-05-26 11:19:19 +00:00
Feilong Wang 2cb23153bd Support upgrade on behalf of user by admin
Unleash the capability that admin user can do rolling upgrade on
behalf of the end user so that cloud admin can do urgent security
patching when it's really necessary.

Task: 39784
Story: 2007675

Change-Id: I8fa9a30ee8252b94baa80e4bbca197b285fb7f71
2020-05-19 08:49:49 +00:00
Bharat Kunwar f5d32eb51c [k8s] Fix PreDeletionFailed if Heat stack is missing
When a stack has already been deleted, the pre-deletion tries to check
for loadbalancer for stack_id=None which returns PreDeletionFailed
exception. This patch addresses this issue.

Change-Id: Id7a9c5080633bca411398b7989026004e74ccb65
Story: 2007657
Task: 39783
2020-05-19 08:47:17 +00:00
Lingxian Kong 33cc92efe2 [K8S] Delete all related load balancers before deleting cluster
When deleting cluster, Magnum only deletes the load balancers for
Kubernetes services/ingresses before deleting Heat stack. The process of
stack deletion is to delete resources in dependencies, which means, for
Octavia resources, member is deleted first, then pool, listener, and
finally load balancer. The whole process is error-prone, especially
Octavia controller needs to talk to amphora for each API call before
deleting load balancer, if any step fails, the deletion operation will
fail.

Octavia provides cascade deletion API[1] for the load balancer, which
could delete all the related resources in one API call and doesn't
involve communication between Octavia controller and amphora instance.

This patch deletes the api/etcd load balancers (if applicable) before
deleting Heat stack, making the cluster deletion process more robust.

[1]: https://docs.openstack.org/api-ref/load-balancer/v2/index.html?expanded=remove-a-load-balancer-detail#remove-a-load-balancer

story: 2007657
task: 39743
Change-Id: Ibe8f788559d0977475d0991fc99ad91ccfd7dca7
2020-05-12 09:48:11 +00:00
Feilong Wang 63e80c3108 [k8s] Support updating k8s cluster health status
The original design of k8s cluster health status is allowing
the health status being updated by Magnum control plane. However,
it doesn't work when the cluster is private. This patch supports
updating the k8s cluster health status via the Magnum cluster
update API by a 3rd party service so that a controller (e.g.
magnum-auto-healer) running inside the k8s cluster can call
the Magnum update API to update the cluster health status.

Task: 38583
Story: 2007242

Change-Id: Ie7189d328c4038403576b0324e7b0e8a9b305a5e
2020-04-09 16:59:26 +12:00
Andreas Jaeger ae228bb5cc Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found.

Update local hacking checks for new flake8.

Remove hacking and friends from lower-constraints, those are not needed
for co-installing.

Change-Id: I926efaef501f190e78da9cab40c1e94203277258
2020-03-31 20:09:46 +02:00
Lingxian Kong 84803e3f03 Fix the load balancer description regex pattern for deleting cluster
Change-Id: I3339a66ceedb3e02c478f3842422e01f1da4a2b5
Story: #2007254
Task: #38613
2020-02-04 09:45:23 +13:00
Theodoros Tsioutsias 23ca0d3c66 No new NGs for clusters without an api_address
With this change, the nodegroup api controller raises an exception
if the user tries to create a nodegroup in a cluster that does not
have an api_address yet. If the nodegroup is created without the
cluster's API address as an input then the new nodes will not be
able to join the cluster.

Change-Id: If3b168d7f756a055b80d38a4f80cedc97f1b47e8
story: 2006716
task: 37087
2019-10-23 10:04:57 +00:00
Zuul 669a4e523c Merge "bug: Cluster should be creatable w/o fixed subnet" 2019-10-19 08:25:20 +00:00
Bharat Kunwar 756a85b70c bug: Cluster should be creatable w/o fixed subnet
Without this patch, it is impossible to create a cluster without
defining a fixed_network or a fixed_subnet that already exists since we
get a Fixed{Network,Subnet}NotFound error, and Heat is unable to create
these for us.

