openstack/openstack-helm
Code Issues Proposed changes

Merge remote-tracking branch 'upstream/master' into maas-region-cleanup

Browse Source
This commit is contained in:
Larry Rensing 2017-01-25 00:05:34 +00:00
commit 20cb6f0c63
161 changed files with 5236 additions and 874 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Makefile
View File

@ -1,12 +1,12 @@
.PHONY: ceph bootstrap mariadb keystone memcached rabbitmq common openstack neutron maas all clean
.PHONY: ceph bootstrap mariadb keystone memcached rabbitmq common openstack neutron nova cinder heat maas all clean
B64_DIRS := common/secrets
B64_EXCLUDE := $(wildcard common/secrets/*.b64)
CHARTS := ceph mariadb rabbitmq GLANCE memcached keystone glance horizon neutron maas openstack
CHARTS := ceph mariadb rabbitmq memcached keystone glance horizon neutron nova cinder heat maas openstack
COMMON_TPL := common/templates/_globals.tpl
all: common ceph bootstrap mariadb rabbitmq memcached keystone glance horizon neutron maas openstack
all: common ceph bootstrap mariadb rabbitmq memcached keystone glance horizon neutron nova cinder heat maas openstack
common: build-common
@ -19,6 +19,8 @@ mariadb: build-mariadb
keystone: build-keystone
cinder: build-cinder
horizon: build-horizon
rabbitmq: build-rabbitmq
@ -27,6 +29,10 @@ glance: build-glance
neutron: build-neutron
nova: build-nova
heat: build-heat
maas: build-maas
memcached: build-memcached
@ -44,4 +50,3 @@ build-%:
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
helm lint $*
helm package $*

2
README.md
View File

@ -1,5 +1,7 @@
# Openstack-Helm
Join us on [freenode](https://freenode.net/): `#openstack-helm`
Openstack-Helm is a fully self-contained Helm-based OpenStack deployment on Kubernetes. It will provide baremetal provisioning, persistent storage, full-stack resiliency, full-stack scalability, performance monitoring and tracing, and an optional development pipeline (using Jenkins). This project, along with the tools used within are community-based and open sourced.
# Mission

2
ceph/templates/daemonset-osd.yaml
View File

@ -40,7 +40,7 @@ spec:
containers:
- name: osd-pod
image: {{ .Values.images.daemon }}
imagePullPolicy: Always
imagePullPolicy: {{ .Values.images.pull_policy }}
volumeMounts:
- name: devices
mountPath: /dev

1
ceph/templates/deployment-mds.yaml
View File

@ -34,6 +34,7 @@ spec:
containers:
- name: ceph-mon
image: {{ .Values.images.daemon }}
imagePullPolicy: {{ .Values.images.pull_policy }}
ports:
- containerPort: 6800
env:

6
ceph/templates/deployment-moncheck.yaml
View File

@ -34,7 +34,7 @@ spec:
containers:
- name: ceph-mon
image: {{ .Values.images.daemon }}
imagePullPolicy: Always
imagePullPolicy: {{ .Values.images.pull_policy }}
ports:
- containerPort: 6789
env:
@ -42,8 +42,8 @@ spec:
value: MON_HEALTH
- name: KV_TYPE
value: k8s
- name: MON_IP_AUTO_DETECT
value: "1"
- name: NETWORK_AUTO_DETECT
value: "4"
- name: CLUSTER
value: ceph
volumeMounts:

1
ceph/templates/deployment-rgw.yaml
View File

@ -36,6 +36,7 @@ spec:
containers:
- name: ceph-rgw
image: {{ .Values.images.daemon }}
imagePullPolicy: {{ .Values.images.pull_policy }}
ports:
- containerPort: {{ .Values.network.port.rgw_target }}
env:

4
ceph/templates/statefulset-mon.yaml
View File

@ -58,7 +58,7 @@ spec:
containers:
- name: ceph-mon
image: {{ .Values.images.daemon }}
imagePullPolicy: Always
imagePullPolicy: {{ .Values.images.pull_policy }}
lifecycle:
preStop:
exec:
@ -73,7 +73,7 @@ spec:
- name: KV_TYPE
value: k8s
- name: NETWORK_AUTO_DETECT
value: "1"
value: "4"
- name: CLUSTER
value: ceph
volumeMounts:

1
ceph/values.yaml
View File

@ -18,6 +18,7 @@ service:
images:
daemon: quay.io/attcomdev/ceph-daemon:latest
pull_policy: IfNotPresent
labels:
node_selector_key: ceph-storage

3
cinder/Chart.yaml Normal file
View File

@ -0,0 +1,3 @@
description: A Helm chart for cinder
name: cinder
version: 0.1.0

4
cinder/requirements.yaml Normal file
View File

@ -0,0 +1,4 @@
dependencies:
- name: common
repository: http://localhost:8879/charts
version: 0.1.0

45
cinder/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,45 @@
# This file is required because we use a slightly different endpoint layout in
# the values yaml, until we can make this change for all services.
# this function returns the endpoint uri for a service, it takes an tuple
# input in the form: service-type, endpoint-class, port-name. eg:
# { tuple "orchestration" "public" "api" . | include "endpoint_type_lookup_addr" }
# will return the appropriate URI. Once merged this should phase out the above.
{{- define "endpoint_type_lookup_addr" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $endpointMap := index $context.Values.endpoints $type }}
{{- $fqdn := $context.Release.Namespace -}}
{{- if $context.Values.endpoints.fqdn -}}
{{- $fqdn := $context.Values.endpoints.fqdn -}}
{{- end -}}
{{- with $endpointMap -}}
{{- $endpointScheme := .scheme }}
{{- $endpointHost := index .hosts $endpoint | default .hosts.default}}
{{- $endpointPort := index .port $port }}
{{- $endpointPath := .path }}
{{- printf "%s://%s.%s:%1.f%s" $endpointScheme $endpointHost $fqdn $endpointPort $endpointPath | quote -}}
{{- end -}}
{{- end -}}
#-------------------------------
# endpoint name lookup
#-------------------------------
# this function is used in endpoint management templates
# it returns the service type for an openstack service eg:
# { tuple orchestration . | include "ks_endpoint_type" }
# will return "heat"
{{- define "endpoint_name_lookup" -}}
{{- $type := index . 0 -}}
{{- $context := index . 1 -}}
{{- $endpointMap := index $context.Values.endpoints $type }}
{{- $endpointName := index $endpointMap "name" }}
{{- $endpointName | quote -}}
{{- end -}}

21
cinder/templates/bin/_db-init.sh.tpl Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -ex
export HOME=/tmp
ansible localhost -vvv \
-m mysql_db -a "login_host='{{ .Values.database.address }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.cinder_database_name }}'"
ansible localhost -vvv \
-m mysql_user -a "login_host='{{ .Values.database.address }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.cinder_user }}' \
password='{{ .Values.database.cinder_password }}' \
host='%' \
priv='{{ .Values.database.cinder_database_name }}.*:ALL' \
append_privs='yes'"

13
cinder/templates/configmap-bin.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cinder-bin
data:
db-init.sh: |+
{{ tuple "bin/_db-init.sh.tpl" . | include "template" | indent 4 }}
ks-service.sh: |+
{{- include "common_keystone_service" . | indent 4 }}
ks-endpoints.sh: |+
{{- include "common_keystone_endpoints" . | indent 4 }}
ks-user.sh: |+
{{- include "common_keystone_user" . | indent 4 }}

15
cinder/templates/configmap-etc.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cinder-etc
data:
cinder.conf: |+
{{ tuple "etc/_cinder.conf.tpl" . | include "template" | indent 4 }}
api-paste.ini: |+
{{ tuple "etc/_cinder-api-paste.ini.tpl" . | include "template" | indent 4 }}
policy.json: |+
{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
ceph.conf: |+
{{ tuple "etc/_ceph.conf.tpl" . | include "template" | indent 4 }}
ceph.client.{{ .Values.ceph.cinder_user }}.keyring: |+
{{ tuple "etc/_ceph-cinder.keyring.tpl" . | include "template" | indent 4 }}

73
cinder/templates/deployment-api.yaml Normal file
View File

@ -0,0 +1,73 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.api }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: cinder-api
spec:
replicas: {{ .Values.replicas.api }}
revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
strategy:
type: {{ .Values.upgrades.pod_replacement_strategy }}
{{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
{{ end }}
template:
metadata:
labels:
app: cinder-api
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: cinder-api
image: {{ .Values.images.api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- cinder-api
- --config-dir
- /etc/cinder/conf
ports:
- containerPort: {{ .Values.service.api.port }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.api.port }}
volumeMounts:
- name: pod-etc-cinder
mountPath: /etc/cinder
- name: pod-var-cache-cinder
mountPath: /var/cache/cinder
- name: cinderconf
mountPath: /etc/cinder/conf/cinder.conf
subPath: cinder.conf
readOnly: true
- name: cinderpaste
mountPath: /etc/cinder/api-paste.ini
subPath: api-paste.ini
readOnly: true
- name: cinderpolicy
mountPath: /etc/cinder/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: pod-etc-cinder
emptyDir: {}
- name: pod-var-cache-cinder
emptyDir: {}
- name: cinderconf
configMap:
name: cinder-etc
- name: cinderpaste
configMap:
name: cinder-etc
- name: cinderpolicy
configMap:
name: cinder-etc

68
cinder/templates/deployment-scheduler.yaml Normal file
View File

@ -0,0 +1,68 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.scheduler }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: cinder-scheduler
spec:
replicas: {{ .Values.replicas.scheduler }}
revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
strategy:
type: {{ .Values.upgrades.pod_replacement_strategy }}
{{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
{{ end }}
template:
metadata:
labels:
app: cinder-scheduler
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: cinder-scheduler
image: {{ .Values.images.scheduler }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- cinder-scheduler
- --config-dir
- /etc/cinder/conf
volumeMounts:
- name: pod-etc-cinder
mountPath: /etc/cinder
- name: pod-var-cache-cinder
mountPath: /var/cache/cinder
- name: cinderconf
mountPath: /etc/cinder/conf/cinder.conf
subPath: cinder.conf
readOnly: true
- name: cinderpaste
mountPath: /etc/cinder/api-paste.ini
subPath: api-paste.ini
readOnly: true
- name: cinderpolicy
mountPath: /etc/cinder/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: pod-etc-cinder
emptyDir: {}
- name: pod-var-cache-cinder
emptyDir: {}
- name: cinderconf
configMap:
name: cinder-etc
- name: cinderpaste
configMap:
name: cinder-etc
- name: cinderpolicy
configMap:
name: cinder-etc

68
cinder/templates/deployment-volume.yaml Normal file
View File

@ -0,0 +1,68 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.volume }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: cinder-volume
spec:
replicas: {{ .Values.replicas.volume }}
revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
strategy:
type: {{ .Values.upgrades.pod_replacement_strategy }}
{{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
{{ end }}
template:
metadata:
labels:
app: cinder-volume
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: cinder-volume
image: {{ .Values.images.volume }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- cinder-volume
- --config-dir
- /etc/cinder/conf
volumeMounts:
- name: pod-etc-cinder
mountPath: /etc/cinder
- name: pod-var-cache-cinder
mountPath: /var/cache/cinder
- name: cinderconf
mountPath: /etc/cinder/conf/cinder.conf
subPath: cinder.conf
readOnly: true
- name: cephconf
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
- name: cephclientcinderkeyring
mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
readOnly: true
volumes:
- name: pod-etc-cinder
emptyDir: {}
- name: pod-var-cache-cinder
emptyDir: {}
- name: cinderconf
configMap:
name: cinder-etc
- name: cephconf
configMap:
name: cinder-etc
- name: cephclientcinderkeyring
configMap:
name: cinder-etc

6
cinder/templates/etc/_ceph-cinder.keyring.tpl Normal file
View File

@ -0,0 +1,6 @@
[client.{{ .Values.ceph.cinder_user }}]
{{- if .Values.ceph.cinder_keyring }}
key = {{ .Values.ceph.cinder_keyring }}
{{- else }}
key = {{- include "secrets/ceph-client-key" . -}}
{{- end }}

