Store Sonobuoy results in Ceph

This enables persistently storing Sonobuoy tests results tarball in Ceph (authed with Keystone). 1. Adds job-ks-user and secrety-keystone to create Sonobuoy user in Keystone 2. Sonobuoy pod has a results-publisher container that waits for Sonobuoy container to populate test results directory with the tarball 3. results-publisher container creates Swift container for Sonobuoy results 4. results-publisher adds Sonobuoy test results to Swift container 5. results-publisher sets expiry date on the object to be deleted after 30 days Change-Id: Ic2d9fb345dce1101040e60113564e7ecdb2c51ea
2018-11-07 10:41:52 -06:00 · 2018-11-07 10:41:52 -06:00 · 5559878087
parent 27ffec19c8
commit 5559878087
13 changed files with 555 additions and 2 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -61,12 +61,14 @@
    name: openstack-helm-addons-sonobuoy
    required-projects:
      - openstack/openstack-helm-infra
+      - openstack/openstack-helm
    roles:
      - zuul: openstack/openstack-helm-infra
    timeout: 7200
    vars:
      osh_openstack_release: newton
      zuul_osh_infra_relative_path: ../openstack-helm-infra/
+      zuul_osh_relative_path: ../openstack-helm/
    nodeset: openstack-helm-ubuntu
    pre-run:
      - tools/gate/playbooks/osh-infra-upgrade-host.yaml
--- a/sonobuoy/templates/bin/_publish_results.sh.tpl
+++ b/sonobuoy/templates/bin/_publish_results.sh.tpl
@ -0,0 +1,34 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+while [ "$(ls -l $RESULTS_DIR/*.tar.gz | wc -l)" -eq 0 ]; do
+  sleep 5
+done
+
+file_name=$(ls $RESULTS_DIR/*.tar.gz | xargs -n1 basename)
+prefixed_file_name={{ .Values.conf.swift.object_name_prefix }}$file_name
+
+openstack container create {{ .Values.conf.swift.container_name }}
+openstack container show {{ .Values.conf.swift.container_name }}
+
+openstack object create --name $prefixed_file_name {{ .Values.conf.swift.container_name }} $RESULTS_DIR/$file_name
+openstack object show {{ .Values.conf.swift.container_name }} $prefixed_file_name
+
+swift post {{ .Values.conf.swift.container_name }} $prefixed_file_name -H \"X-Delete-After:{{ .Values.conf.swift.delete_objects_after_seconds }}\"
--- a/sonobuoy/templates/configmap-bin.yaml
+++ b/sonobuoy/templates/configmap-bin.yaml
@ -22,6 +22,10 @@ kind: ConfigMap
 metadata:
  name: sonobuoy-bin
 data:
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" $envAll | indent 4 }}
+  publish_results.sh: |
+{{ tuple "bin/_publish_results.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
  run_master.sh: |
 {{ tuple "bin/_run_master.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
--- a/sonobuoy/templates/job-ks-user.yaml
+++ b/sonobuoy/templates/job-ks-user.yaml
@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "sonobuoy" -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@ -58,6 +58,8 @@ metadata:
 spec:
  nodeSelector:
    {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
+  initContainers:
+{{ tuple $envAll "sonobuoy" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
  containers:
  - name: kube-sonobuoy
    env:
@ -79,6 +81,23 @@ spec:
      mountPath: /run_master.sh
      subPath: run_master.sh
      readOnly: true
+  - name: results-publisher
+{{ tuple $envAll "results_publisher" | include "helm-toolkit.snippets.image" | indent 4 }}
+    env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.sonobuoy }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 4 }}
+{{- end }}
+    - name: RESULTS_DIR
