diff --git a/Makefile b/Makefile
index 5c7e2a1e61..4ca9917a35 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,12 @@
-.PHONY: ceph bootstrap mariadb keystone memcached rabbitmq common openstack neutron maas all clean
+.PHONY: ceph bootstrap mariadb keystone memcached rabbitmq common openstack neutron nova cinder heat maas all clean
B64_DIRS := common/secrets
B64_EXCLUDE := $(wildcard common/secrets/*.b64)
-CHARTS := ceph mariadb rabbitmq GLANCE memcached keystone glance horizon neutron maas openstack
+CHARTS := ceph mariadb rabbitmq memcached keystone glance horizon neutron nova cinder heat maas openstack
COMMON_TPL := common/templates/_globals.tpl
-all: common ceph bootstrap mariadb rabbitmq memcached keystone glance horizon neutron maas openstack
+all: common ceph bootstrap mariadb rabbitmq memcached keystone glance horizon neutron nova cinder heat maas openstack
common: build-common
@@ -19,6 +19,8 @@ mariadb: build-mariadb
keystone: build-keystone
+cinder: build-cinder
+
horizon: build-horizon
rabbitmq: build-rabbitmq
@@ -27,6 +29,10 @@ glance: build-glance
neutron: build-neutron
+nova: build-nova
+
+heat: build-heat
+
maas: build-maas
memcached: build-memcached
@@ -44,4 +50,3 @@ build-%:
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
helm lint $*
helm package $*
-
diff --git a/README.md b/README.md
index a84bc05f45..8c8bcae04b 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
# Openstack-Helm
+Join us on [freenode](https://freenode.net/): `#openstack-helm`
+
Openstack-Helm is a fully self-contained Helm-based OpenStack deployment on Kubernetes. It will provide baremetal provisioning, persistent storage, full-stack resiliency, full-stack scalability, performance monitoring and tracing, and an optional development pipeline (using Jenkins). This project, along with the tools used within are community-based and open sourced.
# Mission
diff --git a/ceph/templates/daemonset-osd.yaml b/ceph/templates/daemonset-osd.yaml
index 1ad4b24fbf..9f85d599c1 100644
--- a/ceph/templates/daemonset-osd.yaml
+++ b/ceph/templates/daemonset-osd.yaml
@@ -40,7 +40,7 @@ spec:
containers:
- name: osd-pod
image: {{ .Values.images.daemon }}
- imagePullPolicy: Always
+ imagePullPolicy: {{ .Values.images.pull_policy }}
volumeMounts:
- name: devices
mountPath: /dev
diff --git a/ceph/templates/deployment-mds.yaml b/ceph/templates/deployment-mds.yaml
index 9a4f5eadd9..0485c5e719 100644
--- a/ceph/templates/deployment-mds.yaml
+++ b/ceph/templates/deployment-mds.yaml
@@ -34,6 +34,7 @@ spec:
containers:
- name: ceph-mon
image: {{ .Values.images.daemon }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
ports:
- containerPort: 6800
env:
diff --git a/ceph/templates/deployment-moncheck.yaml b/ceph/templates/deployment-moncheck.yaml
index aa829b09c1..459074f067 100644
--- a/ceph/templates/deployment-moncheck.yaml
+++ b/ceph/templates/deployment-moncheck.yaml
@@ -34,7 +34,7 @@ spec:
containers:
- name: ceph-mon
image: {{ .Values.images.daemon }}
- imagePullPolicy: Always
+ imagePullPolicy: {{ .Values.images.pull_policy }}
ports:
- containerPort: 6789
env:
@@ -42,8 +42,8 @@ spec:
value: MON_HEALTH
- name: KV_TYPE
value: k8s
- - name: MON_IP_AUTO_DETECT
- value: "1"
+ - name: NETWORK_AUTO_DETECT
+ value: "4"
- name: CLUSTER
value: ceph
volumeMounts:
diff --git a/ceph/templates/deployment-rgw.yaml b/ceph/templates/deployment-rgw.yaml
index a22c2ad367..57ba1c9538 100644
--- a/ceph/templates/deployment-rgw.yaml
+++ b/ceph/templates/deployment-rgw.yaml
@@ -36,6 +36,7 @@ spec:
containers:
- name: ceph-rgw
image: {{ .Values.images.daemon }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
ports:
- containerPort: {{ .Values.network.port.rgw_target }}
env:
diff --git a/ceph/templates/statefulset-mon.yaml b/ceph/templates/statefulset-mon.yaml
index 5ef33cd8e2..d7971a72a2 100644
--- a/ceph/templates/statefulset-mon.yaml
+++ b/ceph/templates/statefulset-mon.yaml
@@ -58,7 +58,7 @@ spec:
containers:
- name: ceph-mon
image: {{ .Values.images.daemon }}
- imagePullPolicy: Always
+ imagePullPolicy: {{ .Values.images.pull_policy }}
lifecycle:
preStop:
exec:
@@ -73,7 +73,7 @@ spec:
- name: KV_TYPE
value: k8s
- name: NETWORK_AUTO_DETECT
- value: "1"
+ value: "4"
- name: CLUSTER
value: ceph
volumeMounts:
diff --git a/ceph/values.yaml b/ceph/values.yaml
index 33c6da2410..b88644a641 100644
--- a/ceph/values.yaml
+++ b/ceph/values.yaml
@@ -18,6 +18,7 @@ service:
images:
daemon: quay.io/attcomdev/ceph-daemon:latest
+ pull_policy: IfNotPresent
labels:
node_selector_key: ceph-storage
diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml
new file mode 100644
index 0000000000..890af01e45
--- /dev/null
+++ b/cinder/Chart.yaml
@@ -0,0 +1,3 @@
+description: A Helm chart for cinder
+name: cinder
+version: 0.1.0
diff --git a/cinder/requirements.yaml b/cinder/requirements.yaml
new file mode 100644
index 0000000000..2350b1facb
--- /dev/null
+++ b/cinder/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+ - name: common
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/cinder/templates/_helpers.tpl b/cinder/templates/_helpers.tpl
new file mode 100644
index 0000000000..97ab3325eb
--- /dev/null
+++ b/cinder/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+# This file is required because we use a slightly different endpoint layout in
+# the values yaml, until we can make this change for all services.
+
+
+# this function returns the endpoint uri for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "orchestration" "public" "api" . | include "endpoint_type_lookup_addr" }
+# will return the appropriate URI. Once merged this should phase out the above.
+
+{{- define "endpoint_type_lookup_addr" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints $type }}
+{{- $fqdn := $context.Release.Namespace -}}
+{{- if $context.Values.endpoints.fqdn -}}
+{{- $fqdn := $context.Values.endpoints.fqdn -}}
+{{- end -}}
+{{- with $endpointMap -}}
+{{- $endpointScheme := .scheme }}
+{{- $endpointHost := index .hosts $endpoint | default .hosts.default}}
+{{- $endpointPort := index .port $port }}
+{{- $endpointPath := .path }}
+{{- printf "%s://%s.%s:%1.f%s" $endpointScheme $endpointHost $fqdn $endpointPort $endpointPath | quote -}}
+{{- end -}}
+{{- end -}}
+
+
+#-------------------------------
+# endpoint name lookup
+#-------------------------------
+
+# this function is used in endpoint management templates
+# it returns the service type for an openstack service eg:
+# { tuple orchestration . | include "ks_endpoint_type" }
+# will return "heat"
+
+{{- define "endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints $type }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/cinder/templates/bin/_db-init.sh.tpl b/cinder/templates/bin/_db-init.sh.tpl
new file mode 100644
index 0000000000..93bd518bb1
--- /dev/null
+++ b/cinder/templates/bin/_db-init.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -ex
+export HOME=/tmp
+
+ansible localhost -vvv \
+ -m mysql_db -a "login_host='{{ .Values.database.address }}' \
+ login_port='{{ .Values.database.port }}' \
+ login_user='{{ .Values.database.root_user }}' \
+ login_password='{{ .Values.database.root_password }}' \
+ name='{{ .Values.database.cinder_database_name }}'"
+
+ansible localhost -vvv \
+ -m mysql_user -a "login_host='{{ .Values.database.address }}' \
+ login_port='{{ .Values.database.port }}' \
+ login_user='{{ .Values.database.root_user }}' \
+ login_password='{{ .Values.database.root_password }}' \
+ name='{{ .Values.database.cinder_user }}' \
+ password='{{ .Values.database.cinder_password }}' \
+ host='%' \
+ priv='{{ .Values.database.cinder_database_name }}.*:ALL' \
+ append_privs='yes'"
diff --git a/cinder/templates/configmap-bin.yaml b/cinder/templates/configmap-bin.yaml
new file mode 100644
index 0000000000..b549121df9
--- /dev/null
+++ b/cinder/templates/configmap-bin.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cinder-bin
+data:
+ db-init.sh: |+
+{{ tuple "bin/_db-init.sh.tpl" . | include "template" | indent 4 }}
+ ks-service.sh: |+
+{{- include "common_keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |+
+{{- include "common_keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |+
+{{- include "common_keystone_user" . | indent 4 }}
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
new file mode 100644
index 0000000000..bb3b8f8c04
--- /dev/null
+++ b/cinder/templates/configmap-etc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cinder-etc
+data:
+ cinder.conf: |+
+{{ tuple "etc/_cinder.conf.tpl" . | include "template" | indent 4 }}
+ api-paste.ini: |+
+{{ tuple "etc/_cinder-api-paste.ini.tpl" . | include "template" | indent 4 }}
+ policy.json: |+
+{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
+ ceph.conf: |+
+{{ tuple "etc/_ceph.conf.tpl" . | include "template" | indent 4 }}
+ ceph.client.{{ .Values.ceph.cinder_user }}.keyring: |+
+{{ tuple "etc/_ceph-cinder.keyring.tpl" . | include "template" | indent 4 }}
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
new file mode 100644
index 0000000000..b5a05f8f77
--- /dev/null
+++ b/cinder/templates/deployment-api.yaml
@@ -0,0 +1,73 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.api }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: cinder-api
+spec:
+ replicas: {{ .Values.replicas.api }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: cinder-api
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: cinder-api
+ image: {{ .Values.images.api }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - cinder-api
+ - --config-dir
+ - /etc/cinder/conf
+ ports:
+ - containerPort: {{ .Values.service.api.port }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.api.port }}
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: pod-var-cache-cinder
+ mountPath: /var/cache/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ - name: cinderpaste
+ mountPath: /etc/cinder/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: cinderpolicy
+ mountPath: /etc/cinder/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: pod-var-cache-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ - name: cinderpaste
+ configMap:
+ name: cinder-etc
+ - name: cinderpolicy
+ configMap:
+ name: cinder-etc
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
new file mode 100644
index 0000000000..e18425e2b1
--- /dev/null
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -0,0 +1,68 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.scheduler }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: cinder-scheduler
+spec:
+ replicas: {{ .Values.replicas.scheduler }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: cinder-scheduler
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: cinder-scheduler
+ image: {{ .Values.images.scheduler }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - cinder-scheduler
+ - --config-dir
+ - /etc/cinder/conf
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: pod-var-cache-cinder
+ mountPath: /var/cache/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ - name: cinderpaste
+ mountPath: /etc/cinder/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: cinderpolicy
+ mountPath: /etc/cinder/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: pod-var-cache-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ - name: cinderpaste
+ configMap:
+ name: cinder-etc
+ - name: cinderpolicy
+ configMap:
+ name: cinder-etc
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
new file mode 100644
index 0000000000..1545b37279
--- /dev/null
+++ b/cinder/templates/deployment-volume.yaml
@@ -0,0 +1,68 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.volume }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: cinder-volume
+spec:
+ replicas: {{ .Values.replicas.volume }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: cinder-volume
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: cinder-volume
+ image: {{ .Values.images.volume }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - cinder-volume
+ - --config-dir
+ - /etc/cinder/conf
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: pod-var-cache-cinder
+ mountPath: /var/cache/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ - name: cephconf
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: cephclientcinderkeyring
+ mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ readOnly: true
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: pod-var-cache-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ - name: cephconf
+ configMap:
+ name: cinder-etc
+ - name: cephclientcinderkeyring
+ configMap:
+ name: cinder-etc
diff --git a/cinder/templates/etc/_ceph-cinder.keyring.tpl b/cinder/templates/etc/_ceph-cinder.keyring.tpl
new file mode 100644
index 0000000000..fb65f1ff57
--- /dev/null
+++ b/cinder/templates/etc/_ceph-cinder.keyring.tpl
@@ -0,0 +1,6 @@
+[client.{{ .Values.ceph.cinder_user }}]
+{{- if .Values.ceph.cinder_keyring }}
+ key = {{ .Values.ceph.cinder_keyring }}
+{{- else }}
+ key = {{- include "secrets/ceph-client-key" . -}}
+{{- end }}
diff --git a/cinder/templates/etc/_ceph.conf.tpl b/cinder/templates/etc/_ceph.conf.tpl
new file mode 100644
index 0000000000..7d2576bf65
--- /dev/null
+++ b/cinder/templates/etc/_ceph.conf.tpl
@@ -0,0 +1,16 @@
+[global]
+rgw_thread_pool_size = 1024
+rgw_num_rados_handles = 100
+{{- if .Values.ceph.monitors }}
+[mon]
+{{ range .Values.ceph.monitors }}
+ [mon.{{ . }}]
+ host = {{ . }}
+ mon_addr = {{ . }}
+{{ end }}
+{{- else }}
+mon_host = ceph-mon.ceph
+{{- end }}
+[client]
+ rbd_cache_enabled = true
+ rbd_cache_writethrough_until_flush = true
diff --git a/cinder/templates/etc/_cinder-api-paste.ini.tpl b/cinder/templates/etc/_cinder-api-paste.ini.tpl
new file mode 100644
index 0000000000..a761f53d07
--- /dev/null
+++ b/cinder/templates/etc/_cinder-api-paste.ini.tpl
@@ -0,0 +1,75 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+/v3: openstack_volume_api_v3
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+
+[composite:openstack_volume_api_v3]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[app:apiv3]
+paste.app_factory = cinder.api.v3.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
diff --git a/cinder/templates/etc/_cinder.conf.tpl b/cinder/templates/etc/_cinder.conf.tpl
new file mode 100644
index 0000000000..a576fe1fa0
--- /dev/null
+++ b/cinder/templates/etc/_cinder.conf.tpl
@@ -0,0 +1,64 @@
+[DEFAULT]
+debug = {{ .Values.misc.debug }}
+use_syslog = False
+use_stderr = True
+
+enable_v1_api = false
+volume_name_template = %s
+
+osapi_volume_workers = {{ .Values.api.workers }}
+osapi_volume_listen = 0.0.0.0
+osapi_volume_listen_port = {{ .Values.service.api.port }}
+
+api_paste_config = /etc/cinder/api-paste.ini
+
+glance_api_servers = "{{ .Values.glance.proto }}://{{ .Values.glance.host }}:{{ .Values.glance.port }}"
+glance_api_version = {{ .Values.glance.version }}
+
+enabled_backends = {{ include "joinListWithColon" .Values.backends.enabled }}
+
+auth_strategy = keystone
+os_region_name = {{ .Values.keystone.cinder_region_name }}
+
+# ensures that our volume worker service-list doesn't
+# explode with dead agents from terminated containers
+# by pinning the agent identifier
+host=cinder-volume-worker
+
+[database]
+connection = mysql+pymysql://{{ .Values.database.cinder_user }}:{{ .Values.database.cinder_password }}@{{ .Values.database.address }}:{{ .Values.database.port }}/{{ .Values.database.cinder_database_name }}
+max_retries = -1
+
+[keystone_authtoken]
+auth_url = {{ .Values.keystone.auth_url }}
+auth_type = password
+project_domain_name = {{ .Values.keystone.cinder_project_domain }}
+user_domain_name = {{ .Values.keystone.cinder_user_domain }}
+project_name = {{ .Values.keystone.cinder_project_name }}