16
cinder/templates/etc/_ceph.conf.tpl Normal file
View File

@ -0,0 +1,16 @@
[global]
rgw_thread_pool_size = 1024
rgw_num_rados_handles = 100
{{- if .Values.ceph.monitors }}
[mon]
{{ range .Values.ceph.monitors }}
[mon.{{ . }}]
host = {{ . }}
mon_addr = {{ . }}
{{ end }}
{{- else }}
mon_host = ceph-mon.ceph
{{- end }}
[client]
rbd_cache_enabled = true
rbd_cache_writethrough_until_flush = true

75
cinder/templates/etc/_cinder-api-paste.ini.tpl Normal file
View File

@ -0,0 +1,75 @@
#############
# OpenStack #
#############
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
/v1: openstack_volume_api_v1
/v2: openstack_volume_api_v2
/v3: openstack_volume_api_v3
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
[composite:openstack_volume_api_v3]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = cinder
[filter:faultwrap]
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
[filter:noauth]
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
[filter:sizelimit]
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
[app:apiv1]
paste.app_factory = cinder.api.v1.router:APIRouter.factory
[app:apiv2]
paste.app_factory = cinder.api.v2.router:APIRouter.factory
[app:apiv3]
paste.app_factory = cinder.api.v3.router:APIRouter.factory
[pipeline:apiversions]
pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
[app:osvolumeversionapp]
paste.app_factory = cinder.api.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

64
cinder/templates/etc/_cinder.conf.tpl Normal file
View File

@ -0,0 +1,64 @@
[DEFAULT]
debug = {{ .Values.misc.debug }}
use_syslog = False
use_stderr = True
enable_v1_api = false
volume_name_template = %s
osapi_volume_workers = {{ .Values.api.workers }}
osapi_volume_listen = 0.0.0.0
osapi_volume_listen_port = {{ .Values.service.api.port }}
api_paste_config = /etc/cinder/api-paste.ini
glance_api_servers = "{{ .Values.glance.proto }}://{{ .Values.glance.host }}:{{ .Values.glance.port }}"
glance_api_version = {{ .Values.glance.version }}
enabled_backends = {{ include "joinListWithColon" .Values.backends.enabled }}
auth_strategy = keystone
os_region_name = {{ .Values.keystone.cinder_region_name }}
# ensures that our volume worker service-list doesn't
# explode with dead agents from terminated containers
# by pinning the agent identifier
host=cinder-volume-worker
[database]
connection = mysql+pymysql://{{ .Values.database.cinder_user }}:{{ .Values.database.cinder_password }}@{{ .Values.database.address }}:{{ .Values.database.port }}/{{ .Values.database.cinder_database_name }}
max_retries = -1
[keystone_authtoken]
auth_url = {{ .Values.keystone.auth_url }}
auth_type = password
project_domain_name = {{ .Values.keystone.cinder_project_domain }}
user_domain_name = {{ .Values.keystone.cinder_user_domain }}
project_name = {{ .Values.keystone.cinder_project_name }}
username = {{ .Values.keystone.cinder_user }}
password = {{ .Values.keystone.cinder_password }}
[oslo_concurrency]
lock_path = /var/lib/cinder/tmp
[oslo_messaging_rabbit]
rabbit_userid = {{ .Values.messaging.user }}
rabbit_password = {{ .Values.messaging.password }}
rabbit_ha_queues = true
rabbit_hosts = {{ .Values.messaging.hosts }}
[rbd1]
volume_driver = cinder.volume.drivers.rbd.RBDDriver
rbd_pool = {{ .Values.backends.rbd1.pool }}
rbd_ceph_conf = /etc/ceph/ceph.conf
rbd_flatten_volume_from_snapshot = false
rbd_max_clone_depth = 5
rbd_store_chunk_size = 4
rados_connect_timeout = -1
{{- if .Values.backends.rbd1.secret }}
rbd_user = {{ .Values.backends.rbd1.user }}
{{- else }}
rbd_secret_uuid = {{- include "secrets/ceph-client-key" . -}}
{{- end }}
rbd_secret_uuid = {{ .Values.backends.rbd1.secret }}
report_discard_supported = True

138
cinder/templates/etc/_policy.json.tpl Normal file
View File

@ -0,0 +1,138 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"volume:create": "",
"volume:delete": "rule:admin_or_owner",
"volume:get": "rule:admin_or_owner",
"volume:get_all": "rule:admin_or_owner",
"volume:get_volume_metadata": "rule:admin_or_owner",
"volume:create_volume_metadata": "rule:admin_or_owner",
"volume:delete_volume_metadata": "rule:admin_or_owner",
"volume:update_volume_metadata": "rule:admin_or_owner",
"volume:get_volume_admin_metadata": "rule:admin_api",
"volume:update_volume_admin_metadata": "rule:admin_api",
"volume:get_snapshot": "rule:admin_or_owner",
"volume:get_all_snapshots": "rule:admin_or_owner",
"volume:create_snapshot": "rule:admin_or_owner",
"volume:delete_snapshot": "rule:admin_or_owner",
"volume:update_snapshot": "rule:admin_or_owner",
"volume:get_snapshot_metadata": "rule:admin_or_owner",
"volume:delete_snapshot_metadata": "rule:admin_or_owner",
"volume:update_snapshot_metadata": "rule:admin_or_owner",
"volume:extend": "rule:admin_or_owner",
"volume:update_readonly_flag": "rule:admin_or_owner",
"volume:retype": "rule:admin_or_owner",
"volume:update": "rule:admin_or_owner",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:types_extra_specs": "rule:admin_api",
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:access_types_extra_specs": "rule:admin_api",
"volume_extension:volume_type_access": "rule:admin_or_owner",
"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
"volume_extension:volume_image_metadata": "rule:admin_or_owner",
"volume_extension:quotas:show": "",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quotas:delete": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api",
"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
"volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
"volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
"volume_extension:volume_actions:upload_public": "rule:admin_api",
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
"volume_extension:volume_host_attribute": "rule:admin_api",
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"volume_extension:services:index": "rule:admin_api",
"volume_extension:services:update" : "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
"volume_extension:list_manageable": "rule:admin_api",
"volume_extension:capabilities": "rule:admin_api",
"volume:create_transfer": "rule:admin_or_owner",
"volume:accept_transfer": "",
"volume:delete_transfer": "rule:admin_or_owner",
"volume:get_transfer": "rule:admin_or_owner",
"volume:get_all_transfers": "rule:admin_or_owner",
"volume_extension:replication:promote": "rule:admin_api",
"volume_extension:replication:reenable": "rule:admin_api",
"volume:failover_host": "rule:admin_api",
"volume:freeze_host": "rule:admin_api",
"volume:thaw_host": "rule:admin_api",
"backup:create" : "",
"backup:delete": "rule:admin_or_owner",
"backup:get": "rule:admin_or_owner",
"backup:get_all": "rule:admin_or_owner",
"backup:restore": "rule:admin_or_owner",
"backup:backup-import": "rule:admin_api",
"backup:backup-export": "rule:admin_api",
"backup:update": "rule:admin_or_owner",
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
"snapshot_extension:snapshot_manage": "rule:admin_api",
"snapshot_extension:snapshot_unmanage": "rule:admin_api",
"snapshot_extension:list_manageable": "rule:admin_api",
"consistencygroup:create" : "group:nobody",
"consistencygroup:delete": "group:nobody",
"consistencygroup:update": "group:nobody",
"consistencygroup:get": "group:nobody",
"consistencygroup:get_all": "group:nobody",
"consistencygroup:create_cgsnapshot" : "group:nobody",
"consistencygroup:delete_cgsnapshot": "group:nobody",
"consistencygroup:get_cgsnapshot": "group:nobody",
"consistencygroup:get_all_cgsnapshots": "group:nobody",
"group:group_types_manage": "rule:admin_api",
"group:group_types_specs": "rule:admin_api",
"group:access_group_types_specs": "rule:admin_api",
"group:group_type_access": "rule:admin_or_owner",
"group:create" : "",
"group:delete": "rule:admin_or_owner",
"group:update": "rule:admin_or_owner",
"group:get": "rule:admin_or_owner",
"group:get_all": "rule:admin_or_owner",
"group:create_group_snapshot": "",
"group:delete_group_snapshot": "rule:admin_or_owner",
"group:update_group_snapshot": "rule:admin_or_owner",
"group:get_group_snapshot": "rule:admin_or_owner",
"group:get_all_group_snapshots": "rule:admin_or_owner",
"scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
"message:delete": "rule:admin_or_owner",
"message:get": "rule:admin_or_owner",
"message:get_all": "rule:admin_or_owner",
"clusters:get": "rule:admin_api",
"clusters:get_all": "rule:admin_api",
"clusters:update": "rule:admin_api"
}

36
cinder/templates/job-db-init.yaml Normal file
View File

@ -0,0 +1,36 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_init }}
apiVersion: batch/v1
kind: Job
metadata:
name: cinder-db-init
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: cinder-db-init
image: {{ .Values.images.db_init | quote }}
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
env:
- name: ANSIBLE_LIBRARY
value: /usr/share/ansible/
command:
- bash
- /tmp/db-init.sh
volumeMounts:
- name: dbinitsh
mountPath: /tmp/db-init.sh
subPath: db-init.sh
readOnly: true
volumes:
- name: dbinitsh
configMap:
name: cinder-bin

41
cinder/templates/job-db-sync.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_sync }}
apiVersion: batch/v1
kind: Job
metadata:
name: cinder-db-sync
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: cinder-db-sync
image: {{ .Values.images.db_sync }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- cinder-manage
args:
- --config-dir
- /etc/cinder/conf
- db
- sync
volumeMounts:
- name: pod-etc-cinder
mountPath: /etc/cinder
- name: cinderconf
mountPath: /etc/cinder/conf/cinder.conf
subPath: cinder.conf
readOnly: true
volumes:
- name: pod-etc-cinder
emptyDir: {}
- name: cinderconf
configMap:
name: cinder-etc

50
cinder/templates/job-ks-endpoints.yaml.yaml Normal file
View File

@ -0,0 +1,50 @@
{{- $envAll := . }}
{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
{{- $dependencies := .Values.dependencies.ks_endpoints }}
apiVersion: batch/v1
kind: Job
metadata:
name: cinder-ks-endpoints
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
{{- range $key1, $osServiceType := tuple "volume" "volumev2" "volumev3" }}
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
- name: {{ $osServiceType }}-ks-endpoints-{{ $osServiceEndPoint }}
image: {{ $envAll.Values.images.ks_endpoints }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
command:
- bash
- /tmp/ks-endpoints.sh
volumeMounts:
- name: ks-endpoints-sh
mountPath: /tmp/ks-endpoints.sh
subPath: ks-endpoints.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: OS_SVC_ENDPOINT
value: {{ $osServiceEndPoint }}
- name: OS_SERVICE_NAME
value: {{ tuple $osServiceType $envAll | include "endpoint_name_lookup" }}
- name: OS_SERVICE_TYPE
value: {{ $osServiceType }}
- name: OS_SERVICE_ENDPOINT
value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "endpoint_type_lookup_addr" }}
{{- end }}
{{- end }}
volumes:
- name: ks-endpoints-sh
configMap:
name: cinder-bin

44
cinder/templates/job-ks-service.yaml Normal file
View File

@ -0,0 +1,44 @@
{{- $envAll := . }}
{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
{{- $dependencies := .Values.dependencies.ks_service }}
apiVersion: batch/v1
kind: Job
metadata:
name: cinder-ks-service
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
{{- range $key1, $osServiceType := tuple "volume" "volumev2" "volumev3" }}
- name: {{ $osServiceType }}-ks-service-registration
image: {{ $envAll.Values.images.ks_service }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
command:
- bash
- /tmp/ks-service.sh
volumeMounts:
- name: ks-service-sh
mountPath: /tmp/ks-service.sh
subPath: ks-service.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: OS_SERVICE_NAME
value: {{ tuple $osServiceType $envAll | include "endpoint_name_lookup" }}
- name: OS_SERVICE_TYPE
value: {{ $osServiceType }}
{{- end }}
volumes:
- name: ks-service-sh
configMap:
name: cinder-bin

