Updates the FluxCD jinja templates for CRDs, deployments,
rbac, and services. Kubernetes system-images.yml files
have also been updated with the corresponding images:
docker.io/fluxcd/helm-controller:v1.0.1
docker.io/fluxcd/source-controller:v1.3.0
Test Plan:
This test plan is conducted with helm version
3.12 and 3.14.
PASS: Build STX packages & ISO
PASS: Bootstrap an STX ISO and ensure FluxCD starts
without error: K8S 1.28.4
PASS: Install all applications under K8S 1.28.4
using updated FluxCD. Verify all apps
upload/apply/remove/delete without error.
PASS: Bootstrap an STX ISO and ensure FluxCD starts
without error: K8S 1.24.4
PASS: Install all applications under K8S 1.24.4
using updated FluxCD. Verify all apps
upload/apply/remove/delete without error.
Story: 2011129
Task: 50173
Depends-On: https://review.opendev.org/c/starlingx/integ/+/920040
Change-Id: I3ddd3bf0596537ad93f728be750d72fb95e35b49
Signed-off-by: Reed, Joshua <Joshua.Reed@windriver.com>
This commit creates the Keystone identity service and endpoints
during keystone bootstrap configuration. This enables the Barbican
service to create OpenStack secrets.
Test Plan:
PASS: Perform a complete deploy in a DC environment.
PASS: Check that OpenStack secrets were created.
PASS: Verify Barbican secrets can get on the subcloud with the correct
payload.
Closes-bug: 2067097
Change-Id: I3e76bb1ccdf0fd24adbbb714083fb6381d9290f9
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
This commit adds tasks to update the dns config and docker registries
config for subcloud enrollment.
Test plan:
Passed - verified DNS servers and docker registries with barbican secrets
can be created on AIOSX with this change.
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/917065
Story: 2011100
Task: 50112
Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: I3e546c9cb62f6a8ff1ead9b0c92beb936d2fd5ed
In this commit:
- Add a skeleton playbook for subcloud enrollment. Roles implementation
will be incrementally added. The initial version of the playbook
only prepares the enrollment values and validates the factory
installed subcloud.
- Move tasks that can be shared between enroll and rehome playbooks to
rehome-enroll-common role.
- Add docker proxy values to host vars of the rehome playbook. This
will be used to update the docker proxy and no proxy list for
non-simplex subclouds. The handling of this configuration for rehome
playbook will be done in the same commit as for enroll playbook.
Test plan:
Passed - verify the subcloud enroll playbook:
1. Bring up a factory installed AIOSX and a distributed cloud with this
commit.
2. Use the "dcmanager subcloud deploy create" with bootstrap values in
the system controller to create the subcloud's overrides and inventory.
The subcloud overrides and inventory are under:
/var/rootdirs/opt/dc-vault/ansible/.
3. Verified this playbook finishes successfully against the
subcloud.
Passed - bootstrap a DC with an AIOSX subcloud:
1. Verified fresh deployment of a distributed cloud with an AIOSX
subcloud.
Passed - rehome subclouds to a DC
1. Verified the SX subcloud rehoming succeeded with this change.
2. Verified the DX subcloud rehoming succeeded with this change,
verified the docker no proxy list with the oam address of node_1.
Story: 2011100
Task: 49977
Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: I7842dd35777f17f4b6686c5a35d3eafac4b546ae
The backup_user_images flag override in create_subcloud_backup.yml
was not named correctly. It should be default_user_images_backup_prefix
instead of docker_local_registry_backup_filename_prefix.
Test Plan:
Pass: Perform backup and restore on AIO-DX subcloud
with --registry-images parameter
Closes-Bug: #2062375
Change-Id: I8851af689286258bba32bc11968fb39bd98e80d4
Signed-off-by: sshathee <shunmugam.shatheesh@windriver.com>
This change added code to ansible bootstrap playbook to start/restart
ipsec-auth service and call ipsec-auth client to configure and enable
IPSec. This will configure and enable IPsec for the first controller.
IPsec config and enablement will be skipped for SX, because SX has only
one node so no IPsec is required.
Test Plan:
PASS: DX system, install and bootstrap controller-0, after bootstrap,
verify ipsec-auth service is running, strongswan configuration
files and certificate/key are generated, and swanctl config is
loaded.
PASS: SX system, verify bootstrap is successful, and after bootstrap,
ipsec-auth service is not running, strongswan configuration files
and certificate/key are not generated.
PASS: DC system with SX subcloud, verify in central cloud, controller-0
is installed and bootstrapped successfully, and after bootstrap,
verify ipsec-auth service is running, strongswan configuration
files and certificate/key are generated, and swanctl config is
loaded.
Verify the subcloud is installed and bootstrapped successfully,
and after bootstrap, ipsec-auth service is not running,
strongswan configuration files and certificate/key are not
generated.
Verify subcloud is online, managed and all resources are in-sync.
Story: 2010940
Task: 50020
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Iccf263b982dc89f6648fd3017a68c4e3a0f175ee
This commit upversions the iso to 24.09 for this repo.
Test Plan:
PASS: install/bootstrap/unlock
PASS: build ISO, verify software version is updated accordingly
Story: 2010651
Task: 50041
Change-Id: I7b3be5ae11492bf98500b19043cf9b4f29fc7b22
Signed-off-by: Heitor Matsui <heitorvieira.matsui@windriver.com>
Adding remote backup file transfer capability for vault restore
playbook. If backup files on local machine should be used, the user can
set on_box_data to false when calling the playbook. It will copy over
the local backup tarball to target_backup_dir on the target machine,
then run vault restore on the copied tarball. The behaviour is same as
the platform restore.
Test Plan:
PASS For each scenario, validate vault sanity
PASS For each scenario, validate that correct backup tarball was used
PASS With on_box_data=false, remote restore succeeds using backup
file transferred from local machine
PASS With on_box_data=true, remote restore succeeds using backup
file on the target
PASS With neither on_box_data nor initial_backup_data supplied,
remote restore succeeds using backup file on the target
PASS local restore succeeds using backup file on the target
Story: 2011073
Task: 49841
Change-Id: Id59b30512c71fedbebbe2a694d5570fb5a3b5b46
Signed-off-by: Tae Park <tae.park@windriver.com>
Add cert-manager images v1.7.1 to support upgrade
from stx9.0 to stx10.0
Test Cases:
PASS: Perform an upgrade from stx9.0 to stx10.0 and after
running upgrade playbook verify that cert-manager app
is successfully running, perform upgrade activate
and notice that app is upgraded.
Closes-Bug: 2063372
Change-Id: I68c534420857b4dc718760f45b987e07056a07f3
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
This update prevents a 25min wait for shutdown services task when
resetting Kubernetes.
Before shutdown services task is run, etcd reconfigure manifest
is applied which regenerates etcd server auth certificates.
This also causes etcd to be stopped.
Kubeadm reset command stops and removes all pods. For this it
internally uses commands 'crictl stopp' and 'crictl rmp'.
These commands release all pod resources for which it requires
kube-apiserver and etcd to be running.
If etcd is not running, 'crictl stopp' does several retries before
eventually deleting the pod. The process is time consuming for each
pod and accumulates to around 25 minutes for all pods.
This change temporarily starts etcd before 'kubeadm reset' is run.
This forces kube-apiserver to restart with newer etcd
client certificates. Both actions do not impact rest of the playbook
run as 'kubeadm reset' removes kube-apiserver and etcd is stopped
again after 'kubeadm reset' is run. The task 'Bring-up kube-master'
initializes the kubernetes cluster from scratch during later stages
of the playbook.
Test Plan:
On AIO-SX:
PASS: Run ansible-bootstrap playbook to completion.
Replay ansible-bootstrap playbook to completion.
PASS: Run ansible-bootstrap playbook. Abort (Ctrl+C) before
'bring-up kubemaster' task is run (emulating a failure).
Replay ansible-bootstrap playbook to completion.
PASS: Run ansible-bootstrap playbook. Abort (Ctrl+C) after
'bring-up kubemaster' task is run (emulating a failure).
Replay ansible-bootstrap playbook to completion.
PASS: Run ansible-bootstrap playbook. Stop kube-apiserver pod.
This results in two kube-apiserver pods, one in "Ready"
state and another "NotReady". Replay ansible-bootstrap playbook
to completion.
PASS: Duplex Backup and restore successful.
Closes-bug: 2060255
Change-Id: I05f6c35014a65fbcec5c63d4f1e4ea4cc88dbd59
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Add keystone_bootstrap task file to apply_bootstrap_manifest role
to reduce bootstrap time by, approximately, 25 seconds. The
corresponding keystone bootstrap implementation in puppet will be removed.
Changes include:
- Create a template for keystone.conf and keystone-extra.conf files
- Create fernet-keys directory
- Configure and bootstrap keystone
- Configure the required services, roles and users in keystone
- Update the create_sysinv_endpoints.py script to use the update_users
function from openstack_config_endpoints.py
Test plan:
1. PASS: Deploy a DC system with one system controller and two subclouds
and ensure the subclouds can be managed
2. PASS: Deploy an AIO-SX system and verify the host unlocks
3. PASS: Perform bootstrap replay and ensure the host unlocks after
re-execution
4. PASS: Verify the creation of the services project, _member_ role and
the admin user update to the correct e-mail address
5. PASS: Verify the keystone.conf and keystone-extra.conf files for each
deployment type
6. PASS: Validate the sql dump of the keystone database generated in
a subcloud deployment in relation to the one generated before the
changes
7. PASS: Validate the permissions in /etc/keystone and
/opt/platform/keystone
8. PASS: Validate that the admin and sysinv users have the
ignore_lockout_failure_attempts set to true
9. PASS: Perform backup and restore on a system controller
and an AIO-SX deployment
Depends-On: https://review.opendev.org/c/starlingx/config/+/916539
Story: 2011035
Task: 49923
Change-Id: I52223934b04d77324e75235df534b376964d6f3a
Signed-off-by: Raphael Lima <Raphael.Lima@windriver.com>
Include some improvements in the playbook:
- CAs cert/keys are verified first, then installed at the end of
the playbook (this makes the playbook work if the system-local-ca
secret was deleted - not having the secret prevented installing
the RCA as trusted in the early steps of playbook).
- Not deleting oidc-auth-apps-certificate Certificate unless the
application is applied in the system (Certificate is recreated in
this case).
- Only wait for 'system-openldap-local-certificate' when the
playbook created it (only standalone or SystemController).
- Included step to reapply old 'system-local-ca' secret if the
playbook fails in a state where the secret was already deleted.
Test Plan:
PASS: Run update_platform_certificates playbook in DC + SX subcloud.
PASS: Remove system-local-ca secret.
Run upgrade_platform_certificates playbook.
PASS: Provide wrong field in inventory file.
Run upgrade_platform_certificates playbook, observe that it
fails.
Fix the inventory file.
Run upgrade_platform_certificates playbook.
PASS: Issue oidc-auth-apps-certificate Certificate, using
system-local-ca ClusterIssuer.
Without oidc auth apps applied in the system, run
upgrade_platform_certificates playbook.
Observe that the certificate is not deleted.
Story: 2009811
Task: 50080
Change-Id: Ic0213ea739dbb116536f9e4a85d16da0b55cf6ca
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
Integrating HashiCorp vault backup procedure into platform backup, so it
can be backed up alongside platform optionally. Also contains amendments
to vault backup/restore playbook to accommodate for platform integration.
The vault backup playbook now will create a tarball containing both the
snapshot tarball and the metadata. The vault subdir will be treated as
tempdir and deleted at the end.
The vault restore playbook now requires the tarball created above in the
backup procedure, instead of vault subdir and its parent dir. It will
follow the same convention as the platform restore playbook.
The restore playbook also has extra validation procedures, to
automatically attempt to fix the sealed vault pods.
Test Plan:
PASS Validate platform backup with backup_hc_vault enabled
PASS Validate new HashiCorp vault backup playbook
PASS Validate new HashiCorp vault restore playbook
PASS Validate vault sanity after restore
PASS Vault is restored to correct status produced by backup
PASS Unit test
Story: 2011073
Task: 49841
Change-Id: I1cba38893d9191bdd3902ef02abdf89d0ec943ed
Signed-off-by: Tae Park <tae.park@windriver.com>
This commit will be updating default password occurrences on
ansible-playbooks files to comply with new password rules, that will be:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords
- Default password expiry period should be set to 90 days.
The default passwords are updated as follows:
St8rlingX* -> St8rlingXCloud*
Boot5trap*1234 -> Boot5trapCloud*
Test Plan:
PASS: Run build-pkgs -c -p playbookconfig
Task: 50001
Story: 2011084
Change-Id: Ib6c1fd96f335bfb53e71da48966baa4246649a1f
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
This commit creates the Barbican user, service, and
endpoints before the 'update sysinv db' task. This
enables the creation of the registry secrets to be
used to create service parameters for the registries.
Test Plan:
PASS: Perform a complete deploy in a DC environment.
PASS: Check that all service parameters for Docker are created.
PASS: Successfully apply the platform-integ-apps.
Closes-Bug: 2065317
Change-Id: I259e176a4a6309ca8748aef37e137e0c6e0894b9
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
This commit will be updating default password occurrences on
ansible-playbooks files to comply with new password rules, that will be:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords
- Default password expiry period should be set to 90 days.
The default passwords are updated as follows:
St8rlingX* -> St8rlingX*1234
Boot5trap* -> Boot5trap*1234
Test Plan:
PASS: Run a full deploy successfully.
Story: 2011084
Task: 49824
Change-Id: If1b7acdde2adc749a3113c0d4a923fd7e92912c0
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
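A checker for the password rules listed in the two password-update commit messages above (minimum 12 characters, an uppercase letter, a digit, a special character, no reuse of the past 5 passwords, 90-day default expiry), run against the old and new default passwords those messages cite. This is an added example, not code from the StarlingX ansible-playbooks repo; treating "special character" as any non-alphanumeric character and passing the password history as a plain list are assumptions.

```python
"""Check candidate passwords against the rules quoted in the commit messages.

Added example, not code from the StarlingX ansible-playbooks repo.
Assumption: "special character" means any non-alphanumeric character.
"""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12        # "Minimum 12 characters"
HISTORY_DEPTH = 5      # "Cannot reuse past 5 passwords"
MAX_AGE_DAYS = 90      # "Default password expiry period should be set to 90 days"

# (rule name, predicate), in the order the commit message lists the rules.
RULES = (
    ("min_length", lambda p: len(p) >= MIN_LENGTH),
    ("uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("special", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
)


def digest(password):
    """Fingerprint used only for the in-memory history comparison.

    Fast unsalted hashing is acceptable here because nothing is persisted;
    a real password store keeps slow, salted hashes (e.g. crypt/PBKDF2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def policy_violations(candidate, history=()):
    """Return the names of the rules `candidate` breaks; [] means compliant.

    `history` lists previous passwords oldest first; only the most recent
    HISTORY_DEPTH entries count, matching "cannot reuse past 5 passwords"."""
    failed = [name for name, check in RULES if not check(candidate)]
    recent = {digest(p) for p in list(history)[-HISTORY_DEPTH:]}
    if digest(candidate) in recent:
        failed.append("reuse")
    return failed


def is_expired(set_on, today):
    """True once a password set on ISO date `set_on` has reached the
    90-day default expiry by ISO date `today`."""
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    return age.days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Old and new defaults quoted in the commit messages above: the 10-character
    # originals fail only the length rule, every replacement is compliant.
    for pw in ("St8rlingX*", "Boot5trap*", "St8rlingX*1234",
               "Boot5trap*1234", "St8rlingXCloud*", "Boot5trapCloud*"):
        print(f"{pw:18} -> {policy_violations(pw) or 'compliant'}")
```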
Add FluxCD images from helm-controller v0.27.0 and
source-controller v0.32.1 to support upgrade from
stx9.0 to stx10.0
Test Case:
PASS: Perform an upgrade from stx9.0 to stx10.0 and
after running upgrade playbook verify that FluxCD
pods are successfully running.
Closes-Bug: 2064525
Change-Id: I0a5c957fd7d2ed1ea7c49f2a7ad983c841ae880e
Signed-off-by: Reed, Joshua <Joshua.Reed@windriver.com>
Changed initial configurations to bootstrap the system w/
HTTPS endpoints. This will change current behavior, that is to
perform the change during the first unlock of c0.
Test plan:
PASS: Deploy AIO-SX - Verify HTTPS endpoints
PASS: Deploy DC + SX subcloud - Verify HTTPS endpoints
Story: 2009811
Task: 50010
Change-Id: Ie0a187838b1da080d81fa3e28607a56a1f9fbf50
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
Included code to avoid repeating the system_local_ca_cert in case
the ca.crt cannot be retrieved.
Filling this field with a cert that is not an RCA can cause problems when
renewing certificates signed by the 'system-local-ca' issuer, while
having the field as an empty string doesn't pose a problem for
renewal.
Test plan:
PASS: Bootstrap AIO-SX (fresh install).
PASS: Bootstrap DC + SX subcloud (fresh install).
PASS: Perform upgrade from stx 9.0 (AIO-SX).
Story: 2009811
Task: 50018
Change-Id: I1757b5c0438aba9ca8a782b3f05c160cdabec134
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
Switch to using "stage1" and "stage2" symlinks under
/var/lib/kubernetes to select versions for kubeadm, kubelet,
and kubectl.
We have been using bind mounts to select K8s versions, but they are not
well supported by Puppet and suffer from fragility since you cannot
remove a bind mount while an executable is still running from it. They
also need to be re-created when creating an OSTree hotfix.
Symlinks suffer from no such issues, they just need to be created in
a filesystem that is not managed by OSTree.
NOTE: This needs to go in at the same time as its two dependencies or
else things will break.
Depends-On: https://review.opendev.org/c/starlingx/integ/+/916337
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/916338
Story: 2011047
Task: 49914
TEST PLAN:
See integ repo commit for test plan.
Change-Id: Ia092228fc4afef081b9a95cb09f13b7f5fe729b0
Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
Use the 'gpg' linux command to encrypt/decrypt a file. The encryption
method is "--symmetric", with a user supplied passphrase.
See also man 'gpg' for description of the command options.
Ansible variable options are described in roles/encrypt/vars/main.yml
and roles/decrypt/vars/main.yml
Story: 2011073
Task: 49929
Test Plan:
pass ansible-lint
pass Unit test
Change-Id: Ibc4fc574733b321e3f8e309417cfd5ec7fc91071
Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
Use the 'shred' linux command to securely remove files. See also
'man shred' for description of the command options.
Ansible variable options are described in roles/shred/vars/main.yml
Story: 2011073
Task: 49925
Test Plan:
PASS ansible-lint
PASS Unit test
Change-Id: I54f6f1c93a7fe9f9b9fbfb70d455e789680d7b6c
Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
This commit fixes the solution introduced in
https://review.opendev.org/c/starlingx/ansible-playbooks/+/912317.
Test Plan:
PASS: Deploy a DC environment with one SX and one DX subcloud
and backup both subclouds. Restore the subclouds backup and
verify that both operations complete successfully.
Story: 2011035
Task: 49694
Signed-off-by: Gustavo Pereira <gustavo.lyrapereira@windriver.com>
Change-Id: I9f84328d15fba6acf867e6a322e97e4dd3b2a6df
Add cert-manager images from v1.7.1 to v1.11.5 to support upgrade
from stx9.0 to stx10.0
Test Cases:
PASS: Perform an upgrade from stx9.0 to stx10.0 and after
running upgrade playbook verify that cert-manager app
is successfully running, perform upgrade activate
and notice that app is upgraded.
Closes-Bug: 2063372
Change-Id: I30fc44bb3e76375c0590233708a8cc23b6e1141c
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
Previously, L4 ports had default values defined in Puppet classes for
bootstrap and backup/restore scenarios.
These defaults were removed to ensure all ports are managed by the
firewall. The change is:
https://review.opendev.org/c/starlingx/stx-puppet/+/885586
While this functions well for fresh installations, it caused an issue
during DX subcloud backup and restore. Specifically, the Ansible
playbook wasn't configuring L4 ports during subcloud restore.
Test Plan:
IPv4 DC with subcloud AIO-DX fresh install
IPv4 AIO-DX fresh install
IPv4 AIO-SX fresh install
IPv4 Subcloud AIO-DX Backup and Restore
IPv4 AIO-DX Backup and Restore
IPv4 AIO-SX Backup and Restore
Closes-Bug: 2056054
Signed-off-by: Fabiano Correa Mercer <fabiano.correamercer@windriver.com>
Change-Id: I91b0d0e714aff1a2a0dbfbb1031975d010872c81
Creating new ansible playbooks vault_backup and vault_restore that
creates a vault snapshot for backup and uses it to restore vault
respectively. Each playbook invokes the vault backup/restore script to
access vault REST API.
The vault_backup playbook has one required option and one optional option:
required:
--initial_backup_dir: the path to the directory, where the vault
subdirectory will be created. The vault_backup playbook will place the
resulting backup tarball in the subdir.
optional:
--encrypt_hc_vault_secret: a string that will be used as a secret key
for encrypting the backup tarball
The vault_restore playbook, in addition to the options for vault_backup,
has one additional required option:
--backup_filename: the filename of the backup tarball that will be used
to restore the vault application. This file must be in the vault
subdirectory of the initial_backup_dir directory
Test Plan:
PASS vault backup then vault restore
PASS vault backup/restore with custom encryption secret key
PASS backup, rekey vault, lose the new key shards, restore from
backup
PASS backup, delete the vault namespace and recreate the cluster,
restore
Story: 2011073
Task: 49841
Change-Id: I3824450ae8bb0c602c44cddd19dd10f5b307e8d6
Signed-off-by: Tae Park <tae.park@windriver.com>
The CNI system images for the last version of the old release
and the first version of the new release should be the same.
Testing:
- Build successful
- All kube-system pods came up
- Manual K8s upgrade
Story: 2010639
Task: 49900
Change-Id: Id28ba013c3470c3656ca36745e09a53924ad6dcf
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>