+username = {{ .Values.keystone.cinder_user }}
+password = {{ .Values.keystone.cinder_password }}
+
+[oslo_concurrency]
+lock_path = /var/lib/cinder/tmp
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ .Values.messaging.user }}
+rabbit_password = {{ .Values.messaging.password }}
+rabbit_ha_queues = true
+rabbit_hosts = {{ .Values.messaging.hosts }}
+
+[rbd1]
+volume_driver = cinder.volume.drivers.rbd.RBDDriver
+rbd_pool = {{ .Values.backends.rbd1.pool }}
+rbd_ceph_conf = /etc/ceph/ceph.conf
+rbd_flatten_volume_from_snapshot = false
+rbd_max_clone_depth = 5
+rbd_store_chunk_size = 4
+rados_connect_timeout = -1
+{{- if .Values.backends.rbd1.secret }}
+rbd_user = {{ .Values.backends.rbd1.user }}
+{{- else }}
+rbd_secret_uuid = {{- include "secrets/ceph-client-key" . -}}
+{{- end }}
+rbd_secret_uuid = {{ .Values.backends.rbd1.secret }}
+report_discard_supported = True
diff --git a/cinder/templates/etc/_policy.json.tpl b/cinder/templates/etc/_policy.json.tpl
new file mode 100644
index 0000000000..8818372051
--- /dev/null
+++ b/cinder/templates/etc/_policy.json.tpl
@@ -0,0 +1,138 @@
+{
+ "context_is_admin": "role:admin",
+ "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+ "default": "rule:admin_or_owner",
+
+ "admin_api": "is_admin:True",
+
+ "volume:create": "",
+ "volume:delete": "rule:admin_or_owner",
+ "volume:get": "rule:admin_or_owner",
+ "volume:get_all": "rule:admin_or_owner",
+ "volume:get_volume_metadata": "rule:admin_or_owner",
+ "volume:create_volume_metadata": "rule:admin_or_owner",
+ "volume:delete_volume_metadata": "rule:admin_or_owner",
+ "volume:update_volume_metadata": "rule:admin_or_owner",
+ "volume:get_volume_admin_metadata": "rule:admin_api",
+ "volume:update_volume_admin_metadata": "rule:admin_api",
+ "volume:get_snapshot": "rule:admin_or_owner",
+ "volume:get_all_snapshots": "rule:admin_or_owner",
+ "volume:create_snapshot": "rule:admin_or_owner",
+ "volume:delete_snapshot": "rule:admin_or_owner",
+ "volume:update_snapshot": "rule:admin_or_owner",
+ "volume:get_snapshot_metadata": "rule:admin_or_owner",
+ "volume:delete_snapshot_metadata": "rule:admin_or_owner",
+ "volume:update_snapshot_metadata": "rule:admin_or_owner",
+ "volume:extend": "rule:admin_or_owner",
+ "volume:update_readonly_flag": "rule:admin_or_owner",
+ "volume:retype": "rule:admin_or_owner",
+ "volume:update": "rule:admin_or_owner",
+
+ "volume_extension:types_manage": "rule:admin_api",
+ "volume_extension:types_extra_specs": "rule:admin_api",
+ "volume_extension:access_types_qos_specs_id": "rule:admin_api",
+ "volume_extension:access_types_extra_specs": "rule:admin_api",
+ "volume_extension:volume_type_access": "rule:admin_or_owner",
+ "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
+ "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
+ "volume_extension:volume_type_encryption": "rule:admin_api",
+ "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
+ "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
+ "volume_extension:volume_image_metadata": "rule:admin_or_owner",
+
+ "volume_extension:quotas:show": "",
+ "volume_extension:quotas:update": "rule:admin_api",
+ "volume_extension:quotas:delete": "rule:admin_api",
+ "volume_extension:quota_classes": "rule:admin_api",
+ "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
+
+ "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
+ "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
+ "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
+ "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
+ "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
+ "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
+
+ "volume_extension:volume_actions:upload_public": "rule:admin_api",
+ "volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
+
+ "volume_extension:volume_host_attribute": "rule:admin_api",
+ "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
+ "volume_extension:volume_mig_status_attribute": "rule:admin_api",
+ "volume_extension:hosts": "rule:admin_api",
+ "volume_extension:services:index": "rule:admin_api",
+ "volume_extension:services:update" : "rule:admin_api",
+
+ "volume_extension:volume_manage": "rule:admin_api",
+ "volume_extension:volume_unmanage": "rule:admin_api",
+ "volume_extension:list_manageable": "rule:admin_api",
+
+ "volume_extension:capabilities": "rule:admin_api",
+
+ "volume:create_transfer": "rule:admin_or_owner",
+ "volume:accept_transfer": "",
+ "volume:delete_transfer": "rule:admin_or_owner",
+ "volume:get_transfer": "rule:admin_or_owner",
+ "volume:get_all_transfers": "rule:admin_or_owner",
+
+ "volume_extension:replication:promote": "rule:admin_api",
+ "volume_extension:replication:reenable": "rule:admin_api",
+
+ "volume:failover_host": "rule:admin_api",
+ "volume:freeze_host": "rule:admin_api",
+ "volume:thaw_host": "rule:admin_api",
+
+ "backup:create" : "",
+ "backup:delete": "rule:admin_or_owner",
+ "backup:get": "rule:admin_or_owner",
+ "backup:get_all": "rule:admin_or_owner",
+ "backup:restore": "rule:admin_or_owner",
+ "backup:backup-import": "rule:admin_api",
+ "backup:backup-export": "rule:admin_api",
+ "backup:update": "rule:admin_or_owner",
+
+ "snapshot_extension:snapshot_actions:update_snapshot_status": "",
+ "snapshot_extension:snapshot_manage": "rule:admin_api",
+ "snapshot_extension:snapshot_unmanage": "rule:admin_api",
+ "snapshot_extension:list_manageable": "rule:admin_api",
+
+ "consistencygroup:create" : "group:nobody",
+ "consistencygroup:delete": "group:nobody",
+ "consistencygroup:update": "group:nobody",
+ "consistencygroup:get": "group:nobody",
+ "consistencygroup:get_all": "group:nobody",
+
+ "consistencygroup:create_cgsnapshot" : "group:nobody",
+ "consistencygroup:delete_cgsnapshot": "group:nobody",
+ "consistencygroup:get_cgsnapshot": "group:nobody",
+ "consistencygroup:get_all_cgsnapshots": "group:nobody",
+
+ "group:group_types_manage": "rule:admin_api",
+ "group:group_types_specs": "rule:admin_api",
+ "group:access_group_types_specs": "rule:admin_api",
+ "group:group_type_access": "rule:admin_or_owner",
+
+ "group:create" : "",
+ "group:delete": "rule:admin_or_owner",
+ "group:update": "rule:admin_or_owner",
+ "group:get": "rule:admin_or_owner",
+ "group:get_all": "rule:admin_or_owner",
+
+ "group:create_group_snapshot": "",
+ "group:delete_group_snapshot": "rule:admin_or_owner",
+ "group:update_group_snapshot": "rule:admin_or_owner",
+ "group:get_group_snapshot": "rule:admin_or_owner",
+ "group:get_all_group_snapshots": "rule:admin_or_owner",
+
+ "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
+ "message:delete": "rule:admin_or_owner",
+ "message:get": "rule:admin_or_owner",
+ "message:get_all": "rule:admin_or_owner",
+
+ "clusters:get": "rule:admin_api",
+ "clusters:get_all": "rule:admin_api",
+ "clusters:update": "rule:admin_api"
+}
diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml
new file mode 100644
index 0000000000..f731d4fcec
--- /dev/null
+++ b/cinder/templates/job-db-init.yaml
@@ -0,0 +1,36 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_init }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-db-init
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: cinder-db-init
+ image: {{ .Values.images.db_init | quote }}
+ imagePullPolicy: {{ .Values.images.pull_policy | quote }}
+ env:
+ - name: ANSIBLE_LIBRARY
+ value: /usr/share/ansible/
+ command:
+ - bash
+ - /tmp/db-init.sh
+ volumeMounts:
+ - name: dbinitsh
+ mountPath: /tmp/db-init.sh
+ subPath: db-init.sh
+ readOnly: true
+ volumes:
+ - name: dbinitsh
+ configMap:
+ name: cinder-bin
diff --git a/cinder/templates/job-db-sync.yaml b/cinder/templates/job-db-sync.yaml
new file mode 100644
index 0000000000..f38c18cfa9
--- /dev/null
+++ b/cinder/templates/job-db-sync.yaml
@@ -0,0 +1,41 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_sync }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-db-sync
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: cinder-db-sync
+ image: {{ .Values.images.db_sync }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - cinder-manage
+ args:
+ - --config-dir
+ - /etc/cinder/conf
+ - db
+ - sync
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
diff --git a/cinder/templates/job-ks-endpoints.yaml.yaml b/cinder/templates/job-ks-endpoints.yaml.yaml
new file mode 100644
index 0000000000..0d91fccf6a
--- /dev/null
+++ b/cinder/templates/job-ks-endpoints.yaml.yaml
@@ -0,0 +1,50 @@
+{{- $envAll := . }}
+{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
+{{- $dependencies := .Values.dependencies.ks_endpoints }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-ks-endpoints
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+{{- range $key1, $osServiceType := tuple "volume" "volumev2" "volumev3" }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ $osServiceType }}-ks-endpoints-{{ $osServiceEndPoint }}
+ image: {{ $envAll.Values.images.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "endpoint_type_lookup_addr" }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: ks-endpoints-sh
+ configMap:
+ name: cinder-bin
diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml
new file mode 100644
index 0000000000..52585cf0f5
--- /dev/null
+++ b/cinder/templates/job-ks-service.yaml
@@ -0,0 +1,44 @@
+{{- $envAll := . }}
+{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
+{{- $dependencies := .Values.dependencies.ks_service }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-ks-service
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+{{- range $key1, $osServiceType := tuple "volume" "volumev2" "volumev3" }}
+ - name: {{ $osServiceType }}-ks-service-registration
+ image: {{ $envAll.Values.images.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType }}
+{{- end }}
+ volumes:
+ - name: ks-service-sh
+ configMap:
+ name: cinder-bin
diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml
new file mode 100644
index 0000000000..9937ca2642
--- /dev/null
+++ b/cinder/templates/job-ks-user.yaml
@@ -0,0 +1,46 @@
+{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
+{{- $ksUserSecret := .Values.keystone.user_secret | default "cinder-env-keystone-user" }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.ks_user }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-ks-user
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: cinder-ks-user
+ image: {{ .Values.images.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "cinder"
+{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- include "env_ks_user_create_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.keystone.cinder_user_role | quote }}
+ volumes:
+ - name: ks-user-sh
+ configMap:
+ name: cinder-bin
diff --git a/cinder/templates/secret-keystone-admin.env.yaml b/cinder/templates/secret-keystone-admin.env.yaml
new file mode 100644
index 0000000000..885c58076b
--- /dev/null
+++ b/cinder/templates/secret-keystone-admin.env.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cinder-env-keystone-admin
+type: Opaque
+data:
+ OS_AUTH_URL: |
+{{ .Values.keystone.auth_url | b64enc | indent 4 }}
+ OS_REGION_NAME: |
+{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
+ OS_PROJECT_DOMAIN_NAME: |
+{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
+ OS_PROJECT_NAME: |
+{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
+ OS_USER_DOMAIN_NAME: |
+{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
+ OS_USERNAME: |
+{{ .Values.keystone.admin_user | b64enc | indent 4 }}
+ OS_PASSWORD: |
+{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/cinder/templates/secret-keystone-user.env.yaml b/cinder/templates/secret-keystone-user.env.yaml
new file mode 100644
index 0000000000..e0f5ad63af
--- /dev/null
+++ b/cinder/templates/secret-keystone-user.env.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cinder-env-keystone-user
+type: Opaque
+data:
+ OS_AUTH_URL: |
+{{ .Values.keystone.auth_url | b64enc | indent 4 }}
+ OS_REGION_NAME: |
+{{ .Values.keystone.cinder_region_name | b64enc | indent 4 }}
+ OS_PROJECT_DOMAIN_NAME: |
+{{ .Values.keystone.cinder_project_domain | b64enc | indent 4 }}
+ OS_PROJECT_NAME: |
+{{ .Values.keystone.cinder_project_name | b64enc | indent 4 }}
+ OS_USER_DOMAIN_NAME: |
+{{ .Values.keystone.cinder_user_domain | b64enc | indent 4 }}
+ OS_USERNAME: |
+{{ .Values.keystone.cinder_user | b64enc | indent 4 }}
+ OS_PASSWORD: |
+{{ .Values.keystone.cinder_password | b64enc | indent 4 }}
diff --git a/cinder/templates/service-api.yaml b/cinder/templates/service-api.yaml
new file mode 100644
index 0000000000..809211c92a
--- /dev/null
+++ b/cinder/templates/service-api.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.service.api.name }}
+spec:
+ ports:
+ - port: {{ .Values.service.api.port }}
+ selector:
+ app: cinder-api
diff --git a/cinder/values.yaml b/cinder/values.yaml
new file mode 100644
index 0000000000..120d4d484f
--- /dev/null
+++ b/cinder/values.yaml
@@ -0,0 +1,185 @@
+# Default values for keystone.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+replicas:
+ api: 1
+ volume: 1
+ scheduler: 1
+
+labels:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
+ ks_user: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ ks_service: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ ks_endpoints: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ db_init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ db_sync: quay.io/stackanetes/stackanetes-cinder-api:newton
+ api: quay.io/stackanetes/stackanetes-cinder-api:newton
+ scheduler: quay.io/stackanetes/stackanetes-cinder-scheduler:newton
+ volume: quay.io/stackanetes/stackanetes-cinder-volume:newton
+ pull_policy: "IfNotPresent"
+
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
+keystone:
+ auth_uri: "http://keystone-api:5000"
+ auth_url: "http://keystone-api:35357"
+ admin_user: "admin"
+ admin_user_domain: "default"
+ admin_password: "password"
+ admin_project_name: "admin"
+ admin_project_domain: "default"
+ admin_region_name: "RegionOne"
+
+ cinder_user: "cinder"
+ cinder_user_domain: "default"
+ cinder_user_role: "admin"
+ cinder_password: "password"
+ cinder_project_name: "service"
+ cinder_project_domain: "default"
+ cinder_region_name: "RegionOne"
+
+service:
+ api:
+ name: "cinder-api"
+ port: 8776
+ proto: "http"
+
+database:
+ address: mariadb
+ port: 3306
+ root_user: root
+ root_password: password
+ cinder_database_name: cinder
+ cinder_password: password
+ cinder_user: cinder
+
+ceph:
+ enabled: true
+ monitors: []
+ cinder_user: "admin"
+ # a null value for the keyring will
+ # attempt to use the key from
+ # common/secrets/ceph-client-key
+ cinder_keyring: null
+
+backends:
+ enabled:
+ - rbd1
+ rbd1:
+ secret: null
+ user: "admin"
+ pool: "volumes"
+
+glance:
+ proto: "http"
+ host: "glance-api"
+ port: 9292
+ version: 2
+
+messaging:
+ hosts: rabbitmq
+ user: rabbitmq
+ password: password
+
+
+api:
+ workers: 8
+
+misc:
+ debug: false
+
+dependencies:
+ db_init:
+ jobs:
+ - mariadb-seed
+ service:
+ - mariadb
+ db_sync:
+ jobs:
+ - cinder-db-init
+ service:
+ - mariadb
+ ks_user:
+ service:
+ - keystone-api
+ ks_service:
+ service:
+ - keystone-api
+ ks_endpoints:
+ jobs:
+ - cinder-ks-service
+ service:
+ - keystone-api
+ api:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ service:
+ - mariadb
+ - keystone-api
+ volume:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ service:
+ - keystone-api
+ - cinder-api
+ scheduler:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ service:
+ - keystone-api
+ - cinder-api
+
+# We use a different layout of the endpoints here to account for versioning
+# this swaps the service name and type, and should be rolled out to other
+# services.
