OpenStack services already moved to use policy in code.
No need to have policy file at this point, at least no need to put
default policy rule to policy.yaml file anymore.
To put in duplicate rules, will cause unnecessay logs and process.
Also not healthy for policy in code maintain as the `default` rules in
openstack-helm might override actual default rules in code which we
might not even mean to change it at all.
Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142
Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
This changes use the helm-toolkit template for toleration
in openstack services
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I482236b1177b04ddc5e3cd17e92ac7a896f9314e
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
This change updates the xrally image from 1.3.0 to 2.0.0
in order to better match the current versions of openstack
we are running in the gate.
Change-Id: I3f417a20e0f6d34b9e7ed569207a3df90c6ddfd2
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This reverts commit 1c85fdc390.
Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also previous behaviour didn't allow to use cache during rolling upgrade
as new pods were spawned with new key.
Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy
Depends-On: https://review.opendev.org/688435
Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
The base network policy framework currently applies only to some
OpenStack services' charts but not others. This patch set applies the
same base network policies framework to all services.
Change-Id: I786c68057f6742a79a33f78db6e3bba8b99cf1b8
Signed-off-by: Tin Lam <tin@irrational.io>
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.
Depends-On: I5150a64bd29fa062e30496c1f2127de138322863
Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.
This change makes it so that each service defines its own test user
in the form of [service]-test.
Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.
Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.
This should fix it.
Change-Id: I672b8755bf9e182b15eff067479b662529a13477
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the ceilometer-api service. This provides
the ability to audit API requests for ceilometer.
[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html
Change-Id: I9d49769bc04f9623ecf5ba4276665dc3b5bebd07
With this patch we allow for a more easy way of overriding some
of the values that may be used in other distros while maintainting
the default values if those values are not overriden.
The following values are introduced to be overriden:
conf:
security:
software:
apache2:
conf_dir:
site_dir:
mods_dir:
binary:
start_flags:
a2enmod:
a2dismod:
On which:
* conf_dir: directory where to drop the config files
* site_dir: directory where to drop the enabled virtualhosts
* mods_dir: directory where to drop any mod configuration
* binary: the binary to use for launching apache
* start_flags: any flags that will be passed to the apache binary call
* a2enmod: mods to enable
* a2dismod: mods to disable
* security: security configuration for apache
Notice that if there is no overrides given, it should not affect anything
and the templates will not be changed as the default values are set to what
they used to be as to not disrupt existing deployments.
Change-Id: Ibb7e3bec0f6561bccc6a1aea907a2f3e4e1bfb73
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this
pod:
mounts:
nova_placement:
init_container: null
nova_placement:
volumeMounts:
- name: nova-etc
...
helm template parser complains with
Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>
So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.
Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
Currently, ceilometer is not listening to the notifications which
sent from the openstack services as the messaging_urls isn't configured
properly. The commit updates the messaging_urls with the correct type
and the default value.
The configuration for the cache server is also added. With the cache
server configured, ceilometer will not update the resource metadata
through gnocchi client if the resource is not changed.
Change-Id: I77e5acf3da31e211c444032f26d7625e51d8b0a9
Story: 2005019
Task: 29746
Signed-off-by: Angie Wang <angie.wang@windriver.com>
This commit adds the ability to deploy a polling process with ipmi
functionality to pull ipmi samples.
Story: 2005019
Task: 29819
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Change-Id: Ib61d65f9ab815faa0d750422ffb0e36406dd3ccd
This commit adds two missing definition files which are
meters.yaml and polling.yaml.
meters.yaml is the meter definition file that used for
ceilometer notification agent to convert meters.
polling.yaml is the polling definition file that used for
ceilometer polling agents to pull meters.
Change-Id: I6b9b7543aa1a77661d6a86166af59fde85085513
Story: 2005019
Task: 29811
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Upgrade the default images from newton to ocata and update
the following configuration files to align with ocata.
event_definitions.yaml
pipeline.yaml
policy.json
api_paste.ini
Story: 2005019
Task: 29773
Change-Id: Ib0ba502215aa0fe959606f15dacf39e2cdd06fe6
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves ceilometer inline with other charts, and drives all config
directly from the charts values.yaml.
Change-Id: I475302c8be97364e32286b642629e400590ae5f0
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystoen chart to stop running the keystone api
as the root user.
Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
This PS disables the v2 keystone API, and finishes the migration to
full v3 support.
Change-Id: I3021ebe0bee668db9f28e7fb18e2d4b26172f209
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use port 80 by default for the keystone
asdmin endpoint, and adjusts paths accordingly.
Change-Id: Iccae704dadc17eba269e857301654782f64763c9
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use a service domain for openstack service accounts
and users.
Change-Id: Ibe7c5f83a9fc9960fb85e53f9745d24f2192a94a
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates keystone, and the keystone endpoints sections to use
the same layout for port declarations as other charts.
Change-Id: I7dddabee6c74bf023da4b1cdf722a409e7475f8f
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds the local registry image managment to OSH from OSH-Infra.
With this the delta between helm-toolkits in the Repo's is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be depreciated.
Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
This PS updates various aspects of the ceilomter and mongodb charts
to bring them closer to operational.
Change-Id: If72f107297298aa7d02d17236404c9e86cd50ba5
This patch set tidies up the existing charts. Fixes include:
* add release_group key in yaml
* fix indentation inconsistency issue
* clean up the ldap chart's value.yaml to be consistent with mariaDB
Change-Id: Ibd9d86603ebc6c6c31c596dc0af523eb71c083d0
Signed-off-by: Tin Lam <tin@irrational.io>
Move to v0.3.1 of kubernetes-entrypoint which has 2
breaking changes to pod dependencies, and also adds support for
depending on jobs via labels.
Change-Id: I49d2cea11fbe5c5919ae22a020b877ebbb285992
This PS adds vhost management to rabbitmq jobs. It also prevents
sensitive information being displayed in the management job, and
removes the 'administrator' tag from service users.
Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
Samuel Liu