Commit Graph

157 Commits

Author SHA1 Message Date
ricolin b72f3d0f3c Avoid unrequired policy setup
OpenStack services already moved to use policy in code.
No need to have policy file at this point, at least no need to put
default policy rule to policy.yaml file anymore.
To put in duplicate rules, will cause unnecessay logs and process.
Also not healthy for policy in code maintain as the `default` rules in
openstack-helm might override actual default rules in code which we
might not even mean to change it at all.

Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
2022-11-23 22:43:10 +08:00
okozachenko f3ed56cc18 Use HTTP probe instead of TCP probe
Strictly speaking, open socket doesn't mean working API.
We experienced API stopped responding and the socket was still
open so API was unhealthy actually but kubernetes did not restart.

HTTP probe will fix this issue.

Change-Id: I95bb3ad3123d8a4a784d260477f037fa5506d290
2022-09-01 15:54:07 +10:00
Brian Haley ced30abead Support image registries with authentication
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142

Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
2022-08-11 00:18:37 +00:00
Schubert Anselme 8d5ddc9035
Migrate CronJob resources to batch/v1 and PodDisruptionBudget resources to policy/v1
This change updates the following charts to migrate CronJob resources to the batch/v1 API version, available since v1.21. [0]
and to migrate PodDisruptionBudget to the policy/v1 API version, also available since v1.21. [1]

- aodh (CronJob & PodDisruptionBudget)
- barbican (PodDisruptionBudget)
- ceilometer (PodDisruptionBudget)
- cinder (CronJob & PodDisruptionBudget)
- cyborg (PodDisruptionBudget)
- designate (PodDisruptionBudget)
- glance (PodDisruptionBudget)
- heat (CronJob & PodDisruptionBudget)
- horizon (PodDisruptionBudget)
- Ironic (PodDisruptionBudget)
- Keystone (CronJob & PodDisruptionBudget)
- magnum (PodDisruptionBudget)
- masakari (PodDisruptionBudget)
- mistral (PodDisruptionBudget)
- neutron (PodDisruptionBudget)
- nova (CronJob & PodDisruptionBudget)
- octavia (PodDisruptionBudget)
- placement (PodDisruptionBudget)
- rally (PodDisruptionBudget)
- senlin (CronJob & PodDisruptionBudget)

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#cronjob-v125
1: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#poddisruptionbudget-v125

Change-Id: I2fc0692e1c8e2c4fa4d4ca1da96b5c6a832343fa
2022-05-19 10:08:18 -04:00
Gage Hugo f475f1e127 Update mistral default image values to wallaby
This change updates the mistral default image values from ocata
to wallaby.

Change-Id: I60ab94561b3376a05fdbfdedbe17f842cdc1992f
2022-04-27 09:23:29 -05:00
Gage Hugo c20c1e4400 Update htk requirements repo
As part of the move to helm v3, all the charts in the OSH repos
will no longer lint/build properly due to a lack of helm serve
in helm v3.

This change modifies the helm-toolkit repo location to the
osh-infra repo in order to account for the removal oh helm serve.

This work is part of the migration to helm v3 and will be utilized
in future changes.

Change-Id: I90d25943d69ad6c76455f7778a4894f00c525c46
2021-10-10 18:45:28 -05:00
Thiago Brito 8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00
Gage Hugo 5233582991 Remove support for openstack releases older than T
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.

Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
2021-04-29 12:04:34 -05:00
Susanta Gautam 79eefa97a5 Added post-install and post-upgrade hook for jobs in mistral
Chart upgrading was failing due to some immutable fields are needed to upgrade before the jobs can be upgraded. For solving this issue, we
have added the helm.sh/hook annotations with post-install and post-upgrade values.
As for hook-weight annotations, we have added these to control the flow of the jobs with hook creation as the jobs are dependent. Like,
db-init jobs need to run before db-sync and so on.

Change-Id: Ia8eebf87a646aa0e25f89721ebda0e237dcf23af
2021-03-24 19:42:01 +05:45
Andrii Ostapenko 20b6b9a236
Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: If537f69dec7e3360f6bffcc4424f10c248919ece
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-24 12:20:13 -05:00
Zuul 28669f8854 Merge "Sync logging values with upstream repos" 2020-09-17 04:08:40 +00:00
Mohammed Naser 89969ade3a Add chart-testing linter
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.

Change-Id: I7e4b191fb9e355ab5d5a233e8ed121346519df62
2020-09-16 21:12:17 +03:00
okozachenko a8fc28696d Sync logging values with upstream repos
Some OSH charts have diffferent values for logger_root
handler from upsgream repo config defaul values.
Exactly, logger_root handler values.
This leads double logging finally.
To fix this, set logger_root as null like upstream repos.

