Commit Graph

379 Commits

Author SHA1 Message Date
ricolin 6ac304d752 Support uWSGI for API server
Currently Nova API server still using eventlet-based HTTP servers,
it is generally considered more performant and flexible to run them
using a generic HTTP server that supports WSGI.

Change-Id: I489557181bb8becbaf5cf7d9812a671d5cb3cc4a
2024-03-05 16:19:36 +08:00
cw0306-lee 44e2b10447 Use metadata_listen_port in nova config
metadata_port value used in queens version and changed
in rocky version to metadata_listen_port

story: 2011052
task: 49616
Change-Id: I106f50f620c2594b1f8ea7dc516d2e254c6af479
2024-03-03 21:45:10 -06:00
okozachenko d5b62a8235 nova: use directory mount for vencrypt certs
Kubernetes subpath mount does not reflect the changes of the
volume origin(ConfigMap, Secret or whatever).
This patch uses directory mount instead of subPath for renewed
certs to be reflected inside the pod automatically

Change-Id: I740737d23db1fe3621b4490523730375e6c36313
2024-01-11 12:03:16 -06:00
hailu 3620054def feat: Add public endpoints for the spiceproxy
Change-Id: I5e1d51931d7362359dfaac5b67eddba345ebe396
2024-01-11 10:35:14 +08:00
hailu 846ea09f24 feat: create 'vms' pool when 'conf.ceph.enabled = true'
Change-Id: I95a19d5a52ac88585d0f53a5349977e7c28ca361
2024-01-11 10:00:48 +08:00
okozachenko 48a59b1324 set startupProbe in nova compute
In environments where there is a large number of ports (100+) on a
hypervisor, the start up can take a long time, and eventually the
liveness test will fail because the process is stuck plugging ports
in.
No need initial delay for live/readiness probe and Startup probe
is enough

Change-Id: I54544a45a716fa4ff840019c0526343063ed1ac5
2024-01-04 08:12:59 -06:00
hailu 91bea58ee0 feat: getting LISTEN IP for CIDR
`CIDR` is easier to manage than `interface` on clusters with different hardware.

Change-Id: I1266eb37c1355b95f23efd33856a79f259020017
2023-12-29 15:16:25 +08:00
dengzhaosen 2dfccce221 Add the conditional statement for log_config_append
As the nova.DEFAULT.log_config_append is a aption
for the configuration of nova, we should be add
condtional statement here.

Change-Id: Ib9c50c9ccc0c93226fffccc997c232b0259dff0c
2023-12-01 16:17:36 +08:00
Ritchie, Frank (fr801x) 488481c332 Ability to add extra commands for service cleaner
This PS makes to possible to add extra commands to the nova service
cleaner job if needed.

Change-Id: Ic1dee3e15a5b56712128142e054e0ca2813944bf
2023-11-08 15:53:20 -05:00
Ritchie, Frank (fr801x) e44c4749b4 Ability to define extra commands for cell setup
This PS makes to possible to add extra commands to the nova cell setup
job if needed.

Change-Id: I3b1f4e2ee58e60d3d830772cbb57c115dd712824
2023-11-06 16:16:39 -05:00
Ritchie, Frank (fr801x) 507ed30b95 Improve cinder authentication support
The current values specified in values.yaml along with the configmap-etc
template can make it very difficult for the end user to properly configure
a cinder authentication method other than password. These changes give the end
user the needed flexibility.

Change-Id: I99e75e1aa9ddd8378518b1291123a34d2881715f
2023-09-28 12:49:05 -04:00
Thales Elero Cervi 7189e6c916 Nova: Add IP addresses search control flag
Add options to nova to enable/disable the use of:
1. The vnc or spice server proxyclient address found by the console
   compute init container
2. The my_ip hypervisor address found by compute init container
3. The libvirt live_migration_inbound_addr used by nova compute to
   live-migrate instances

These options can be used to prevent cases where the found addresses
overwrite what has already been defined in nova.conf by per host nova
compute DaemonSet overrides.
It is important to allow the flexibility of using or not the default
ConfigMap - DaemonSet cluster level configuration, allowing the
possibility of having custom per host overrides definitions that will
not be overwrite by nova-compute-init.sh