+      value: {{ .Values.conf.sonobuoy.ResultsDir }}
+    command:
+    - /publish_results.sh
+    volumeMounts:
+    - name: sonobuoy-bin
+      mountPath: /publish_results.sh
+      subPath: publish_results.sh
+      readOnly: true
+    - mountPath: {{ .Values.conf.sonobuoy.ResultsDir }}
+      name: sonobuoy-output
  restartPolicy: Never
  serviceAccountName: {{ $serviceAccountName }}
  volumes:
--- a/sonobuoy/templates/secret-keystone.yaml
+++ b/sonobuoy/templates/secret-keystone.yaml
@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "sonobuoy" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@ -14,6 +14,9 @@

 images:
  tags:
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+    ks_user: docker.io/openstackhelm/heat:ocata
+    results_publisher: docker.io/openstackhelm/heat:ocata
    sonobuoy_api: gcr.io/heptio-images/sonobuoy:v0.11.4
    systemd_logs: gcr.io/heptio-images/sonobuoy-plugin-systemd-logs:v0.1
  pull_policy: "IfNotPresent"
@ -25,18 +28,82 @@ labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled

 dependencies:
  dynamic: {}
-  static: {}
+  static:
+    sonobuoy:
+      jobs:
+      - sonobuoy-ks-user
+
+pod:
+  resources:
+    enabled: false
+    jobs:
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "128Mi"
+          cpu: "2000m"
+
+secrets:
+  identity:
+    admin: sonobuoy-keystone-admin
+    sonobuoy: sonobuoy-keystone-user
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      sonobuoy:
+        role: admin
+        region_name: RegionOne
+        username: sonobuoy
+        password: password
+        project_name: sonobuoy
+        user_domain_name: sonobuoy
+        project_domain_name: sonobuoy
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000

 manifests:
  configmap_bin: true
  configmap_plugins: true
+  job_ks_user: true
  pod_api: true
  secret_etc: true
+  secret_keystone: true

 conf:
+  swift:
+    container_name: sonobuoy
+    # delete objects after 1 month (60 * 60 * 24 * 30 seconds)
+    delete_objects_after_seconds: "2592000"
+    object_name_prefix: ""
  sonobuoy:
    Description: "sonobuoy run for scanner.heptio.com"
    Version: v0.11.4
--- a/tools/gate/playbooks/osh-addons-sonobuoy.yaml
+++ b/tools/gate/playbooks/osh-addons-sonobuoy.yaml
@ -1,5 +1,91 @@
 - hosts: primary
  tasks:
+    - name: Build Charts
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/010-setup-client.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy MariaDB
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/020-deploy-mariadb.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy RabbitMQ
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/030-deploy-rabbitmq.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy Memcached
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/040-deploy-memcached.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy Keystone
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_PATH: "{{ zuul_osh_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/050-deploy-keystone.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy Ceph
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/080-deploy-ceph.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Activate Ceph Namespace
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/085-ceph-ns-activate.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy RadosGW
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/090-radosgw-openstack.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy Ingress