+endpoints:
+ identity:
+ name: keystone
+ hosts:
+ default: keystone-api
+ path: /v3
+ scheme: 'http'
+ port:
+ admin: 35357
+ public: 5000
+ volume:
+ name: cinder
+ hosts:
+ default: cinder-api
+ path: '/v1/%(tenant_id)s'
+ scheme: 'http'
+ port:
+ api: 8776
+ volumev2:
+ name: cinder
+ hosts:
+ default: cinder-api
+ path: '/v2/%(tenant_id)s'
+ scheme: 'http'
+ port:
+ api: 8776
+ volumev3:
+ name: cinder
+ hosts:
+ default: cinder-api
+ path: '/v3/%(tenant_id)s'
+ scheme: 'http'
+ port:
+ api: 8776
diff --git a/common/templates/_endpoints.tpl b/common/templates/_endpoints.tpl
index 68914d6dfc..fe0a7d1888 100644
--- a/common/templates/_endpoints.tpl
+++ b/common/templates/_endpoints.tpl
@@ -87,8 +87,51 @@
{{- end -}}
{{- end -}}
+# this function returns the endpoint uri for a service, it takes an tuple
+# input in the form: service-name, endpoint-class, port-name. eg:
+# { tuple "heat" "public" "api" . | include "endpoint_addr_lookup" }
+# will return the appropriate URI. Once merged this should phase out the above.
+
+{{- define "endpoint_addr_lookup" -}}
+{{- $name := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $nameNorm := $name | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $nameNorm }}
+{{- $fqdn := $context.Release.Namespace -}}
+{{- if $context.Values.endpoints.fqdn -}}
+{{- $fqdn := $context.Values.endpoints.fqdn -}}
+{{- end -}}
+{{- with $endpointMap -}}
+{{- $endpointScheme := .scheme }}
+{{- $endpointHost := index .hosts $endpoint | default .hosts.default}}
+{{- $endpointPort := index .port $port }}
+{{- $endpointPath := .path }}
+{{- printf "%s://%s.%s:%1.f%s" $endpointScheme $endpointHost $fqdn $endpointPort $endpointPath | quote -}}
+{{- end -}}
+{{- end -}}
+
+
+#-------------------------------
+# endpoint type lookup
+#-------------------------------
+
+# this function is used in endpoint management templates
+# it returns the service type for an openstack service eg:
+# { tuple heat . | include "ks_endpoint_type" }
+# will return "orchestration"
+
+{{- define "endpoint_type_lookup" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $nameNorm := $name | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $nameNorm }}
+{{- $endpointType := index $endpointMap "type" }}
+{{- $endpointType | quote -}}
+{{- end -}}
+
#-------------------------------
# kolla helpers
#-------------------------------
{{ define "keystone_auth" }}{'auth_url':'{{ include "endpoint_keystone_internal" . }}', 'username':'{{ .Values.keystone.admin_user }}','password':'{{ .Values.keystone.admin_password }}','project_name':'{{ .Values.keystone.admin_project_name }}','domain_name':'default'}{{end}}
-
diff --git a/common/templates/_funcs.tpl b/common/templates/_funcs.tpl
index e83d171a97..115892b10d 100644
--- a/common/templates/_funcs.tpl
+++ b/common/templates/_funcs.tpl
@@ -22,3 +22,34 @@
{{- include $wtf $context | sha256sum | quote -}}
{{- end -}}
+{{- define "dep-check-init-cont" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{
+ "name": "init",
+ "image": {{ $envAll.Values.images.dep_check | quote }},
+ "imagePullPolicy": {{ $envAll.Values.images.pull_policy | quote }},
+ "env": [
+ {
+ "name": "NAMESPACE",
+ "value": "{{ $envAll.Release.Namespace }}"
+ },
+ {
+ "name": "INTERFACE_NAME",
+ "value": "eth0"
+ },
+ {
+ "name": "DEPENDENCY_SERVICE",
+ "value": "{{ include "joinListWithColon" $deps.service }}"
+ },
+ {
+ "name": "DEPENDENCY_JOBS",
+ "value": "{{ include "joinListWithColon" $deps.jobs }}"
+ },
+ {
+ "name": "COMMAND",
+ "value": "echo done"
+ }
+ ]
+}
+{{- end -}}
diff --git a/common/templates/scripts/_ks-domain-user.sh.tpl b/common/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000000..44bfd27684
--- /dev/null
+++ b/common/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,57 @@
+{{- define "common_keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/common/templates/scripts/_ks-endpoints.sh.tpl b/common/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100755
index 0000000000..1c70a499a1
--- /dev/null
+++ b/common/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,65 @@
+{{- define "common_keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} --f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/common/templates/scripts/_ks-service.sh.tpl b/common/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000000..7c6f2580f3
--- /dev/null
+++ b/common/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,37 @@
+{{- define "common_keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# If a Service ID was not found, then create the service
+if [[ -z ${OS_SERVICE_ID} ]]; then
+ OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+fi
+{{- end }}
diff --git a/common/templates/scripts/_ks-user.sh.tpl b/common/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000000..e815da3049
--- /dev/null
+++ b/common/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,60 @@
+{{- define "common_keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Display project
+openstack project show "${USER_PROJECT_ID}"
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ --project-domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Display user
+openstack user show "${USER_ID}"
+
+# Manage user role
+USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${SERVICE_OS_ROLE}");
+
+# Manage user role assignment
+openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ --project-domain="${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE}" \
+ --user-domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ --user="${USER_ID}"
+{{- end }}
diff --git a/common/templates/snippets/_ks_env_openrc.tpl b/common/templates/snippets/_ks_env_openrc.tpl
new file mode 100644
index 0000000000..140ce25c97
--- /dev/null
+++ b/common/templates/snippets/_ks_env_openrc.tpl
@@ -0,0 +1,40 @@
+{{- define "env_ks_openrc_tpl" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/common/templates/snippets/_ks_env_user_create_openrc.tpl b/common/templates/snippets/_ks_env_user_create_openrc.tpl
new file mode 100644
index 0000000000..5ce6e58077
--- /dev/null
+++ b/common/templates/snippets/_ks_env_user_create_openrc.tpl
@@ -0,0 +1,33 @@
+{{- define "env_ks_user_create_openrc_tpl" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/docs/developer/minikube.md b/docs/developer/minikube.md
index 6e1216659f..1058a984ed 100644
--- a/docs/developer/minikube.md
+++ b/docs/developer/minikube.md
@@ -1,9 +1,9 @@
# Development of Openstack-Helm
-Community development is extremely important to us. As an open source development team, we want the development of Openstack-Helm to be an easy experience. Please evaluate, and make recommendations. We want developers to feel welcomed to contribute to this project. Below are some instructions and suggestions to help you get started.
+Community development is extremely important to us. As an open source development team, we want the development of Openstack-Helm to be an easy experience. Please evaluate, and make recommendations. We want developers to feel welcome to contribute to this project. Below are some instructions and suggestions to help you get started.
# Requirements
-We've tried to minimize the amount of prerequisites required in order to get started. The main prerequisite is to install the most recent versions of Minikube and Helm.
+We've tried to minimize the number of prerequisites required in order to get started. The main prerequisite is to install the most recent versions of Minikube and Helm.
**Kubernetes Minikube:**
Ensure that you have installed a recent version of [Kubernetes/Minikube](http://kubernetes.io/docs/getting-started-guides/minikube/).
@@ -75,7 +75,7 @@ kube-system tiller-deploy-3299276078-n98ct 1/1 Running 0
With Helm installed, you will need to start a local [Helm server](https://github.com/kubernetes/helm/blob/7a15ad381eae794a36494084972e350306e498fd/docs/helm/helm_serve.md#helm-serve) (in the background), and point to a locally configured Helm [repository](https://github.com/kubernetes/helm/blob/7a15ad381eae794a36494084972e350306e498fd/docs/helm/helm_repo_index.md#helm-repo-index):
```
-$ helm serve . &
+$ helm serve &
$ helm repo add local http://localhost:8879/charts
"local" has been added to your repositories
```
@@ -107,13 +107,13 @@ Perfect! You’re ready to install, develop, deploy, destroy, and repeat (when n
# Installation and Testing
-After following the instructions above you're environment is in a state where you can enhance the current charts, or develop new charts for the project. If you need to make changes to a chart, simply re-run `make` against the project in the top-tier directory. The charts will be updated and automatically re-pushed to your local repository.
+After following the instructions above your environment is in a state where you can enhance the current charts, or develop new charts for the project. If you need to make changes to a chart, simply re-run `make` against the project in the top-tier directory. The charts will be updated and automatically re-pushed to your local repository.
Consider the following when using Minikube and development mode:
* Persistent Storage used for Minikube development mode is `hostPath`. The Ceph PVC's included with this project are not intended to work with Minikube.
* There is *no need* to install the `common` `ceph` or `bootstrap` charts. These charts are required for deploying Ceph PVC's.
-* Familiarize yourself wtih `values.yaml` included wtih the MariaDB chart. You will will want to have the `hostPath` directory created prior to deploying MariaDB.
+* Familiarize yourself with `values.yaml` included with the MariaDB chart. You will want to have the `hostPath` directory created prior to deploying MariaDB.
* If Ceph development is required, you will need to follow the [getting started guide](https://github.com/att-comdev/openstack-helm/blob/master/docs/installation/getting-started.md) rather than this development mode documentation.
To deploy Openstack-Helm in development mode, ensure you've created a minikube-approved `hostPath` volume. Minikube is very specific about what is expected for `hostPath` volumes. The following volumes are acceptable for minikube deployments:
@@ -160,20 +160,22 @@ $ helm install --name=memcached local/memcached --namespace=openstack
$ helm install --name=rabbitmq local/rabbitmq --namespace=openstack
$ helm install --name=keystone local/keystone --namespace=openstack
$ helm install --name=horizon local/horizon --namespace=openstack
+$ helm install --name=cinder local/cinder --namespace=openstack
$ helm install --name=glance local/glance --namespace=openstack
$ helm install --name=nova local/nova --namespace=openstack
$ helm install --name=neutron local/neutron --namespace=openstack
+$ helm install --name=heat local/heat --namespace=openstack
```
# Horizon Management
-After each of the chart is deployed, you may wish to change the typical service endpoint for Horizon to a `nodePort` service endpoint (this is unique to Minikube deployments). Use the `kubectl edit` command to edit this service manually.
+After each chart is deployed, you may wish to change the typical service endpoint for Horizon to a `nodePort` service endpoint (this is unique to Minikube deployments). Use the `kubectl edit` command to edit this service manually.
```
$ sudo kubectl edit svc horizon -n openstack
```
-With the deployed manifest in edit mode, you can enable `nodePort` by replicating some of the fields below (specifically, the `nodePort` lines).
