Commit Graph

374 Commits

Author SHA1 Message Date
Tadas Sutkaitis 5002bea34f Keystone: Enable custom annotations
Enable custom annotations for pods [deployments, daemonsets]

Change-Id: I5dcc4dbf21b0079de5b503e54cd79196caf3a0b0
2024-03-27 09:25:05 +02:00
Anselme, Schubert (sa246v) 6ed9a4132e Make barbican & keystone TLS configuration granular
Change-Id: Ibdcb202d8f813a248df3f0743b949e9befe18c7a
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
2023-12-07 10:37:40 -05:00
chung00-lee 5b596e39ba Use region option in keystone endpoint-update.py
In multi-region environment, endpoints of other regions are also changed.
So, if we add the region option to endpoint-update file,
it changes endpoints only for the current region.

story: 2010965
task: 49081
Change-Id: Ia678b6737871dec8f6979924de7f2ba53153e7bf
2023-11-13 13:45:17 +09:00
Vladimir Kozhukalov 82a6aa8ce9 Add 2023.2 (Bobcat) jobs
Change-Id: Iea2a16db8acaa94259aeb3e21097bb771b70c38e
2023-10-13 12:40:12 -05:00
Vladimir Kozhukalov 5aadee0dc8 Add Ubuntu Jammy overrides
Change-Id: Icabf43efee2e64c856ae14a69881d96b380d7751
2023-09-07 00:12:04 +03:00
Vladimir Kozhukalov b1f74a351a Add 2023.1 test jobs
- Also run last two test scripts in compute-kit job
  sequentially. This is handy since it allows us to see
  what is happening during the test run. Both these
  test scripts usually take just a few minutes. But if
  we run them using ansible async feature and one of
  the scripts fails then we are forced to wait for
  a long timeout.

Change-Id: I75b8fde3ec4e3355319b1c3f257e2d76c36f6aa4
2023-07-04 18:34:31 +03:00
Vladimir Kozhukalov 02a9e1e0ed Enable Zed compute-kit and cinder jobs
Also a new nodeset was temporarily added.
The aio compute-kit jobs for recent releases require
a huge node to work reliably. We'll remove the temporary nodeset
once this is merged
https://review.opendev.org/c/openstack/openstack-helm-infra/+/884989

Change-Id: I7572fc39a8f6248ff7dac44f20076ba74a3499fc
2023-06-01 16:15:50 +03:00
Samuel Liu 73e696b3fb Replace node-role.kubernetes.io/master with control-plane
The master label is no longer present on kubeadm control plane nodes (v1.24). For new clusters, the label 'node-role.kubernetes.io/master' will no longer be added to control plane nodes, only the label 'node-role.kubernetes.io/control-plane' will be added. For more information, refer to KEP-2067 [https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint]: Rename the kubeadm "master" label and taint.

the kubernetes pr: https://github.com/kubernetes/kubernetes/pull/107533

Change-Id: Iad8c833371efb3ec35149c89eb8fafdf1150fa87
2023-03-21 09:02:00 +08:00
Gage Hugo 5ffefb60c1 Remove train and ussuri overrides
We dropped train support a long time ago now, and our latest efforts
are to drop ussuri/bionic images. This change removes any leftover
train overrides as well as any ussuri overrides. This also changes
any image defaults to use wallaby.

Change-Id: I818a3a79faa631ec1b7de625f2113c6f19610760
2022-10-24 16:00:59 -05:00
josebb 94319bc926 Distinguish between port number of internal endpoint and binding port number in keystone

Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.

I added `service` section in endpoint items apart from admin, public,
internal and default.

Change-Id: I79b867a4e6771e07d1eebec89235352d7613e8eb
2022-08-30 17:33:05 +03:00
josebb 5e1e535dd8 Support TLS endpoints in keystone
This allows ks-bootstrap job to consume TLS endpoint.

Change-Id: I02c07878376934b27888dc643e42ebf1a4caf0ce
2022-08-12 21:34:59 +03:00
Brian Haley ced30abead Support image registries with authentication
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142

Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
2022-08-11 00:18:37 +00:00
Takashi Kajinami 95df1344e7 Use LOG.warning instead of deprecated LOG.warn
The LOG.warn method is deprecated[1] and the LOG.warning method should
be used instead.

[1] https://docs.python.org/3/library/logging.html#logging.warning

Change-Id: I455bb6662b3ccc36b856e923e7220e357e8ef48f
2022-07-20 17:14:30 -04:00
Gage Hugo 89addfd4e1 Add Xena and Yoga values overrides
This change adds the overrides needed to run both the Xena and
Yoga releases in the OSH zuul jobs.

