Commit Graph

15 Commits

Author SHA1 Message Date
anthony.bellino 0e8b5cfe59 Uplift Promenade image to address CVEs
The current Promenade image is vulnerable to several CVEs:
CVE-2019-3462
CVE-2018-16865
CVE-2018-16864

Which Ubuntu 16.04/18.04 addresses.
This patchset makes the following changes:
1. Adds new distro specific dockerfiles for xenial/bionic.
2. Updates gates to be specific about the ubuntu image being
   checked.
3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic.
4. Updates build-image.sh docker build for specific dockerfile
   specified in config.sh (IMAGE_PROMENADE_DISTRO).

Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398
2020-05-28 16:09:40 +00:00
Egorov, Stanislav 4f0ae384a8 CoreDNS probe refactoring and version uplift
This is uplift for CoreDNS to version 1.6.2

Upstream CoreDNS image has no tools inside like wget/dig and can't
be used as is because pod probes will fail. Coredns pod has
Liveness/Readiness probes which are just a shell script to run
wget/dig to determine that CoreDNS is functional. So, we decided
to add tools for probes in promenade image and do refactoring.

New endpoints for health check are running in side-car:
/externalhealth - to do the same check like previous shell script,
/selfcheck - to do check of the health of side-car itself.

Main container should be pointed to check endpoint provided by
side-car container.

Change-Id: Ib7fcf309b6cc34a86eeeec6e2109988cfa862955
2019-10-16 12:04:33 -07:00
Sean Eagan 2718c1fe0d Fix outdated external references
This change has passed the Promenade resiliency gate.

- Use `master` versions of armada/tiller charts.
- Use consistent and updated HTK version in tests/examples.
   - Fixes resiliency gate which broke due to missed HTK
     version updates [0].
- Updates for "opendev" rebranding.

[0]: https://review.opendev.org/#/c/659863/

Change-Id: Ic145cde908a383b5130b2b0294d48708fcb1823f
2019-09-06 13:11:17 -05:00
Roman Gorshunov d12927a156 Fix: Promenade Exceptions docs rendering on RTD
Readthedocs failed to render Promenade exceptions with error:
> WARNING: autodoc: failed to import exception 'xxx' from module
> 'promenade'; the following exception was raised: No module
> named 'falcon'

Trying to add Promenade requirements to the installed requirements list,
so that Readthedocs has all modules, including those needed for the
Promenade itself.

Unify docs building by utilizing Zuul docs-on-readthedocs template job.

Cosmetic readability changes:
1. combined all Makefile .PHONY targets into one
2. merged multiple LABEL instructions in Dockerfile into one

Change-Id: I731ee3426a631fa765f13ba7091dcb4b9ebd0353
2019-08-27 22:57:15 +02:00
Crank, Daniel (dc6350) 5c92a11b8a Fixes/updates for webhook-apiserver
a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.

b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.

c. Adding an apt-get clean to Dockerfile as this seems to be
needed to get image building working properly.

This patchset has passed the Promenade resiliency gate.

Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
2019-08-20 09:07:24 -05:00
Ahmad Mahmoudi a6e8fdbe22 Enable using PBR for package library
Updated promenade packaging scripts to use pbr.
This was done to make sure all required packages
for promenade package library are pulled, when another
module does git pull to use promenade package library.

Change-Id: I820ac6513c42456d52f92dab72dba2a34d8b437b
2018-10-25 17:04:29 -05:00
Roman Gorshunov 02c5f2943e Fix: git commit id labels on images
1) Use OCI Image Specs for labels instead of custom 'commit-id=xxxxx'
   or legacy "Label Schema"
2) Fix missing git commit id labels on images (.revision)
3) Add human-readable title (.title) of the image, URL (.url), and
   a few other properties (annotations) according to the latest Specs
4) Unify docker-image-build.yaml playbook with other Airship-*
   components