Change-Id: I20e4f48efe29ae59c56f74e0ed9a4085283de6ad
2020-09-15 19:15:05 +03:00
Gage Hugo 44882d60e2 Update xrally version to 2.0.0
This change updates the xrally image from 1.3.0 to 2.0.0
in order to better match the current versions of openstack
we are running in the gate.

Change-Id: I3f417a20e0f6d34b9e7ed569207a3df90c6ddfd2
2020-07-31 20:00:24 +00:00
Andrii Ostapenko 8cfa2aa390 Enable yamllint checks
- brackets
- braces
- colon
- commas
- comments
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- new-line-at-end-of-file
- new-lines
- octal-values
- trailing-spaces

with corresponding code adjustment.

Also add yamllint.conf under the check.

Change-Id: Ie6251c9063c9c99ebe7c6db54c65d45d6ee7a1d4
2020-05-27 19:16:34 -05:00
Gage Hugo db79e79788 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
2020-04-03 20:53:32 +00:00
Gage Hugo f9dbba7043 Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set""
This reverts commit 90d070390d.

Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f
2020-02-21 11:16:55 -06:00
Vasyl Saienko 90d070390d Revert "Keystone Authtoken Cache: allow universal secret key to be set"
This reverts commit 1c85fdc390.

Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also previous behaviour didn't allow to use cache during rolling upgrade
as new pods were spawned with new key.

Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
2020-02-12 11:18:06 +00:00
Steve Wilkerson 9736f5f544 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy

Depends-On: https://review.opendev.org/688435

Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-21 13:58:22 +00:00
Tin Lam e8e5072a18 Apply network policy to all services
The base network policy framework currently applies only to some
OpenStack services' charts but not others. This patch set applies the
same base network policies framework to all services.

Change-Id: I786c68057f6742a79a33f78db6e3bba8b99cf1b8
Signed-off-by: Tin Lam <tin@irrational.io>
2019-09-27 14:18:26 +00:00
Pete Birley 9bcf0df94c Messaging: use htk function to directly hit RabbitMQ servers
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.

Depends-On: I5150a64bd29fa062e30496c1f2127de138322863

Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-18 21:47:45 +00:00
Zuul cd460f12c2 Merge "Rafactoring volume mount variables in db sync job" 2019-06-18 18:24:18 +00:00
Pete Birley 31bd9c832d Logs: Make it optional to use log_config_append option
This PS enables the use of simple logging options if desired.

Change-Id: If6ea420c6ed595b3b6b6eedf99a0bf26a20b6abf
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-17 13:51:21 -05:00
Gage Hugo 976cab856c Create separate users for helm test
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.

This change makes it so that each service defines its own test user
in the form of [service]-test.

Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
2019-06-03 11:26:18 -05:00
John Haan 0ea9be7ade Rafactoring volume mount variables in db sync job
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.

Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
2019-05-22 17:47:03 +09:00
Zuul f8adab245b Merge "Point to OSH-images images" 2019-05-18 19:12:58 +00:00
Jean-Philippe Evrard 1d335146fa Point to OSH-images images
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.

Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.

This should fix it.

Change-Id: I672b8755bf9e182b15eff067479b662529a13477
2019-05-13 10:58:02 +02:00
Roy Tang (rt7380) 5df6fa3789 Expose Anti-Affinity Weight Setting.
Add weight default setting to anti-affinity.

Depends-on: Id8eb303674764ef8b0664f62040723aaf77e0a54
Change-Id: I09f96522cddf3a77dae73daca4557877eda5df50
2019-05-10 22:05:24 -05:00
caoyuan cb77d3adff Replace git.openstack.org URLs with opendev.org URLs
Change-Id: I9a7bcee8727cb127d57ccb4dce1183895a4130cd
2019-04-25 00:37:57 +08:00
Pete Birley 623c131292 OSH: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 08:55:44 -05:00
Jiří Suchomel a2a5dda47c Added volume related keys to pod mounts to ease the overriding
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this

pod:
  mounts:
    nova_placement:
      init_container: null
      nova_placement:
        volumeMounts:
          - name: nova-etc
          ...

helm template parser complains with

Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>

So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.

Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
2019-03-15 16:29:19 +00:00
Zuul 1ad5467252 Merge "Increase default logging" 2019-03-06 04:09:58 +00:00
Jean-Philippe Evrard 5890ebf4f8 Increase default logging
The current helm chart defaults drops logs of any warnings
(and above) for any logger outside of the namespace
of the deployed chart.