+With the deployed manifest in edit mode, you can enable `nodePort` by replicating some of the fields below (specifically, the `nodePort` lines).
```
apiVersion: v1
@@ -201,7 +203,7 @@ status:
```
**Accessing Horizon:**
-*Now you're ready to manage Openstack! Point your browser to the following:*
+*Now you're ready to manage OpenStack! Point your browser to the following:*
***URL:*** *http://192.168.99.100:31537/*
***User:*** *admin*
***Pass:*** *password*
@@ -210,7 +212,7 @@ If you have any questions, comments, or find any bugs, please submit an issue so
# Troubleshooting
-In order to protect your general sanity, we've included a currated list of verification and troubleshooting steps that may help you avoid some potential issues while developing Openstack-Helm.
+In order to protect your general sanity, we've included a curated list of verification and troubleshooting steps that may help you avoid some potential issues while developing Openstack-Helm.
**MariaDB**
To verify the state of MariaDB, use the following command:
@@ -224,7 +226,7 @@ $ kubectl exec mariadb-0 -it -n openstack -- mysql -uroot -ppassword -e 'show da
| mysql |
| performance_schema |
+--------------------+
-$
+$
```
**Helm Server/Repository**
@@ -251,7 +253,7 @@ $ helm repo list
NAME URL
stable https://kubernetes-charts.storage.googleapis.com/
local http://localhost:8879/charts
-$
+$
$ helm repo remove local
```
diff --git a/glance/templates/api.yaml b/glance/templates/api.yaml
deleted file mode 100644
index 659e53a399..0000000000
--- a/glance/templates/api.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: glance-api
-spec:
- replicas: {{ .Values.replicas }}
- template:
- metadata:
- labels:
- app: glance-api
- annotations:
- pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.api.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.api.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
- ]'
- spec:
- nodeSelector:
- {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
- containers:
- - name: glance-api
- image: {{ .Values.images.api }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- command:
- - bash
- - /tmp/start.sh
- ports:
- - containerPort: {{ .Values.network.port.api }}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.network.port.api }}
- volumeMounts:
- - name: glanceapiconf
- mountPath: /etc/glance/glance-api.conf
- subPath: glance-api.conf
- - name: startsh
- mountPath: /tmp/start.sh
- subPath: start.sh
- - name: etcglance
- mountPath: /etc/glance
- - name: cephconf
- mountPath: /etc/ceph/ceph.conf
- subPath: ceph.conf
- - name: cephclientglancekeyring
- mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
- subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
- volumes:
- - name: glanceapiconf
- configMap:
- name: glance-glanceapiconf
- - name: startsh
- configMap:
- name: glance-startsh
- - name: cephconf
- configMap:
- name: glance-cephconf
- - name: cephclientglancekeyring
- configMap:
- name: glance-cephclientglancekeyring
- - name: etcglance
- emptyDir: {}
diff --git a/glance/templates/bin/_init.sh.tpl b/glance/templates/bin/_init.sh.tpl
new file mode 100644
index 0000000000..9c0daef9b4
--- /dev/null
+++ b/glance/templates/bin/_init.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -ex
+export HOME=/tmp
+
+ansible localhost -vvv -m mysql_db -a "login_host='{{ .Values.database.address }}' \
+login_port='{{ .Values.database.port }}' \
+login_user='{{ .Values.database.root_user }}' \
+login_password='{{ .Values.database.root_password }}' \
+name='{{ .Values.database.glance_database_name }}'"
+
+ansible localhost -vvv -m mysql_user -a "login_host='{{ .Values.database.address }}' \
+login_port='{{ .Values.database.port }}' \
+login_user='{{ .Values.database.root_user }}' \
+login_password='{{ .Values.database.root_password }}' \
+name='{{ .Values.database.glance_user }}' \
+password='{{ .Values.database.glance_password }}' \
+host='%' priv='{{ .Values.database.glance_database_name }}.*:ALL' append_privs='yes'"
diff --git a/glance/templates/bin/_post.sh.tpl b/glance/templates/bin/_post.sh.tpl
new file mode 100644
index 0000000000..d46e924974
--- /dev/null
+++ b/glance/templates/bin/_post.sh.tpl
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -ex
+export HOME=/tmp
+
+ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
+service_type=image \
+description='Openstack Image' \
+endpoint_region='{{ .Values.keystone.glance_region_name }}' \
+url='{{ include "endpoint_glance_api_internal" . }}' \
+interface=admin \
+region_name='{{ .Values.keystone.admin_region_name }}' \
+auth='{{ include "keystone_auth" . }}'" \
+-e "{'openstack_glance_auth': {{ include "keystone_auth" . }}}"
+
+ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
+service_type=image \
+description='Openstack Image' \
+endpoint_region='{{ .Values.keystone.glance_region_name }}' \
+url='{{ include "endpoint_glance_api_internal" . }}' \
+interface=internal \
+region_name='{{ .Values.keystone.admin_region_name }}' \
+auth='{{ include "keystone_auth" . }}'" \
+-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
+
+ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
+service_type=image \
+description='Openstack Image' \
+endpoint_region='{{ .Values.keystone.glance_region_name }}' \
+url='{{ include "endpoint_glance_api_internal" . }}' \
+interface=public \
+region_name='{{ .Values.keystone.admin_region_name }}' \
+auth='{{ include "keystone_auth" . }}'" \
+-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
+
+ansible localhost -vvv -m kolla_keystone_user -a "project=service \
+user={{ .Values.keystone.glance_user }} \
+password={{ .Values.keystone.glance_password }} \
+role=admin \
+region_name={{ .Values.keystone.admin_region_name }} \
+auth='{{ include "keystone_auth" . }}'" \
+-e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
+
diff --git a/glance/templates/ceph.client.glance.keyring.yaml b/glance/templates/ceph.client.glance.keyring.yaml
deleted file mode 100644
index 915324809b..0000000000
--- a/glance/templates/ceph.client.glance.keyring.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-cephclientglancekeyring
-data:
- ceph.client.{{ .Values.ceph.glance_user }}.keyring: |+
- [client.{{ .Values.ceph.glance_user }}]
- {{- if .Values.ceph.glance_keyring }}
- key = {{ .Values.ceph.glance_keyring }}
- {{- else }}
- key = {{- include "secrets/ceph-client-key" . -}}
- {{- end }}
-
diff --git a/glance/templates/ceph.conf.yaml b/glance/templates/ceph.conf.yaml
deleted file mode 100644
index 3c3aed3074..0000000000
--- a/glance/templates/ceph.conf.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-cephconf
-data:
- ceph.conf: |+
- [global]
- rgw_thread_pool_size = 1024
- rgw_num_rados_handles = 100
- {{- if .Values.ceph.monitors }}
- [mon]
- {{ range .Values.ceph.monitors }}
- [mon.{{ . }}]
- host = {{ . }}
- mon_addr = {{ . }}
- {{ end }}
- {{- else }}
- mon_host = ceph-mon.ceph
- {{- end }}
- [client]
- rbd_cache_enabled = true
- rbd_cache_writethrough_until_flush = true
-
diff --git a/glance/templates/configmap-bin.yaml b/glance/templates/configmap-bin.yaml
new file mode 100644
index 0000000000..fe1e9d9858
--- /dev/null
+++ b/glance/templates/configmap-bin.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: glance-bin
+data:
+ init.sh: |+
+{{ tuple "bin/_init.sh.tpl" . | include "template" | indent 4 }}
+ post.sh: |+
+{{ tuple "bin/_post.sh.tpl" . | include "template" | indent 4 }}
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
new file mode 100644
index 0000000000..ae34308b9a
--- /dev/null
+++ b/glance/templates/configmap-etc.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: glance-etc
+data:
+ ceph.conf: |+
+{{ tuple "etc/_ceph.conf.tpl" . | include "template" | indent 4 }}
+ ceph.client.{{ .Values.ceph.glance_user }}.keyring: |+
+{{ tuple "etc/_ceph.client.glance.keyring.tpl" . | include "template" | indent 4 }}
+ glance-api.conf: |+
+{{ tuple "etc/_glance-api.conf.tpl" . | include "template" | indent 4 }}
+ glance-api-paste.ini: |+
+{{ tuple "etc/_glance-api-paste.ini.tpl" . | include "template" | indent 4 }}
+ glance-registry.conf: |+
+{{ tuple "etc/_glance-registry.conf.tpl" . | include "template" | indent 4 }}
+ glance-registry-paste.ini: |+
+{{ tuple "etc/_glance-registry-paste.ini.tpl" . | include "template" | indent 4 }}
+ policy.json: |+
+{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
diff --git a/glance/templates/db-sync.sh.yaml b/glance/templates/db-sync.sh.yaml
deleted file mode 100644
index 78a95b4cd4..0000000000
--- a/glance/templates/db-sync.sh.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-dbsyncsh
-data:
- db-sync.sh: |+
- #!/bin/bash
- set -ex
-
- glance-manage db_sync
diff --git a/glance/templates/db-sync.yaml b/glance/templates/db-sync.yaml
deleted file mode 100644
index 1b65da9e1e..0000000000
--- a/glance/templates/db-sync.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: glance-db-sync
-spec:
- template:
- metadata:
- annotations:
- pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
- ]'
- spec:
- restartPolicy: OnFailure
- containers:
- - name: glance-db-sync
- image: {{ .Values.images.db_sync }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- command:
- - bash
- - /tmp/db-sync.sh
- volumeMounts:
- - name: glanceapiconf
- mountPath: /etc/glance/glance-api.conf
- subPath: glance-api.conf
- - name: dbsyncsh
- mountPath: /tmp/db-sync.sh
- subPath: db-sync.sh
- volumes:
- - name: glanceapiconf
- configMap:
- name: glance-glanceapiconf
- - name: dbsyncsh
- configMap:
- name: glance-dbsyncsh
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
new file mode 100644
index 0000000000..e4431c0460
--- /dev/null
+++ b/glance/templates/deployment-api.yaml
@@ -0,0 +1,98 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.api }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: glance-api
+spec:
+{{- if .Values.development.enabled }}
+ replicas: 1
+{{- else }}
+ replicas: {{ .Values.replicas.api }}
+{{- end }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: glance-api
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: glance-api
+ image: {{ .Values.images.api }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - glance-api
+ - --config-file
+ - /etc/glance/glance-api.conf
+ ports:
+ - containerPort: {{ .Values.network.port.api }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.network.port.api }}
+ volumeMounts:
+ - name: etcglance
+ mountPath: /etc/glance
+ - name: glanceapiconf
+ mountPath: /etc/glance/glance-api.conf
+ subPath: glance-api.conf
+ readOnly: true
+ - name: glanceapipaste
+ mountPath: /etc/glance/glance-api-paste.ini
+ subPath: glance-api-paste.ini
+ readOnly: true
+ - name: glancepolicy
+ mountPath: /etc/glance/policy.json
+ subPath: policy.json
+ readOnly: true
+{{- if .Values.development.enabled }}
+ - name: glance-data
+ mountPath: /var/lib/glance/images
+{{- else }}
+ - name: cephconf
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: cephclientglancekeyring
+ mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
+ subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: glanceapiconf
+ configMap:
+ name: glance-etc
+ - name: glanceapipaste
+ configMap:
+ name: glance-etc
+{{- if .Values.development.enabled }}
+ - name: glance-data
+ hostPath:
+ path: {{ .Values.development.storage_path }}
+{{- else }}
+ - name: cephconf
+ configMap:
+ name: glance-etc
+ - name: cephclientglancekeyring
+ configMap:
+ name: glance-etc
+{{- end }}
+ - name: etcglance
+ emptyDir: {}
+ - name: glancepolicy
+ configMap:
+ name: glance-etc
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
new file mode 100644
index 0000000000..3df9090a0e
--- /dev/null
+++ b/glance/templates/deployment-registry.yaml
@@ -0,0 +1,65 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.registry }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: glance-registry
+spec:
+{{- if .Values.development.enabled }}
+ replicas: 1
+{{- else }}
+ replicas: {{ .Values.replicas.registry }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+ app: glance-registry
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: glance-registry
+ image: {{ .Values.images.registry }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - glance-registry
+ - --config-file
+ - /etc/glance/glance-registry.conf
+ ports:
+ - containerPort: {{ .Values.network.port.registry }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.network.port.registry }}
+ volumeMounts:
+ - name: etcglance
+ mountPath: /etc/glance
+ - name: glanceregistryconf
+ mountPath: /etc/glance/glance-registry.conf
+ subPath: glance-registry.conf
+ readOnly: true
+ - name: glanceregistrypaste
+ mountPath: /etc/glance/glance-registry-paste.ini
+ subPath: glance-registry-paste.ini
+ readOnly: true
+ - name: glancepolicy
+ mountPath: /etc/glance/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: etcglance
+ emptyDir: {}
+ - name: glanceregistryconf
+ configMap:
+ name: glance-etc
+ - name: glanceregistrypaste
+ configMap:
+ name: glance-etc
+ - name: glancepolicy
+ configMap:
+ name: glance-etc
diff --git a/glance/templates/etc/_ceph.client.glance.keyring.tpl b/glance/templates/etc/_ceph.client.glance.keyring.tpl
new file mode 100644
index 0000000000..4f625b2ba6
--- /dev/null
+++ b/glance/templates/etc/_ceph.client.glance.keyring.tpl
@@ -0,0 +1,6 @@
+[client.{{ .Values.ceph.glance_user }}]
+{{- if .Values.ceph.glance_keyring }}
+ key = {{ .Values.ceph.glance_keyring }}
+{{- else }}
+ key = {{- include "secrets/ceph-client-key" . -}}
+{{- end }}
diff --git a/glance/templates/etc/_ceph.conf.tpl b/glance/templates/etc/_ceph.conf.tpl
new file mode 100644
index 0000000000..7d2576bf65
--- /dev/null
+++ b/glance/templates/etc/_ceph.conf.tpl
@@ -0,0 +1,16 @@
+[global]
+rgw_thread_pool_size = 1024
+rgw_num_rados_handles = 100
+{{- if .Values.ceph.monitors }}
+[mon]
+{{ range .Values.ceph.monitors }}
+ [mon.{{ . }}]
+ host = {{ . }}
+ mon_addr = {{ . }}
+{{ end }}
+{{- else }}
+mon_host = ceph-mon.ceph
+{{- end }}
+[client]
+ rbd_cache_enabled = true
+ rbd_cache_writethrough_until_flush = true
diff --git a/glance/templates/etc/_glance-api-paste.ini.tpl b/glance/templates/etc/_glance-api-paste.ini.tpl
new file mode 100644
index 0000000000..687902743a
--- /dev/null
+++ b/glance/templates/etc/_glance-api-paste.ini.tpl
@@ -0,0 +1,90 @@
+# Use this pipeline for no auth or image caching - DEFAULT
+[pipeline:glance-api]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
+
+# Use this pipeline for image caching and no auth
+[pipeline:glance-api-caching]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
+
+# Use this pipeline for caching w/ management interface but no auth
+[pipeline:glance-api-cachemanagement]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-api-keystone]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
+
+# Use this pipeline for keystone auth with image caching
+[pipeline:glance-api-keystone+caching]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
+
+# Use this pipeline for keystone auth with caching and cache management
+[pipeline:glance-api-keystone+cachemanagement]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+
+# Use this pipeline for authZ only. This means that the registry will treat a
+# user as authenticated without making requests to keystone to reauthenticate
+# the user.