46
cinder/templates/job-ks-user.yaml Normal file
View File

@ -0,0 +1,46 @@
{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
{{- $ksUserSecret := .Values.keystone.user_secret | default "cinder-env-keystone-user" }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.ks_user }}
apiVersion: batch/v1
kind: Job
metadata:
name: cinder-ks-user
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: cinder-ks-user
image: {{ .Values.images.ks_user }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/ks-user.sh
volumeMounts:
- name: ks-user-sh
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
value: "cinder"
{{- with $env := dict "ksUserSecret" $ksUserSecret }}
{{- include "env_ks_user_create_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLE
value: {{ .Values.keystone.cinder_user_role | quote }}
volumes:
- name: ks-user-sh
configMap:
name: cinder-bin

20
cinder/templates/secret-keystone-admin.env.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Secret
metadata:
name: cinder-env-keystone-admin
type: Opaque
data:
OS_AUTH_URL: |
{{ .Values.keystone.auth_url | b64enc | indent 4 }}
OS_REGION_NAME: |
{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
OS_PROJECT_DOMAIN_NAME: |
{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
OS_PROJECT_NAME: |
{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
OS_USER_DOMAIN_NAME: |
{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
OS_USERNAME: |
{{ .Values.keystone.admin_user | b64enc | indent 4 }}
OS_PASSWORD: |
{{ .Values.keystone.admin_password | b64enc | indent 4 }}

20
cinder/templates/secret-keystone-user.env.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Secret
metadata:
name: cinder-env-keystone-user
type: Opaque
data:
OS_AUTH_URL: |
{{ .Values.keystone.auth_url | b64enc | indent 4 }}
OS_REGION_NAME: |
{{ .Values.keystone.cinder_region_name | b64enc | indent 4 }}
OS_PROJECT_DOMAIN_NAME: |
{{ .Values.keystone.cinder_project_domain | b64enc | indent 4 }}
OS_PROJECT_NAME: |
{{ .Values.keystone.cinder_project_name | b64enc | indent 4 }}
OS_USER_DOMAIN_NAME: |
{{ .Values.keystone.cinder_user_domain | b64enc | indent 4 }}
OS_USERNAME: |
{{ .Values.keystone.cinder_user | b64enc | indent 4 }}
OS_PASSWORD: |
{{ .Values.keystone.cinder_password | b64enc | indent 4 }}

9
cinder/templates/service-api.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.api.name }}
spec:
ports:
- port: {{ .Values.service.api.port }}
selector:
app: cinder-api

185
cinder/values.yaml Normal file
View File

@ -0,0 +1,185 @@
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
replicas:
api: 1
volume: 1
scheduler: 1
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
ks_user: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
ks_service: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
ks_endpoints: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
db_init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
db_sync: quay.io/stackanetes/stackanetes-cinder-api:newton
api: quay.io/stackanetes/stackanetes-cinder-api:newton
scheduler: quay.io/stackanetes/stackanetes-cinder-scheduler:newton
volume: quay.io/stackanetes/stackanetes-cinder-volume:newton
pull_policy: "IfNotPresent"
upgrades:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
keystone:
auth_uri: "http://keystone-api:5000"
auth_url: "http://keystone-api:35357"
admin_user: "admin"
admin_user_domain: "default"
admin_password: "password"
admin_project_name: "admin"
admin_project_domain: "default"
admin_region_name: "RegionOne"
cinder_user: "cinder"
cinder_user_domain: "default"
cinder_user_role: "admin"
cinder_password: "password"
cinder_project_name: "service"
cinder_project_domain: "default"
cinder_region_name: "RegionOne"
service:
api:
name: "cinder-api"
port: 8776
proto: "http"
database:
address: mariadb
port: 3306
root_user: root
root_password: password
cinder_database_name: cinder
cinder_password: password
cinder_user: cinder
ceph:
enabled: true
monitors: []
cinder_user: "admin"
# a null value for the keyring will
# attempt to use the key from
# common/secrets/ceph-client-key
cinder_keyring: null
backends:
enabled:
- rbd1
rbd1:
secret: null
user: "admin"
pool: "volumes"
glance:
proto: "http"
host: "glance-api"
port: 9292
version: 2
messaging:
hosts: rabbitmq
user: rabbitmq
password: password
api:
workers: 8
misc:
debug: false
dependencies:
db_init:
jobs:
- mariadb-seed
service:
- mariadb
db_sync:
jobs:
- cinder-db-init
service:
- mariadb
ks_user:
service:
- keystone-api
ks_service:
service:
- keystone-api
ks_endpoints:
jobs:
- cinder-ks-service
service:
- keystone-api
api:
jobs:
- cinder-db-sync
- cinder-ks-user
- cinder-ks-endpoints
service:
- mariadb
- keystone-api
volume:
jobs:
- cinder-db-sync
- cinder-ks-user
- cinder-ks-endpoints
service:
- keystone-api
- cinder-api
scheduler:
jobs:
- cinder-db-sync
- cinder-ks-user
- cinder-ks-endpoints
service:
- keystone-api
- cinder-api
# We use a different layout of the endpoints here to account for versioning
# this swaps the service name and type, and should be rolled out to other
# services.
endpoints:
identity:
name: keystone
hosts:
default: keystone-api
path: /v3
scheme: 'http'
port:
admin: 35357
public: 5000
volume:
name: cinder
hosts:
default: cinder-api
path: '/v1/%(tenant_id)s'
scheme: 'http'
port:
api: 8776
volumev2:
name: cinder
hosts:
default: cinder-api
path: '/v2/%(tenant_id)s'
scheme: 'http'
port:
api: 8776
volumev3:
name: cinder
hosts:
default: cinder-api
path: '/v3/%(tenant_id)s'
scheme: 'http'
port:
api: 8776

45
common/templates/_endpoints.tpl
View File

@ -87,8 +87,51 @@
{{- end -}}
{{- end -}}
# this function returns the endpoint uri for a service, it takes an tuple
# input in the form: service-name, endpoint-class, port-name. eg:
# { tuple "heat" "public" "api" . | include "endpoint_addr_lookup" }
# will return the appropriate URI. Once merged this should phase out the above.
{{- define "endpoint_addr_lookup" -}}
{{- $name := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $nameNorm := $name | replace "-" "_" }}
{{- $endpointMap := index $context.Values.endpoints $nameNorm }}
{{- $fqdn := $context.Release.Namespace -}}
{{- if $context.Values.endpoints.fqdn -}}
{{- $fqdn := $context.Values.endpoints.fqdn -}}
{{- end -}}
{{- with $endpointMap -}}
{{- $endpointScheme := .scheme }}
{{- $endpointHost := index .hosts $endpoint | default .hosts.default}}
{{- $endpointPort := index .port $port }}
{{- $endpointPath := .path }}
{{- printf "%s://%s.%s:%1.f%s" $endpointScheme $endpointHost $fqdn $endpointPort $endpointPath | quote -}}
{{- end -}}
{{- end -}}
#-------------------------------
# endpoint type lookup
#-------------------------------
# this function is used in endpoint management templates
# it returns the service type for an openstack service eg:
# { tuple heat . | include "ks_endpoint_type" }
# will return "orchestration"
{{- define "endpoint_type_lookup" -}}
{{- $name := index . 0 -}}
{{- $context := index . 1 -}}
{{- $nameNorm := $name | replace "-" "_" }}
{{- $endpointMap := index $context.Values.endpoints $nameNorm }}
{{- $endpointType := index $endpointMap "type" }}
{{- $endpointType | quote -}}
{{- end -}}
#-------------------------------
# kolla helpers
#-------------------------------
{{ define "keystone_auth" }}{'auth_url':'{{ include "endpoint_keystone_internal" . }}', 'username':'{{ .Values.keystone.admin_user }}','password':'{{ .Values.keystone.admin_password }}','project_name':'{{ .Values.keystone.admin_project_name }}','domain_name':'default'}{{end}}

31
common/templates/_funcs.tpl
View File

@ -22,3 +22,34 @@
{{- include $wtf $context | sha256sum | quote -}}
{{- end -}}
{{- define "dep-check-init-cont" -}}
{{- $envAll := index . 0 -}}
{{- $deps := index . 1 -}}
{
"name": "init",
"image": {{ $envAll.Values.images.dep_check | quote }},
"imagePullPolicy": {{ $envAll.Values.images.pull_policy | quote }},
"env": [
{
"name": "NAMESPACE",
"value": "{{ $envAll.Release.Namespace }}"
},
{
"name": "INTERFACE_NAME",
"value": "eth0"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" $deps.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" $deps.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
{{- end -}}

57
common/templates/scripts/_ks-domain-user.sh.tpl Normal file
View File

@ -0,0 +1,57 @@
{{- define "common_keystone_domain_user" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Manage domain
SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
--description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
"${SERVICE_OS_DOMAIN_NAME}")
# Display domain
openstack domain show "${SERVICE_OS_DOMAIN_ID}"
# Manage user
SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
--domain="${SERVICE_OS_DOMAIN_ID}" \
--description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
--password="${SERVICE_OS_PASSWORD}" \
"${SERVICE_OS_USERNAME}")
# Display user
openstack user show "${SERVICE_OS_USERID}"
# Manage role
SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
--domain="${SERVICE_OS_DOMAIN_ID}" \
"${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
--domain="${SERVICE_OS_DOMAIN_ID}" \
"${SERVICE_OS_ROLE}" )
# Manage user role assignment
openstack role add \
--domain="${SERVICE_OS_DOMAIN_ID}" \
--user="${SERVICE_OS_USERID}" \
--user-domain="${SERVICE_OS_DOMAIN_ID}" \
"${SERVICE_OS_ROLE_ID}"
# Display user role assignment
openstack role assignment list \
--role="${SERVICE_OS_ROLE_ID}" \
--user-domain="${SERVICE_OS_DOMAIN_ID}" \
--user="${SERVICE_OS_USERID}"
{{- end }}

65
common/templates/scripts/_ks-endpoints.sh.tpl Executable file
View File

@ -0,0 +1,65 @@
{{- define "common_keystone_endpoints" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Get Service ID
OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
# Get Endpoint ID if it exists
OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
awk -F ',' '{ print $1 }' )
# Making sure only a single endpoint exists for a service within a region
if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
echo "More than one endpoint found, cleaning up"
for ENDPOINT_ID in $OS_ENDPOINT_ID; do
openstack endpoint delete ${ENDPOINT_ID}
done
unset OS_ENDPOINT_ID
fi
# Determine if Endpoint needs updated
if [[ ${OS_ENDPOINT_ID} ]]; then
OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} --f value -c url)
if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
echo "Endpoints Match: no action required"
OS_ENDPOINT_UPDATE="False"
else
echo "Endpoints Dont Match: removing existing entries"
openstack endpoint delete ${OS_ENDPOINT_ID}
OS_ENDPOINT_UPDATE="True"
fi
else
OS_ENDPOINT_UPDATE="True"
fi
# Update Endpoint if required
if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
--region="${OS_REGION_NAME}" \
"${OS_SERVICE_ID}" \
${OS_SVC_ENDPOINT} \
"${OS_SERVICE_ENDPOINT}" )
fi
# Display the Endpoint
openstack endpoint show ${OS_ENDPOINT_ID}
{{- end }}

37
common/templates/scripts/_ks-service.sh.tpl Normal file
View File

@ -0,0 +1,37 @@
{{- define "common_keystone_service" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Service boilerplate description
OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
# Get Service ID if it exists
unset OS_SERVICE_ID
OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
# If a Service ID was not found, then create the service
if [[ -z ${OS_SERVICE_ID} ]]; then
OS_SERVICE_ID=$(openstack service create -f value -c id \
--name="${OS_SERVICE_NAME}" \
--description "${OS_SERVICE_DESC}" \
--enable \
"${OS_SERVICE_TYPE}")
fi
{{- end }}

