133 Commits

Author SHA1 Message Date
Ritchie, Frank (fr801x) 906f9a5f15 Change pathtype to prefix
Due to CVE-2022-4886 the default pathType for an ingress should be
either "Exact" or "Prefix". This allows for more strict path validation by
the admission controller.

Change-Id: I1089bd5c893685fe3b2bcd6868da2f2b761e144f
2024-01-29 10:58:42 -05:00
Alexey Odinokov cd65140a7c Fixing name for maas-export-api-key job
Previously it was maas-export-api-key}-job.
It worked, but did not look accurate.

Change-Id: I578c70c09ebbf2bdbccbf81eae69db70250a715d
2023-11-21 12:36:05 -06:00
SPEARS, DUSTIN (ds443n) ba3657c0c1 Add option to mount host path for cgroups
Capability added to disable cgroups host path volume

Change-Id: I007d9a79b812094126fadb36fd743133495d337f
2023-09-19 13:24:28 -04:00
Anselme, Schubert (sa246v) 736c936394 Parametrise readiness probe
Change-Id: I358ae8307799fff0674a428c42b90381d6d3a631
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
2023-08-23 14:42:59 -04:00
Ruslan Aliev eaabbb2722 Disable ipv6 for bind9 named service
* Allow any recursion and cache queries for named svc
* Bump maas v3 to the actual version

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
2023-07-12 21:31:53 -05:00
Wahlstedt, Walter (ww229g) 565d20ee18 add commissioning script
Change-Id: I5aadcee07b4eefccdf5666fa024d87f2f4e86eb5
2023-05-24 15:59:53 -04:00
Ruslan Aliev 003f7bf702 MAAS region & rack controller upgrade v3.0.0
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I87a86c920e49e53447c87bcff3c0fae08ebf267f
2023-03-13 02:20:28 -05:00
Ruslan Aliev 23a2b557f1 Revert "Upgrading MAAS to v3"
This reverts commit 129d958a51.

Reason for revert: reverting back to 2.8.7 to modify chart

Change-Id: I68d3abfb19decc5eb470fcf43694506bc5edd4b6
2023-02-16 15:32:01 -06:00
Anselme, Schubert (sa246v) 129d958a51 Upgrading MAAS to v3
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: I4b5a5f6a7e21d790cce13a5ccff9819f517cad64
2022-11-23 12:55:52 -05:00
Ruslan Aliev 2d5b698d9e Switch PVCs to use storageClassName
HTK and Helm versions are also updated.

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Ia1ef4ec23f53dcb591e139c3476e143a55351fd3
2022-09-16 19:02:23 -05:00
Phil Sphicas 50b3d68905 Control bind9 and nginx resource usage
The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.

This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.

Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad
2021-11-10 23:35:50 -08:00
Phil Sphicas 666567eae5 Update chart to use stable Kubernetes APIs
Update the MAAS chart to use non-deprecated APIs [0], specifically
addressing the following resource types:
* ClusterRole
* ClusterRoleBinding
* Ingress
* Role
* RoleBinding

The APIs being migrated to are available in v1.19 or earlier. As of this
change, v1.19 is the oldest supported Kubernetes version, slated for EOL
on 2021-10-28. [1]

Also includes an HTK uplift that includes updated Ingress templates. [2]

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
1: https://kubernetes.io/releases/
2: https://review.opendev.org/c/openstack/openstack-helm-infra/+/813115

Change-Id: I5e78f1ab094666538ed419a78f6966a2ba295d6a
2021-10-18 11:52:30 -07:00
Sean Eagan 983853de55 Helm 3: Fix Job labels
See the dependency below for details.

Depends-On: https://review.opendev.org/c/openstack/openstack-helm-infra/+/811826
Change-Id: I997313865002469f1916c5baa8ccaa26c37619b5
2021-10-01 13:40:45 -05:00
Phil Sphicas b648edfe40 Deploy MAAS 2.8 on Ubuntu bionic
Image changes:
* base image ubuntu:18.04
* MAAS version 2.8.6-8602-g.07cdffcaa-0ubuntu1~18.04.1 from ppa/2.8
* default contents of /var/lib/maas are archived in /opt/maas
* updated patches:
  - 2.3_bios_grub_partition.patch, changed in maas [0]
  - 2.3_partitiontable_does_not_exist.patch, changed in maas [1] [2]
  - 2.3_secure_headers.patch, updated for twisted 17.9.0 [3]
* removed patches:
  - 2.3_bios_grub_preseed.patch, changed in maas, now N/A [0]
  - 2.3_hostheader.patch, fixed in maas [4]
  - 2.3_maas_enlist.patch, fixed in maas [5]
  - 2.3_mac_address.patch, fixed in maas [6]
* new patches:
  - 2.8_maas_ipmi_autodetect_tool.patch, enlistment reliability
* reformatted patches due to blackening change [1]:
  - 2.3_configure_ipmi_user.patch
  - 2.3_ipmi_error.patch
  - 2.3_kernel_package.patch, custom req to specify kernel package
  - 2.3_nic_filter.patch, custom req to ignore cali* interfaces
  - 2.3_region_secret_rotate.patch
  - 2.3_route.patch

