Commit Graph

79 Commits

Author SHA1 Message Date
Brian Haley f31cfb2ef9 support image registries with authentication
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00
Gage Hugo 22e50a5569 Update htk requirements
This change updates the helm-toolkit path in each chart as part
of the move to helm v3. This is due to a lack of helm serve.

Change-Id: I011e282616bf0b5a5c72c1db185c70d8c721695e
2021-10-06 01:02:28 +00:00
Thiago Brito 5a0ba49d50 Prepending library/ to docker official images
This will ease mirroring capabilities for the docker official images.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I0f9177b0b83e4fad599ae0c3f3820202bf1d450d
2021-06-02 15:04:38 -03:00
Xiaoguang(William) Zhang 567e4703e9 Remove Alerta from openstack-helm-infra repository
There is no significant value being added from Alerta based on the current user story.

Change-Id: I274263e3dfefd7b9ec8ff84d03504d194225d693
2021-02-18 12:02:18 -05:00
Steven Fitzpatrick 39173f27a8 Alertmanager: Add Prometheus Scrape Annotation
This change adds the scrape annotation to the alertmanager service

Change-Id: I62e405eb37750a57a22fdafdf1ab457aecbb151e
2021-02-16 21:45:10 +00:00
Xiaoguang(William) Zhang d3bf218250 Remove snmp_notifier subchart from alertmanager
snmp_notifier lacks features to forward alert labels from Alertmanager.

Change-Id: I4978df1bcdb45ad24e632d976eb407d4129715ad
2021-02-05 14:56:36 +00:00
Steven Fitzpatrick 72f42ba091 Add LDAP to Alertmanager
This change adds an apache sidecar to the Alertmanager statefulset
in order to facilitate authentication to the service.

Change-Id: I6e3cfb582251ecd280644439bfbd432a1f86ede3
2021-02-02 16:27:14 +00:00
Steven Fitzpatrick 2bdf4f8239 Add extensible command line flags to Alertmanager
Alertmanager is configured similarly to Prometheus. This change
brings the utils.command_line_flags template from the osh-infra
prometheus chart to Alertmanager, allowing these flags to be
configured in Values.yaml

Change-Id: Ieca94c09881bc52b62500efa4c6f8730b9208d3b
2020-10-05 17:05:26 +00:00
Andrii Ostapenko 1532958c80 Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: I15950b735b4f8566bc0018fe4f4ea9ba729235fc
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-24 12:19:28 -05:00
Mohammed Naser c7a45f166f Run chart-testing on all charts
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.

Change-Id: I9df4024c7ccf8b3510e665fc07ba0f38871fcbdb
2020-09-11 18:02:38 +03:00
diwakar thyagaraj 30afcad5a2 Add Apparmor to Prometheus alert manager and snmp-notifier
1) Added to service account name instead of traditional pod name
   to resolve for dynamic release names.
2) Added Apparmor Job to Prometheus Alert Manager.

Change-Id: Ib65f721c5b99b3ae3d3af924ca5187ad6174ed20
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-08-25 17:09:45 +00:00
Zuul 3e582c8aa6 Merge "Updating Prometheus alertmanager container name to make it consistent" 2020-08-25 14:12:05 +00:00
Yadav, Satender (sy336r) 588d0f6db4 Updating Prometheus alertmanager container name to make it consistent
Change-Id: I0b4f0fb20f9f9ecdc3e07fcbba4395feb1d8c868
2020-08-24 16:03:34 -05:00
Xiaoguang(William) Zhang c371890112 Add "alert.severities" flag to snmp-notifier
- Add "alert.severities" flag to snmp-notifier of Alertmanager
- Reorganize snmp-notifier flags.

Change-Id: I7e21241c8133289539b41a770e32a2fc1ae16c14
2020-08-22 22:36:55 -04:00
Xiaoguang(William) Zhang 83a55fd19e Add Alerta feature to osh-infra
Change-Id: Id8dc3f86b8d6754df4ba3c0c720a78731e3f54d5
2020-08-19 13:35:40 +00:00
Xiaoguang(William) Zhang 7c94deae43 Update alertmanager include snmp_notifier function
Change-Id: I5aedbdcdbba397a9fddde19a0898cb91de08553a
2020-08-07 12:25:33 -04:00
willxz c97c592216 Change for alertmanager v0.20
- Update alertmanager and prometheus discovery port from 6783 to 9094
- Update to support fqdn for discovery hostname
- Add one test alert to Prometheus to test alert pipeline
- update container name from alertmanger to prometheus-alertmanager

Change-Id: Iec5e758e4b576dff01e84591a2440d030d5ff3c4
2020-07-22 17:39:09 -04:00
Xiaoguang(William) Zhang 09fccd6b71 Update alertmanager image to v0.20.0
Update alertmanager image from v0.11.0 to v0.20.0

Change-Id: I0ba14d1001a53964ebc28bc9ea9be999402d54fb
2020-07-09 14:24:28 -04:00
Andrii Ostapenko 824f168efc Undo octal-values restriction together with corresponding code
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.

Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.

Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-07 15:42:53 +00:00
Andrii Ostapenko 83e27e600c Enable key-duplicates and octal-values yamllint checks
With corresponding code changes.

Change-Id: I11cde8971b3effbb6eb2b69a7d31ecf12140434e
2020-06-17 13:14:30 -05:00
Andrii Ostapenko 8f24a74bc7 Introduces templates linting
This commit rewrites lint job to make template linting available.
Currently yamllint is run in warning mode against all templates
rendered with default values. Duplicates detected and issues will be
addressed in subsequent commits.

Also all y*ml files are added for linting and corresponding code changes
are made. For non-templates warning rules are disabled to improve
readability. Chart and requirements yamls are also modified in the name
of consistency.

Change-Id: Ife6727c5721a00c65902340d95b7edb0a9c77365
2020-06-11 23:29:42 -05:00
Andrii Ostapenko 731a6b4cfa Enable yamllint checks
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- key-duplicates
- new-line-at-end-of-file
- new-lines
- octal-values

with corresponding code adjustment.

Change-Id: I92d6aa20df82aa0fe198f8ccd535cfcaf613f43a
2020-05-29 19:49:05 +00:00
Andrii Ostapenko 67d1409a74 Enable yamllint checks
- brackets
- braces
- colon
- commas

with corresponding code adjustment.

Change-Id: I8d294cfa8f358431bee6ecb97396dae66f955b86
2020-05-21 14:04:23 +00:00
Gage Hugo d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00
diwakar thyagaraj ebfcec03e2 Enable Docker default Apparmor for all Prometheus init Containers
Change-Id: I036882f7e443d3494e3fb38b2d5ded4bfa11a9b1
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-05-06 17:18:16 +00:00
diwakar thyagaraj 17592f54ae Enable Docker default Apparmor for all Prometheus Containers
Change-Id: I97fc39e52b36fc0be84abd049fdbce1e7026107d
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-02-18 14:46:09 +00:00
Tin Lam c199addf3c Update apiVersion
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.

Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-09 08:59:48 +00:00
Steve Wilkerson c1555920e5 Update podManagementPolicy for Prometheus and Alertmanager
This updates the podManagementPolicy to 'Parallel' for Prometheus
and Alertmanager, as there's no need to handle deploying these
two services in a sequential manner

Change-Id: I2f33b9651bed20c4cb2e0c477ae2227cbf9310cf
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-11-20 21:37:55 +00:00
Steven Fitzpatrick 1971d23da8 Make corrections to pod lifecycle upgrade values
It was observed in some charts' values.yaml that the values defining
lifecycle upgrade parameters were incorrectly placed.

This change aims to correct these instances by adding a deployment-
type subkey corresponding with the deployment types identified in
the chart's templates dir, and indenting the values appropriately.

Change-Id: Id5437b1eeaf6e71472520f1fee91028c9b6bfdd3
2019-10-31 20:34:07 +00:00
Steve Wilkerson b50fae62a4 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained

Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-18 18:20:11 +00:00
Tin Lam aa2ce5fef4 Add default netpol to LMA charts
Change-Id: I86389085e922848a833d8787573e0b6be843ace4
Signed-off-by: Tin Lam <tin@irrational.io>
2019-09-30 23:40:15 +00:00
Randeep Jalli 1c4084bdc0 add docker-default apparmor profile for prometheus-alertmanager
Add in prometheus-alertmanager gate script as a script

Change-Id: I3c10f9a9d4403fd91da292a50d204f73a9295611
2019-06-22 10:13:18 +00:00
caoyuan 040edeb79a Replace git.openstack.org URLs with opendev.org URLs
Change-Id: I0e3af4a3385f5b2a7705bc19b775863b16c2e08e
2019-05-31 01:52:10 +00:00
Roy Tang (rt7380) 85bd731562 Expose Anti-Affinity Weight Setting
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.

Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
2019-05-14 17:04:52 -05:00
RAHUL KHIYANI 95bb125207 prometheus-alertmanager: Fix security context
This PS fixes the pod application name and also adds security context
to initcontainer

Change-Id: Ia7cd5057247b0a07f88406259d41601659688f1a
2019-04-22 15:59:36 -05:00
Pete Birley 2abf62ff4d OSH-Infra: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 20:50:59 +00:00
Rahul Khiyani aeda85c642 prometheus-alertmanager: Add container security context
This adds the container security context to set
readOnlyRootFilesystem to true

Change-Id: Ic8d33ae817ace49bf5ead40b2b41c6002217aa5e
2019-03-22 01:57:35 +00:00
Steve Wilkerson 84f30ec103 Add release-annotation to pod spec, add missing annotations
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra

Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
2019-03-21 09:10:48 -05:00
dt241s 77b37ca520 Add default AppArmor profile to prometheus-alert-manager
Change-Id: I008eeb520af853678078091b838b0b2ca48e026c
2019-03-16 18:30:28 +00:00
Rahul Khiyani 5b513d333f readOnlyRootFilesystem: true for Prometheus exporters charts
Fix for adding readOnlyRootFilesystem flag at pod
level

Change-Id: I3d81f9dca7e1bce0134a39a96b96ef7712d28d84
2019-03-07 17:10:39 +00:00
Chris Wedgwood b7b7c5ea44 [alertmanager] default to 1 replica, multinode gate uses 3
Change-Id: Ifb1420f8dcf7237349a79f1f97aea5e547bafeab
2019-01-30 08:43:18 +00:00
Zuul 737327482f Merge "Alertmanager: Add security context for pod/container" 2019-01-07 16:30:34 +00:00
Chris Wedgwood 0c4e37391f 'NOP' cleanup for more consistent white-space use in charts
Where we have the style '{{ ...' we should use the style '... }}'.

Change-Id: Ic3e779e4681370d396f95d3804ca27db5b9d3642
2019-01-03 22:45:49 +00:00
Steve Wilkerson 72e231c5c1 Alertmanager: Add security context for pod/container
This adds the security context snippet to the alertmanager pod.
This changes the default user from root to the nobody user instead

This also adds the container security context to explicitly set
allowPrivilegeEscalation to false

Change-Id: Ie4423c57e871a03ab4baea346ac777c9f2ca3e2e
2019-01-03 16:13:41 -06:00
Tin Lam 92e68d33ea Add network policy toolkit function
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffic in the namespace. This can be used to ensure the
whitelisted network policy works as intended.

Additionally, implementation is done for some infrastructure charts.

Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-15 13:50:50 +00:00
Pete Birley bb3ff98d53 Add release uuid to pods and rc objects
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.

Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-13 05:35:35 +00:00
Robert Choi 8a82aa613a Prometheus-alertmanager: modify wrong variables
This PS fixes following things:
- fix wrong variable 'alertmanager_templats' to 'alert_templates'
- remove 'toYaml' function for alert_templates
- create alertmanager config in default location

Change-Id: I4862435441b8a36f9d0ce4ff32667e8412ea3c14
2018-08-10 10:55:58 +09:00
Seungkyu Ahn a430533e6a Quoting node_select_value in Ingress Controller
In most cases, the ingress controller's nodeSelector key and value
are "node-role.kubernetes.io/ingress" and "true".
Using quote to treat the nodeSelector value as a string.

Change-Id: Ie1745629b90795e4d888d85f35565e6d6350e09b
2018-08-01 02:39:05 +00:00
Steve Wilkerson c26a1b53f6 Update TLS secret templates, remove nagios readiness probe
This updates the TLS secret templates to include the backend
service in the dict supplied to the manifest template, as it is
required for the TLS secret to render correctly.

This also removes the readiness probe from the nagios container in
the deployment for the nagios chart, as it wasn't functioning as
intended due to the port not being available for the probe

Change-Id: Iabcfd40c74938e0497d08ffeeebc98ab722fa660
2018-06-27 18:56:45 -05:00
Steve Wilkerson b823954787 Ingress: Add initial TLS Support for osh-infra public endpoints
Adds support for TLS on overridden fqdns for public endpoints for
the services that have them in openstack-helm-infra. Currently this
implementation is limited, in that it does not provide support for
dynamically loading CAs into the containers, or specifying them manually
via configuration. As a result only well known or CAs added manually
to containers will be recognised.

Change-Id: I4ab4bbe24b6544b64cd365467e8efb2a421ac3f4
2018-06-26 14:47:19 -05:00