+      environment:
+        OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+        OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/100-ingress.sh
+      args:
+        chdir: "{{ zuul_osh_addons_relative_path | default(zuul.project.src_dir) }}"
    - name: Install and Test Sonobuoy Chart
      shell: |
        set -xe;
--- a/tools/gate/scripts/080-deploy-ceph.sh
+++ b/tools/gate/scripts/080-deploy-ceph.sh
@ -0,0 +1,101 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+for CHART in ceph-mon ceph-osd ceph-client ceph-provisioners; do
+  make -C ${OSH_INFRA_PATH} "${CHART}"
+done
+
+#NOTE: Deploy command
+
+: ${OSH_EXTRA_HELM_ARGS:=""}
+CEPH_PUBLIC_NETWORK="$($OSH_INFRA_PATH/tools/deployment/multinode/kube-node-subnet.sh)"
+CEPH_CLUSTER_NETWORK="$($OSH_INFRA_PATH/tools/deployment/multinode/kube-node-subnet.sh)"
+[ -s /tmp/ceph-fs-uuid.txt ] || uuidgen > /tmp/ceph-fs-uuid.txt
+CEPH_FS_ID="$(cat /tmp/ceph-fs-uuid.txt)"
+#NOTE(portdirect): to use RBD devices with Ubuntu kernels < 4.5 this
+# should be set to 'hammer'
+. /etc/os-release
+if [ "x${ID}" == "xubuntu" ] && \
+   [ "$(uname -r | awk -F "." '{ print $2 }')" -lt "5" ]; then
+  CRUSH_TUNABLES=hammer
+else
+  CRUSH_TUNABLES=null
+fi
+tee /tmp/ceph.yaml <<EOF
+endpoints:
+  identity:
+    namespace: openstack
+  object_store:
+    namespace: ceph
+  ceph_mon:
+    namespace: ceph
+network:
+  public: ${CEPH_PUBLIC_NETWORK}
+  cluster: ${CEPH_CLUSTER_NETWORK}
+deployment:
+  storage_secrets: true
+  ceph: true
+  rbd_provisioner: true
+  cephfs_provisioner: true
+  client_secrets: false
+  rgw_keystone_user_and_endpoints: false
+bootstrap:
+  enabled: true
+conf:
+  ceph:
+    global:
+      fsid: ${CEPH_FS_ID}
+  rgw_ks:
+    enabled: true
+  pool:
+    crush:
+      tunables: ${CRUSH_TUNABLES}
+    target:
+      # NOTE(portdirect): 5 nodes, with one osd per node
+      osd: 5
+      pg_per_osd: 100
+  storage:
+    osd:
+      - data:
+          type: directory
+          location: /var/lib/openstack-helm/ceph/osd/osd-one
+        journal:
+          type: directory
+          location: /var/lib/openstack-helm/ceph/osd/journal-one
+EOF
+
+for CHART in ceph-mon ceph-osd ceph-client ceph-provisioners; do
+  helm upgrade --install ${CHART} ${OSH_INFRA_PATH}/${CHART} \
+    --namespace=ceph \
+    --values=/tmp/ceph.yaml \
+    ${OSH_EXTRA_HELM_ARGS} \
+    ${OSH_EXTRA_HELM_ARGS_CEPH_DEPLOY}
+
+  #NOTE: Wait for deploy
+  ./tools/gate/scripts/wait-for-pods.sh ceph
+
+  #NOTE: Validate deploy
+  MON_POD=$(kubectl get pods \
+    --namespace=ceph \
+    --selector="application=ceph" \
+    --selector="component=mon" \
+    --no-headers | awk '{ print $1; exit }')
+  kubectl exec -n ceph ${MON_POD} -- ceph -s
+done
--- a/tools/gate/scripts/085-ceph-ns-activate.sh
+++ b/tools/gate/scripts/085-ceph-ns-activate.sh
@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+make -C ${OSH_INFRA_PATH} ceph-provisioners
+
+#NOTE: Deploy command
+: ${OSH_EXTRA_HELM_ARGS:=""}
+CEPH_PUBLIC_NETWORK="$($OSH_INFRA_PATH/tools/deployment/multinode/kube-node-subnet.sh)"
+CEPH_CLUSTER_NETWORK="$($OSH_INFRA_PATH/tools/deployment/multinode/kube-node-subnet.sh)"
+tee /tmp/ceph-openstack-config.yaml <<EOF
+endpoints:
+  identity:
+    namespace: openstack
+  object_store:
+    namespace: ceph
+  ceph_mon:
+    namespace: ceph
+network:
+  public: ${CEPH_PUBLIC_NETWORK}
+  cluster: ${CEPH_CLUSTER_NETWORK}
+deployment:
+  storage_secrets: false
+  ceph: false
+  rbd_provisioner: false