Story: 2002652
Task: 37201

Change-Id: I0e26682b0b6093b215393eb4ce8e94eae8e5e8f7
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
2019-10-17 22:33:27 +00:00
Theodoros Tsioutsias 0ac4db955f ng-13: Support nodegroup upgrade
Adds support for upgrading nodegroups. All non-default nodegroups,
are allowed to be upgraded using the CT set in the cluster. The
only label that gets upgraded for now is kube_tag. All other labels
in the new cluster_template are ignored.

Change-Id: Icade1a70f160d5ec1c0e6f06ee642e29fe9b02ff
2019-10-16 11:53:44 +00:00
Bharat Kunwar 97dbd49d82 Convert fixed_subnet name to uuid for OCCM
Since OpenStack Cloud Controller Manager only accepts fixed_subnet uuid,
convert fixed_subnet name to uuid when a cluster is created.

Without this patch, there is a chance OCCM fails to start in some cases
when fixed_subnet is rendered as name.

Story: 2002652
Task: 28816

Change-Id: Ie70bc00f5617ef94c39c9faea7d39617ee01b07b
2019-10-11 12:49:33 +00:00
Spyros Trigazis 2f72fdfbf6 Pass ssh public key as string
* Fedora CoreOS need the key to be passed as
  a string.
* We can adopt in all drivers so that users in
  the same project can do cluster resize.

story: 2005201
task: 36934

Change-Id: I9a18ce4dcbd74f0dcd23274baed7c8c3d2029d50
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
2019-10-08 07:56:52 +00:00
Theodoros Tsioutsias 5027e0daf8 ng-8: APIs for nodegroup CRUD operations
This adds the changes needed in the API and conductor level to support
creating, updating and deleting nodegroups.

Change-Id: I4ad60994ad6b4cb9cac18129557e1e87e61ae98c
2019-09-26 08:45:57 +00:00
Zuul b546f547a7 Merge "Improve dns format validation" 2019-09-20 11:43:26 +00:00
Mohammed Naser cfe2753fd3 [fedora atomic k8s] Add boot from volume support
Support boot from volume for Kubernetes all nodes (master and worker)
so that user can create a big size root volume, which could be more
flexible than using docker_volume_size. And user can specify the
volume type so that user can leverage high performance storage, e.g.
NVMe etc.

And a new label etcd_volume_type is added as well so that user can
set volume type for etcd volume.

If the boot_volume_type or etcd_volume_type are not passed by labels,
Magnum will try to read them from config option
default_boot_volume_type and default_etcd_volume_type. A random
volume type from Cinder will be used if those options are not set.

Task: 30374
Story: 2005386

Co-Authorized-By: Feilong Wang<flwang@catalyst.net.nz>

Change-Id: I39dd456bfa285bf06dd948d11c86867fc03d5afb
2019-09-20 05:00:29 +00:00
Bharat Kunwar e84cc4c975 Convert network UUID to name required for OCCM
Sometimes, the fixed_network value gets rendered as UUID. However OCCM's
internal-network-name requires the network name, it does not support
UUID. This patch introduces a new parameter called fixed_network_name
which converts fixed_network UUID to name if it is UUID-like.

Story: 2005333
Task: 36313

Change-Id: I3453bc0dbea285687d39c9782685cb1f2a3ecd39
2019-08-25 22:16:42 +00:00
Xingchao Yu 893e2cdf60 Improve dns format validation
Currently, if variable dns-nameserver is a list which
contains extra spaces, e.g., '8.8.8.8, 8.8.4.4', then
validate_dns will fail and API will throw 400 Bad request.

This patch strips extra spaces before the dns format validation.

Change-Id: I8d7c94f42e9ea70009157c5de3dce75620ff5fe8
Story: 2006407
Task: 36291
2019-08-15 23:25:06 +00:00