+[pipeline:glance-api-trusted-auth]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
+
+# Use this pipeline for authZ only. This means that the registry will treat a
+# user as authenticated without making requests to keystone to reauthenticate
+# the user and uses cache management
+[pipeline:glance-api-trusted-auth+cachemanagement]
+pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
+
+[composite:rootapp]
+paste.composite_factory = glance.api:root_app_factory
+/: apiversions
+/v1: apiv1app
+/v2: apiv2app
+
+[app:apiversions]
+paste.app_factory = glance.api.versions:create_resource
+
+[app:apiv1app]
+paste.app_factory = glance.api.v1.router:API.factory
+
+[app:apiv2app]
+paste.app_factory = glance.api.v2.router:API.factory
+
+[filter:healthcheck]
+paste.filter_factory = oslo_middleware:Healthcheck.factory
+backends = disable_by_file
+disable_by_file_path = /etc/glance/healthcheck_disable
+
+[filter:versionnegotiation]
+paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
+
+[filter:cache]
+paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
+
+[filter:cachemanage]
+paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+delay_auth_decision = true
+
+[filter:gzip]
+paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = SECRET_KEY #DEPRECATED
+enabled = yes #DEPRECATED
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = glance
+oslo_config_program = glance-api
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
diff --git a/glance/templates/etc/_glance-api.conf.tpl b/glance/templates/etc/_glance-api.conf.tpl
new file mode 100644
index 0000000000..84134e653a
--- /dev/null
+++ b/glance/templates/etc/_glance-api.conf.tpl
@@ -0,0 +1,44 @@
+[DEFAULT]
+debug = {{ .Values.misc.debug }}
+use_syslog = False
+use_stderr = True
+
+bind_port = {{ .Values.network.port.api }}
+workers = {{ .Values.misc.workers }}
+registry_host = glance-registry
+# Enable Copy-on-Write
+show_image_direct_url = True
+
+[database]
+connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
+max_retries = -1
+
+[keystone_authtoken]
+auth_uri = {{ .Values.keystone.auth_uri }}
+auth_url = {{ .Values.keystone.auth_url }}
+auth_type = password
+project_domain_id = default
+user_domain_id = default
+project_name = service
+username = {{ .Values.keystone.glance_user }}
+password = {{ .Values.keystone.glance_password }}
+
+[paste_deploy]
+flavor = keystone
+
+[oslo_messaging_notifications]
+driver = noop
+
+[glance_store]
+filesystem_store_datadir = /var/lib/glance/images/
+{{- if .Values.development.enabled }}
+stores = file, http
+default_store = file
+{{- else }}
+stores = file, http, rbd
+default_store = rbd
+rbd_store_pool = {{ .Values.ceph.glance_pool }}
+rbd_store_user = {{ .Values.ceph.glance_user }}
+rbd_store_ceph_conf = /etc/ceph/ceph.conf
+rbd_store_chunk_size = 8
+{{- end }}
diff --git a/glance/templates/etc/_glance-registry-paste.ini.tpl b/glance/templates/etc/_glance-registry-paste.ini.tpl
new file mode 100644
index 0000000000..492dbc6f53
--- /dev/null
+++ b/glance/templates/etc/_glance-registry-paste.ini.tpl
@@ -0,0 +1,35 @@
+# Use this pipeline for no auth - DEFAULT
+[pipeline:glance-registry]
+pipeline = healthcheck osprofiler unauthenticated-context registryapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-registry-keystone]
+pipeline = healthcheck osprofiler authtoken context registryapp
+
+# Use this pipeline for authZ only. This means that the registry will treat a
+# user as authenticated without making requests to keystone to reauthenticate
+# the user.
+[pipeline:glance-registry-trusted-auth]
+pipeline = healthcheck osprofiler context registryapp
+
+[app:registryapp]
+paste.app_factory = glance.registry.api:API.factory
+
+[filter:healthcheck]
+paste.filter_factory = oslo_middleware:Healthcheck.factory
+backends = disable_by_file
+disable_by_file_path = /etc/glance/healthcheck_disable
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = SECRET_KEY #DEPRECATED
+enabled = yes #DEPRECATED
diff --git a/glance/templates/etc/_glance-registry.conf.tpl b/glance/templates/etc/_glance-registry.conf.tpl
new file mode 100644
index 0000000000..9e4df8d9c1
--- /dev/null
+++ b/glance/templates/etc/_glance-registry.conf.tpl
@@ -0,0 +1,26 @@
+[DEFAULT]
+debug = {{ .Values.misc.debug }}
+use_syslog = False
+use_stderr = True
+bind_port = {{ .Values.network.port.registry }}
+workers = {{ .Values.misc.workers }}
+
+[database]
+connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
+max_retries = -1
+
+[keystone_authtoken]
+auth_uri = {{ .Values.keystone.auth_uri }}
+auth_url = {{ .Values.keystone.auth_url }}
+auth_type = password
+project_domain_id = default
+user_domain_id = default
+project_name = service
+username = {{ .Values.keystone.glance_user }}
+password = {{ .Values.keystone.glance_password }}
+
+[paste_deploy]
+flavor = keystone
+
+[oslo_messaging_notifications]
+driver = noop
diff --git a/glance/templates/etc/_policy.json.tpl b/glance/templates/etc/_policy.json.tpl
new file mode 100644
index 0000000000..0a058c1c5d
--- /dev/null
+++ b/glance/templates/etc/_policy.json.tpl
@@ -0,0 +1,61 @@
+{
+ "context_is_admin": "role:admin",
+ "default": "role:admin",
+
+ "add_image": "",
+ "delete_image": "",
+ "get_image": "",
+ "get_images": "",
+ "modify_image": "",
+ "publicize_image": "role:admin",
+ "copy_from": "",
+
+ "download_image": "",
+ "upload_image": "",
+
+ "delete_image_location": "",
+ "get_image_location": "",
+ "set_image_location": "",
+
+ "add_member": "",
+ "delete_member": "",
+ "get_member": "",
+ "get_members": "",
+ "modify_member": "",
+
+ "manage_image_cache": "role:admin",
+
+ "get_task": "role:admin",
+ "get_tasks": "role:admin",
+ "add_task": "role:admin",
+ "modify_task": "role:admin",
+
+ "deactivate": "",
+ "reactivate": "",
+
+ "get_metadef_namespace": "",
+ "get_metadef_namespaces":"",
+ "modify_metadef_namespace":"",
+ "add_metadef_namespace":"",
+
+ "get_metadef_object":"",
+ "get_metadef_objects":"",
+ "modify_metadef_object":"",
+ "add_metadef_object":"",
+
+ "list_metadef_resource_types":"",
+ "get_metadef_resource_type":"",
+ "add_metadef_resource_type_association":"",
+
+ "get_metadef_property":"",
+ "get_metadef_properties":"",
+ "modify_metadef_property":"",
+ "add_metadef_property":"",
+
+ "get_metadef_tag":"",
+ "get_metadef_tags":"",
+ "modify_metadef_tag":"",
+ "add_metadef_tag":"",
+ "add_metadef_tags":""
+
+}
diff --git a/glance/templates/glance-api.conf.yaml b/glance/templates/glance-api.conf.yaml
deleted file mode 100644
index ee61d333ec..0000000000
--- a/glance/templates/glance-api.conf.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-glanceapiconf
-data:
- glance-api.conf: |+
- [DEFAULT]
- debug = {{ .Values.misc.debug }}
- use_syslog = False
- use_stderr = True
-
- bind_port = {{ .Values.network.port.api }}
-
- workers = {{ .Values.misc.workers }}
- registry_host = {{ include "glance_registry_host" . }}
-
- # Enable Copy-on-Write
- show_image_direct_url = True
-
- [database]
- connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
- max_retries = -1
-
- [keystone_authtoken]
- auth_uri = {{ .Values.keystone.auth_uri }}
- auth_url = {{ .Values.keystone.auth_url }}
- auth_type = password
- project_domain_id = default
- user_domain_id = default
- project_name = service
- username = {{ .Values.keystone.glance_user }}
- password = {{ .Values.keystone.glance_password }}
-
- [paste_deploy]
- flavor = keystone
-
- [oslo_messaging_notifications]
- driver = noop
-
- [glance_store]
- filesystem_store_datadir = /var/lib/glance/images/
- stores = file, http, rbd
- default_store = rbd
- rbd_store_pool = {{ .Values.ceph.glance_pool }}
- rbd_store_user = {{ .Values.ceph.glance_user }}
- rbd_store_ceph_conf = /etc/ceph/ceph.conf
- rbd_store_chunk_size = 8
-
diff --git a/glance/templates/glance-registry.conf.yaml b/glance/templates/glance-registry.conf.yaml
deleted file mode 100644
index 81629caa46..0000000000
--- a/glance/templates/glance-registry.conf.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-glanceregistryconf
-data:
- glance-registry.conf: |+
- [DEFAULT]
- debug = {{ .Values.misc.debug }}
- use_syslog = False
- use_stderr = True
-
- bind_port = {{ .Values.network.port.registry }}
-
- workers = {{ .Values.misc.workers }}
-
- [database]
- connection = mysql+pymysql://{{ .Values.database.glance_user }}:{{ .Values.database.glance_password }}@{{ .Values.database.address }}/{{ .Values.database.glance_database_name }}
- max_retries = -1
-
- [keystone_authtoken]
- auth_uri = {{ .Values.keystone.auth_uri }}
- auth_url = {{ .Values.keystone.auth_url }}
- auth_type = password
- project_domain_id = default
- user_domain_id = default
- project_name = service
- username = {{ .Values.keystone.glance_user }}
- password = {{ .Values.keystone.glance_password }}
-
- [paste_deploy]
- flavor = keystone
-
- [oslo_messaging_notifications]
- driver = noop
diff --git a/glance/templates/init.sh.yaml b/glance/templates/init.sh.yaml
deleted file mode 100644
index 8605f7c544..0000000000
--- a/glance/templates/init.sh.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-initsh
-data:
- init.sh: |+
- #!/bin/bash
- set -ex
- export HOME=/tmp
-
- ansible localhost -vvv -m mysql_db -a "login_host='{{ .Values.database.address }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.glance_database_name }}'"
- ansible localhost -vvv -m mysql_user -a "login_host='{{ .Values.database.address }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.glance_user }}' password='{{ .Values.database.glance_password }}' host='%' priv='{{ .Values.database.glance_database_name }}.*:ALL' append_privs='yes'"
diff --git a/glance/templates/init.yaml b/glance/templates/init.yaml
deleted file mode 100644
index 5d8baa0c35..0000000000
--- a/glance/templates/init.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: glance-init
-spec:
- template:
- metadata:
- annotations:
- pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.init.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.init.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
- ]'
- spec:
- restartPolicy: OnFailure
- containers:
- - name: glance-init
- image: {{ .Values.images.init }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- env:
- - name: ANSIBLE_LIBRARY
- value: /usr/share/ansible/
- command:
- - bash
- - /tmp/init.sh
- volumeMounts:
- - name: initsh
- mountPath: /tmp/init.sh
- subPath: init.sh
- volumes:
- - name: initsh
- configMap:
- name: glance-initsh
diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml
new file mode 100644
index 0000000000..6cd0dd9b6c
--- /dev/null
+++ b/glance/templates/job-db-sync.yaml
@@ -0,0 +1,32 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_sync }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: glance-db-sync
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: glance-db-sync
+ image: {{ .Values.images.db_sync }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - glance-manage
+ - db_sync
+ volumeMounts:
+ - name: glanceapiconf
+ mountPath: /etc/glance/glance-api.conf
+ subPath: glance-api.conf
+ volumes:
+ - name: glanceapiconf
+ configMap:
+ name: glance-etc
diff --git a/glance/templates/job-init.yaml b/glance/templates/job-init.yaml
new file mode 100644
index 0000000000..2fd28805eb
--- /dev/null
+++ b/glance/templates/job-init.yaml
@@ -0,0 +1,35 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.init }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: glance-init
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: glance-init
+ image: {{ .Values.images.init }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ env:
+ - name: ANSIBLE_LIBRARY
+ value: /usr/share/ansible/
+ command:
+ - bash
+ - /tmp/init.sh
+ volumeMounts:
+ - name: initsh
+ mountPath: /tmp/init.sh
+ subPath: init.sh
+ volumes:
+ - name: initsh
+ configMap:
+ name: glance-bin
diff --git a/glance/templates/job-post.yaml b/glance/templates/job-post.yaml
new file mode 100644
index 0000000000..da362afe25
--- /dev/null
+++ b/glance/templates/job-post.yaml
@@ -0,0 +1,35 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.post }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: glance-post
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ restartPolicy: OnFailure
+ containers:
+ - name: glance-post
+ image: {{ .Values.images.post }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/post.sh
+ volumeMounts:
+ - name: postsh
+ mountPath: /tmp/post.sh
+ subPath: post.sh
+ env:
+ - name: ANSIBLE_LIBRARY
+ value: /usr/share/ansible/
+ volumes:
+ - name: postsh
+ configMap:
+ name: glance-bin
diff --git a/glance/templates/post.sh.yaml b/glance/templates/post.sh.yaml
deleted file mode 100644
index 156b60d605..0000000000
--- a/glance/templates/post.sh.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-postsh
-data:
- post.sh: |+
- #!/bin/bash
- set -ex
- export HOME=/tmp
-
- ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
- service_type=image \
- description='Openstack Image' \
- endpoint_region='{{ .Values.keystone.glance_region_name }}' \
- url='{{ include "endpoint_glance_api_internal" . }}' \
- interface=admin \
- region_name='{{ .Values.keystone.admin_region_name }}' \
- auth='{{ include "keystone_auth" . }}'" \
- -e "{'openstack_glance_auth': {{ include "keystone_auth" . }}}"
-
- ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
- service_type=image \
- description='Openstack Image' \
- endpoint_region='{{ .Values.keystone.glance_region_name }}' \
- url='{{ include "endpoint_glance_api_internal" . }}' \
- interface=internal \
- region_name='{{ .Values.keystone.admin_region_name }}' \
- auth='{{ include "keystone_auth" . }}'" \
- -e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
-
- ansible localhost -vvv -m kolla_keystone_service -a "service_name=glance \
- service_type=image \
- description='Openstack Image' \
- endpoint_region='{{ .Values.keystone.glance_region_name }}' \
- url='{{ include "endpoint_glance_api_internal" . }}' \
- interface=public \
- region_name='{{ .Values.keystone.admin_region_name }}' \
- auth='{{ include "keystone_auth" . }}'" \
- -e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
-
- ansible localhost -vvv -m kolla_keystone_user -a "project=service \
- user={{ .Values.keystone.glance_user }} \
- password={{ .Values.keystone.glance_password }} \
- role=admin \
- region_name={{ .Values.keystone.admin_region_name }} \
- auth='{{ include "keystone_auth" . }}'" \
- -e "{ 'openstack_glance_auth': {{ include "keystone_auth" . }} }"
-
diff --git a/glance/templates/post.yaml b/glance/templates/post.yaml
deleted file mode 100644
index 4fe1c195bf..0000000000
--- a/glance/templates/post.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: glance-post
-spec:
- template:
- metadata:
- annotations:
- pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.post.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.post.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
- ]'
- spec:
- nodeSelector:
- {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
- restartPolicy: OnFailure
- containers:
- - name: glance-post
- image: {{ .Values.images.post }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- command:
- - bash
- - /tmp/post.sh
- volumeMounts:
- - name: postsh
- mountPath: /tmp/post.sh
- subPath: post.sh
- env:
- - name: ANSIBLE_LIBRARY
- value: /usr/share/ansible/
- volumes:
- - name: postsh
- configMap:
- name: glance-postsh
-
diff --git a/glance/templates/registry.yaml b/glance/templates/registry.yaml
deleted file mode 100644
index 998d64ad32..0000000000
--- a/glance/templates/registry.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: glance-registry
-spec:
- replicas: {{ .Values.replicas }}
- template:
- metadata:
- labels:
- app: glance-registry
- annotations:
- pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "quay.io/stackanetes/kubernetes-entrypoint:v0.1.0",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.registry.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.registry.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
- ]'
- spec:
- nodeSelector:
- {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
- containers:
- - name: glance-registry
- image: {{ .Values.images.registry }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- command:
- - glance-registry
- ports:
- - containerPort: {{ .Values.network.port.registry }}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.network.port.registry }}
- volumeMounts:
- - name: glanceregistryconf
- mountPath: /etc/glance/glance-registry.conf
- subPath: glance-registry.conf
- volumes:
- - name: glanceregistryconf
- configMap:
- name: glance-glanceregistryconf
diff --git a/glance/templates/start.sh.yaml b/glance/templates/start.sh.yaml
deleted file mode 100644
index e9b3d40ec9..0000000000
--- a/glance/templates/start.sh.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: glance-startsh
-data:
- start.sh: |+
- #!/bin/bash
- set -ex
-
- cp `find / -not -path "/etc/*" -name glance-api-paste.ini` /etc/glance/
-
- glance-api
diff --git a/glance/values.yaml b/glance/values.yaml
index a94a1bcc1c..d10670fea6 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -3,7 +3,13 @@
