Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: I6e0a3b301392e82231a2081859ca4d380a0138d8
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Changes the interface from the default (internal) to public.
Change-Id: I0862d7263dcb60b358f865002dc974d55deabee5
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set updates the endpoint from the internal to the public
endpoints for keystone-related processing.
Change-Id: Id792cba5a7227a63dfbd38035d98110da74efdc9
Signed-off-by: Tin Lam <tin@irrational.io>
This updates the sonobuoy chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Depends-On: https://review.opendev.org/740119/
Change-Id: I0964c9809402635c9a7049b61fb954a4ebf01bb1
- brackets
- braces
- colon
- commas
- comments
- key-duplicates
with corresponding code adjustment.
Also removes x flag from yamls for ranger and ranger-agent charts.
Change-Id: I156b991ba6e17b6f9e1f128295362c0675afd8cc
This role enables the readonly serviceaccount to additionally perform
pod/exec within the configured namespace.
Some organizations deploy pods in a particular namespace in Kubernetes
that have a locked down user/CLI that allows examining resources with
readonly access (to prevent any modifications, etc.). This change
enables the Sonobuoy plugins to leverage these pods by executing into
them.
Change-Id: I781248fdd251e7fca31e0ab831326a9f475392cd
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I631ae4345f18fee70b380867ba8b33af5e3b3254
This value was left at the old v0.11.4, but Sonobuoy was updated to
v0.16.4 [1]. This doesn't seem to impact anything, but could cause
confusion.
1 - https://review.opendev.org/#/c/695944/
Change-Id: Ifb230b55662ee5deadb91b6b7508f45773427401
v0.16.* supports Kubernetes 1.16.* [1]
v0.16.4 [2] prevents Sonobuoy considering a Node in "error" immediately
when an `ErrImagePull` or `ImagePullBackOff`. Instead, Sonobuoy gives
the pod 5 minutes to recover from this.
There are times when a Kubernetes cluster receives a timeout from the
Docker daemon when pulling images. This update will prevent a temporary
network issue from failing the Node immediately.
Also, new Sonobuoy images are published to docker.io instead of gcr.io.
[1] - https://github.com/vmware-tanzu/sonobuoy/releases/tag/v0.16.0
[2] - https://github.com/vmware-tanzu/sonobuoy/releases/tag/v0.16.4
Change-Id: I0c30ade1824cab297fe5b27944747a8607bef25c
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Depends-On: https://review.opendev.org/688435
Change-Id: I7f48605f08f574822179d51cd645ded07714d9c3
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Currently, results are stored using an emptyDir volume. This change adds
support for storing results using a customizable hostPath. When storing
results in a hostPath, results can still be obtained form the hostPath
while result publishing is disabled.
Change-Id: Ibd01da23a8e74a54f500429cf0ba8ca72f2ac77d
Before, if conf.publish_results was false then Helm would fail to
install the Sonobuoy chart because the apparmor annotation was being
added for the results-publisher container, but the container didn't
actually exist because it was disabled.
Now, the apparmor annotation is only included for the results-publisher
container when conf.publish_results is true.
Change-Id: I731b7d03c9699db0fcab61439479796617ebff2a
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH-addons.
This should fix it.
Change-Id: I23d69b56e6de4f0f76d6031b301e81a294ddcc50
Adds a yaml path for providing additional yaml that will be stored in a
secret and provided to the plugin. Values can be added to plugin_values
that will result in being needed configuration and expected values
for tests. Utilizes the extra-volumes functionality as described [0]
[0]: https://github.com/heptio/sonobuoy/blob/master/docs/plugins.md#writing-your-own-plugin
Change-Id: I41d9bc02c8c0154903366a4cdcd287b95ea9707a
Manually set Namespace for Sonobuoy's config.json.
Sonobuoy's bug forcing heptio-sonobuoy namespace [1] usage only does not
impact this Helm chart because the config.json is directly controlled
by the `values.yaml` and not Sonobuoy's CLI.
Now multiple instances of this chart may exist at once by specifying
unique namespaces at helm install time.
Modify Sonobuoy test script to install two instances of Sonobuoy Helm
chart. Also install readonly serviceaccount to verify it will work with
more than one instance simultaneously.
[1] https://github.com/heptio/sonobuoy/issues/420
Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9
Before, the secret was not getting installed when upgrading from a
previous version of this chart without the secret. On clean install it
was working.
Now, with the addition of the post-upgrade hook this chart will install
the secret correctly when upgrading from a previous version without this
secret.
The deletion policy is required for sequential upgrades. Tiller
does not keep track of resources installed via post-{install,upgrade}
hooks, this causes an "Already exists" error when upgrading without this
hook. With this hook, the secret will be deleted before upgrading,
which will then install this resource.
Change-Id: Ia3af5af8bcf28cae3ad31f427068a025a5a4c7fd
Using this readonly ServiceAccount enables plugins
to use a Kubernetes client with different permissions
than the Sonobuoy ServiceAccount, which has full
permissions on the cluster.
This ServiceAccount enables get/list/watch on all resource types in all
API groups.
The reason the secret is used to mount the service account token because
there is not a way to specify a service account from just a container
spec [1]. Sonobuoy doesn't provide access to the pod spec for plugins,
so we are limited to the container spec.
[1] https://github.com/kubernetes/kubernetes/issues/66020
Change-Id: I69aeaaedf1fb7672f7167c83b220cf6abb890cb5
This change enables operators to disable results publishing where Swift
and Ceph may not be setup.
This configuration option does not prevent deploying other resources
such as ks-user. The operator will want to disable those via the
`manifests` dictionary in `values.yaml`.
Change-Id: I00be7d51309889fcaf3b2a9756e38dcf49c31312
This enables persistently storing Sonobuoy tests results tarball
in Ceph (authed with Keystone).
1. Adds job-ks-user and secrety-keystone to create Sonobuoy user in
Keystone
2. Sonobuoy pod has a results-publisher container that waits for
Sonobuoy container to populate test results directory with the tarball
3. results-publisher container creates Swift container for Sonobuoy
results
4. results-publisher adds Sonobuoy test results to Swift container
5. results-publisher sets expiry date on the object to be deleted
after 30 days
Change-Id: Ic2d9fb345dce1101040e60113564e7ecdb2c51ea
It's presumed that some versions of Kubernetes do not handle this,
which is why the experimental job is still working.
Change-Id: If3a712cca278e02908cf9be8dfefa75a782bac09
This adds a Sonobuoy chart that only runs the systemd-logs plugin[1]. The
Sonobuoy pod (tests) are executed as a `helm test`.
This chart must be installed under the heptio-sonobuoy namespace[2]. A node
with the label selector specified in values.yaml (labels.api) must exist
for the Sonobuoy pod to even be created.
Also add an experimental job to test Sonobuoy chart.
[1] https://github.com/heptio/sonobuoy-plugin-systemd-logs
[2] https://github.com/heptio/sonobuoy/issues/420
Change-Id: I613fab635b97a70ac20820e1ececde48952ac2da