60
common/templates/scripts/_ks-user.sh.tpl Normal file
View File

@ -0,0 +1,60 @@
{{- define "common_keystone_user" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Manage user project
USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
--domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
--description="${USER_PROJECT_DESC}" \
"${SERVICE_OS_PROJECT_NAME}");
# Display project
openstack project show "${USER_PROJECT_ID}"
# Manage user
USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
USER_ID=$(openstack user create --or-show --enable -f value -c id \
--domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
--project-domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
--project="${USER_PROJECT_ID}" \
--description="${USER_DESC}" \
--password="${SERVICE_OS_PASSWORD}" \
"${SERVICE_OS_USERNAME}");
# Display user
openstack user show "${USER_ID}"
# Manage user role
USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
"${SERVICE_OS_ROLE}");
# Manage user role assignment
openstack role add \
--user="${USER_ID}" \
--user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
--project-domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
--project="${USER_PROJECT_ID}" \
"${USER_ROLE_ID}"
# Display user role assignment
openstack role assignment list \
--role="${SERVICE_OS_ROLE}" \
--user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
--user="${USER_ID}"
{{- end }}

40
common/templates/snippets/_ks_env_openrc.tpl Normal file
View File

@ -0,0 +1,40 @@
{{- define "env_ks_openrc_tpl" }}
{{- $ksUserSecret := .ksUserSecret }}
- name: OS_IDENTITY_API_VERSION
value: "3"
- name: OS_AUTH_URL
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_AUTH_URL
- name: OS_REGION_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_REGION_NAME
- name: OS_PROJECT_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_DOMAIN_NAME
- name: OS_PROJECT_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_NAME
- name: OS_USER_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USER_DOMAIN_NAME
- name: OS_USERNAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USERNAME
- name: OS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PASSWORD
{{- end }}

33
common/templates/snippets/_ks_env_user_create_openrc.tpl Normal file
View File

@ -0,0 +1,33 @@
{{- define "env_ks_user_create_openrc_tpl" }}
{{- $ksUserSecret := .ksUserSecret }}
- name: SERVICE_OS_REGION_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_REGION_NAME
- name: SERVICE_OS_PROJECT_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_DOMAIN_NAME
- name: SERVICE_OS_PROJECT_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_NAME
- name: SERVICE_OS_USER_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USER_DOMAIN_NAME
- name: SERVICE_OS_USERNAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USERNAME
- name: SERVICE_OS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PASSWORD
{{- end }}