Change-Id: I65e016a4cb3fd52707ab29c37f025818fcb6c405
2022-06-08 17:21:57 +00:00
Schubert Anselme 8d5ddc9035 Migrate CronJob resources to batch/v1 and PodDisruptionBudget resources to policy/v1
This change updates the following charts to migrate CronJob resources to the batch/v1 API version, available since v1.21. [0]
and to migrate PodDisruptionBudget to the policy/v1 API version, also available since v1.21. [1]

- aodh (CronJob & PodDisruptionBudget)
- barbican (PodDisruptionBudget)
- ceilometer (PodDisruptionBudget)
- cinder (CronJob & PodDisruptionBudget)
- cyborg (PodDisruptionBudget)
- designate (PodDisruptionBudget)
- glance (PodDisruptionBudget)
- heat (CronJob & PodDisruptionBudget)
- horizon (PodDisruptionBudget)
- Ironic (PodDisruptionBudget)
- Keystone (CronJob & PodDisruptionBudget)
- magnum (PodDisruptionBudget)
- masakari (PodDisruptionBudget)
- mistral (PodDisruptionBudget)
- neutron (PodDisruptionBudget)
- nova (CronJob & PodDisruptionBudget)
- octavia (PodDisruptionBudget)
- placement (PodDisruptionBudget)
- rally (PodDisruptionBudget)
- senlin (CronJob & PodDisruptionBudget)

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#cronjob-v125
1: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#poddisruptionbudget-v125

Change-Id: I2fc0692e1c8e2c4fa4d4ca1da96b5c6a832343fa
2022-05-19 10:08:18 -04:00
Gage Hugo 180076c899 Remove unused admin port in keystone override
Currently the netpol overrides in keystone have the old v2 admin
port defined. This is no longer needed since keystone v2 has been
long removed.

Change-Id: Iaed37bad01e621e95b9d1493eb8fcf2ec19a3526
2022-04-26 11:28:43 -05:00
songwenping 5d33d80371 Remove usage of six
Six is not used anymore for python3

Change-Id: I2734efe490014d164b53caa164ac491c53c8e09c
2022-04-20 10:07:51 +08:00
Gage Hugo bedaa714d2 Remove pre-train release overrides from keystone
This change removes all the pre-train values overrides from the
keystone chart since openstack-helm does not support them anymore.

Change-Id: I2a69451167d3ec4b938ba773e4bbf5a4d17683e0
2022-04-07 14:59:05 -05:00
Graham Steffaniak 1157d95b71 Create Openstack common components umbrella chart
ADD openstack chart with values_overrides
  * rabbitmq
  * mariadb
  * memcached
  * keystone
  * heat
  * glance

  This adds umbrella chart that references other charts via
  symlink and include global values.

  Because chart values_overrides yaml apply to the main chart,
  the umbrella chart has a chart-scoped replacement

ADD openstack.sh deploy script
  This script deploys all components with a single release.

ADD corresponding release notes

CHG wait-for-pods.sh to accept timeout argument

CHG get-values-overrides.sh to modify file path for subchart

Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
2022-04-05 09:47:06 -05:00
Thiago Brito d8b1f217c8 Enable taint toleration for keystone
This change uses the helm-toolkit template for toleration
in openstack services

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I30ca8050e02a5deeec52319d45025f4af7139059
2022-03-22 18:45:05 +00:00
Gage Hugo 537716e157 Revert "fix(log): reduces chattiness in keystone log"
This reverts commit 73531436e9.

Reason for revert: When the keys are rotated, the links become
broken and keystone only uses the 0 key.

Change-Id: Iffc4ab5d659b01babe7b4f9ee35b0a5789dac3ec
2022-02-01 23:19:56 -06:00
Gage Hugo 073d9a14ee Remove default policy in keystone chart
Keystone has default policy defined in code, this change
removes the outdated values set in values.yaml in order to fall
back onto the in code values for policy.

Change-Id: If27eb0aa312b52c6fddd3811f10bc6207c7dfe27
2022-01-05 16:46:50 +00:00
Gage Hugo 9a89037615 Update default image references
This change updates the image references in the keystone chart
to the latest supported releases of both openstack and ubuntu.

Change-Id: If4f30252b5d839cfe517ee57cbef96e7775e7ec5
2021-10-28 18:15:38 +00:00
Gage Hugo 613fecd37f Remove extra fsGroup
The keystone chart recently had a change to fix the world
readable warning message, but an extra fsGroup entry causes
the chart to fail to deploy when using helm3.

This change removes the offending entry from the values file
in the keystone chart.