+  cephfs_provisioner: false
+  client_secrets: true
+  rgw_keystone_user_and_endpoints: false
+bootstrap:
+  enabled: false
+conf:
+  rgw_ks:
+    enabled: true
+EOF
+helm upgrade --install ceph-openstack-config ${OSH_INFRA_PATH}/ceph-provisioners \
+  --namespace=openstack \
+  --values=/tmp/ceph-openstack-config.yaml \
+  ${OSH_EXTRA_HELM_ARGS} \
+  ${OSH_EXTRA_HELM_ARGS_CEPH_NS_ACTIVATE}
+
+#NOTE: Wait for deploy
+./tools/gate/scripts/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+kubectl get -n openstack jobs --show-all
+kubectl get -n openstack secrets
+kubectl get -n openstack configmaps
--- a/tools/gate/scripts/090-radosgw-openstack.sh
+++ b/tools/gate/scripts/090-radosgw-openstack.sh
@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+make -C ${OSH_INFRA_PATH} ceph-rgw
+
+#NOTE: Deploy command
+: ${OSH_EXTRA_HELM_ARGS:=""}
+CEPH_PUBLIC_NETWORK="$($OSH_INFRA_PATH/tools/deployment/multinode/kube-node-subnet.sh)"
+CEPH_CLUSTER_NETWORK="$($OSH_INFRA_PATH/tools/deployment/multinode/kube-node-subnet.sh)"
+tee /tmp/radosgw-openstack.yaml <<EOF
+endpoints:
+  identity:
+    namespace: openstack
+  object_store:
+    namespace: openstack
+  ceph_mon:
+    namespace: ceph
+network:
+  public: ${CEPH_PUBLIC_NETWORK}
+  cluster: ${CEPH_CLUSTER_NETWORK}
+deployment:
+  storage_secrets: false
+  ceph: true
+  rbd_provisioner: false
+  cephfs_provisioner: false
+  client_secrets: false
+  rgw_keystone_user_and_endpoints: true
+bootstrap:
+  enabled: false
+conf:
+  rgw_ks:
+    enabled: true
+pod:
+  replicas:
+    rgw: 1
+EOF
+helm upgrade --install radosgw-openstack ${OSH_INFRA_PATH}/ceph-rgw \
+  --namespace=openstack \
+  --values=/tmp/radosgw-openstack.yaml \
+  ${OSH_EXTRA_HELM_ARGS} \
+  ${OSH_EXTRA_HELM_ARGS_CEPH_RGW}
+
+#NOTE: Wait for deploy
+./tools/gate/scripts/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+helm status radosgw-openstack
--- a/tools/gate/scripts/100-ingress.sh
+++ b/tools/gate/scripts/100-ingress.sh
@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Deploy global ingress
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+tee /tmp/ingress-kube-system.yaml << EOF
+pod:
+  replicas:
+    error_page: 2
+deployment:
+  mode: cluster
+  type: DaemonSet
+network:
+  host_namespace: true
+EOF
+helm upgrade --install ingress-kube-system ${OSH_INFRA_PATH}/ingress \
+  --namespace=kube-system \
+  --values=/tmp/ingress-kube-system.yaml \
+  ${OSH_EXTRA_HELM_ARGS} \
+  ${OSH_EXTRA_HELM_ARGS_INGRESS_KUBE_SYSTEM}
+
+#NOTE: Wait for deploy
+./tools/gate/scripts/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status ingress-kube-system
+
+#NOTE: Deploy namespaced ingress controllers
+for NAMESPACE in openstack ceph; do
+  #NOTE: Deploy namespace ingress
+  tee /tmp/ingress-${NAMESPACE}.yaml << EOF
+pod:
+  replicas:
+    ingress: 2
+    error_page: 2
+EOF
+  helm upgrade --install ingress-${NAMESPACE} ${OSH_INFRA_PATH}/ingress \
+    --namespace=${NAMESPACE} \
+    --values=/tmp/ingress-${NAMESPACE}.yaml
+
+  #NOTE: Wait for deploy
+  ./tools/gate/scripts/wait-for-pods.sh ${NAMESPACE}
+
+  #NOTE: Display info
+  helm status ingress-${NAMESPACE}
+done
--- a/tools/gate/scripts/sonobuoy.sh
+++ b/tools/gate/scripts/sonobuoy.sh
@ -17,5 +17,7 @@
 set -xe

 helm dependency update sonobuoy
-helm install sonobuoy --namespace=heptio-sonobuoy --name=sonobuoy
+helm upgrade --install sonobuoy sonobuoy \
+    --namespace=heptio-sonobuoy \
+    --set endpoints.identity.namespace=openstack
 helm test sonobuoy