24
docs/developer/minikube.md
View File

@ -1,9 +1,9 @@
# Development of Openstack-Helm
Community development is extremely important to us. As an open source development team, we want the development of Openstack-Helm to be an easy experience. Please evaluate, and make recommendations. We want developers to feel welcomed to contribute to this project. Below are some instructions and suggestions to help you get started.
Community development is extremely important to us. As an open source development team, we want the development of Openstack-Helm to be an easy experience. Please evaluate, and make recommendations. We want developers to feel welcome to contribute to this project. Below are some instructions and suggestions to help you get started.
# Requirements
We've tried to minimize the amount of prerequisites required in order to get started. The main prerequisite is to install the most recent versions of Minikube and Helm.
We've tried to minimize the number of prerequisites required in order to get started. The main prerequisite is to install the most recent versions of Minikube and Helm.
**Kubernetes Minikube:**
Ensure that you have installed a recent version of [Kubernetes/Minikube](http://kubernetes.io/docs/getting-started-guides/minikube/).
@ -75,7 +75,7 @@ kube-system tiller-deploy-3299276078-n98ct 1/1 Running 0
With Helm installed, you will need to start a local [Helm server](https://github.com/kubernetes/helm/blob/7a15ad381eae794a36494084972e350306e498fd/docs/helm/helm_serve.md#helm-serve) (in the background), and point to a locally configured Helm [repository](https://github.com/kubernetes/helm/blob/7a15ad381eae794a36494084972e350306e498fd/docs/helm/helm_repo_index.md#helm-repo-index):
```
$ helm serve . &
$ helm serve &
$ helm repo add local http://localhost:8879/charts
"local" has been added to your repositories
```
@ -107,13 +107,13 @@ Perfect! Youre ready to install, develop, deploy, destroy, and repeat (when n
# Installation and Testing
After following the instructions above you're environment is in a state where you can enhance the current charts, or develop new charts for the project. If you need to make changes to a chart, simply re-run `make` against the project in the top-tier directory. The charts will be updated and automatically re-pushed to your local repository.
After following the instructions above your environment is in a state where you can enhance the current charts, or develop new charts for the project. If you need to make changes to a chart, simply re-run `make` against the project in the top-tier directory. The charts will be updated and automatically re-pushed to your local repository.
Consider the following when using Minikube and development mode:
* Persistent Storage used for Minikube development mode is `hostPath`. The Ceph PVC's included with this project are not intended to work with Minikube.
* There is *no need* to install the `common` `ceph` or `bootstrap` charts. These charts are required for deploying Ceph PVC's.
* Familiarize yourself wtih `values.yaml` included wtih the MariaDB chart. You will will want to have the `hostPath` directory created prior to deploying MariaDB.
* Familiarize yourself with `values.yaml` included with the MariaDB chart. You will want to have the `hostPath` directory created prior to deploying MariaDB.
* If Ceph development is required, you will need to follow the [getting started guide](https://github.com/att-comdev/openstack-helm/blob/master/docs/installation/getting-started.md) rather than this development mode documentation.
To deploy Openstack-Helm in development mode, ensure you've created a minikube-approved `hostPath` volume. Minikube is very specific about what is expected for `hostPath` volumes. The following volumes are acceptable for minikube deployments:
@ -160,20 +160,22 @@ $ helm install --name=memcached local/memcached --namespace=openstack
$ helm install --name=rabbitmq local/rabbitmq --namespace=openstack
$ helm install --name=keystone local/keystone --namespace=openstack
$ helm install --name=horizon local/horizon --namespace=openstack
$ helm install --name=cinder local/cinder --namespace=openstack
$ helm install --name=glance local/glance --namespace=openstack
$ helm install --name=nova local/nova --namespace=openstack
$ helm install --name=neutron local/neutron --namespace=openstack
$ helm install --name=heat local/heat --namespace=openstack
```
# Horizon Management
After each of the chart is deployed, you may wish to change the typical service endpoint for Horizon to a `nodePort` service endpoint (this is unique to Minikube deployments). Use the `kubectl edit` command to edit this service manually.
After each chart is deployed, you may wish to change the typical service endpoint for Horizon to a `nodePort` service endpoint (this is unique to Minikube deployments). Use the `kubectl edit` command to edit this service manually.
```
$ sudo kubectl edit svc horizon -n openstack
```
With the deployed manifest in edit mode, you can enable `nodePort` by replicating some of the fields below (specifically, the `nodePort` lines).
With the deployed manifest in edit mode, you can enable `nodePort` by replicating some of the fields below (specifically, the `nodePort` lines).
```
apiVersion: v1
@ -201,7 +203,7 @@ status:
```
**Accessing Horizon:**<br>
*Now you're ready to manage Openstack! Point your browser to the following:*<br>
*Now you're ready to manage OpenStack! Point your browser to the following:*<br>
***URL:*** *http://192.168.99.100:31537/* <br>
***User:*** *admin* <br>
***Pass:*** *password* <br>
@ -210,7 +212,7 @@ If you have any questions, comments, or find any bugs, please submit an issue so
# Troubleshooting
In order to protect your general sanity, we've included a currated list of verification and troubleshooting steps that may help you avoid some potential issues while developing Openstack-Helm.
In order to protect your general sanity, we've included a curated list of verification and troubleshooting steps that may help you avoid some potential issues while developing Openstack-Helm.
**MariaDB**<br>
To verify the state of MariaDB, use the following command:
@ -224,7 +226,7 @@ $ kubectl exec mariadb-0 -it -n openstack -- mysql -uroot -ppassword -e 'show da
| mysql |
| performance_schema |
+--------------------+
$
$
```
**Helm Server/Repository**<br>
@ -251,7 +253,7 @@ $ helm repo list
NAME URL
stable https://kubernetes-charts.storage.googleapis.com/
local http://localhost:8879/charts
$
$
$ helm repo remove local
```

81
glance/templates/api.yaml
View File

@ -1,81 +0,0 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: glance-api
spec:
replicas: {{ .Values.replicas }}
template:
metadata:
labels:
app: glance-api
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
"imagePullPolicy": "{{ .Values.images.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.api.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" .Values.dependencies.api.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: glance-api
image: {{ .Values.images.api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/start.sh
ports:
- containerPort: {{ .Values.network.port.api }}
readinessProbe:
tcpSocket:
port: {{ .Values.network.port.api }}
volumeMounts:
- name: glanceapiconf
mountPath: /etc/glance/glance-api.conf
subPath: glance-api.conf
- name: startsh
mountPath: /tmp/start.sh
subPath: start.sh
- name: etcglance
mountPath: /etc/glance
- name: cephconf
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
- name: cephclientglancekeyring
mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
volumes:
- name: glanceapiconf
configMap:
name: glance-glanceapiconf
- name: startsh
configMap:
name: glance-startsh
- name: cephconf
configMap:
name: glance-cephconf
- name: cephclientglancekeyring
configMap:
name: glance-cephclientglancekeyring
- name: etcglance
emptyDir: {}

17
glance/templates/bin/_init.sh.tpl Normal file
View File

@ -0,0 +1,17 @@
#!/bin/bash
set -ex
export HOME=/tmp
ansible localhost -vvv -m mysql_db -a "login_host='{{ .Values.database.address }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.glance_database_name }}'"
ansible localhost -vvv -m mysql_user -a "login_host='{{ .Values.database.address }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.glance_user }}' \
password='{{ .Values.database.glance_password }}' \
host='%' priv='{{ .Values.database.glance_database_name }}.*:ALL' append_privs='yes'"

42
glance/templates/bin/_post.sh.tpl Normal file
View File

@ -0,0 +1,42 @@
#!/bin/bash
set -ex
export HOME=/tmp
ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
service_type=image \
description='Openstack Image' \
endpoint_region='{{ .Values.keystone.glance_region_name }}' \
url='{{ include "endpoint_glance_api_internal" . }}' \
interface=admin \
region_name='{{ .Values.keystone.admin_region_name }}' \
auth='{{ include "keystone_auth" . }}'" \
-e "{'openstack_glance_auth': {{ include "keystone_auth" . }}}"
ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
service_type=image \
description='Openstack Image' \
endpoint_region='{{ .Values.keystone.glance_region_name }}' \
url='{{ include "endpoint_glance_api_internal" . }}' \
interface=internal \
region_name='{{ .Values.keystone.admin_region_name }}' \
auth='{{ include "keystone_auth" . }}'" \
-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
service_type=image \
description='Openstack Image' \
endpoint_region='{{ .Values.keystone.glance_region_name }}' \
url='{{ include "endpoint_glance_api_internal" . }}' \
interface=public \
region_name='{{ .Values.keystone.admin_region_name }}' \
auth='{{ include "keystone_auth" . }}'" \
-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
ansible localhost -vvv -m kolla_keystone_user -a "project=service \
user={{ .Values.keystone.glance_user }} \
password={{ .Values.keystone.glance_password }} \
role=admin \
region_name={{ .Values.keystone.admin_region_name }} \
auth='{{ include "keystone_auth" . }}'" \
-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"

13
glance/templates/ceph.client.glance.keyring.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-cephclientglancekeyring
data:
ceph.client.{{ .Values.ceph.glance_user }}.keyring: |+
[client.{{ .Values.ceph.glance_user }}]
{{- if .Values.ceph.glance_keyring }}
key = {{ .Values.ceph.glance_keyring }}
{{- else }}
key = {{- include "secrets/ceph-client-key" . -}}
{{- end }}

23
glance/templates/ceph.conf.yaml
View File

@ -1,23 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-cephconf
data:
ceph.conf: |+
[global]
rgw_thread_pool_size = 1024
rgw_num_rados_handles = 100
{{- if .Values.ceph.monitors }}
[mon]
{{ range .Values.ceph.monitors }}
[mon.{{ . }}]
host = {{ . }}
mon_addr = {{ . }}
{{ end }}
{{- else }}
mon_host = ceph-mon.ceph
{{- end }}
[client]
rbd_cache_enabled = true
rbd_cache_writethrough_until_flush = true

9
glance/templates/configmap-bin.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-bin
data:
init.sh: |+
{{ tuple "bin/_init.sh.tpl" . | include "template" | indent 4 }}
post.sh: |+
{{ tuple "bin/_post.sh.tpl" . | include "template" | indent 4 }}

19
glance/templates/configmap-etc.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-etc
data:
ceph.conf: |+
{{ tuple "etc/_ceph.conf.tpl" . | include "template" | indent 4 }}
ceph.client.{{ .Values.ceph.glance_user }}.keyring: |+
{{ tuple "etc/_ceph.client.glance.keyring.tpl" . | include "template" | indent 4 }}
glance-api.conf: |+
{{ tuple "etc/_glance-api.conf.tpl" . | include "template" | indent 4 }}
glance-api-paste.ini: |+
{{ tuple "etc/_glance-api-paste.ini.tpl" . | include "template" | indent 4 }}
glance-registry.conf: |+
{{ tuple "etc/_glance-registry.conf.tpl" . | include "template" | indent 4 }}
glance-registry-paste.ini: |+
{{ tuple "etc/_glance-registry-paste.ini.tpl" . | include "template" | indent 4 }}
policy.json: |+
{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}

10
glance/templates/db-sync.sh.yaml
View File

@ -1,10 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-dbsyncsh
data:
db-sync.sh: |+
#!/bin/bash
set -ex
glance-manage db_sync

56
glance/templates/db-sync.yaml
View File

@ -1,56 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: glance-db-sync
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
"imagePullPolicy": "{{ .Values.images.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
spec:
restartPolicy: OnFailure
containers:
- name: glance-db-sync
image: {{ .Values.images.db_sync }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/db-sync.sh
volumeMounts:
- name: glanceapiconf
mountPath: /etc/glance/glance-api.conf
subPath: glance-api.conf
- name: dbsyncsh
mountPath: /tmp/db-sync.sh
subPath: db-sync.sh
volumes:
- name: glanceapiconf
configMap:
name: glance-glanceapiconf
- name: dbsyncsh
configMap:
name: glance-dbsyncsh

98
glance/templates/deployment-api.yaml Normal file
View File

@ -0,0 +1,98 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.api }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: glance-api
spec:
{{- if .Values.development.enabled }}
replicas: 1
{{- else }}
replicas: {{ .Values.replicas.api }}
{{- end }}
revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
strategy:
type: {{ .Values.upgrades.pod_replacement_strategy }}
{{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
{{ end }}
template:
metadata:
labels:
app: glance-api
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: glance-api
image: {{ .Values.images.api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- glance-api
- --config-file
- /etc/glance/glance-api.conf
ports:
- containerPort: {{ .Values.network.port.api }}
readinessProbe:
tcpSocket:
port: {{ .Values.network.port.api }}
volumeMounts:
- name: etcglance
mountPath: /etc/glance
- name: glanceapiconf
mountPath: /etc/glance/glance-api.conf
subPath: glance-api.conf
readOnly: true
- name: glanceapipaste
mountPath: /etc/glance/glance-api-paste.ini
subPath: glance-api-paste.ini
readOnly: true
- name: glancepolicy
mountPath: /etc/glance/policy.json
subPath: policy.json
readOnly: true
{{- if .Values.development.enabled }}
- name: glance-data
mountPath: /var/lib/glance/images
{{- else }}
- name: cephconf
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
- name: cephclientglancekeyring
mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
readOnly: true
{{- end }}
volumes:
- name: glanceapiconf
configMap:
name: glance-etc
- name: glanceapipaste
configMap:
name: glance-etc
{{- if .Values.development.enabled }}
- name: glance-data
hostPath:
path: {{ .Values.development.storage_path }}
{{- else }}
- name: cephconf
configMap:
name: glance-etc
- name: cephclientglancekeyring
configMap:
name: glance-etc
{{- end }}
- name: etcglance
emptyDir: {}
- name: glancepolicy
configMap:
name: glance-etc

65
glance/templates/deployment-registry.yaml Normal file
View File