Change-Id: I540854da7123f413215b627d3bfb077c6f4864c6
2021-10-23 05:37:20 +00:00
Tin Lam 73531436e9 fix(log): reduces chattiness in keystone log
Current implementation of Keystone prints a warning message if the
directory containing the fernet keys is world readable (o+r). As OSH
uses a volumeMount to handle fernet keys and is by default readonly,
there is no meaningful way to make the directory (not the keys) world
unreadable. Consequently, keystone just keeps logging that warning,
adding no particular value besides flooding the log.

Rather than disabling the log message in keystone (as that warning is
meaningful from a security standpoint), this patch set changes the way
we deal with the secret volume so the directory is no longer world
readable, so keystone will stop issuing that warning message.

Signed-off-by: Tin Lam <t@lam.wtf>
Change-Id: Id29abe667f5ef0b61da3d3825b5bf795f2d98865
2021-10-20 09:21:50 -05:00
Gage Hugo c20c1e4400 Update htk requirements repo
As part of the move to helm v3, all the charts in the OSH repos
will no longer lint/build properly due to a lack of helm serve
in helm v3.

This change modifies the helm-toolkit repo location to the
osh-infra repo in order to account for the removal of helm serve.

This work is part of the migration to helm v3 and will be utilized
in future changes.

Change-Id: I90d25943d69ad6c76455f7778a4894f00c525c46
2021-10-10 18:45:28 -05:00
DeJaeger, Darren (dd118r) 7803000a54 Helm 3 - Fix Additional Job Labels
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies

Thus, for Job templates previously missed, this adds labels matching
the underlying Pod template to retain the same labels that were
present with Helm 2.

[0]: https://github.com/helm/helm/pull/7649

Change-Id: Ie438b449a3d9853d786215d40a39c32d164e9950
2021-10-10 12:04:49 -05:00
Gage Hugo 1e651dc3c3 Helm 3 - Fix Job Labels
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies

Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.

[0]: https://github.com/helm/helm/pull/7649

Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
2021-10-06 13:54:58 -05:00
ericxiett c5105fd9da Add missing slash
The default of 'domain_config_dir' in keystone is '/etc/keystone/domains'.
This patch adds the missing slash.

Change-Id: I30523ec3fd3144811a76b9078e915eff4ffa2b66
2021-09-21 09:44:59 +08:00
Gupta, Sangeet (sg774j) 2d248874dd keystone: Make internal TLS more robust
Keystone may communicate with other components that do not support TLS. This
patchset makes keystone more flexible and enables it to communicate successfully
with such components.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/800097

Change-Id: I5c697c1748b62a81b43e7b0d6c7f89d374a50d94
2021-08-04 05:28:14 +00:00
Andrii Ostapenko 3ac3caa013 Add support for Victoria and Wallaby
Defines compute kit and cinder jobs for new releases with
corresponding values overrides.

Disables compute agent list test for Wallaby since related API
is removed [0].

Since Wallaby, with the switch of osc to sdk, '--id auto' is no longer
treated specially in 'openstack flavor create'. The same behavior
can be achieved w/o specifying the --id flag for flavor creation [1].

Starting with Wallaby, 'nova-manage api_db version' returns an init version
for empty database greater than 0 [2]. _db-sync.sh.tpl logic prior to
this commit does not work due to this. We need to either remove
(done in current commit) or justify and alter previous logic.

[0] https://review.opendev.org/749309
[1] https://review.opendev.org/750151
[2] https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32

Change-Id: I361431d9aa8c1a06c5d59f479fb161ecd87e2ee2
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2021-08-02 15:46:07 +00:00
Gage Hugo 87b39c553d Remove member bootstrap logic
As of Rocky, keystone creates the member role by default. Since
our removal of pre-Train support, the logic we have in the
bootstrap script is no longer needed.

This change removes the member user and role logic.

Change-Id: Ide3af5c47c6b45c013b4dee08076d11bcfe87c53
2021-07-19 03:11:25 +00:00
Kabanov, Dmitrii b1abce9a75 Add Ussuri release support
The PS adds the set of overrides for Ussuri release.

Change-Id: I6b3055e376aa14d0c2ecbea638e6e9ba3b03bde5
2021-06-30 16:47:22 -07:00
Gage Hugo c1c6cb8300 Modify default probe timings
This change modifies the keystone probe timings to be less
aggressive. This should prevent the probes from restarting any
keystone-api pods that are under a high volume of traffic as well
as reduce the amount of log spam.

