In some environments, the readiness probe for the cinder-api, glance-api
and heat-api are failing, but the liveness probes are not. This change
adds a initialDelaySeconds value to the readiness probes of these
deployments.
Change-Id: Id3859cee9a2827f9c1fda9dcdca0a23879eb45d4
Signed-off-by: Lucas de Ataides <lucas.deataidesbarreto@windriver.com>
This change updates all Ceph images for Jammy-based deployments in
openstack-helm to latest-ubuntu_jammy.
Change-Id: Id80f0fc074da01548006fc37c2629b27fbddbd25
If there are multi regions, OS_SWIFT_ENDPOINT_PREFIX has broken url. To prevent this problem, use --region option.
story: 2010964
task: 49071
Change-Id: I1bbd76616ab9c9ec7a8554c7f382642b2dbe0661
In Bobcat by default the ssh keypair is generated
with ed25519 algorithm which is incompatible with
Cirros 0.3.5. The Cirros 0.6.2 also requires minimum
128Mi of RAM
Change-Id: I0135c09a9ae5bc3171891576b29a450f7000f180
Glance image PVC contains requires images that should be careful handled
during changing glance storage when migrate out of PVC mode for glance
storage.
Which in migrate/upgrade path, should be be correctly moved and deleted
the PVC after.
On the other hand, it's also possible to accidentally changes storage
mode out of `pvc` and lose the `glance-images` PVC which is unbearable
mistake.
Once storage mode set to `pvc, we should allow that PVC to be able to
stay and ready for reuse again until it's mannually deleted.
This add flag `keep_pvc` (default to true).
Set it to true to set helm/resource-policy to keep for glance-images.
Set it to false to allow helm delete glance-images PVC when request.
Change-Id: I9d0e2a49aabf81eb2d4e00ad2a9d42125261489e
- Also run last two test scripts in compute-kit job
sequentially. This is handy since it allows to see
what is happening during the test run. Both these
test scripts usually take just few minutes. But if
we run them using ansible async feature and one of
the scripts fails then we are forced to wait for
a long timeout.
Change-Id: I75b8fde3ec4e3355319b1c3f257e2d76c36f6aa4
Also a new nodeset was temporarily added.
The aio compute-kit jobs for recent releases require
a huge node to work reliably. We'll remove the temporary nodeset
once this is merged
https://review.opendev.org/c/openstack/openstack-helm-infra/+/884989
Change-Id: I7572fc39a8f6248ff7dac44f20076ba74a3499fc
If application credentials with access rules are required,
an OpenStack service using keystonemiddleware to authenticate
with keystone, needs to define service_type in its configuration
file.
Change-Id: I7034e82837d724f12d57969857f79d67c962cebe
The configFile path shouble be /etc/glance/glance-api.conf,
not default /etc/glance/glance.conf defined by helm-toolkit,
since secrets mounted in '/etc/glance' have glance-api.conf not glance.conf in it.
The wrong path '/etc/glance/glance.conf' would be a dir in bootstarp container,
and lead to all config files in /etc/glance dir unreachable.
This bug may not affect bootstrap,
but should be fixed in case the config files are needed.
Change-Id: If25966e07ca7f9a80dd0e76ff7663a945db66a23
This change updates all Ceph image references to use Focal images
for all charts in openstack-helm.
Change-Id: I67cd294e2aabf3c3af404da42204f9b6157b06f7
Beginning with the Pacific release, Ceph pools are not allowed to
use 1x replication by default. This is problematic for the
openstack-helm gate scripts, which frequently use 1x replication
for automated testing. This change adds Ceph configuration and
command overrides to allow those gate scripts to continue to use
1x replication for testing.
Change-Id: I21ed3e43f3773d5ea830959f1b66b35f38185ca7
OpenStack services already moved to use policy in code.
No need to have policy file at this point, at least no need to put
default policy rule to policy.yaml file anymore.
To put in duplicate rules, will cause unnecessay logs and process.
Also not healthy for policy in code maintain as the `default` rules in
openstack-helm might override actual default rules in code which we
might not even mean to change it at all.
Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
We dropped train support a long time ago now, and our latest efforts
are to drop ussuri/bionic images. This change removes any leftover
train overrides as well as any ussuri overrides. This also changes
any image defaults to use wallaby.
Change-Id: I818a3a79faa631ec1b7de625f2113c6f19610760
Strictly speaking, open socket doesn't mean working API.
We experienced API stopped responding and the socket was still
open so API was unhealthy actually but kubernetes did not restart.
HTTP probe will fix this issue.
Change-Id: I95bb3ad3123d8a4a784d260477f037fa5506d290
port number in glance
Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.
I added `service` section in endpoint items apart from admin,
public, internal and default.
Change-Id: I8fc8ea4e81648f3b98006491a7cb2aa9c0f479b6
This allows glance to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And glance itself interact with other openstack services via
endpoints.
Change-Id: I35ab5d1bbaa20bfc73d0dc7af2710ca1d14b0627
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142
Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
If a Helm upgrade is performed on the OpenStack Umbrella chart using
the exact same configuration as the first release, then it's expected
for no DaemonSets, Deployments, or StatefulSets to be updated.
This did not work as expected.
A few changes were required to support this desired behavior:
1. Update glance's configmap-etc.yaml to trim whitespace and convert
YAML comment to Helm template comment. Before this change, Helm
rendered the template with the YAML comment and a newline for the
install phase. On upgrades, Helm rendered the template without the
YAML comment and newline causing the hash of configmap-etc to change,
thus causing the glance-api Deployment to update.