# Declare name/value pairs to be passed into your templates.
# name: value
-replicas: 1
+replicas:
+ api: 1
+ registry: 1
+
+development:
+ enabled: false
+ storage_path: /data/openstack-helm/glance/images
labels:
node_selector_key: openstack-control-plane
@@ -15,8 +21,16 @@ images:
init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
registry: quay.io/stackanetes/stackanetes-glance-registry:newton
post: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
pull_policy: "IfNotPresent"
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
keystone:
auth_uri: "http://keystone-api:5000"
auth_url: "http://keystone-api:35357"
diff --git a/heat/Chart.yaml b/heat/Chart.yaml
new file mode 100644
index 0000000000..65c0ea4b74
--- /dev/null
+++ b/heat/Chart.yaml
@@ -0,0 +1,3 @@
+description: A Helm chart for heat
+name: heat
+version: 0.1.0
diff --git a/heat/requirements.yaml b/heat/requirements.yaml
new file mode 100644
index 0000000000..2350b1facb
--- /dev/null
+++ b/heat/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+ - name: common
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/heat/templates/bin/_db-init.sh.tpl b/heat/templates/bin/_db-init.sh.tpl
new file mode 100644
index 0000000000..ba1c302c03
--- /dev/null
+++ b/heat/templates/bin/_db-init.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -ex
+export HOME=/tmp
+
+ansible localhost -vvv \
+ -m mysql_db -a "login_host='{{ .Values.database.address }}' \
+ login_port='{{ .Values.database.port }}' \
+ login_user='{{ .Values.database.root_user }}' \
+ login_password='{{ .Values.database.root_password }}' \
+ name='{{ .Values.database.heat_database_name }}'"
+
+ansible localhost -vvv \
+ -m mysql_user -a "login_host='{{ .Values.database.address }}' \
+ login_port='{{ .Values.database.port }}' \
+ login_user='{{ .Values.database.root_user }}' \
+ login_password='{{ .Values.database.root_password }}' \
+ name='{{ .Values.database.heat_user }}' \
+ password='{{ .Values.database.heat_password }}' \
+ host='%' \
+ priv='{{ .Values.database.heat_database_name }}.*:ALL' \
+ append_privs='yes'"
diff --git a/heat/templates/configmap-bin.yaml b/heat/templates/configmap-bin.yaml
new file mode 100644
index 0000000000..27da8c6947
--- /dev/null
+++ b/heat/templates/configmap-bin.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: heat-bin
+data:
+ db-init.sh: |+
+{{ tuple "bin/_db-init.sh.tpl" . | include "template" | indent 4 }}
+ ks-service.sh: |+
+{{- include "common_keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |+
+{{- include "common_keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |+
+{{- include "common_keystone_user" . | indent 4 }}
+ ks-domain-user.sh: |+
+{{- include "common_keystone_domain_user" . | indent 4 }}
diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
new file mode 100644
index 0000000000..c3039714c8
--- /dev/null
+++ b/heat/templates/configmap-etc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: heat-etc
+data:
+ heat.conf: |+
+{{ tuple "etc/_heat.conf.tpl" . | include "template" | indent 4 }}
+ api-paste.ini: |+
+{{ tuple "etc/_heat-api-paste.ini.tpl" . | include "template" | indent 4 }}
+ policy.json: |+
+{{ tuple "etc/_heat-policy.json.tpl" . | include "template" | indent 4 }}
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
new file mode 100755
index 0000000000..2b2d4d5b18
--- /dev/null
+++ b/heat/templates/deployment-api.yaml
@@ -0,0 +1,63 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.api }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: heat-api
+spec:
+ replicas: {{ .Values.replicas.api }}
+ template:
+ metadata:
+ labels:
+ app: heat-api
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-api
+ image: {{ .Values.images.api }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - heat-api
+ - --config-dir
+ - /etc/heat/conf
+ ports:
+ - containerPort: {{ .Values.service.api.port }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.api.port }}
+ volumeMounts:
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: pod-var-cache-heat
+ mountPath: /var/cache/heat
+ - name: heatconf
+ mountPath: /etc/heat/conf/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ - name: heatpaste
+ mountPath: /etc/heat/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: heatpolicy
+ mountPath: /etc/heat/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: pod-var-cache-heat
+ emptyDir: {}
+ - name: heatconf
+ configMap:
+ name: heat-etc
+ - name: heatpaste
+ configMap:
+ name: heat-etc
+ - name: heatpolicy
+ configMap:
+ name: heat-etc
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
new file mode 100644
index 0000000000..d90355513d
--- /dev/null
+++ b/heat/templates/deployment-cfn.yaml
@@ -0,0 +1,63 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.cfn }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: heat-cfn
+spec:
+ replicas: {{ .Values.replicas.cfn }}
+ template:
+ metadata:
+ labels:
+ app: heat-cfn
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-cfn
+ image: {{ .Values.images.cfn }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - heat-api-cfn
+ - --config-dir
+ - /etc/heat/conf
+ ports:
+ - containerPort: {{ .Values.service.cfn.port }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.cfn.port }}
+ volumeMounts:
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: pod-var-cache-heat
+ mountPath: /var/cache/heat
+ - name: heatconf
+ mountPath: /etc/heat/conf/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ - name: heatpaste
+ mountPath: /etc/heat/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: heatpolicy
+ mountPath: /etc/heat/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: pod-var-cache-heat
+ emptyDir: {}
+ - name: heatconf
+ configMap:
+ name: heat-etc
+ - name: heatpaste
+ configMap:
+ name: heat-etc
+ - name: heatpolicy
+ configMap:
+ name: heat-etc
diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml
new file mode 100644
index 0000000000..ccb6647980
--- /dev/null
+++ b/heat/templates/deployment-cloudwatch.yaml
@@ -0,0 +1,63 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.cloudwatch }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: heat-cloudwatch
+spec:
+ replicas: {{ .Values.replicas.cloudwatch }}
+ template:
+ metadata:
+ labels:
+ app: heat-cloudwatch
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-cloudwatch
+ image: {{ .Values.images.cloudwatch }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - heat-api-cloudwatch
+ - --config-dir
+ - /etc/heat/conf
+ ports:
+ - containerPort: {{ .Values.service.cloudwatch.port }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.cloudwatch.port }}
+ volumeMounts:
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: pod-var-cache-heat
+ mountPath: /var/cache/heat
+ - name: heatconf
+ mountPath: /etc/heat/conf/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ - name: heatpaste
+ mountPath: /etc/heat/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: heatpolicy
+ mountPath: /etc/heat/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: pod-var-cache-heat
+ emptyDir: {}
+ - name: heatconf
+ configMap:
+ name: heat-etc
+ - name: heatpaste
+ configMap:
+ name: heat-etc
+ - name: heatpolicy
+ configMap:
+ name: heat-etc
diff --git a/heat/templates/etc/_heat-api-paste.ini.tpl b/heat/templates/etc/_heat-api-paste.ini.tpl
new file mode 100644
index 0000000000..ad6501e662
--- /dev/null
+++ b/heat/templates/etc/_heat-api-paste.ini.tpl
@@ -0,0 +1,104 @@
+# heat-api pipeline
+[pipeline:heat-api]
+pipeline = cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken context apiv1app
+
+# heat-api pipeline for standalone heat
+# ie. uses alternative auth backend that authenticates users against keystone
+# using username and password instead of validating token (which requires
+# an admin/service token).