@ -0,0 +1,65 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.registry }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: glance-registry
spec:
{{- if .Values.development.enabled }}
replicas: 1
{{- else }}
replicas: {{ .Values.replicas.registry }}
{{- end }}
template:
metadata:
labels:
app: glance-registry
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: glance-registry
image: {{ .Values.images.registry }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- glance-registry
- --config-file
- /etc/glance/glance-registry.conf
ports:
- containerPort: {{ .Values.network.port.registry }}
readinessProbe:
tcpSocket:
port: {{ .Values.network.port.registry }}
volumeMounts:
- name: etcglance
mountPath: /etc/glance
- name: glanceregistryconf
mountPath: /etc/glance/glance-registry.conf
subPath: glance-registry.conf
readOnly: true
- name: glanceregistrypaste
mountPath: /etc/glance/glance-registry-paste.ini
subPath: glance-registry-paste.ini
readOnly: true
- name: glancepolicy
mountPath: /etc/glance/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: etcglance
emptyDir: {}
- name: glanceregistryconf
configMap:
name: glance-etc
- name: glanceregistrypaste
configMap:
name: glance-etc
- name: glancepolicy
configMap:
name: glance-etc

6
glance/templates/etc/_ceph.client.glance.keyring.tpl Normal file
View File

@ -0,0 +1,6 @@
[client.{{ .Values.ceph.glance_user }}]
{{- if .Values.ceph.glance_keyring }}
key = {{ .Values.ceph.glance_keyring }}
{{- else }}
key = {{- include "secrets/ceph-client-key" . -}}
{{- end }}

16
glance/templates/etc/_ceph.conf.tpl Normal file
View File

@ -0,0 +1,16 @@
[global]
rgw_thread_pool_size = 1024
rgw_num_rados_handles = 100
{{- if .Values.ceph.monitors }}
[mon]
{{ range .Values.ceph.monitors }}
[mon.{{ . }}]
host = {{ . }}
mon_addr = {{ . }}
{{ end }}
{{- else }}
mon_host = ceph-mon.ceph
{{- end }}
[client]
rbd_cache_enabled = true
rbd_cache_writethrough_until_flush = true

90
glance/templates/etc/_glance-api-paste.ini.tpl Normal file
View File

@ -0,0 +1,90 @@
# Use this pipeline for no auth or image caching - DEFAULT
[pipeline:glance-api]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
# Use this pipeline for image caching and no auth
[pipeline:glance-api-caching]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
# Use this pipeline for caching w/ management interface but no auth
[pipeline:glance-api-cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
# Use this pipeline for keystone auth
[pipeline:glance-api-keystone]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
# Use this pipeline for keystone auth with image caching
[pipeline:glance-api-keystone+caching]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
# Use this pipeline for keystone auth with caching and cache management
[pipeline:glance-api-keystone+cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-api-trusted-auth]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user and uses cache management
[pipeline:glance-api-trusted-auth+cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
[composite:rootapp]
paste.composite_factory = glance.api:root_app_factory
/: apiversions
/v1: apiv1app
/v2: apiv2app
[app:apiversions]
paste.app_factory = glance.api.versions:create_resource
[app:apiv1app]
paste.app_factory = glance.api.v1.router:API.factory
[app:apiv2app]
paste.app_factory = glance.api.v2.router:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
[filter:cache]
paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
[filter:cachemanage]
paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = true
[filter:gzip]
paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = SECRET_KEY #DEPRECATED
enabled = yes #DEPRECATED
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = glance
oslo_config_program = glance-api
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory

44
glance/templates/etc/_glance-api.conf.tpl Normal file
View File

@ -0,0 +1,44 @@
[DEFAULT]
debug = {{ .Values.misc.debug }}
use_syslog = False
use_stderr = True
bind_port = {{ .Values.network.port.api }}
workers = {{ .Values.misc.workers }}
registry_host = glance-registry
# Enable Copy-on-Write
show_image_direct_url = True
[database]
connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
max_retries = -1
[keystone_authtoken]
auth_uri = {{ .Values.keystone.auth_uri }}
auth_url = {{ .Values.keystone.auth_url }}
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = {{ .Values.keystone.glance_user }}
password = {{ .Values.keystone.glance_password }}
[paste_deploy]
flavor = keystone
[oslo_messaging_notifications]
driver = noop
[glance_store]
filesystem_store_datadir = /var/lib/glance/images/
{{- if .Values.development.enabled }}
stores = file, http
default_store = file
{{- else }}
stores = file, http, rbd
default_store = rbd
rbd_store_pool = {{ .Values.ceph.glance_pool }}
rbd_store_user = {{ .Values.ceph.glance_user }}
rbd_store_ceph_conf = /etc/ceph/ceph.conf
rbd_store_chunk_size = 8
{{- end }}

35
glance/templates/etc/_glance-registry-paste.ini.tpl Normal file
View File

@ -0,0 +1,35 @@
# Use this pipeline for no auth - DEFAULT
[pipeline:glance-registry]
pipeline = healthcheck osprofiler unauthenticated-context registryapp
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = healthcheck osprofiler authtoken context registryapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-registry-trusted-auth]
pipeline = healthcheck osprofiler context registryapp
[app:registryapp]
paste.app_factory = glance.registry.api:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = SECRET_KEY #DEPRECATED
enabled = yes #DEPRECATED

26
glance/templates/etc/_glance-registry.conf.tpl Normal file
View File

@ -0,0 +1,26 @@
[DEFAULT]
debug = {{ .Values.misc.debug }}
use_syslog = False
use_stderr = True
bind_port = {{ .Values.network.port.registry }}
workers = {{ .Values.misc.workers }}
[database]
connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
max_retries = -1
[keystone_authtoken]
auth_uri = {{ .Values.keystone.auth_uri }}
auth_url = {{ .Values.keystone.auth_url }}
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = {{ .Values.keystone.glance_user }}
password = {{ .Values.keystone.glance_password }}
[paste_deploy]
flavor = keystone
[oslo_messaging_notifications]
driver = noop

61
glance/templates/etc/_policy.json.tpl Normal file
View File

@ -0,0 +1,61 @@
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "role:admin",
"get_tasks": "role:admin",
"add_task": "role:admin",
"modify_task": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}

48
glance/templates/glance-api.conf.yaml
View File

@ -1,48 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-glanceapiconf
data:
glance-api.conf: |+
[DEFAULT]
debug = {{ .Values.misc.debug }}
use_syslog = False
use_stderr = True
bind_port = {{ .Values.network.port.api }}
workers = {{ .Values.misc.workers }}
registry_host = {{ include "glance_registry_host" . }}
# Enable Copy-on-Write
show_image_direct_url = True
[database]
connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
max_retries = -1
[keystone_authtoken]
auth_uri = {{ .Values.keystone.auth_uri }}
auth_url = {{ .Values.keystone.auth_url }}
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = {{ .Values.keystone.glance_user }}
password = {{ .Values.keystone.glance_password }}
[paste_deploy]
flavor = keystone
[oslo_messaging_notifications]
driver = noop
[glance_store]
filesystem_store_datadir = /var/lib/glance/images/
stores = file, http, rbd
default_store = rbd
rbd_store_pool = {{ .Values.ceph.glance_pool }}
rbd_store_user = {{ .Values.ceph.glance_user }}
rbd_store_ceph_conf = /etc/ceph/ceph.conf
rbd_store_chunk_size = 8

34
glance/templates/glance-registry.conf.yaml
View File

@ -1,34 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-glanceregistryconf
data:
glance-registry.conf: |+
[DEFAULT]
debug = {{ .Values.misc.debug }}
use_syslog = False
use_stderr = True
bind_port = {{ .Values.network.port.registry }}
workers = {{ .Values.misc.workers }}
[database]
connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
max_retries = -1
[keystone_authtoken]
auth_uri = {{ .Values.keystone.auth_uri }}
auth_url = {{ .Values.keystone.auth_url }}
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = {{ .Values.keystone.glance_user }}
password = {{ .Values.keystone.glance_password }}
[paste_deploy]
flavor = keystone
[oslo_messaging_notifications]
driver = noop

12
glance/templates/init.sh.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-initsh
data:
init.sh: |+
#!/bin/bash
set -ex
export HOME=/tmp
ansible localhost -vvv -m mysql_db -a "login_host='{{ .Values.database.address }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.glance_database_name }}'"
ansible localhost -vvv -m mysql_user -a "login_host='{{ .Values.database.address }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.glance_user }}' password='{{ .Values.database.glance_password }}' host='%' priv='{{ .Values.database.glance_database_name }}.*:ALL' append_privs='yes'"

53
glance/templates/init.yaml
View File

@ -1,53 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: glance-init
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
"imagePullPolicy": "{{ .Values.images.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.init.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" .Values.dependencies.init.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
spec:
restartPolicy: OnFailure
containers:
- name: glance-init
image: {{ .Values.images.init }}
imagePullPolicy: {{ .Values.images.pull_policy }}
env:
- name: ANSIBLE_LIBRARY
value: /usr/share/ansible/
command:
- bash
- /tmp/init.sh
volumeMounts:
- name: initsh
mountPath: /tmp/init.sh
subPath: init.sh
volumes:
- name: initsh
configMap:
name: glance-initsh

32
glance/templates/job-db-sync.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_sync }}
apiVersion: batch/v1
kind: Job
metadata:
name: glance-db-sync
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: glance-db-sync
image: {{ .Values.images.db_sync }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- glance-manage
- db_sync
volumeMounts:
- name: glanceapiconf
mountPath: /etc/glance/glance-api.conf
subPath: glance-api.conf
volumes:
- name: glanceapiconf
configMap:
name: glance-etc

35
glance/templates/job-init.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.init }}
apiVersion: batch/v1
kind: Job
metadata:
name: glance-init
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: glance-init
image: {{ .Values.images.init }}
imagePullPolicy: {{ .Values.images.pull_policy }}
env:
- name: ANSIBLE_LIBRARY
value: /usr/share/ansible/
command:
- bash
- /tmp/init.sh
volumeMounts:
- name: initsh
mountPath: /tmp/init.sh
subPath: init.sh
volumes:
- name: initsh
configMap:
name: glance-bin

35
glance/templates/job-post.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.post }}
apiVersion: batch/v1
kind: Job
metadata:
name: glance-post
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
restartPolicy: OnFailure
containers:
- name: glance-post
image: {{ .Values.images.post }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/post.sh
volumeMounts:
- name: postsh
mountPath: /tmp/post.sh
subPath: post.sh
env:
- name: ANSIBLE_LIBRARY
value: /usr/share/ansible/
volumes:
- name: postsh
configMap:
name: glance-bin

48
glance/templates/post.sh.yaml
View File

@ -1,48 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-postsh
data:
post.sh: |+
#!/bin/bash
set -ex
export HOME=/tmp
ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
service_type=image \
description='Openstack Image' \
endpoint_region='{{ .Values.keystone.glance_region_name }}' \
url='{{ include "endpoint_glance_api_internal" . }}' \
interface=admin \
region_name='{{ .Values.keystone.admin_region_name }}' \
auth='{{ include "keystone_auth" . }}'" \
-e "{'openstack_glance_auth': {{ include "keystone_auth" . }}}"
ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
service_type=image \
description='Openstack Image' \
endpoint_region='{{ .Values.keystone.glance_region_name }}' \
url='{{ include "endpoint_glance_api_internal" . }}' \
interface=internal \
region_name='{{ .Values.keystone.admin_region_name }}' \
auth='{{ include "keystone_auth" . }}'" \
-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
service_type=image \
description='Openstack Image' \
endpoint_region='{{ .Values.keystone.glance_region_name }}' \
url='{{ include "endpoint_glance_api_internal" . }}' \
interface=public \
region_name='{{ .Values.keystone.admin_region_name }}' \
auth='{{ include "keystone_auth" . }}'" \
-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
ansible localhost -vvv -m kolla_keystone_user -a "project=service \
user={{ .Values.keystone.glance_user }} \
password={{ .Values.keystone.glance_password }} \
role=admin \
region_name={{ .Values.keystone.admin_region_name }} \
auth='{{ include "keystone_auth" . }}'" \
-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"

56
glance/templates/post.yaml
View File

@ -1,56 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: glance-post
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
"imagePullPolicy": "{{ .Values.images.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.post.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" .Values.dependencies.post.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
restartPolicy: OnFailure
containers:
- name: glance-post
image: {{ .Values.images.post }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/post.sh
volumeMounts:
- name: postsh
mountPath: /tmp/post.sh
subPath: post.sh
env:
- name: ANSIBLE_LIBRARY
value: /usr/share/ansible/
volumes:
- name: postsh
configMap:
name: glance-postsh

58
glance/templates/registry.yaml
View File

@ -1,58 +0,0 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: glance-registry
spec:
replicas: {{ .Values.replicas }}
template:
metadata:
labels:
app: glance-registry
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
"imagePullPolicy": "{{ .Values.images.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.registry.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" .Values.dependencies.registry.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: glance-registry
image: {{ .Values.images.registry }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- glance-registry
ports:
- containerPort: {{ .Values.network.port.registry }}
readinessProbe:
tcpSocket:
port: {{ .Values.network.port.registry }}
volumeMounts:
- name: glanceregistryconf
mountPath: /etc/glance/glance-registry.conf
subPath: glance-registry.conf
volumes:
- name: glanceregistryconf
configMap:
name: glance-glanceregistryconf

12
glance/templates/start.sh.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: glance-startsh
data:
start.sh: |+
#!/bin/bash
set -ex
cp `find / -not -path "/etc/*" -name glance-api-paste.ini` /etc/glance/
glance-api

16
glance/values.yaml
View File