One use case (live-migration) for this flexibility is the following:
Originally the nova-compute-init.sh script received the capability of
selection a target interface (by name, in a ConfigMap level) through
which the live-migration traffic should be handled [1], allowing the
possibility of selecting a separate network to handle live-migration
traffic. This was not assuming any interface/network IP if users did not
set .Values.conf.libvirt.live_migration_interface.
Later [2], same script was updated to fall-back to default gateway IP
resolution in case the live_migration_interface is not defined.
So, currently it is mandatory to define a "cluster level config" for the
interface name (i.e., through ConfigMap) or to rely on default gateway
IP resolution for live-migration addresses.
This can be problematic for use cases were:
* There are many networks defined for the cluster and a host default
  gateway might not resolve to the desired network IP;
* There is the need of having a per host definition of nova.conf, since
  nova-compute-init.sh will create a new .conf that will overwrite it.

[1] commit 31be86079d
[2] commit 8f0a154138

Change-Id: Iaf86e0a215802001f58d607a1a3a18acf83f5e81
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Signed-off-by: Robert Church <robert.church@windriver.com>
2023-09-25 15:49:46 -03:00
okozachenko 96ea802204 Create a certificate for novnc vencrypt separately
Once manifests.certificates is set as true, TLS for all
components are enabled. There is no way to enable TLS for each
component.
This patch is to support the usecase to just enable vencrypt auth
scheme.

Change-Id: I1e33071a16e0eb764c51442f99c3795ceb9efb19
2023-09-07 23:16:17 +03:00
Sadegh Hayeri 5aa17f74d8 Fix VNC configs
Change-Id: Ib169ca0dff1a32a055c62a1bd9e9c1636a7f6634
2023-09-01 01:03:40 +03:00
okozachenko bd955f077f Update health probe script in nova
If we define ovsdb_connection in os_vif_ovs config group, health
probe fails for nova-compute because of the wrong condition to
detect db connection string from configuration file.
This patch detects db connection string using string.startswith()
in a more strict way.

Change-Id: I12a3ea4061d5c13879b878b85eb206726b5db27c
2023-09-01 01:29:38 +10:00
okozachenko 7d39af25fd nova: Add cinder auth config
Change-Id: Ieaf2400f73e5a9b940539a22ae696f19a6a1e2bf
2023-08-30 02:36:24 +03:00
Mosher, Jaymes (jm616v) bee2353cae Allow enabling vencrypt for VNC
This patchset allows enabling vencrypt for VNC, based on a
downstream patchset. [1]

Primary differences:
- uses HTK to render the cert instead of its own template
- leaves the creation of a separate (sub)issuer for vencrypt as
  outside the scope of this (and the libvirt) chart.

1. https://github.com/vexxhost/atmosphere/pull/483

Co-Authored-By: Oleksandr Kozachenko okozachenko1203@gmail.com

Change-Id: If377faebc4c65f37b08a3c8aab2fed844a07c26f
2023-08-29 15:46:18 -06:00
Ali Safari 818b067071 Fix nova ssh keys permission
Change-Id: Ic7a2c8b5fb3ea530eba965a75122044da59713f8
2023-08-29 21:41:37 +03:00
az7961 5ef1d54607 Ensure that the script handles cases where the PID file exists but is empty or does not contain the expected data structure.
Change-Id: I4301a6cbea0688369c735d4751c741106b3fe7ab
2023-07-06 14:20:57 -05:00
moontaek-rho 969e3f7871 title: Update oslo_messaging_RPCClient
oslo_messaging.RPCClient is currently deprecated.
Configure health probe to use get_rpc_client if get_rpc_client is
available

story: 2010766
task: 48076
Change-Id: I0795e6e099b935ead8d6d3d22722999b852749d0
2023-05-25 19:40:04 +09:00
moontaek-rho b6cbbf38a9 title: Update get_notification_transport
If the transport_url of nova's oslo messaging notification and the default transport_url value are different, timeout occurs when oslo_messaging.RPCClient.call is executed because of the part written in oslo_messaging.get_notification_transport.
This change moves the health probe to use get_rpc_transport instead.