+# To enable, in heat.conf:
+# [paste_deploy]
+# flavor = standalone
+#
+[pipeline:heat-api-standalone]
+pipeline = cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
+
+# heat-api pipeline for custom cloud backends
+# i.e. in heat.conf:
+# [paste_deploy]
+# flavor = custombackend
+#
+[pipeline:heat-api-custombackend]
+pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
+
+# heat-api-cfn pipeline
+[pipeline:heat-api-cfn]
+pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
+
+# heat-api-cfn pipeline for standalone heat
+# relies exclusively on authenticating with ec2 signed requests
+[pipeline:heat-api-cfn-standalone]
+pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app
+
+# heat-api-cloudwatch pipeline
+[pipeline:heat-api-cloudwatch]
+pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
+
+# heat-api-cloudwatch pipeline for standalone heat
+# relies exclusively on authenticating with ec2 signed requests
+[pipeline:heat-api-cloudwatch-standalone]
+pipeline = cors versionnegotiation ec2authtoken context apicwapp
+
+[app:apiv1app]
+paste.app_factory = heat.common.wsgi:app_factory
+heat.app_factory = heat.api.openstack.v1:API
+
+[app:apicfnv1app]
+paste.app_factory = heat.common.wsgi:app_factory
+heat.app_factory = heat.api.cfn.v1:API
+
+[app:apicwapp]
+paste.app_factory = heat.common.wsgi:app_factory
+heat.app_factory = heat.api.cloudwatch:API
+
+[filter:versionnegotiation]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.openstack:version_negotiation_filter
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = heat
+
+[filter:faultwrap]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.openstack:faultwrap_filter
+
+[filter:cfnversionnegotiation]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.cfn:version_negotiation_filter
+
+[filter:cwversionnegotiation]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.cloudwatch:version_negotiation_filter
+
+[filter:context]
+paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
+
+[filter:ec2authtoken]
+paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
+
+# Middleware to set auth_url header appropriately
+[filter:authurl]
+paste.filter_factory = heat.common.auth_url:filter_factory
+
+# Auth middleware that validates token against keystone
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+# Auth middleware that validates username/password against keystone
+[filter:authpassword]
+paste.filter_factory = heat.common.auth_password:filter_factory
+
+# Auth middleware that validates against custom backend
+[filter:custombackendauth]
+paste.filter_factory = heat.common.custom_backend_auth:filter_factory
+
+# Middleware to set x-openstack-request-id in http response header
+[filter:request_id]
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
diff --git a/heat/templates/etc/_heat-policy.json.tpl b/heat/templates/etc/_heat-policy.json.tpl
new file mode 100644
index 0000000000..c9aae5ff79
--- /dev/null
+++ b/heat/templates/etc/_heat-policy.json.tpl
@@ -0,0 +1,96 @@
+{
+ "context_is_admin": "role:admin and is_admin_project:True",
+ "project_admin": "role:admin",
+ "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
+
+ "cloudformation:ListStacks": "rule:deny_stack_user",
+ "cloudformation:CreateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStacks": "rule:deny_stack_user",
+ "cloudformation:DeleteStack": "rule:deny_stack_user",
+ "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
+ "cloudformation:ValidateTemplate": "rule:deny_stack_user",
+ "cloudformation:GetTemplate": "rule:deny_stack_user",
+ "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
+ "cloudformation:DescribeStackResource": "",
+ "cloudformation:DescribeStackResources": "rule:deny_stack_user",
+ "cloudformation:ListStackResources": "rule:deny_stack_user",
+
+ "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
+ "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
+ "cloudwatch:ListMetrics": "rule:deny_stack_user",
+ "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
+ "cloudwatch:PutMetricData": "",
+ "cloudwatch:SetAlarmState": "rule:deny_stack_user",
+
+ "actions:action": "rule:deny_stack_user",
+ "build_info:build_info": "rule:deny_stack_user",
+ "events:index": "rule:deny_stack_user",
+ "events:show": "rule:deny_stack_user",
+ "resource:index": "rule:deny_stack_user",
+ "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
+ "resource:show": "rule:deny_stack_user",
+ "stacks:abandon": "rule:deny_stack_user",
+ "stacks:create": "rule:deny_stack_user",
+ "stacks:delete": "rule:deny_stack_user",
+ "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
+ "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
+ "stacks:index": "rule:deny_stack_user",
+ "stacks:list_resource_types": "rule:deny_stack_user",
+ "stacks:list_template_versions": "rule:deny_stack_user",
+ "stacks:list_template_functions": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
+ "stacks:resource_schema": "rule:deny_stack_user",
+ "stacks:show": "rule:deny_stack_user",
+ "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
+ "stacks:files": "rule:deny_stack_user",
+ "stacks:update": "rule:deny_stack_user",
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+
+ "service:index": "rule:context_is_admin",
+
+ "resource_types:OS::Nova::Flavor": "rule:project_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
+ "resource_types:OS::Cinder::Quota": "rule:project_admin",
+ "resource_types:OS::Manila::ShareType": "rule:project_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:project_admin",
+ "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+}
diff --git a/heat/templates/etc/_heat.conf.tpl b/heat/templates/etc/_heat.conf.tpl
new file mode 100644
index 0000000000..b268a6ecfd
--- /dev/null
+++ b/heat/templates/etc/_heat.conf.tpl
@@ -0,0 +1,90 @@
+[DEFAULT]
+debug = {{ .Values.misc.debug }}
+use_syslog = False
+use_stderr = True
+
+deferred_auth_method = "trusts"
+
+enable_stack_adopt = "True"
+enable_stack_abandon = "True"
+
+heat_metadata_server_url = {{ .Values.service.cfn.proto }}://{{ .Values.service.cfn.name }}:{{ .Values.service.cfn.port }}
+heat_waitcondition_server_url = {{ .Values.service.cfn.proto }}://{{ .Values.service.cfn.name }}:{{ .Values.service.cfn.port }}/v1/waitcondition
+heat_watch_server_url = {{ .Values.service.cloudwatch.proto }}://{{ .Values.service.cloudwatch.name }}:{{ .Values.service.cloudwatch.port }}
+
+num_engine_workers = {{ .Values.resources.engine.workers }}
+
+stack_user_domain_name = {{ .Values.keystone.heat_stack_user_domain }}
+stack_domain_admin = {{ .Values.keystone.heat_stack_user }}
+stack_domain_admin_password = {{ .Values.keystone.heat_stack_password }}
+
+trusts_delegated_roles = "Member"
+
+[cache]
+enabled = "True"
+backend = oslo_cache.memcache_pool
+memcache_servers = "{{ .Values.memcached.host }}:{{ .Values.memcached.port }}"
+
+[database]
+connection = mysql+pymysql://{{ .Values.database.heat_user }}:{{ .Values.database.heat_password }}@{{ .Values.database.address }}:{{ .Values.database.port }}/{{ .Values.database.heat_database_name }}
+max_retries = -1
+
+[keystone_authtoken]
+signing_dir = "/var/cache/heat"
+memcached_servers = "{{ .Values.memcached.host }}:{{ .Values.memcached.port }}"
+auth_version = v3
+auth_url = {{ include "endpoint_keystone_internal" . }}
+auth_type = password
+region_name = {{ .Values.keystone.heat_region_name }}
+project_domain_name = {{ .Values.keystone.heat_project_domain }}
+project_name = {{ .Values.keystone.heat_project_name }}
+user_domain_name = {{ .Values.keystone.heat_user_domain }}
+username = {{ .Values.keystone.heat_user }}
+password = {{ .Values.keystone.heat_password }}
+
+[heat_api]
+bind_port = {{ .Values.service.api.port }}
+bind_host = 0.0.0.0
+workers = {{ .Values.resources.api.workers }}
+
+[heat_api_cloudwatch]
+bind_port = {{ .Values.service.cloudwatch.port }}
+bind_host = 0.0.0.0
+workers = {{ .Values.resources.cloudwatch.workers }}
+
+[heat_api_cfn]
+bind_port = {{ .Values.service.cfn.port }}
+bind_host = 0.0.0.0
+workers = {{ .Values.resources.cfn.workers }}
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ .Values.messaging.user }}
+rabbit_password = {{ .Values.messaging.password }}
+rabbit_ha_queues = true
+rabbit_hosts = {{ .Values.messaging.hosts }}
+
+[paste_deploy]
+config_file = /etc/heat/api-paste.ini
+
+[trustee]
+auth_type = "password"
+auth_section = "trustee_keystone"
+
+[trustee_keystone]
+signing_dir = "/var/cache/heat"
+memcached_servers = "{{ .Values.memcached.host }}:{{ .Values.memcached.port }}"
+auth_version = v3
+auth_url = {{ include "endpoint_keystone_internal" . }}
+auth_type = password
+region_name = {{ .Values.keystone.heat_trustee_region_name }}
+user_domain_name = {{ .Values.keystone.heat_trustee_user_domain }}
+username = {{ .Values.keystone.heat_trustee_user }}
+password = {{ .Values.keystone.heat_trustee_password }}
+
+
+[clients]
+endpoint_type = internalURL
+
+[clients_keystone]
+endpoint_type = internalURL
+auth_uri = {{ include "endpoint_keystone_internal" . }}
diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml
new file mode 100644
index 0000000000..6a7e343cae
--- /dev/null
+++ b/heat/templates/job-db-init.yaml
@@ -0,0 +1,36 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.init }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-db-init
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-db-init
+ image: {{ .Values.images.db_init | quote }}
+ imagePullPolicy: {{ .Values.images.pull_policy | quote }}
+ env:
+ - name: ANSIBLE_LIBRARY
+ value: /usr/share/ansible/
+ command:
+ - bash
+ - /tmp/db-init.sh
+ volumeMounts:
+ - name: dbinitsh
+ mountPath: /tmp/db-init.sh
+ subPath: db-init.sh
+ readOnly: true
+ volumes:
+ - name: dbinitsh
+ configMap:
+ name: heat-bin
diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml
new file mode 100644
index 0000000000..4a9b004db2
--- /dev/null
+++ b/heat/templates/job-db-sync.yaml
@@ -0,0 +1,40 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_sync }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-db-sync
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-db-sync
+ image: {{ .Values.images.db_sync }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - heat-manage
+ args:
+ - --config-dir
+ - /etc/heat/conf
+ - db_sync
+ volumeMounts:
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: heatconf
+ mountPath: /etc/heat/conf/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ volumes:
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: heatconf
+ configMap:
+ name: heat-etc
diff --git a/heat/templates/job-ks-endpoints.yaml.yaml b/heat/templates/job-ks-endpoints.yaml.yaml
new file mode 100644
index 0000000000..e0a90d6a28
--- /dev/null
+++ b/heat/templates/job-ks-endpoints.yaml.yaml
@@ -0,0 +1,50 @@
+{{- $envAll := . }}
+{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
+{{- $dependencies := .Values.dependencies.ks_endpoints }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-ks-endpoints
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+{{- range $key1, $osServiceName := tuple "heat" "heat-cfn" }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ $osServiceName }}-ks-endpoints-{{ $osServiceEndPoint }}
+ image: {{ $envAll.Values.images.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint }}
+ - name: OS_SERVICE_NAME
+ value: {{ $osServiceName }}
+ - name: OS_SERVICE_TYPE
+ value: {{ tuple $osServiceName $envAll | include "endpoint_type_lookup" }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceName $osServiceEndPoint "api" $envAll | include "endpoint_addr_lookup" }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: ks-endpoints-sh
+ configMap:
+ name: heat-bin
diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml
new file mode 100644
index 0000000000..06738e162c
--- /dev/null
+++ b/heat/templates/job-ks-service.yaml
@@ -0,0 +1,44 @@
+{{- $envAll := . }}
+{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
+{{- $dependencies := .Values.dependencies.ks_service }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-ks-service
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+{{- range $key1, $osServiceName := tuple "heat" "heat-cfn" }}
+ - name: {{ $osServiceName }}-ks-service-registration
+ image: {{ $envAll.Values.images.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ $osServiceName }}
+ - name: OS_SERVICE_TYPE
+ value: {{ tuple $osServiceName $envAll | include "endpoint_type_lookup" }}
+{{- end }}
+ volumes:
+ - name: ks-service-sh
+ configMap:
+ name: heat-bin
diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml
new file mode 100644
index 0000000000..270154045b
--- /dev/null
+++ b/heat/templates/job-ks-user.yaml
@@ -0,0 +1,110 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.ks_user }}
+{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
+{{- $ksUserSecret := .Values.keystone_secrets.user }}
+# The heat user management job is a bit different from other services as it also needs to create a stack domain and trusts user
+{{- $ksTrusteeUserSecret := .Values.keystone_secrets.trustee }}
+{{- $ksStackUserSecret := .Values.keystone_secrets.stack }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-ks-user
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-ks-user
+ image: {{ .Values.images.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "heat"
+{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- include "env_ks_user_create_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.keystone.heat_user_role | quote }}
+ - name: heat-ks-trustee-user
+ image: {{ .Values.images.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "heat"
+{{- with $env := dict "ksUserSecret" $ksTrusteeUserSecret }}
+{{- include "env_ks_user_create_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.keystone.heat_trustee_role | quote }}
+ - name: heat-ks-domain-user
+ image: {{ .Values.images.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/ks-domain-user.sh
+ volumeMounts:
+ - name: ks-user-sh
+ mountPath: /tmp/ks-domain-user.sh
+ subPath: ks-domain-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "env_ks_openrc_tpl" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "heat"
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksStackUserSecret }}
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksStackUserSecret }}
+ key: OS_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksStackUserSecret }}
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksStackUserSecret }}
+ key: OS_PASSWORD
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.keystone.heat_stack_user_role | quote }}
+ volumes:
+ - name: ks-user-sh
+ configMap:
+ name: heat-bin
diff --git a/heat/templates/secret-keystone-admin.env.yaml b/heat/templates/secret-keystone-admin.env.yaml
new file mode 100644
index 0000000000..ddbc7cece2
--- /dev/null
+++ b/heat/templates/secret-keystone-admin.env.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.keystone_secrets.admin }}
+type: Opaque
+data:
+ OS_AUTH_URL: |
+{{ .Values.keystone.auth_url | b64enc | indent 4 }}
+ OS_REGION_NAME: |
+{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
+ OS_PROJECT_DOMAIN_NAME: |
+{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