@ -3,7 +3,13 @@
# Declare name/value pairs to be passed into your templates.
# name: value
replicas: 1
replicas:
api: 1
registry: 1
development:
enabled: false
storage_path: /data/openstack-helm/glance/images
labels:
node_selector_key: openstack-control-plane
@ -15,8 +21,16 @@ images:
init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
registry: quay.io/stackanetes/stackanetes-glance-registry:newton
post: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
pull_policy: "IfNotPresent"
upgrades:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
keystone:
auth_uri: "http://keystone-api:5000"
auth_url: "http://keystone-api:35357"

3
heat/Chart.yaml Normal file
View File

@ -0,0 +1,3 @@
description: A Helm chart for heat
name: heat
version: 0.1.0

4
heat/requirements.yaml Normal file
View File

@ -0,0 +1,4 @@
dependencies:
- name: common
repository: http://localhost:8879/charts
version: 0.1.0

21
heat/templates/bin/_db-init.sh.tpl Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -ex
export HOME=/tmp
ansible localhost -vvv \
-m mysql_db -a "login_host='{{ .Values.database.address }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.heat_database_name }}'"
ansible localhost -vvv \
-m mysql_user -a "login_host='{{ .Values.database.address }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.heat_user }}' \
password='{{ .Values.database.heat_password }}' \
host='%' \
priv='{{ .Values.database.heat_database_name }}.*:ALL' \
append_privs='yes'"

15
heat/templates/configmap-bin.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: heat-bin
data:
db-init.sh: |+
{{ tuple "bin/_db-init.sh.tpl" . | include "template" | indent 4 }}
ks-service.sh: |+
{{- include "common_keystone_service" . | indent 4 }}
ks-endpoints.sh: |+
{{- include "common_keystone_endpoints" . | indent 4 }}
ks-user.sh: |+
{{- include "common_keystone_user" . | indent 4 }}
ks-domain-user.sh: |+
{{- include "common_keystone_domain_user" . | indent 4 }}

11
heat/templates/configmap-etc.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: heat-etc
data:
heat.conf: |+
{{ tuple "etc/_heat.conf.tpl" . | include "template" | indent 4 }}
api-paste.ini: |+
{{ tuple "etc/_heat-api-paste.ini.tpl" . | include "template" | indent 4 }}
policy.json: |+
{{ tuple "etc/_heat-policy.json.tpl" . | include "template" | indent 4 }}

63
heat/templates/deployment-api.yaml Executable file
View File

@ -0,0 +1,63 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.api }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: heat-api
spec:
replicas: {{ .Values.replicas.api }}
template:
metadata:
labels:
app: heat-api
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-api
image: {{ .Values.images.api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- heat-api
- --config-dir
- /etc/heat/conf
ports:
- containerPort: {{ .Values.service.api.port }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.api.port }}
volumeMounts:
- name: pod-etc-heat
mountPath: /etc/heat
- name: pod-var-cache-heat
mountPath: /var/cache/heat
- name: heatconf
mountPath: /etc/heat/conf/heat.conf
subPath: heat.conf
readOnly: true
- name: heatpaste
mountPath: /etc/heat/api-paste.ini
subPath: api-paste.ini
readOnly: true
- name: heatpolicy
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: pod-etc-heat
emptyDir: {}
- name: pod-var-cache-heat
emptyDir: {}
- name: heatconf
configMap:
name: heat-etc
- name: heatpaste
configMap:
name: heat-etc
- name: heatpolicy
configMap:
name: heat-etc

63
heat/templates/deployment-cfn.yaml Normal file
View File

@ -0,0 +1,63 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.cfn }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: heat-cfn
spec:
replicas: {{ .Values.replicas.cfn }}
template:
metadata:
labels:
app: heat-cfn
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-cfn
image: {{ .Values.images.cfn }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- heat-api-cfn
- --config-dir
- /etc/heat/conf
ports:
- containerPort: {{ .Values.service.cfn.port }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.cfn.port }}
volumeMounts:
- name: pod-etc-heat
mountPath: /etc/heat
- name: pod-var-cache-heat
mountPath: /var/cache/heat
- name: heatconf
mountPath: /etc/heat/conf/heat.conf
subPath: heat.conf
readOnly: true
- name: heatpaste
mountPath: /etc/heat/api-paste.ini
subPath: api-paste.ini
readOnly: true
- name: heatpolicy
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: pod-etc-heat
emptyDir: {}
- name: pod-var-cache-heat
emptyDir: {}
- name: heatconf
configMap:
name: heat-etc
- name: heatpaste
configMap:
name: heat-etc
- name: heatpolicy
configMap:
name: heat-etc

63
heat/templates/deployment-cloudwatch.yaml Normal file
View File

@ -0,0 +1,63 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.cloudwatch }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: heat-cloudwatch
spec:
replicas: {{ .Values.replicas.cloudwatch }}
template:
metadata:
labels:
app: heat-cloudwatch
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-cloudwatch
image: {{ .Values.images.cloudwatch }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- heat-api-cloudwatch
- --config-dir
- /etc/heat/conf
ports:
- containerPort: {{ .Values.service.cloudwatch.port }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.cloudwatch.port }}
volumeMounts:
- name: pod-etc-heat
mountPath: /etc/heat
- name: pod-var-cache-heat
mountPath: /var/cache/heat
- name: heatconf
mountPath: /etc/heat/conf/heat.conf
subPath: heat.conf
readOnly: true
- name: heatpaste
mountPath: /etc/heat/api-paste.ini
subPath: api-paste.ini
readOnly: true
- name: heatpolicy
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: pod-etc-heat
emptyDir: {}
- name: pod-var-cache-heat
emptyDir: {}
- name: heatconf
configMap:
name: heat-etc
- name: heatpaste
configMap:
name: heat-etc
- name: heatpolicy
configMap:
name: heat-etc

104
heat/templates/etc/_heat-api-paste.ini.tpl Normal file
View File

@ -0,0 +1,104 @@
# heat-api pipeline
[pipeline:heat-api]
pipeline = cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken context apiv1app
# heat-api pipeline for standalone heat
# ie. uses alternative auth backend that authenticates users against keystone
# using username and password instead of validating token (which requires
# an admin/service token).
# To enable, in heat.conf:
# [paste_deploy]
# flavor = standalone
#
[pipeline:heat-api-standalone]
pipeline = cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
# heat-api pipeline for custom cloud backends
# i.e. in heat.conf:
# [paste_deploy]
# flavor = custombackend
#
[pipeline:heat-api-custombackend]
pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
# heat-api-cfn pipeline
[pipeline:heat-api-cfn]
pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
# heat-api-cfn pipeline for standalone heat
# relies exclusively on authenticating with ec2 signed requests
[pipeline:heat-api-cfn-standalone]
pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app
# heat-api-cloudwatch pipeline
[pipeline:heat-api-cloudwatch]
pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
# heat-api-cloudwatch pipeline for standalone heat
# relies exclusively on authenticating with ec2 signed requests
[pipeline:heat-api-cloudwatch-standalone]
pipeline = cors versionnegotiation ec2authtoken context apicwapp
[app:apiv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.openstack.v1:API
[app:apicfnv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.cfn.v1:API
[app:apicwapp]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.cloudwatch:API
[filter:versionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:version_negotiation_filter
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = heat
[filter:faultwrap]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:faultwrap_filter
[filter:cfnversionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.cfn:version_negotiation_filter
[filter:cwversionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.cloudwatch:version_negotiation_filter
[filter:context]
paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
[filter:ec2authtoken]
paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
# Middleware to set auth_url header appropriately
[filter:authurl]
paste.filter_factory = heat.common.auth_url:filter_factory
# Auth middleware that validates token against keystone
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
# Auth middleware that validates username/password against keystone
[filter:authpassword]
paste.filter_factory = heat.common.auth_password:filter_factory
# Auth middleware that validates against custom backend
[filter:custombackendauth]
paste.filter_factory = heat.common.custom_backend_auth:filter_factory
# Middleware to set x-openstack-request-id in http response header
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory

96
heat/templates/etc/_heat-policy.json.tpl Normal file
View File

@ -0,0 +1,96 @@
{
"context_is_admin": "role:admin and is_admin_project:True",
"project_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:files": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:project_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
"resource_types:OS::Cinder::VolumeType": "rule:project_admin",
"resource_types:OS::Cinder::Quota": "rule:project_admin",
"resource_types:OS::Manila::ShareType": "rule:project_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
"resource_types:OS::Nova::HostAggregate": "rule:project_admin",
"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
}

90
heat/templates/etc/_heat.conf.tpl Normal file
View File

@ -0,0 +1,90 @@
[DEFAULT]
debug = {{ .Values.misc.debug }}
use_syslog = False
use_stderr = True
deferred_auth_method = "trusts"
enable_stack_adopt = "True"
enable_stack_abandon = "True"
heat_metadata_server_url = {{ .Values.service.cfn.proto }}://{{ .Values.service.cfn.name }}:{{ .Values.service.cfn.port }}
heat_waitcondition_server_url = {{ .Values.service.cfn.proto }}://{{ .Values.service.cfn.name }}:{{ .Values.service.cfn.port }}/v1/waitcondition
heat_watch_server_url = {{ .Values.service.cloudwatch.proto }}://{{ .Values.service.cloudwatch.name }}:{{ .Values.service.cloudwatch.port }}
num_engine_workers = {{ .Values.resources.engine.workers }}
stack_user_domain_name = {{ .Values.keystone.heat_stack_user_domain }}
stack_domain_admin = {{ .Values.keystone.heat_stack_user }}
stack_domain_admin_password = {{ .Values.keystone.heat_stack_password }}
trusts_delegated_roles = "Member"
[cache]
enabled = "True"
backend = oslo_cache.memcache_pool
memcache_servers = "{{ .Values.memcached.host }}:{{ .Values.memcached.port }}"
[database]
connection = mysql+pymysql://{{ .Values.database.heat_user }}:{{ .Values.database.heat_password }}@{{ .Values.database.address }}:{{ .Values.database.port }}/{{ .Values.database.heat_database_name }}
max_retries = -1
[keystone_authtoken]
signing_dir = "/var/cache/heat"
memcached_servers = "{{ .Values.memcached.host }}:{{ .Values.memcached.port }}"
auth_version = v3
auth_url = {{ include "endpoint_keystone_internal" . }}
auth_type = password
region_name = {{ .Values.keystone.heat_region_name }}
project_domain_name = {{ .Values.keystone.heat_project_domain }}
project_name = {{ .Values.keystone.heat_project_name }}
user_domain_name = {{ .Values.keystone.heat_user_domain }}
username = {{ .Values.keystone.heat_user }}
password = {{ .Values.keystone.heat_password }}
[heat_api]
bind_port = {{ .Values.service.api.port }}
bind_host = 0.0.0.0
workers = {{ .Values.resources.api.workers }}
[heat_api_cloudwatch]
bind_port = {{ .Values.service.cloudwatch.port }}
bind_host = 0.0.0.0
workers = {{ .Values.resources.cloudwatch.workers }}
[heat_api_cfn]
bind_port = {{ .Values.service.cfn.port }}
bind_host = 0.0.0.0
workers = {{ .Values.resources.cfn.workers }}
[oslo_messaging_rabbit]
rabbit_userid = {{ .Values.messaging.user }}
rabbit_password = {{ .Values.messaging.password }}
rabbit_ha_queues = true
rabbit_hosts = {{ .Values.messaging.hosts }}
[paste_deploy]
config_file = /etc/heat/api-paste.ini
[trustee]
auth_type = "password"
auth_section = "trustee_keystone"
[trustee_keystone]
signing_dir = "/var/cache/heat"
memcached_servers = "{{ .Values.memcached.host }}:{{ .Values.memcached.port }}"
auth_version = v3
auth_url = {{ include "endpoint_keystone_internal" . }}
auth_type = password
region_name = {{ .Values.keystone.heat_trustee_region_name }}
user_domain_name = {{ .Values.keystone.heat_trustee_user_domain }}
username = {{ .Values.keystone.heat_trustee_user }}
password = {{ .Values.keystone.heat_trustee_password }}
[clients]
endpoint_type = internalURL
[clients_keystone]
endpoint_type = internalURL
auth_uri = {{ include "endpoint_keystone_internal" . }}

36
heat/templates/job-db-init.yaml Normal file
View File

@ -0,0 +1,36 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.init }}
apiVersion: batch/v1
kind: Job
metadata:
name: heat-db-init
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-db-init
image: {{ .Values.images.db_init | quote }}
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
env:
- name: ANSIBLE_LIBRARY
value: /usr/share/ansible/
command:
- bash
- /tmp/db-init.sh
volumeMounts:
- name: dbinitsh
mountPath: /tmp/db-init.sh
subPath: db-init.sh
readOnly: true
volumes:
- name: dbinitsh
configMap:
name: heat-bin

40
heat/templates/job-db-sync.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_sync }}
apiVersion: batch/v1
kind: Job
metadata:
name: heat-db-sync
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-db-sync
image: {{ .Values.images.db_sync }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- heat-manage
args:
- --config-dir
- /etc/heat/conf
- db_sync
volumeMounts:
- name: pod-etc-heat
mountPath: /etc/heat
- name: heatconf
mountPath: /etc/heat/conf/heat.conf
subPath: heat.conf
readOnly: true
volumes:
- name: pod-etc-heat
emptyDir: {}
- name: heatconf
configMap:
name: heat-etc

50
heat/templates/job-ks-endpoints.yaml.yaml Normal file
View File

@ -0,0 +1,50 @@
{{- $envAll := . }}
{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
{{- $dependencies := .Values.dependencies.ks_endpoints }}
apiVersion: batch/v1
kind: Job
metadata:
name: heat-ks-endpoints
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
{{- range $key1, $osServiceName := tuple "heat" "heat-cfn" }}
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
- name: {{ $osServiceName }}-ks-endpoints-{{ $osServiceEndPoint }}
image: {{ $envAll.Values.images.ks_endpoints }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
command:
- bash
- /tmp/ks-endpoints.sh
volumeMounts:
- name: ks-endpoints-sh
mountPath: /tmp/ks-endpoints.sh
subPath: ks-endpoints.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: OS_SVC_ENDPOINT
value: {{ $osServiceEndPoint }}
- name: OS_SERVICE_NAME
value: {{ $osServiceName }}
- name: OS_SERVICE_TYPE
value: {{ tuple $osServiceName $envAll | include "endpoint_type_lookup" }}