Change-Id: I89afed3bf6a1f9fa92391d605bb6b3c871e58126
2018-09-21 03:31:13 +02:00
Jerome Brette 5232d17a2a Update Dockerfile to allow override of FROM variable
1. Goal is to let the user customize the base image of the component
by passing FROM=myimage during the build process. This would let any
project leveraging Airship ensure that the base image is matching the
security requirements for that project and still use the same Dockerfile.
This will also ease the control of the /etc/apt/source.list
and thereby the result of apt-get update/upgrade procedure.
2. The above goal is achievable by using docker-ce feature such as:
ARG FROM="defaultbaseimage:xx"
FROM ${FROM}
For this reason, the installation of docker.io in the Zuul gating is being
replaced by docker-ce.
3. Third Goal is to bring consistency with the other components leveraging
Helm such as the openstack-helm and potentially use bindep the same way
the LOCI images are to ensure
4. The new syntax in the Dockerfile is still commented out until the associated
image builders have been updated to use docker-ce as they have been for the LOCI
images.

Change-Id: Ie5ae836221dc3cb9bdafc6e5e6670f914d3d1bb4
2018-07-24 21:11:35 +00:00
Mark Burnett 6caf7fb54d Add initial chart for Promenade API
Co-author: Mark Burnett <mark.m.burnett@gmail.com>
Co-author: Samantha Blanco <spblanco.1@gmail.com>

Change-Id: I2e6af00b7905d9070f79b8c536385ebdae877d50
2017-11-15 14:19:43 -06:00
Mark Burnett 95643147c5 Migrate to self hosted using charts
This change includes several interconnected features:

* Migration to Deckhand-based configuration.  This is integrated here,
  because new configuration data were needed, so it would have been
  wasted effort to either implement it in the old format or to update
  the old configuration data to Deckhand format.
* Failing faster with stronger validation.  Migration to Deckhand
  configuration was a good opportunity to add schema validation, which
  is a requirement in the near term anyway.  Additionally, rendering
  all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
  different commands.  Combined with Deckhand substitution, this creates
  a much clearer distinction between Promenade configuration and
  deployable secrets.
* Migration of components to charts.  This is a key step that will
  enable support for dynamic node management.  Additionally, this paves
  the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive.  Many of the templates
  require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.

Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c
2017-10-17 13:29:46 -05:00
Mark Burnett 3d7c567f8c Update versions for testing
- Tiller and helm to 2.5.0
- Kubernetes to 1.6.8

Tiller 2.5 adds a verbosity flag which we are using, so the older
version not having this flag is causing test failures.

Kubernetes 1.6.4 seems to not be assigning IPs to static pods, therefore
they don't properly get added to services (in particular, this affects
the calico-etcd service).

Change-Id: I9d8a55dc2b5d248eb6bd3c820fe33f0f827bc83d
2017-08-16 15:07:09 -05:00
Mark Burnett 4fe1857e49 rsync Calico & DNS charts onto host
This is a temporary measure to improve iteration for development.  These
can be moved out once armada supports loading charts from, e.g.
`helm serve`.
2017-07-27 13:45:00 -05:00
Mark Burnett a1c0d4b64a make build process more verbose 2017-06-22 07:37:28 -05:00
Mark Burnett 1a930e8b79 tighten up Dockerfile 2017-06-20 10:46:45 -05:00
Mark Burnett fce98459a6 Basic HA kubernetes deployment (#7)
* remove old files

* sketch of non-bootkube genesis

* add basic chroot/bootstrap script

* cleanup kubectl/kubelet fetching

* fix cni bin asset path

* add non-pod asset loader

* add example ca

* refactor key gen/distribution

* flannel up on genesis

* refactor some code toward join

* WIP: last commit working on "self-hosted, helm-managed"

* first pass at consolidating config for vanilla deploy

* refactor cli a bit

* use provided cluster ca

* separate genesis and join scripts

* add basic etcd joining

* actually run the proxy everywhere

* update readme

* enable kubelet service

* add pki most places

* use consistent sa keypair

* use quay.io/attcomdev/promenade

* fix typo in n3

* tls everywhere in kubernetes

* tls for etcd

* remove currently unused files
2017-06-15 20:57:22 -07:00