Chart changes:
* maas-region podport is 5240
* maas config option http_boot is no longer configurable [7]
* start script restores some default files into /var/lib/maas
* register-rack-controller script removes old files in /etc/maas
* enlist userdata now matches commissioning/curtin userdata [8]
* force_gpt option is removed [9], as GPT is now the default
* update to configure remote_syslog in import resources job [10]
* enlist_commissioning is disabled for backwards compatibility [11]

0: d8e234eb09
1: db30bb39fa
2: 665feb7575
3: https://github.com/twisted/twisted/blob/twisted-17.9.0/src/twisted/web/server.py
4: 573da69729
5: d390a1da6a
6: 34631c2fe5
7: 0e94c26a53
8: 22641cffcc
9: 97c25a0486
10: d67c359c7b
11: 51b9712c20

Change-Id: I0685d76cf083ff5aa33c8db552059721289d5c53
2021-08-03 21:56:23 +00:00
DeJaeger, Darren (dd118r) 5a1866fb45 Add "labels" to MAAS ingress & ingress-errors deployments
Adding said label, that's already defined, to the deployments themselves.
This will enable Armada to properly wait for certain percentages of the
deployment replicas to be ready prior to proceeding. Prior to this change,
there wasn't a way to select these deployments via labels.

Change-Id: I4d8e479eb40e4395a4e3b79bbc9df651aa4e12e7
2021-04-30 16:58:31 -04:00
Phil Sphicas 35fa3175e3 Allow additional preseed overrides
Sometimes the ephemeral environment needs additional cloud-init data.
This change allows user-data sections to be added to the default files
in /etc/maas/preseeds: enlist, commissioning, and curtin.

For example, to resolve issues with 'apt-get update' failures during
enlistment, something like this may be necessary:

    conf:
      cloudconfig:
        override: true
        sections:
          bootcmd:
            - "rm -fr /var/lib/apt/lists"

Change-Id: I817006a799003ace3f35d02507489720b0f9079b
2021-02-12 06:29:10 +00:00
Phil Sphicas ccfbd4340f Use HostToContainer mountPropagation
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.

Affects the following resources:
* maas-ingress deployment

Change-Id: I8f8239dc868e30d0203cb994b0eb6a615f40d87b
2021-01-07 20:31:00 +00:00
Andrii Ostapenko a1cf7a95ed Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: I74df8053fadaf5a3f07d6fd947161886f01c728b
2020-09-24 19:43:02 -05:00
KHIYANI, RAHUL (rk0850) 2dd543c841 override security context capabilities to values.yaml
Change-Id: I1120a4f5325172a8ece7d2ce8bb24706e28b319f
2020-08-06 12:20:30 -05:00
KHIYANI, RAHUL (rk0850) f899a11a06 Fix: updating maas-syslog to readOnly-fs false
updating it to false as it requires write permission to write pid file

Change-Id: I2b68ef641619a56d88bd4c659fe75d40267e3977
2020-07-31 17:14:34 -05:00
KHIYANI, RAHUL (rk0850) 926dadfbf4 [FIX] override security context capabilities in values.yaml
Add missing helm-toolkit snippet for ingress-errors container

Change-Id: I9c7ec6b71a1d026257c2a1f76e18a3e3be8e244d
2020-07-21 03:56:42 +00:00
KHIYANI, RAHUL (rk0850) 20c6e525ea Implement helm-toolkit snippet to maas pods/containers
This updates the maas chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag

Change-Id: I1eba6ab3a7c27ddcb3e8ddc8e743b91dc5e521c3
2020-07-20 14:43:41 +00:00
Zuul 749a968d90 Merge "Enable Docker default AppArmor profile to maas" 2020-06-26 16:20:39 +00:00
KAVVA, JAGAN MOHAN REDDY (jk330k) a8a530bec7 Enable Docker default AppArmor profile to maas
This adds the default AppArmor profile to the maas-cache container.

Change-Id: Ib181189d968e328291b802d1528b33fc74b7873e
2020-06-26 08:44:58 -05:00
Phil Sphicas 843089243b Allow additional late_commands in curtin userdata
This change allows extra late_commands to be added to the curtin
userdata, which are executed before the node is rebooted at the end of
the deployment. This can be useful to install packages or perform other
customization.

