Armada chart currently uses the same image for testing
as for deployment. The PS introduces a flexible way to choose
the image for tests.
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: If9bebd27cf710e91c49c8dcf8f247990bd5acfab
For now we leave the tiller status endpoint, until
Shipyard has had a release to stop depending on it [0].
[0]: https://review.opendev.org/c/airship/shipyard/+/802718
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: If8a02d7118f6840fdbbe088b4086aee9a18ababb
Helm 3 breaking changes (likely non-exhaustive):
- crd-install hook removed and replaced with crds directory in
  chart where all CRDs defined in it will be installed before
  any rendering of the chart
- test-failure hook annotation value removed, and test-success
  deprecated. Use test instead
- `--force` no longer handles recreating resources which
  cannot be updated due to e.g. immutability [0]
- `--recreate-pods` removed, use declarative approach instead [1]
[0]: https://github.com/helm/helm/issues/7082
[1]: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I20ff40ba55197de3d37e5fd647e7d2524a53248f
This removes release rollback/delete functionality. This functionality
was likely not being used and thus was likely not working.
The primary driver for this change is to ease introduction of Helm 3
support. Particularly to avoid having to make API changes related to
the namespacing of helm releases in Helm 3.
This also removes the swagger api documentation as it was not
maintained.
Change-Id: I7edb1c449d43690c87e5bb24726a9fcaf428c00b
Adding said label, that's already defined, to the deployment itself.
This will enable Armada itself to properly wait for certain percentages
of the deployment replicas to be ready prior to proceeding. Prior to
this change, there wasn't a way to select the Armada deployment via
labels.
Change-Id: I3d36566b100b15d58a5152c8559e9becf1b3be00
This change introduces a configuration option to control whether Tiller
listens on any IP addresses (the previous default), or binds only to
127.0.0.1 (the new default).
The same option is used for both the Armada and Tiller charts:
    .conf.tiller.listen_on_any (default: false)
The affected tiller command line argument is:
    -listen 127.0.0.1:port (if false)
    -listen :port (if true)
Listening on any address allows Helm client direct access to Tiller, via
'helm --host pod_ip:port'.
Listening on localhost does prevent connections directly to the pod IP,
but it does not preclude the use of 'kubectl port-forward' to establish
a connection to Tiller.
The Tiller container in the Armada pod exists only to service Armada via
127.0.0.1. The Helm client automatically sets up port forwarding (if it
has access to the Kubernetes API). As a result, this change should be
non-impacting. However, the previous behavior can be restored by setting
.conf.tiller.listen_on_any=true.
Change-Id: Id308976bac21cc521e8470516ce49ebd1942da68
This adds two parameters to the armada and tiller charts
to allow configuring the SQL storage backend [0].
[0]: https://v2.helm.sh/docs/install/#sql-storage-backend
Change-Id: Iba621c4ebcb0e34d514358ac5970697e2215166c
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Since we introduced the chart version check in gates, requirements are not
satisfied with a strict check of 0.1.0.
Change-Id: I70a3306b3722bfa0116d415ef11ed407eddf6834
Update Helm chart for Armada to use Tiller version 2.16.9.
depends on: https://review.opendev.org/#/c/749497/
Change-Id: I16f7a5e8e571f067154e79a5f2ceb18be7d8db2d
This change adds publishing to docs.airshipit.org and updates the theme
to match the other Airship projects on the site. This change also
updates orphaned links and removes the Read the Docs jobs.
The documentation can be found at docs.airshipit.org/armada when this
change merges.
Change-Id: I9641753f6084f911e3286c623d0c2de7b3f6040a
Signed-off-by: Drew Walters <andrew.walters@att.com>
This updates the armada chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: Ie19852e6a87c15a93caca8915ba92d51c47ec04b
Allows container security context to be applied to the tiller container
inside the Armada API pod, and sets the following: run as nobody (uid
65534), read-only root filesystem, deny privilege escalation. Also sets
the rest of the armada pod to run as armada (uid 1000).
Change-Id: I38eb32f54ca4c0a20c1c63fca2f4927ced6e9e81
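An added example, not part of the commit log or the Armada charts: a check over a rendered pod spec for the Tiller settings these commit messages describe (loopback-only `-listen`, uid 65534, read-only root filesystem, no privilege escalation). The container name `tiller`, the `/tiller` command path, port 24134 and both sample specs are assumptions constructed for illustration.

```python
# Added example (not Armada code). Manifest values below are constructed.
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def listen_host(argv):
    """Host part of Tiller's -listen value, or None if the flag is absent."""
    for i, arg in enumerate(argv):
        if arg.startswith("-listen="):
            value = arg.split("=", 1)[1]
        elif arg == "-listen" and i + 1 < len(argv):
            value = argv[i + 1]
        else:
            continue
        return value.rsplit(":", 1)[0]  # ":port" yields "" (any address)
    return None

def audit_tiller(pod_spec, name="tiller"):
    """Return findings for the named container; an empty list means compliant."""
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        if c.get("name") != name:
            continue
        findings = []
        host = listen_host(c.get("command", []) + c.get("args", []))
        if host is None:
            findings.append("no -listen argument; bind address not pinned")
        elif host not in LOOPBACK:
            findings.append(f"-listen host {host!r} accepts pod-IP connections")
        sc = c.get("securityContext", {})
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))  # pod-level fallback
        if uid != 65534:
            findings.append(f"runAsUser is {uid}, expected 65534 (nobody)")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append("allowPrivilegeEscalation is not false")
        return findings
    return [f"container {name!r} not found"]

HARDENED = {"securityContext": {"runAsUser": 1000}, "containers": [{
    "name": "tiller", "command": ["/tiller", "-listen", "127.0.0.1:24134"],
    "securityContext": {"runAsUser": 65534, "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False}}]}
PERMISSIVE = {"securityContext": {"runAsUser": 1000}, "containers": [{
    "name": "tiller", "command": ["/tiller", "-listen", ":24134"]}]}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
        print(label, audit_tiller(spec) or "ok")
```

The permissive spec shows the pod-level fallback: with no container-level `runAsUser`, the Tiller container inherits uid 1000 from the pod and is flagged.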
Rendering for custom volume mounts in the Armada deployment is broken:
the tiller container is missing the volumeMounts: key, and the volume
mounts are not being applied at all to the armada_api container.
This change allows distinct volume mounts for the containers, defined
under:
    .pod.mounts.armada_api.armada_api.volumeMounts
    .pod.mounts.armada_api.tiller.volumeMounts
The pod's volumes: key includes a concatenation of whatever is defined
under these keys (without any deduplication):
    .pod.mounts.armada_api.armada_api.volumes
    .pod.mounts.armada_api.tiller.volumes
Change-Id: I7b5dd491df01cf30be9f2f2c2b25c427472832fb
The cache dir could no longer be written to when
readOnlyRootFilesystem went into effect [0].
This adds a configurable volume/mount for the cache dir.
[0]: https://review.opendev.org/#/c/703881/
Change-Id: I63a7c8575041aa3c6fd523213f8dffb0542fb0e5
This updates the tiller chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I08694e58d057c04f7ba30ded5dca1207ceaac5e2
This leaves support in Armada for tiller 2.13+ as
we don't use any new features since then, so don't
need to require a newer version.
Change-Id: I6e5343fe942794987bec140e23208dd04fcbfd44
The entrypoint script for the Armada Docker container attempts to create
a nested, temporary directory when one is not provided through an
environment variable. This is fine when deploying Armada via a Helm
chart, as a writable volume mount exists; however, the directory
/tmp/armada/metrics does not exist when running as a standalone
container. This commit changes the entrypoint script to use a flat,
temporary directory to avoid requiring a user to mount a temporary
volume.
Change-Id: I26857908fa90c64c98038d508263a5094b06668a
Signed-off-by: Drew Walters <andrew.walters@att.com>
Allows configuring the probes via values.yaml in both
the armada charts, which includes armada and tiller
containers, and in the standalone tiller chart.
Also bumps the osh sha in tools/helm_tk.sh to latest
22ef25ab295d6b7c6797cfffaa77cf181c673e9b
Change-Id: I0bb0acf00ecc0b61f8d324fe9b6a8507c361e9fc
Update apiversion for ClusterRole, ClusterRoleBinding to rbac.authorization.k8s.io/v1
Update apiversion for deployment to apps/v1
Add selector match labels to deployment
This patch is similar to https://review.opendev.org/#/c/638276/
These changes are required to install armada, tiller helm charts against k8s 1.16.0
Change-Id: Ife08b4af4721c6c49c9c6faadd7fd31aa8700b39
This adds a parameter to the armada and tiller charts
to configure the tiller storage [0] type. For backward
compatibility, by default the parameter is not passed
to tiller, thus relying on the upstream default, which
is 'configmap'.
[0]: https://helm.sh/docs/using_helm/#tiller-s-release-information
Change-Id: I5d2a7558e3847331a0ce95c15b2e741f96130674
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled, default policies allow all ingress and
egress traffic (i.e. policy set to {}); this may be
changed in future patch-sets.
Change-Id: Ie14a652830b4366e070ded91f8bbf83ca24d1007
This implements Prometheus metric integration, including metric
definition, collection, and exportation.
End user documentation for supported metric data and exportation
interface is included.
Change-Id: Ia0837f28073d6cd8e0220ac84cdd261b32704ae4
This PS looks to add a node selector into the test pod's spec,
as well as the standalone tiller's spec.
Change-Id: I8d2054f0d9d360cb6baaa7ff636348c5a4d18149
In general, stuck pending statuses can be avoided by not enabling
the tiller native wait flag when updating releases, since tiller
then marks the release completed directly after applying the
resources to kubernetes.
However, when updating tiller itself, once kubernetes sees the
updated tiller resource, it can bring tiller down
before it has a chance to mark the release which contains tiller
as completed, leaving it in pending status.
This adds a preStop hook to both the standalone and sidecar tiller
containers to simply sleep to give them a chance to finish updating
their release, before terminating.
Ideally tiller would handle this on its own
via signal handling, but it doesn't. We could try to query for
the absence of PENDING_*** releases via `helm ls` before exiting,
however the helm CLI is not available inside the tiller image, and
those releases could be getting updated from another tiller instance,
or had already got stuck in that state previously, in which case we
don't want to hold up tiller termination.
Change-Id: I300c613f2a89eb1406531ce0a9af85c429a886f2
There is a breaking change in helm 2.14.0 [0]. This is expected to be fixed in helm 2.14.1, reverting until we can update to that.
[0]: https://github.com/helm/helm/issues/5750
This reverts commit 89d98fb827.
Change-Id: Ica6d51b5c67a26c356804fd69d466e88ad5c216b
Implement container and pod level security context for the following
Armada resources:
- Armada server deployment
Change-Id: Ic4caba4a75ba00c92aff2e8fc16e480463632e04