This is a problem, as logging could reveal important information for
operators. While this could be done with a value override, there
is no reason to hide warning, errors, or critical information that
are happening in the cycle of the operation of the software
deployed with the helm charts. For example, nothing would get
logged in oslo_service, which is a very important part of running
OpenStack.

This fixes it by logging to stdout all the warnings (and above)
for OpenStack apps.

Change-Id: I16f77f4cc64caf21b21c8519e6da34eaf5d31498
2019-02-28 09:53:01 +00:00
Pavlo Shchelokovskyy 55645c7e73 Explicitly set datefmt for logging
the defaults in Python [0] and oslo.log [1] are such that when using
separate config file for logging configuration (log-config-append)
the log fomat of dates containes miliseconds twice (as in sec,ms.ms)
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.

When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].

Since `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set date format to avoid double
miliseconds rendering in date of log entries.

[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148

Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
2019-02-21 08:28:35 +00:00
Steve Wilkerson f4c01d2461 Add release-uuid annotation to pod spec
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts

Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
2019-02-12 12:31:59 -06:00
Jaesang Lee 2a03fd65bf Upgrade rally to 1.3.0
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.

Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
2018-12-20 00:22:49 +00:00
Tin Lam 29f32a07ac Enable network policy enforcement
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-23 14:58:13 +00:00
Tin Lam 3cd4d0898a Upgrade default from newton to ocata
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.

Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-13 04:18:46 +00:00
Pete Birley 3ae745a10e Add release uuid to pods and rc objects
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.

Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-13 06:29:14 -05:00
Jean-Philippe Evrard 05d0e2b4b8 Revert "Update OSH Author copyrights to OSF"
This reverts commit b1755c3993.

Change-Id: I215a172f2ff4220340292b95f5323847944baeb7
2018-08-28 17:25:13 +00:00
Matt McEuen b1755c3993 Update OSH Author copyrights to OSF
This PS updates the "Openstack-Helm Authors" copyright attribution
to be the "OpenStack Foundation", as decided in the 2018-03-20
team meeting:
http://eavesdrop.openstack.org/meetings/openstack_helm/2018/openstack_helm.2018-03-20-15.00.log.html

No other copyright attributions were changed.

Change-Id: I167ceedab8fadee28c19514fad6f125d0a521caf
2018-08-26 17:17:41 -05:00
Zuul e31f82668e Merge "Keystone: Correct endpoint definition" 2018-08-24 16:01:53 +00:00
Pete Birley 4b3cbafc9a Keystone: Correct endpoint definition
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.

Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-23 11:33:21 -05:00
Pete Birley 83b91e6e1b Openstack: Use k8s secret to store config
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.

Depends-On: https://review.openstack.org/#/c/593732

Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-22 20:39:52 -05:00
Pete Birley 7e90bb02bd Logging: update logging config to pass null as a string to oslo config
This PS updates the logging config to pass null as a string though to
the rendering engine, which is required to avoid things like `<no value>`
when base64 encoding output.

Change-Id: I04d6afbc693ec1adf560c7be15704c8b7434c08f
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-20 13:28:27 -05:00
Pete Birley 4a6d740154 Keystone: Stop running keystone container with root user
This PS updates the keystoen chart to stop running the keystone api
as the root user.

Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-04 10:06:32 -05:00
Pete Birley 5f349ae653 Keystone: Disable v2 api
This PS disables the v2 keystone API, and finishes the migration to
full v3 support.

Change-Id: I3021ebe0bee668db9f28e7fb18e2d4b26172f209
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-03 14:50:45 +00:00
Pete Birley dc7008d9a5 Keystone: enable external access to admin endpoint
This PS moves to use port 80 by default for the keystone
asdmin endpoint, and adjusts paths accordingly.

Change-Id: Iccae704dadc17eba269e857301654782f64763c9
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-02 14:40:20 +00:00
Pete Birley d003a082c8 Logging: Only output std logs to stdout
This PS removes the double logging of openstack components that
were caused by outputting to both stdout and stderr.

Change-Id: I6e0ae5861bbf5b8d736ae08251aa865e1c4ce0d8
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-27 11:01:30 +00:00
Pete Birley 95c5b4942d Keystone: Use service domain for service users
This PS moves to use a service domain for openstack service accounts
and users.

Change-Id: Ibe7c5f83a9fc9960fb85e53f9745d24f2192a94a
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-26 05:19:38 +00:00