One sample use-case is the installation of specific kernel module
packages that match the target kernel image, in cases where the
ephemeral environment uses a different kernel version.

Change-Id: I80084c544f6a7dafd6aa84c8041cf86bdc3b9f4b
2020-06-20 18:57:42 +00:00
Phil Sphicas 6f6c9b4aec Fix rendering of obscure MAAS file drivers.yaml
The existing drivers.yaml rendered by the MAAS chart is missing the
top-level 'drivers' key, so it doesn't actually work. This change fixes
the rendering of the file, and adds a comment in values.yaml about where
to look for additional information about where and how the file is used:

https://github.com/maas/maas/blob/2.3.5/src/maasserver/third_party_drivers.py

Change-Id: I940c8a57d3e404a101de5c1ea92f8a467319dbaa
2020-06-20 17:46:34 +00:00
Zuul 2989bbb4a2 Merge "maas-region: option to always use GPT" 2020-06-02 20:35:30 +00:00
Zuul 036043a175 Merge "maas-syslog fix: eliminate duplicate messages" 2020-06-02 16:17:46 +00:00
Phil Sphicas 97c25a0486 maas-region: option to always use GPT
MAAS uses MBR for boot disks smaller than 2 TiB. This change provides an
option to force the use of GPT, regardless of boot disk size. The chart
value is: conf.maas.force_gpt=true.

The 2 TiB "threshold" for when GPT is required is simply lowered to 0:
https://github.com/maas/maas/blob/2.3/src/maasserver/models/partitiontable.py#L51-L53

This change could be accomplished with a patch to the maas-region image
directly, but then it would not be configurable, and it may not be
useful for all users. Using sed in the startup script seems like a fair
solution.

Change-Id: I87d3f4b9c97048cdef383cbd15c5a16ac219066b
2020-06-02 02:17:18 +00:00
Phil Sphicas cad7c5c9e1 Enhance MAAS ntpd stub
Using `exit 0` in the ntpd stub causes some unwanted log warnings:

    maas.service_monitor[151]: [warn] Service 'ntp' is on but not in the
    expected state of 'running', its current state is 'exited'.

This change allows the stub to respond appropriately to 'systemctl
status ntpd' and 'systemctl restart ntpd' and keeps MAAS happier.

Change-Id: I41b95051ce595fb9001f4104a1abb48b66a657c4
2020-06-02 02:15:59 +00:00
Phil Sphicas 3624da26f5 Disable creation of swap file
By default, curtin creates a swap file of up to 8GB. When swap is later
disabled, there is still a /swap.img file left hanging around that needs
to be cleaned up.

This change sets the size to 0 to disable the creation of the swap file
in the first place.

https://curtin.readthedocs.io/en/latest/topics/config.html#swap

Change-Id: I9e1e5f67007ae3c49617525e989b27e123b69d53
2020-06-01 23:09:36 +00:00
Phil Sphicas 44c68d4d65 maas-syslog fix: eliminate duplicate messages
A recent change[0] to allow customization of the log level inadvertently
resulted in most messages being logged twice - once if they matched the
severity constraint, and again for all non-local messages, which for the
intended use case is all of them.

This change corrects the rsyslog.conf to drop local messages, and log
the remainder at the configured severity level. It also removes the
"$RepeatedMsgReduction on" parameter, which may have partially masked
the issue, and whose use is not advised.[1]

Change-Id: Ib15f82d9e1c7cef7d6085d6a215354b064aa09bb
0: e22afb6e95
1: https://www.rsyslog.com/doc/v8-stable/configuration/action/rsconf1_repeatedmsgreduction.html
2020-05-30 05:42:45 +00:00
Zuul 8f35260091 Merge "Enabling Apparmor for maas test containers" 2020-05-27 14:59:55 +00:00
DODDA, PRATEEK 9f897d33e4 Enabling Apparmor for maas test containers
Change-Id: I935f2fb265656b7e5f630c3ae215dddcf334fd02
2020-05-20 20:04:33 +00:00
Zuul 329154c083 Merge "MAAS chart: configure extra MAAS settings" 2020-05-20 04:53:00 +00:00
Phil Sphicas 636777ee79 MAAS chart: configure extra MAAS settings
Provide a knob to adjust some less-common MAAS configuration settings.
Changes the default values as follows: disables network discovery, sets
the active subnet mapping interval to 0 (from 10800 seconds), marks the
intro as completed, and disables Google analytics.

Refer to `maas $PROFILE maas set-config -h` for the list of available
configuration items.

