Changes the interface from the default (internal) to public.
Change-Id: I0862d7263dcb60b358f865002dc974d55deabee5
Signed-off-by: Tin Lam <tin@irrational.io>
This updates the sonobuoy chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Depends-On: https://review.opendev.org/740119/
Change-Id: I0964c9809402635c9a7049b61fb954a4ebf01bb1
This role enables the readonly serviceaccount to additionally perform
pod/exec within the configured namespace.
Some organizations deploy pods in a particular namespace in Kubernetes
that have a locked down user/CLI that allows examining resources with
readonly access (to prevent any modifications, etc.). This change
enables the Sonobuoy plugins to leverage these pods by executing into
them.
Change-Id: I781248fdd251e7fca31e0ab831326a9f475392cd
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I631ae4345f18fee70b380867ba8b33af5e3b3254
This value was left at the old v0.11.4, but Sonobuoy was updated to
v0.16.4 [1]. This doesn't seem to impact anything, but could cause
confusion.
1 - https://review.opendev.org/#/c/695944/
Change-Id: Ifb230b55662ee5deadb91b6b7508f45773427401
v0.16.* supports Kubernetes 1.16.* [1]
v0.16.4 [2] prevents Sonobuoy considering a Node in "error" immediately
when an `ErrImagePull` or `ImagePullBackOff`. Instead, Sonobuoy gives
the pod 5 minutes to recover from this.
There are times when a Kubernetes cluster receives a timeout from the
Docker daemon when pulling images. This update will prevent a temporary
network issue from failing the Node immediately.
Also, new Sonobuoy images are published to docker.io instead of gcr.io.
[1] - https://github.com/vmware-tanzu/sonobuoy/releases/tag/v0.16.0
[2] - https://github.com/vmware-tanzu/sonobuoy/releases/tag/v0.16.4
Change-Id: I0c30ade1824cab297fe5b27944747a8607bef25c
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Depends-On: https://review.opendev.org/688435
Change-Id: I7f48605f08f574822179d51cd645ded07714d9c3
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Currently, results are stored using an emptyDir volume. This change adds
support for storing results using a customizable hostPath. When storing
results in a hostPath, results can still be obtained form the hostPath
while result publishing is disabled.
Change-Id: Ibd01da23a8e74a54f500429cf0ba8ca72f2ac77d
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH-addons.
This should fix it.
Change-Id: I23d69b56e6de4f0f76d6031b301e81a294ddcc50
Adds a yaml path for providing additional yaml that will be stored in a
secret and provided to the plugin. Values can be added to plugin_values
that will result in being needed configuration and expected values
for tests. Utilizes the extra-volumes functionality as described [0]
[0]: https://github.com/heptio/sonobuoy/blob/master/docs/plugins.md#writing-your-own-plugin
Change-Id: I41d9bc02c8c0154903366a4cdcd287b95ea9707a
Manually set Namespace for Sonobuoy's config.json.
Sonobuoy's bug forcing heptio-sonobuoy namespace [1] usage only does not
impact this Helm chart because the config.json is directly controlled
by the `values.yaml` and not Sonobuoy's CLI.
Now multiple instances of this chart may exist at once by specifying
unique namespaces at helm install time.
Modify Sonobuoy test script to install two instances of Sonobuoy Helm
chart. Also install readonly serviceaccount to verify it will work with
more than one instance simultaneously.
[1] https://github.com/heptio/sonobuoy/issues/420
Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9
Using this readonly ServiceAccount enables plugins
to use a Kubernetes client with different permissions
than the Sonobuoy ServiceAccount, which has full
permissions on the cluster.
This ServiceAccount enables get/list/watch on all resource types in all
API groups.
The reason the secret is used to mount the service account token because
there is not a way to specify a service account from just a container
spec [1]. Sonobuoy doesn't provide access to the pod spec for plugins,
so we are limited to the container spec.
[1] https://github.com/kubernetes/kubernetes/issues/66020
Change-Id: I69aeaaedf1fb7672f7167c83b220cf6abb890cb5
This change enables operators to disable results publishing where Swift
and Ceph may not be setup.
This configuration option does not prevent deploying other resources
such as ks-user. The operator will want to disable those via the
`manifests` dictionary in `values.yaml`.
Change-Id: I00be7d51309889fcaf3b2a9756e38dcf49c31312
This enables persistently storing Sonobuoy tests results tarball
in Ceph (authed with Keystone).
1. Adds job-ks-user and secrety-keystone to create Sonobuoy user in
Keystone
2. Sonobuoy pod has a results-publisher container that waits for
Sonobuoy container to populate test results directory with the tarball
3. results-publisher container creates Swift container for Sonobuoy
results
4. results-publisher adds Sonobuoy test results to Swift container
5. results-publisher sets expiry date on the object to be deleted
after 30 days
Change-Id: Ic2d9fb345dce1101040e60113564e7ecdb2c51ea
This adds a Sonobuoy chart that only runs the systemd-logs plugin[1]. The
Sonobuoy pod (tests) are executed as a `helm test`.
This chart must be installed under the heptio-sonobuoy namespace[2]. A node
with the label selector specified in values.yaml (labels.api) must exist
for the Sonobuoy pod to even be created.
Also add an experimental job to test Sonobuoy chart.
[1] https://github.com/heptio/sonobuoy-plugin-systemd-logs
[2] https://github.com/heptio/sonobuoy/issues/420
Change-Id: I613fab635b97a70ac20820e1ececde48952ac2da
Gage Hugo