story: 2010766
task: 48074
Change-Id: Ia6a2b9ce500e8806f76882b28f4d9cca440b6e1a
2023-05-24 03:26:09 +00:00
Jerry Elmore bd6a78e983 Fixed typo openstack-helm/nova/templates/deployment-spiceproxy.yaml that caused SPICE console deployment to break.
Change-Id: Ibfb7decb1d76854c61654e2ad3b0f627485c610c
2023-05-09 13:05:03 +03:00
liyingjun f90fa9ea9e fix(nova): missing privilege separation directory for nova ssh
nova-compute-ssh failed to start with error "Missing privilege
separation directory: /run/sshd" when nova ssh is enabled.

Change-Id: I4fa25a56f191aae6b4fa9efce508723d7c256c8c
2023-04-24 02:05:53 +00:00
Mohammed Naser 8f0a154138 fix(nova): add default live_migration_inbound_addr
At the moment, if live_migration_inbound_addr is not defined it
will default to the hostname of the hypervisor which requires
DNS in order to work properly.

DNS can be complicated and it is possible that an environment
might not have it, so it makes sense to default to grabbing the
default route interface to do live migrations over in order
to allow live migrations when DNS is not setup.

Change-Id: I10eb63fc64d7cd34ef89df529637b1e81951e38c
2023-03-30 13:31:41 -04:00
Mohammed Naser d77e5389f0 fix: vnc access
The VNC port option was changed long ago..

Let's catch up.

Change-Id: I9f45c7102422af20f03f95fa30271d51df6d72ee
2023-03-24 14:37:11 -04:00
Markin, Sergiy ccd6ab8cce Added backoffLimit control for nova-bootstrap job
This PS adds backoffLimit to nova-bootstrap job in nova chart. By default, this job was created from a template in helm-toolkit.

58291db1a6

In this commit the job was re-designed without controlling of the backoffLimit value.

Change-Id: Icb28363be8063d849fd22e9c2542edf1eb203d60
2022-11-15 17:42:16 -06:00
okozachenko f3ed56cc18 Use HTTP probe instead of TCP probe
Strictly speaking, open socket doesn't mean working API.
We experienced API stopped responding and the socket was still
open so API was unhealthy actually but kubernetes did not restart.

HTTP probe will fix this issue.

Change-Id: I95bb3ad3123d8a4a784d260477f037fa5506d290
2022-09-01 15:54:07 +10:00
josebb b356cbe21f Support TLS endpoints in nova metadata-api
This allows nova metadata-api to consume TLS openstack endpoints,
typically identity endpoints.

Same idea with
https://review.opendev.org/c/openstack/openstack-helm/+/820212

Change-Id: I80e580badc96908f382fe8c6ddb2fae7caa957ed
2022-08-17 09:10:05 +03:00
josebb 6882155faf Distinguish between port number of internal endpoint and binding
port number in nova

Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.

I added `service` section in endpoint items apart from admin,public
,internal and default.

Change-Id: Id5ce67f65374382d103c8a0aec78cb43713ce4d2
2022-08-13 12:01:37 +03:00
Brian Haley ced30abead Support image registries with authentication
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142

Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
2022-08-11 00:18:37 +00:00
zhen 5598b7d6c4 Add missing configration [vnv]/novncproxy_host
[vnv]/novncproxy_host is necessary for novncproxy to binding to
specfied ip address.

Change-Id: Ib2a79e0901e9e31da37b162661f3491362378e87
2022-07-08 18:00:12 +08:00
Graham Steffaniak 2e5b7f9cb7 add compute-kit to openstack umbrella chart
ADD: include new charts to the umbrella chart for comprehensive
     deployment of openstack-helm.