- name: OS_SERVICE_ENDPOINT
value: {{ tuple $osServiceName $osServiceEndPoint "api" $envAll | include "endpoint_addr_lookup" }}
{{- end }}
{{- end }}
volumes:
- name: ks-endpoints-sh
configMap:
name: heat-bin

44
heat/templates/job-ks-service.yaml Normal file
View File

@ -0,0 +1,44 @@
{{- $envAll := . }}
{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
{{- $dependencies := .Values.dependencies.ks_service }}
apiVersion: batch/v1
kind: Job
metadata:
name: heat-ks-service
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
{{- range $key1, $osServiceName := tuple "heat" "heat-cfn" }}
- name: {{ $osServiceName }}-ks-service-registration
image: {{ $envAll.Values.images.ks_service }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
command:
- bash
- /tmp/ks-service.sh
volumeMounts:
- name: ks-service-sh
mountPath: /tmp/ks-service.sh
subPath: ks-service.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: OS_SERVICE_NAME
value: {{ $osServiceName }}
- name: OS_SERVICE_TYPE
value: {{ tuple $osServiceName $envAll | include "endpoint_type_lookup" }}
{{- end }}
volumes:
- name: ks-service-sh
configMap:
name: heat-bin

110
heat/templates/job-ks-user.yaml Normal file
View File

@ -0,0 +1,110 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.ks_user }}
{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
{{- $ksUserSecret := .Values.keystone_secrets.user }}
# The heat user management job is a bit different from other services as it also needs to create a stack domain and trusts user
{{- $ksTrusteeUserSecret := .Values.keystone_secrets.trustee }}
{{- $ksStackUserSecret := .Values.keystone_secrets.stack }}
apiVersion: batch/v1
kind: Job
metadata:
name: heat-ks-user
spec:
template:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-ks-user
image: {{ .Values.images.ks_user }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/ks-user.sh
volumeMounts:
- name: ks-user-sh
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
value: "heat"
{{- with $env := dict "ksUserSecret" $ksUserSecret }}
{{- include "env_ks_user_create_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLE
value: {{ .Values.keystone.heat_user_role | quote }}
- name: heat-ks-trustee-user
image: {{ .Values.images.ks_user }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/ks-user.sh
volumeMounts:
- name: ks-user-sh
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
value: "heat"
{{- with $env := dict "ksUserSecret" $ksTrusteeUserSecret }}
{{- include "env_ks_user_create_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLE
value: {{ .Values.keystone.heat_trustee_role | quote }}
- name: heat-ks-domain-user
image: {{ .Values.images.ks_user }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- bash
- /tmp/ks-domain-user.sh
volumeMounts:
- name: ks-user-sh
mountPath: /tmp/ks-domain-user.sh
subPath: ks-domain-user.sh
readOnly: true
env:
{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
{{- include "env_ks_openrc_tpl" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
value: "heat"
- name: SERVICE_OS_REGION_NAME
valueFrom:
secretKeyRef:
name: {{ $ksStackUserSecret }}
key: OS_REGION_NAME
- name: SERVICE_OS_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksStackUserSecret }}
key: OS_DOMAIN_NAME
- name: SERVICE_OS_USERNAME
valueFrom:
secretKeyRef:
name: {{ $ksStackUserSecret }}
key: OS_USERNAME
- name: SERVICE_OS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $ksStackUserSecret }}
key: OS_PASSWORD
- name: SERVICE_OS_ROLE
value: {{ .Values.keystone.heat_stack_user_role | quote }}
volumes:
- name: ks-user-sh
configMap:
name: heat-bin

20
heat/templates/secret-keystone-admin.env.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.keystone_secrets.admin }}
type: Opaque
data:
OS_AUTH_URL: |
{{ .Values.keystone.auth_url | b64enc | indent 4 }}
OS_REGION_NAME: |
{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
OS_PROJECT_DOMAIN_NAME: |
{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
OS_PROJECT_NAME: |
{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
OS_USER_DOMAIN_NAME: |
{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
OS_USERNAME: |
{{ .Values.keystone.admin_user | b64enc | indent 4 }}
OS_PASSWORD: |
{{ .Values.keystone.admin_password | b64enc | indent 4 }}

14
heat/templates/secret-keystone-stack-user.env.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.keystone_secrets.stack }}
type: Opaque
data:
OS_REGION_NAME: |
{{ .Values.keystone.heat_stack_region_name | b64enc | indent 4 }}
OS_DOMAIN_NAME: |
{{ .Values.keystone.heat_stack_domain | b64enc | indent 4 }}
OS_USERNAME: |
{{ .Values.keystone.heat_stack_user | b64enc | indent 4 }}
OS_PASSWORD: |
{{ .Values.keystone.heat_stack_password | b64enc | indent 4 }}

20
heat/templates/secret-keystone-trustee.env.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.keystone_secrets.trustee }}
type: Opaque
data:
OS_AUTH_URL: |
{{ .Values.keystone.auth_url | b64enc | indent 4 }}
OS_REGION_NAME: |
{{ .Values.keystone.heat_trustee_region_name | b64enc | indent 4 }}
OS_PROJECT_DOMAIN_NAME: |
{{ .Values.keystone.heat_trustee_project_domain | b64enc | indent 4 }}
OS_PROJECT_NAME: |
{{ .Values.keystone.heat_trustee_project_name | b64enc | indent 4 }}
OS_USER_DOMAIN_NAME: |
{{ .Values.keystone.heat_trustee_user_domain | b64enc | indent 4 }}
OS_USERNAME: |
{{ .Values.keystone.heat_trustee_user | b64enc | indent 4 }}
OS_PASSWORD: |
{{ .Values.keystone.heat_trustee_password | b64enc | indent 4 }}

20
heat/templates/secret-keystone-user.env.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.keystone_secrets.user }}
type: Opaque
data:
OS_AUTH_URL: |
{{ .Values.keystone.auth_url | b64enc | indent 4 }}
OS_REGION_NAME: |
{{ .Values.keystone.heat_region_name | b64enc | indent 4 }}
OS_PROJECT_DOMAIN_NAME: |
{{ .Values.keystone.heat_project_domain | b64enc | indent 4 }}
OS_PROJECT_NAME: |
{{ .Values.keystone.heat_project_name | b64enc | indent 4 }}
OS_USER_DOMAIN_NAME: |
{{ .Values.keystone.heat_user_domain | b64enc | indent 4 }}
OS_USERNAME: |
{{ .Values.keystone.heat_user | b64enc | indent 4 }}
OS_PASSWORD: |
{{ .Values.keystone.heat_password | b64enc | indent 4 }}

9
heat/templates/service-api.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.api.name }}
spec:
ports:
- port: {{ .Values.service.api.port }}
selector:
app: heat-api

9
heat/templates/service-cfn.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.cfn.name }}
spec:
ports:
- port: {{ .Values.service.cfn.port }}
selector:
app: heat-cfn

9
heat/templates/service-cloudwatch.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.cloudwatch.name }}
spec:
ports:
- port: {{ .Values.service.cloudwatch.port }}
selector:
app: heat-cloudwatch

52
heat/templates/statefulset-engine.yaml Normal file
View File

@ -0,0 +1,52 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.engine }}
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: heat-engine
spec:
serviceName: heat-engine
replicas: {{ .Values.replicas.engine }}
template:
metadata:
labels:
app: heat-engine
annotations:
pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: heat-engine
image: {{ .Values.images.engine }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- heat-engine
- --config-dir
- /etc/heat/conf
volumeMounts:
- name: pod-etc-heat
mountPath: /etc/heat
- name: pod-var-cache-heat
mountPath: /var/cache/heat
- name: heatconf
mountPath: /etc/heat/conf/heat.conf
subPath: heat.conf
readOnly: true
- name: heatpolicy
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
volumes:
- name: pod-etc-heat
emptyDir: {}
- name: pod-var-cache-heat
emptyDir: {}
- name: heatconf
configMap:
name: heat-etc
- name: heatpolicy
configMap:
name: heat-etc

208
heat/values.yaml Normal file
View File

@ -0,0 +1,208 @@
# Default values for keystone.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
replicas:
api: 1
cfn: 1
cloudwatch: 1
engine: 1
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
db_init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
db_sync: docker.io/kolla/ubuntu-source-heat-api:3.0.1
ks_user: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
ks_service: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
ks_endpoints: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
api: docker.io/kolla/ubuntu-source-heat-api:3.0.1
cfn: docker.io/kolla/ubuntu-source-heat-api:3.0.1
cloudwatch: docker.io/kolla/ubuntu-source-heat-api:3.0.1
engine: docker.io/kolla/ubuntu-source-heat-engine:3.0.1
pull_policy: "IfNotPresent"
keystone_secrets:
admin: "heat-env-keystone-admin"
user: "heat-env-keystone-user"
trustee: "heat-env-keystone-trustee"
stack: "heat-env-keystone-stack-user"
keystone:
auth_uri: "http://keystone-api:5000"
auth_url: "http://keystone-api:35357"
admin_user: "admin"
admin_user_domain: "default"
admin_password: "password"
admin_project_name: "admin"
admin_project_domain: "default"
admin_region_name: "RegionOne"
heat_user: "heat"
heat_user_domain: "default"
heat_user_role: "admin"
heat_password: "password"
heat_project_name: "service"
heat_project_domain: "default"
heat_region_name: "RegionOne"
heat_trustee_user: "heat-trust"
heat_trustee_user_domain: "default"
heat_trustee_role: "admin"
heat_trustee_password: "password"
heat_trustee_project_name: "service"
heat_trustee_project_domain: "default"
heat_trustee_region_name: "RegionOne"
heat_stack_user: "heat-domain"
heat_stack_domain: "heat"
heat_stack_user_role: "admin"
heat_stack_password: "password"
heat_stack_region_name: "RegionOne"
service:
api:
name: "heat-api"
port: 8004
proto: "http"
cfn:
name: "heat-cfn"
port: 8000
proto: "http"
cloudwatch:
name: "heat-cloudwatch"
port: 8003
proto: "http"
database:
address: mariadb
port: 3306
root_user: root
root_password: password
heat_database_name: heat
heat_password: password
heat_user: heat
messaging:
hosts: rabbitmq
user: rabbitmq
password: password
memcached:
host: memcached
port: 11211
resources:
api:
workers: 8
cfn:
workers: 8
cloudwatch:
workers: 8
engine:
workers: 8
misc:
debug: true
secrets:
keystone_admin:
dependencies:
db_init:
jobs:
- mariadb-seed
service:
- mariadb
db_sync:
jobs:
- heat-db-init
service:
- mariadb
ks_user:
service:
- keystone-api
ks_service:
service:
- keystone-api
ks_endpoints:
jobs:
- heat-ks-service
service:
- keystone-api
api:
jobs:
- heat-db-sync
- heat-ks-user
- heat-ks-endpoints
service:
- keystone-api
- mariadb
cfn:
jobs:
- heat-db-sync
- heat-ks-user
- heat-ks-endpoints
service:
- keystone-api
- mariadb
cloudwatch:
jobs:
- heat-db-sync
- heat-ks-user
- heat-ks-endpoints
service:
- keystone-api
- mariadb
engine:
jobs:
- heat-db-sync
- heat-ks-user
- heat-ks-endpoints
service:
- keystone-api
- mariadb
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
keystone:
hosts:
default: keystone-api
path: /v3
type: identity
scheme: 'http'
port:
admin: 35357
public: 5000
heat:
hosts:
default: heat-api
path: '/v1/%(project_id)s'
type: orchestration
scheme: 'http'
port:
api: 8004
heat_cfn:
hosts:
default: heat-cfn
path: /v1
type: cloudformation
scheme: 'http'
port:
api: 8000
# Cloudwatch does not get an entry in the keystone service catalog
heat_cloudwatch:
hosts:
default: heat-cloudwatch
path: null
type: null
scheme: 'http'
port:
api: 8003

32
horizon/templates/deployment.yaml
View File

@ -1,9 +1,19 @@
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.dashboard }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: horizon
spec:
replicas: {{ .Values.replicas }}
revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
strategy:
type: {{ .Values.upgrades.pod_replacement_strategy }}
{{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
{{ end }}
template:
metadata:
labels:
@ -12,26 +22,8 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "{{ .Values.images.entrypoint }}",
"imagePullPolicy": "{{ .Values.images.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.dashboard.service }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}

12
horizon/templates/service.yaml
View File

@ -4,6 +4,18 @@ metadata:
name: horizon
spec:
ports:
{{ if .Values.network.enable_node_port }}
- nodePort: {{ .Values.network.node_port }}
port: {{ .Values.network.port }}
protocol: TCP
targetPort: {{ .Values.network.port }}
{{ else }}
- port: {{ .Values.network.port }}
protocol: TCP
targetPort: {{ .Values.network.port }}
{{ end }}
selector:
app: horizon
{{ if .Values.network.enable_node_port }}
type: NodePort
{{ end }}

11
horizon/values.yaml
View File

@ -6,16 +6,25 @@
replicas: 1
images:
entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
horizon: quay.io/stackanetes/stackanetes-horizon:newton
pull_policy: "IfNotPresent"
upgrades:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
port: 80
node_port: 30000
enable_node_port: false
local_settings:
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c

27
keystone/templates/bin/_db-sync.sh.tpl
View File

@ -1,22 +1,13 @@
#!/bin/bash
set -ex
# order of kolla_keystone_bootstrap urls
# for those of looking for a little expanation
# to a mysterious blackbox
#
# these will feed into the keystone endpoints
# so it is important they are correct
#
# keystone_admin_url
# keystone_internal_url
# keystone_public_url
keystone-manage db_sync
kolla_keystone_bootstrap {{ .Values.keystone.admin_user }} {{ .Values.keystone.admin_password }} \
{{ .Values.keystone.admin_project_name }} admin \
{{ include "endpoint_keystone_admin" . }} \
{{ include "endpoint_keystone_internal" . }} \
{{ include "endpoint_keystone_internal" . }} \
{{ .Values.keystone.admin_region_name }}
keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
--bootstrap-username {{ .Values.keystone.admin_user }} \
--bootstrap-password {{ .Values.keystone.admin_password }} \
--bootstrap-project-name {{ .Values.keystone.admin_project_name }} \
--bootstrap-admin-url {{ include "endpoint_keystone_admin" . }} \
--bootstrap-public-url {{ include "endpoint_keystone_internal" . }} \
--bootstrap-internal-url {{ include "endpoint_keystone_internal" . }} \
--bootstrap-region-id {{ .Values.keystone.admin_region_name }}

19
keystone/templates/bin/_init.sh.tpl
View File

@ -2,5 +2,20 @@
set -ex
export HOME=/tmp
ansible localhost -vvv -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_database_name }}'"
ansible localhost -vvv -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_user }}' password='{{ .Values.database.keystone_password }}' host='%' priv='{{ .Values.database.keystone_database_name }}.*:ALL' append_privs='yes'"
ansible localhost -vvv \
-m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.keystone_database_name }}'"
ansible localhost -vvv \
-m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' \
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.keystone_user }}' \
password='{{ .Values.database.keystone_password }}' \
host='%' \
priv='{{ .Values.database.keystone_database_name }}.*:ALL' \
append_privs='yes'"

Some files were not shown because too many files have changed in this diff Show More