Change-Id: I46d348ef5777e22ebeb7a062e5f6061d9ad61a1c
2020-05-03 07:56:06 +00:00
KAVVA, JAGAN MOHAN REDDY (jk330k) b2e100f6ce Enable Docker default AppArmor profile to maas
This adds the default AppArmor profile to maas.

Change-Id: I9c68fdb2be074c855085032dfe9ff0dbbeadcf7c
2020-04-02 15:24:40 +00:00
Anderson, Craig (ca846m) 5af724cff0 Add ability to configure system account password
Change-Id: Ifae2fa7d19472c601069ba9dff5b24396c2db338
2020-03-18 13:25:41 -07:00
Zuul c689772a12 Merge "Add log_level attribute in the Chart to allow overwrite of default" 2020-02-17 17:28:17 +00:00
Nishant Kumar 1e035afc2c Robust maas-rack readiness probe
With the existing readiness probe mechanism, if log rotation occurs
then it may lead the maas rack pod to falsely show as not ready. Instead,
save the success message of rack registration to a file and then use it
in the readiness probe.

Change-Id: I569b99186d398db44a10824dc3fe8c745b13a4ac
2020-02-17 13:45:32 +00:00
Trung Thai e22afb6e95 Add log_level attribute in the Chart to allow overwrite of default
Provide the ability to overwrite the default logging level.
Use 'info' as the default with log_level attribute.

Change-Id: I4bfd82a568c1eaad7de891bd103b3f8ff032e589
2020-02-13 02:12:15 +00:00
Phil Sphicas 0a8b01bb72 Chart uplift: ingress-nginx-controller 0.26.1
Uplifts the ingress-nginx-controller image to 0.26.1, including the
required chart modifications for RBAC, new options for stream and
profiler ports, and a change in the default status port from 18080
to 10246.

Change-Id: Ia0b33a739ea180de45b7e3920968d12ea651a573
2020-01-01 14:30:10 -08:00
Phil Sphicas d79b355188 MAAS chart: reduce syslog startup spam
When the MAAS syslog pod starts, it polls continuously until the log
file exists, generating a message every 10 seconds. However, rsyslogd
won't create the file until it receives the first message, which could
take a while.

This change will create an empty file if none exists prior to starting
the rsyslogd service.

Previous comments indicate some concerns about a race condition, and it
is possible that there are some circumstances when the file may go away
and come back, so the polling loop is left in place.

Change-Id: Ic56faf718038c5d17ab9353399a94ec74e91f8d0
2019-11-17 06:22:29 +00:00
Phil Sphicas 1147e9689e MAAS chart fixes: ingress apiversion, serviceNames
This change fixes a few issues with the MAAS chart:

1. Removes extraneous serviceName from maas-ingress-errors Deployment
2. Adds missing serviceName to maas-syslog StatefulSet
3. Moves maas-region-api Ingress object back under extensions/v1beta1
   Similar to: https://review.opendev.org/691701/

Change-Id: I83156c0e255ad17bbac024daba293490980414ee
2019-11-12 08:46:22 -08:00
Zuul 8e55aa815f Merge "(chart) Fix import issue" 2019-10-11 16:05:07 +00:00
Kumar, Nishant (nk613n) f0ac0a62c2 [Ingress] Change apiVersion for Ingress and Deployment Resource
'apps/v1beta1' apiVersion for Deployment has been deprecated.
'extensions/v1beta1' apiVersion for Ingress resource has been deprecated.

This PS aligns towards the effort in moving to k8s 1.16.

Reference: https://v1-14.docs.kubernetes.io/docs/setup/release/notes/#deprecations

Change-Id: Ied31e4e136fb9bf0343d609cf75bd1b7028d6f66
2019-10-07 10:20:58 -04:00
Scott Hussey 277fb483a4 (chart) Fix import issue
- The import script would skip creating a new boot source
  selection for a non-default distro in some cases due
  to a non-recommended if construct. Change to the recommended
  'if ! grep -q' pattern

Change-Id: I59e6732598f74fc34a6986dbdfe4200d8cd9ea9f
2019-10-02 02:37:10 -05:00
Zuul ae902d8510 Merge "Allow to configure service network policy" 2019-09-27 10:29:27 +00:00
Zuul 3ef4059c41 Merge "[fix] Run maas-ingress as root" 2019-09-26 16:11:53 +00:00
anthony.bellino 8e4b97900c [fix] Deploy maas-ingress-errors
Updating deployment-ingress-errors chart so ingress-errors deploys.
The chart was previously checking for rack_deployment which is now
rack_statefulset.

Change-Id: I79750804ca7bb62a7fcf9c91b80a435d9af332aa
2019-09-24 19:28:17 +00:00