       * openvswitch
       * libvirt
       * neutron
       * nova
       * placement

Change-Id: I78d1c7c629024c3f9530239dff9f8eb9da598764
2022-05-19 17:07:31 -05:00
Schubert Anselme 8d5ddc9035
Migrate CronJob resources to batch/v1 and PodDisruptionBudget resources to policy/v1
This change updates the following charts to migrate CronJob resources to the batch/v1 API version, available since v1.21. [0]
and to migrate PodDisruptionBudget to the policy/v1 API version, also available since v1.21. [1]

- aodh (CronJob & PodDisruptionBudget)
- barbican (PodDisruptionBudget)
- ceilometer (PodDisruptionBudget)
- cinder (CronJob & PodDisruptionBudget)
- cyborg (PodDisruptionBudget)
- designate (PodDisruptionBudget)
- glance (PodDisruptionBudget)
- heat (CronJob & PodDisruptionBudget)
- horizon (PodDisruptionBudget)
- Ironic (PodDisruptionBudget)
- Keystone (CronJob & PodDisruptionBudget)
- magnum (PodDisruptionBudget)
- masakari (PodDisruptionBudget)
- mistral (PodDisruptionBudget)
- neutron (PodDisruptionBudget)
- nova (CronJob & PodDisruptionBudget)
- octavia (PodDisruptionBudget)
- placement (PodDisruptionBudget)
- rally (PodDisruptionBudget)
- senlin (CronJob & PodDisruptionBudget)

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#cronjob-v125
1: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#poddisruptionbudget-v125

Change-Id: I2fc0692e1c8e2c4fa4d4ca1da96b5c6a832343fa
2022-05-19 10:08:18 -04:00
Gage Hugo d1b72aa35e Remove nova-placement from nova chart
nova-placement has been removed as of train, since we
do not support openstack releases before train, it
is no longer needed. This change removes nova-placement
from the nova chart and all the overrides, as well as
changes the compute-kit scripts to always deploy
the placement chart.

Change-Id: Ic8649371fe9e954806cbe4bf11c589fb58c7a88d
2022-04-07 14:50:29 -05:00
josebb 8b2ba7b029 Support TLS endpoints in nova
This allows nova to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And nova itself interact with other openstack services via
endpoints.

Change-Id: Iff4422360ca51e94fd1b00854693e266cc202390
2022-04-01 19:05:59 +03:00
Thiago Brito 45ea26175b Enable taint toleration for nova
This changes use the helm-toolkit template for toleration
in openstack services

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I72a4f6073eaf19c662ccd0b3e35ca62c5b88ad65
2022-03-28 10:44:19 -03:00
Gage Hugo f3de6d808a Remove consoleauth in nova
Nova consoleauth was removes several releases ago and most of our
overrides were specifically needing to disable it in order to
deploy. Since it is no longer in nova, this change removes the
nova consoleauth support from the nova chart.

Change-Id: I0a27265330156a11f6049e9beaaa14a38d8a4a93
2022-03-26 18:49:30 -05:00
Mitya_Eremeev 9f5e397f3b Host of compute ironic service equals pod name.
If compute ironic pod migrates to another host,
old compute ironic service is not deleted and
in 'down' status forever. Unless it's deleted manually.
New compute ironic service is
created successfuly and in 'up' status.
This error behavior is due to host of compute
ironic service equals node name because of host networking.
The patch disables host networking which solves the issue.

Story: #2009843
Task: #44446
Change-Id: Iec86be4961cbf3a74c8028cd981ed2a9f6584add
2022-03-21 12:36:17 +03:00
Gage Hugo b09f5c0bf0 Update oslo messaging get_transport
oslo_messaging.get_transport is currently deprecated. This change
moves the health prove to use get_notification_transport instead.

Change-Id: Iea7c914b41dec70b36ebe93fa8ce91e00894f50e
2022-02-28 02:04:15 +00:00
Anderson, Craig (ca846m) d514395d81 Improve health probe logging for nova and neutron
1. Log specific compute services failing rabbitMQ socket tests in nova
   health probe
2. Log specific compute services failing Database socket tests in nova
   health probe
3. Make log level configurable for nova and neutron health probes

Change-Id: I5e5d909d598af734596eb1732ae42808c1f6cd12
2022-02-22 10:05:15 +00:00
Hugo Brito 3ff41ce11c Remove ssh-config
All ssh configurations for the nova-compute pods
are now done by _ssh-init.sh.tpl . This patch removes
the ssh-config that is not needed anymore.

Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
Change-Id: Ib1b24466678a0df28a3ce7ba4d3fe94bfb169702
2022-02-04 10:05:14 -03:00
Thiago Brito c63b1920d5 Fix nova-compute-ssh init to execute as runAsUser
On _ssh-init.sh.tpl, despite one change the runAsUser for the
nova-compute container on the securityContext, the ssh keys are always
being copied into the 'nova' user's folder. This change fixes it by
getting the correct user defined on the securityContext and copying the
keys to its correct folder.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
2022-01-12 17:32:12 -03:00
Huy Tran 1d7f880c42 Add check for number of computes in cell-setup-init script
This PS further enhances [1] to handle case where present
computes are up, but the number of present computes is not
equal to total number of expected computes.

[1] https://review.opendev.org/c/openstack/openstack-helm/+/815086

Change-Id: Idb2a7aeb202fe29fc528ba0dde987e7e0ee65a95
2021-11-03 11:09:02 -05:00
Phil Sphicas 46692e21d9 Fix nova-bootstrap job labels
Similar to earlier changes [0] [1], this change ensures that the labels
for the nova-boostrap job are consistently applied under .metadata and
.spec.template.metadata.

Unfortunately, there was a conflict in the "application" label that was
unresolvable in a backwards-compatible way.

    metadata:
      labels:
        application: nova-bootstrap
    spec:
      template:
        metadata:
          labels:
            application: nova
            ...

The standard helm-toolkit labels are now applied in both places, and the
application: nova-bootstrap label is removed.

0: https://review.opendev.org/c/openstack/openstack-helm/+/812233
1: https://review.opendev.org/c/openstack/openstack-helm/+/813300

Change-Id: I72275f3cf59ca8c1677922ca3b6f2e10b5578ab0
Depends-On: I0c892be5aba7ccd6e3c378e4e45a79d2df03c06a
2021-11-02 14:38:19 +00:00
Huy Tran 6b785b16dc Add option to extend the wait for cell-setup-init
In some deployement environments, nova compute processes took a bit
longer to register on all hosts, and vm/server is instantiated almost
immediately before the process is registered on remaining hosts.
This PS enhances the cell-setup-init script to enable option to
extend the wait before performing discover hosts.

Change-Id: Ie9867e64c554d4f39fdc7432823a1869f0b4a520
2021-10-26 19:03:48 +00:00
Gage Hugo 1e651dc3c3 Helm 3 - Fix Job Labels
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies

Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.

[0]: https://github.com/helm/helm/pull/7649

Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
2021-10-06 13:54:58 -05:00
Gupta, Sangeet (sg774j) a772a30f07 nova: Update script to true of grep does get anything.
Change-Id: I54addea00b4ab91d8fe4925f88cacd582888a7f3
2021-10-06 14:02:45 +00:00
Gupta, Sangeet (sg774j) b75545d0c6 nova: Define service cleaner sleep time
This makes the service cleaner sleep time if any service is down
provisionable.

Change-Id: If55a22c4f22ff0a48767dae3d57aca6c3c8cccac
2021-10-05 14:34:13 +00:00
Gupta, Sangeet (sg774j) 0c80a415bf nova: Give service time to restore
nova-service-cleaner job deletes the service which are down. If the
database is down, the service will go down as well. When database comes
back up, all the services starts to come back to up status. If the
nova-service-cleaner is run in this interim time, the service that
were down gets deleted. These would have come up if the job had not
run. Adding sleep to this job to give service time to come back up
if recovering. The sleep is set to 2 times the report_interval.

Change-Id: Ia292d19508e9449ccb40d1100b1d56b1283e5d53
2021-10-05 05:10:39 +00:00
Thiago Brito b4c58ca27b Fixing nova's helm.sh/hook disablement
It's impossible to disable the helm.sh/hook for the nova-ks-service
job since the hook is being added in duplicity to the job dictionary
before the check for Values.helm3_hook. This commit removes the
duplicity so we can disable it properly.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ie72a13afc81bce4424b10bbc542dc7c44dd38975
2021-10-01 15:46:00 -03:00