2. Update openstack.sh script to create a randomly generated memcache
secret for glance. Without this change, the glance-api deployment
changes each time since Helm randomly generates a new memcache
secret if not provided.
This behavior is enforced via a new test script,
validate-umbrella-upgrade-no-side-effects.sh.
The following jobs are always recreated due to hooks:
- keystone-bootstrap
- keystone-credential-setup
- keystone-db-init
- keystone-db-sync
- keystone-domain-manage
- keystone-fernet-setup
- keystone-rabbit-init
- rabbitmq-cluster-wait
Some Jobs are created via CronJobs and could be created during
validation. So far, heat-engine-cleaner has been seen, but others
could be caught too.
So the validation script ignores these pod changes by ignoring if
Jobs were recreated. Plus Jobs being recreated should not impact
the OpenStack deployment.
Change-Id: Iffaa346d814b8d0a3e2292849943219f70d50a23
This change adds the overrides needed to run both the Xena and
Yoga releases in the OSH zuul jobs.
Change-Id: I65e016a4cb3fd52707ab29c37f025818fcb6c405
ADD openstack chart with values_overrides
* rabbitmq
* mariadb
* memcached
* keystone
* heat
* glance
This adds umbrella chart that references other charts via
symlink and include global values.
Because chart valeus_overrides yaml apply to the main chart,
the umbrella chart has a chart-scoped replacement
ADD openstack.sh deploy script
This script deploys all components with a single release.
ADD corresponding release notes
CHG wait-for-pods-sh to accept timeout arguement
CHG get-values-overrides.sh to modify file path for subchart
Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
The glance-api pod has a terminationGracePeriodSeconds
of 600s(10min) and the others services has 30s. This high
terminationGracePeriodSeconds may cause timeout in some
cases and there is no reason for this high
terminationGracePeriodSeconds.
The terminationGracePeriodSeconds has been introduced on
https://review.opendev.org/c/openstack/openstack-helm/+/469974
but there is no explanation why it is too high.
Story: 2009959
Task: 44926
Signed-off-by: Arthur Luz de Avila <arthur.luzdeavila@windriver.com>
Change-Id: I9f9092e48c4f4ecf5a145dc42dbafe4f96cfa91c
This changes use the helm-toolkit template for toleration
in openstack services
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: Ifa05d9adb69ed46177ba2e7e1707d2e46eff62e4
Glance registry was deprecated in Queens and removed in Stein.
This change removes glance-registry settings and templates
from the glance chart. Also removed the overrides from older
releases that are no longer actively supported and tested.
Change-Id: I704d844b9ab96daa73ec42e29cded31fbbe3f720
As part of the move to helm v3, all the charts in the OSH repos
will no longer lint/build properly due to a lack of helm serve
in helm v3.
This change modifies the helm-toolkit repo location to the
osh-infra repo in order to account for the removal oh helm serve.
This work is part of the migration to helm v3 and will be utilized
in future changes.
Change-Id: I90d25943d69ad6c76455f7778a4894f00c525c46
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus, for Job templates previously missed, this adds labels matching
the underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ie438b449a3d9853d786215d40a39c32d164e9950
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
Chart upgrading was failing due to some immutable fields in job are needed to upgrade. So, we have added the helm.sh/hook annotations with post-install and post-upgrade values. As for hook-weight annotations, we have added these to control the flow of the jobs with hook creation as the jobs are dependent. Like, db-init jobs need to run before db-sync and so on. Also helm3_hook value is introduced in values.yaml, which can be used to disable helm hook if needed.
Change-Id: Idb4b992b4061f4a014570b7933a585df1a096299
Defines compute kit and cinder jobs for new releases with
corresponding values overrides.
Disables compute agent list test for Wallaby since related API
is removed [0].
Since Wallaby with switch of osc to sdk '--id auto' is no longer
treated specially in 'openstack flavor create'. The same behavior
can be achieved w/o specifying --id flag for flavor creation [1].
Starting Wallaby 'nova-manage api_db version' returns init version
for empty database greater than 0 [2]. _db-sync.sh.tpl logic prior to
this commit does not work due to this. We need to either remove
(done in current commit) or justify and alter previous logic.
[0] https://review.opendev.org/749309
[1] https://review.opendev.org/750151
[2] https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32
Change-Id: I361431d9aa8c1a06c5d59f479fb161ecd87e2ee2
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other service, the TLSed
rabbitmq support should be added.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188
Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
This is to fix the ceph version checks for enabling the applications
on newly created pools for openstack services like cinder and glance.
Change-Id: I2c007f728180cf7753255463ebf2f8dc5dc6fa5b
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.
Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
Currently, when users try to navigate through horizon
panels or use the command-line interface that contains
calls to /api/glance/metadefs it will pop up insufficient
permission errors due to the fact we are disabling [1]
the metadef APIs in glance addressing OSSN-0088 [2].
As a side effect on how we address the OSSN, all API calls
to metadefs will be forbidden for any user, which is not recommended
in production environments. However, we have the current
recommendation of the OSSN which allows CRUD of metadef to
admin only and provide read access to all users.
[1] aab5ee7711
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Story: 2008761
Task: 42128
Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
There was an issue with the metadef APIs in glance, detailed in
the latest OSSN[0] that they have the potential to leak resources.
This change updates the default policy for the metadef APIs to
be disabled by default.
[0] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Change-Id: I7377b3a2f3784fe7da78bdd7aba146328cc0f406
When using a helm3 to deploy , it fails
Helm3 no more support rbac.authorization.k8s.io/v1beta1 , but v1 can
support helm2 and helm3.
This change optimized deployment.
Change-Id: I107d6e965ca00a6d8b766e91573be2c9aeb4f782
Lucas de Ataides