Change-Id: Icce06bf2247591a7b603aa32ded254ce7b6cc67a
2021-06-18 19:14:55 -05:00
Gupta, Sangeet (sg774j) 5028aa8de1 Mount rabbitmq TLS secret
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other services, the TLSed
rabbitmq support should be added.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188

Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
2021-06-10 14:12:57 +00:00
Thiago Brito 8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have been mounted somewhere but were being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00
Haider, Nafiz (nh532m) c900712f30 feat(tls): Make openstack services compatible with rabbitmq TLS
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/770678

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I11e9ad3f4079b0e12e498f9ed57e5b87ae9dc66a
2021-05-21 01:27:18 +00:00
Tin 26afeb4cb2 fix(pep8): makes python script pep8 compliant
Fixes keystone python script so it is pep8 compliant.

Change-Id: Ib94707996441f35e6ffb32a6d63ab6adbd17a87d
Signed-off-by: Tin <tin@irrational.io>
2021-05-19 22:55:35 +00:00
Gage Hugo 17eff06bb3 Remove keystone paste ini file
With keystone moving to flask back in Stein, the paste pipeline
configuration and file are no longer needed. With OSH no longer
supporting those older releases, this change removes the paste ini
settings and file mounts since they are no longer used.

Change-Id: Idacd973f090562eaee28567d9422eb761951096f
2021-05-05 16:42:28 -05:00
Gage Hugo 5233582991 Remove support for openstack releases older than T
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.

Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
2021-04-29 12:04:34 -05:00
Gage Hugo a3d26068ad Update helm hook conditionals
Updated the db job annotation hooks to be wrapped with
conditionals for helm v2 support.

Change-Id: I069fe3572b837714e263252646e56471c81745d5
2021-04-28 21:36:03 +00:00
Gupta, Sangeet (sg774j) f498f203cf Keystone: Fix error - wrong number of args for set
Change-Id: Ibc06d00f659c9ae7a1a14d1b2aa70607842b2f53
2021-04-22 13:19:46 +00:00
Gage Hugo 0f6f83dcdc Add conditional wrapper to helm hook
The pre-install hooks for several of the keystone templates
cause upgrade failures when using helm2. This change wraps them
in a conditional that can be toggled off for anyone still
using helm2.

Change-Id: I179583bd595bc8ed1e4c29eb7c2a744e3c6a5708
2021-04-19 20:29:22 +00:00
jinyuanliu 86fd8dd134 Remove congress residue
About the congress chart: it's been removed. Remove congress residue now.

Related-Bug: #1917762
Change-Id: Ib52e77330cadf45bd3353bfaedc251485620d9f8
2021-03-04 21:48:39 +08:00
jinyuanliu da9f28cefa Update rbac api version for keystone
When using helm3 to deploy, it fails. Helm3 no longer supports rbac.authorization.k8s.io/v1beta1, but v1 supports both helm2 and helm3.

Change-Id: If37ec26443feb5328d49e6b3c419305832bdae9e
2021-03-02 23:57:51 +08:00
okozachenko 909f967920 Add helm.sh/hook related annotations in keystone chart
Same motivation with openstack/openstack-helm-infra/776466

Depends-On: https://review.opendev.org/openstack/openstack-helm-infra/777980
Change-Id: I4388eda429f3093fed214633e5cebf3105bcebd3
2021-03-01 15:06:01 +02:00
Nafiz Haider ca47e3c974 Re-enable "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit 2ec17153c6.

Reason for revert: resolved bug with cluster issuer versioning

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/772814

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: If7ebef1cebbe5b1d97ac530dd7136e3fc9232b21
2021-02-26 02:43:09 +00:00
Gage Hugo de912628ca Move rabbit-init to dynamic dependency
With a previous change[0] that moved rabbit-init jobs to dynamic
in helm-toolkit, this change continues that work by moving the
keystone rabbit-init job to dynamic as well.

[0] https://review.opendev.org/c/openstack/openstack-helm-infra/+/671727

Change-Id: Iec2ea3fdf36e19ac4f2e203389dbe19737d14c3a
2021-02-25 19:15:49 +00:00
Gage Hugo fc680cf8c4 Update typo in subPath for volume mount
When using a chart with the flux operator and helm3, it fails
when encountering a volumeMount "subpath" instead of "subPath".

This change corrects the typo to the right camelcase entry.

Change-Id: Id2d9ea25445d84f89b299c7f0b24da1cc5aaf264
2021-01-28 22:51:59 +00:00
Tin Lam 2ec17153c6 Revert "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit 43e75eaa83.

Reason for revert: Doing this as part of the revert here - https://review.opendev.org/c/openstack/openstack-helm-infra/+/772733

Change-Id: I9c04a35c179d23ec1b7612b4f87d9d16352985cc
2021-01-27 17:09:42 -06:00