+ OS_PROJECT_NAME: |
+{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
+ OS_USER_DOMAIN_NAME: |
+{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
+ OS_USERNAME: |
+{{ .Values.keystone.admin_user | b64enc | indent 4 }}
+ OS_PASSWORD: |
+{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/heat/templates/secret-keystone-stack-user.env.yaml b/heat/templates/secret-keystone-stack-user.env.yaml
new file mode 100644
index 0000000000..703bd37097
--- /dev/null
+++ b/heat/templates/secret-keystone-stack-user.env.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.keystone_secrets.stack }}
+type: Opaque
+data:
+ OS_REGION_NAME: |
+{{ .Values.keystone.heat_stack_region_name | b64enc | indent 4 }}
+ OS_DOMAIN_NAME: |
+{{ .Values.keystone.heat_stack_domain | b64enc | indent 4 }}
+ OS_USERNAME: |
+{{ .Values.keystone.heat_stack_user | b64enc | indent 4 }}
+ OS_PASSWORD: |
+{{ .Values.keystone.heat_stack_password | b64enc | indent 4 }}
diff --git a/heat/templates/secret-keystone-trustee.env.yaml b/heat/templates/secret-keystone-trustee.env.yaml
new file mode 100644
index 0000000000..63db347e87
--- /dev/null
+++ b/heat/templates/secret-keystone-trustee.env.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.keystone_secrets.trustee }}
+type: Opaque
+data:
+ OS_AUTH_URL: |
+{{ .Values.keystone.auth_url | b64enc | indent 4 }}
+ OS_REGION_NAME: |
+{{ .Values.keystone.heat_trustee_region_name | b64enc | indent 4 }}
+ OS_PROJECT_DOMAIN_NAME: |
+{{ .Values.keystone.heat_trustee_project_domain | b64enc | indent 4 }}
+ OS_PROJECT_NAME: |
+{{ .Values.keystone.heat_trustee_project_name | b64enc | indent 4 }}
+ OS_USER_DOMAIN_NAME: |
+{{ .Values.keystone.heat_trustee_user_domain | b64enc | indent 4 }}
+ OS_USERNAME: |
+{{ .Values.keystone.heat_trustee_user | b64enc | indent 4 }}
+ OS_PASSWORD: |
+{{ .Values.keystone.heat_trustee_password | b64enc | indent 4 }}
diff --git a/heat/templates/secret-keystone-user.env.yaml b/heat/templates/secret-keystone-user.env.yaml
new file mode 100644
index 0000000000..f54a264f1b
--- /dev/null
+++ b/heat/templates/secret-keystone-user.env.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.keystone_secrets.user }}
+type: Opaque
+data:
+ OS_AUTH_URL: |
+{{ .Values.keystone.auth_url | b64enc | indent 4 }}
+ OS_REGION_NAME: |
+{{ .Values.keystone.heat_region_name | b64enc | indent 4 }}
+ OS_PROJECT_DOMAIN_NAME: |
+{{ .Values.keystone.heat_project_domain | b64enc | indent 4 }}
+ OS_PROJECT_NAME: |
+{{ .Values.keystone.heat_project_name | b64enc | indent 4 }}
+ OS_USER_DOMAIN_NAME: |
+{{ .Values.keystone.heat_user_domain | b64enc | indent 4 }}
+ OS_USERNAME: |
+{{ .Values.keystone.heat_user | b64enc | indent 4 }}
+ OS_PASSWORD: |
+{{ .Values.keystone.heat_password | b64enc | indent 4 }}
diff --git a/heat/templates/service-api.yaml b/heat/templates/service-api.yaml
new file mode 100644
index 0000000000..482a116bfb
--- /dev/null
+++ b/heat/templates/service-api.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.service.api.name }}
+spec:
+ ports:
+ - port: {{ .Values.service.api.port }}
+ selector:
+ app: heat-api
diff --git a/heat/templates/service-cfn.yaml b/heat/templates/service-cfn.yaml
new file mode 100644
index 0000000000..799e57d133
--- /dev/null
+++ b/heat/templates/service-cfn.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.service.cfn.name }}
+spec:
+ ports:
+ - port: {{ .Values.service.cfn.port }}
+ selector:
+ app: heat-cfn
diff --git a/heat/templates/service-cloudwatch.yaml b/heat/templates/service-cloudwatch.yaml
new file mode 100644
index 0000000000..071f2c928c
--- /dev/null
+++ b/heat/templates/service-cloudwatch.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.service.cloudwatch.name }}
+spec:
+ ports:
+ - port: {{ .Values.service.cloudwatch.port }}
+ selector:
+ app: heat-cloudwatch
diff --git a/heat/templates/statefulset-engine.yaml b/heat/templates/statefulset-engine.yaml
new file mode 100644
index 0000000000..e494378ce0
--- /dev/null
+++ b/heat/templates/statefulset-engine.yaml
@@ -0,0 +1,52 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.engine }}
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+ name: heat-engine
+spec:
+ serviceName: heat-engine
+ replicas: {{ .Values.replicas.engine }}
+ template:
+ metadata:
+ labels:
+ app: heat-engine
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ containers:
+ - name: heat-engine
+ image: {{ .Values.images.engine }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - heat-engine
+ - --config-dir
+ - /etc/heat/conf
+ volumeMounts:
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: pod-var-cache-heat
+ mountPath: /var/cache/heat
+ - name: heatconf
+ mountPath: /etc/heat/conf/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ - name: heatpolicy
+ mountPath: /etc/heat/policy.json
+ subPath: policy.json
+ readOnly: true
+ volumes:
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: pod-var-cache-heat
+ emptyDir: {}
+ - name: heatconf
+ configMap:
+ name: heat-etc
+ - name: heatpolicy
+ configMap:
+ name: heat-etc
diff --git a/heat/values.yaml b/heat/values.yaml
new file mode 100644
index 0000000000..ecd9c02ccf
--- /dev/null
+++ b/heat/values.yaml
@@ -0,0 +1,208 @@
+# Default values for keystone.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+
+replicas:
+ api: 1
+ cfn: 1
+ cloudwatch: 1
+ engine: 1
+
+labels:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
+ db_init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ db_sync: docker.io/kolla/ubuntu-source-heat-api:3.0.1
+ ks_user: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ ks_service: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ ks_endpoints: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ api: docker.io/kolla/ubuntu-source-heat-api:3.0.1
+ cfn: docker.io/kolla/ubuntu-source-heat-api:3.0.1
+ cloudwatch: docker.io/kolla/ubuntu-source-heat-api:3.0.1
+ engine: docker.io/kolla/ubuntu-source-heat-engine:3.0.1
+ pull_policy: "IfNotPresent"
+
+keystone_secrets:
+ admin: "heat-env-keystone-admin"
+ user: "heat-env-keystone-user"
+ trustee: "heat-env-keystone-trustee"
+ stack: "heat-env-keystone-stack-user"
+
+keystone:
+ auth_uri: "http://keystone-api:5000"
+ auth_url: "http://keystone-api:35357"
+ admin_user: "admin"
+ admin_user_domain: "default"
+ admin_password: "password"
+ admin_project_name: "admin"
+ admin_project_domain: "default"
+ admin_region_name: "RegionOne"
+
+ heat_user: "heat"
+ heat_user_domain: "default"
+ heat_user_role: "admin"
+ heat_password: "password"
+ heat_project_name: "service"
+ heat_project_domain: "default"
+ heat_region_name: "RegionOne"
+
+ heat_trustee_user: "heat-trust"
+ heat_trustee_user_domain: "default"
+ heat_trustee_role: "admin"
+ heat_trustee_password: "password"
+ heat_trustee_project_name: "service"
+ heat_trustee_project_domain: "default"
+ heat_trustee_region_name: "RegionOne"
+
+ heat_stack_user: "heat-domain"
+ heat_stack_domain: "heat"
+ heat_stack_user_role: "admin"
+ heat_stack_password: "password"
+ heat_stack_region_name: "RegionOne"
+
+service:
+ api:
+ name: "heat-api"
+ port: 8004
+ proto: "http"
+ cfn:
+ name: "heat-cfn"
+ port: 8000
+ proto: "http"
+ cloudwatch:
+ name: "heat-cloudwatch"
+ port: 8003
+ proto: "http"
+
+database:
+ address: mariadb
+ port: 3306
+ root_user: root
+ root_password: password
+ heat_database_name: heat
+ heat_password: password
+ heat_user: heat
+
+messaging:
+ hosts: rabbitmq
+ user: rabbitmq
+ password: password
+
+memcached:
+ host: memcached
+ port: 11211
+
+resources:
+ api:
+ workers: 8
+ cfn:
+ workers: 8
+ cloudwatch:
+ workers: 8
+ engine:
+ workers: 8
+
+misc:
+ debug: true
+
+secrets:
+ keystone_admin:
+
+dependencies:
+ db_init:
+ jobs:
+ - mariadb-seed
+ service:
+ - mariadb
+ db_sync:
+ jobs:
+ - heat-db-init
+ service:
+ - mariadb
+ ks_user:
+ service:
+ - keystone-api
+ ks_service:
+ service:
+ - keystone-api
+ ks_endpoints:
+ jobs:
+ - heat-ks-service
+ service:
+ - keystone-api
+ api:
+ jobs:
+ - heat-db-sync
+ - heat-ks-user
+ - heat-ks-endpoints
+ service:
+ - keystone-api
+ - mariadb
+ cfn:
+ jobs:
+ - heat-db-sync
+ - heat-ks-user
+ - heat-ks-endpoints
+ service:
+ - keystone-api
+ - mariadb
+ cloudwatch:
+ jobs:
+ - heat-db-sync
+ - heat-ks-user
+ - heat-ks-endpoints
+ service:
+ - keystone-api
+ - mariadb
+ engine:
+ jobs:
+ - heat-db-sync
+ - heat-ks-user
+ - heat-ks-endpoints
+ service:
+ - keystone-api
+ - mariadb
+
+# typically overriden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ keystone:
+ hosts:
+ default: keystone-api
+ path: /v3
+ type: identity
+ scheme: 'http'
+ port:
+ admin: 35357
+ public: 5000
+ heat:
+ hosts:
+ default: heat-api
+ path: '/v1/%(project_id)s'
+ type: orchestration
+ scheme: 'http'
+ port:
+ api: 8004
+ heat_cfn:
+ hosts:
+ default: heat-cfn
+ path: /v1
+ type: cloudformation
+ scheme: 'http'
+ port:
+ api: 8000
+# Cloudwatch does not get an entry in the keystone service catalog
+ heat_cloudwatch:
+ hosts:
+ default: heat-cloudwatch
+ path: null
+ type: null
+ scheme: 'http'
+ port:
+ api: 8003
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 2baa6bc36f..12fe799116 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -1,9 +1,19 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.dashboard }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: horizon
spec:
replicas: {{ .Values.replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
template:
metadata:
labels:
@@ -12,26 +22,8 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "{{ .Values.images.entrypoint }}",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.dashboard.service }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
- ]'
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
diff --git a/horizon/templates/service.yaml b/horizon/templates/service.yaml
index 1c2fe3865a..a8b59d7606 100644
--- a/horizon/templates/service.yaml
+++ b/horizon/templates/service.yaml
@@ -4,6 +4,18 @@ metadata:
name: horizon
spec:
ports:
+ {{ if .Values.network.enable_node_port }}
+ - nodePort: {{ .Values.network.node_port }}
+ port: {{ .Values.network.port }}
+ protocol: TCP
+ targetPort: {{ .Values.network.port }}
+ {{ else }}
- port: {{ .Values.network.port }}
+ protocol: TCP
+ targetPort: {{ .Values.network.port }}
+ {{ end }}
selector:
app: horizon
+ {{ if .Values.network.enable_node_port }}
+ type: NodePort
+ {{ end }}
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 6de7d8e116..84caa6d950 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -6,16 +6,25 @@
replicas: 1
images:
- entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
horizon: quay.io/stackanetes/stackanetes-horizon:newton
pull_policy: "IfNotPresent"
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
port: 80
+ node_port: 30000
+ enable_node_port: false
local_settings:
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl
index 89c4c5de84..e4f69c7214 100644
--- a/keystone/templates/bin/_db-sync.sh.tpl
+++ b/keystone/templates/bin/_db-sync.sh.tpl
@@ -1,22 +1,13 @@
#!/bin/bash
set -ex
-# order of kolla_keystone_bootstrap urls
-# for those of looking for a little expanation
-# to a mysterious blackbox
-#
-# these will feed into the keystone endpoints
-# so it is important they are correct
-#
-# keystone_admin_url
-# keystone_internal_url
-# keystone_public_url
-
-keystone-manage db_sync
-kolla_keystone_bootstrap {{ .Values.keystone.admin_user }} {{ .Values.keystone.admin_password }} \
- {{ .Values.keystone.admin_project_name }} admin \
- {{ include "endpoint_keystone_admin" . }} \
- {{ include "endpoint_keystone_internal" . }} \
- {{ include "endpoint_keystone_internal" . }} \
- {{ .Values.keystone.admin_region_name }}
+keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
+keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
+ --bootstrap-username {{ .Values.keystone.admin_user }} \
+ --bootstrap-password {{ .Values.keystone.admin_password }} \
+ --bootstrap-project-name {{ .Values.keystone.admin_project_name }} \
+ --bootstrap-admin-url {{ include "endpoint_keystone_admin" . }} \
+ --bootstrap-public-url {{ include "endpoint_keystone_internal" . }} \
+ --bootstrap-internal-url {{ include "endpoint_keystone_internal" . }} \
+ --bootstrap-region-id {{ .Values.keystone.admin_region_name }}
diff --git a/keystone/templates/bin/_init.sh.tpl b/keystone/templates/bin/_init.sh.tpl
index 0d47c4ba71..f48157a2ce 100644
--- a/keystone/templates/bin/_init.sh.tpl
+++ b/keystone/templates/bin/_init.sh.tpl
@@ -2,5 +2,20 @@
set -ex
export HOME=/tmp
-ansible localhost -vvv -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_database_name }}'"
-ansible localhost -vvv -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_user }}' password='{{ .Values.database.keystone_password }}' host='%' priv='{{ .Values.database.keystone_database_name }}.*:ALL' append_privs='yes'"
+ansible localhost -vvv \
+ -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' \
+ login_port='{{ .Values.database.port }}' \
+ login_user='{{ .Values.database.root_user }}' \
+ login_password='{{ .Values.database.root_password }}' \
+ name='{{ .Values.database.keystone_database_name }}'"
+
+ansible localhost -vvv \
+ -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' \
+ login_port='{{ .Values.database.port }}' \
+ login_user='{{ .Values.database.root_user }}' \
+ login_password='{{ .Values.database.root_password }}' \
+ name='{{ .Values.database.keystone_user }}' \
+ password='{{ .Values.database.keystone_password }}' \
+ host='%' \
+ priv='{{ .Values.database.keystone_database_name }}.*:ALL' \
+ append_privs='yes'"
diff --git a/keystone/templates/bin/_start.sh.tpl b/keystone/templates/bin/_start.sh.tpl
index 4bafe63ee4..72529c2f32 100644
--- a/keystone/templates/bin/_start.sh.tpl
+++ b/keystone/templates/bin/_start.sh.tpl
@@ -1,8 +1,10 @@
-#!/bin/bash
-set -ex
-
-# Loading Apache2 ENV variables
-source /etc/apache2/envvars
+#!/bin/bash
+set -ex
-# start apache with any container arguments
-apache2 -DFOREGROUND $*
+if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+fi
+
+# Start Apache2
+exec apache2 -DFOREGROUND
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index b59534ee98..3ad7dc8293 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -6,6 +6,12 @@ data:
keystone.conf: |+
{{ tuple "etc/_keystone.conf.tpl" . | include "template" | indent 4 }}
mpm_event.conf: |+
-{{ tuple "etc/_mpm_event.conf.tpl" . | include "template" | indent 4 }}
+{{ tuple "etc/_mpm_event.conf.tpl" . | include "template" | indent 4 }}
wsgi-keystone.conf: |+
{{ tuple "etc/_wsgi-keystone.conf.tpl" . | include "template" | indent 4 }}
+ policy.json: |+
+{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
+ keystone-paste.ini: |+
+{{ tuple "etc/_keystone-paste.ini.tpl" . | include "template" | indent 4 }}
+ sso_callback_template.html: |+
+{{ tuple "etc/_sso_callback_template.html.tpl" . | include "template" | indent 4 }}
diff --git a/keystone/templates/deployment.yaml b/keystone/templates/deployment.yaml
index 2a94d2498c..54cff70871 100644
--- a/keystone/templates/deployment.yaml
+++ b/keystone/templates/deployment.yaml
@@ -1,42 +1,28 @@
+{{- $envAll := . }}
+{{- $dependecies := .Values.dependencies.api }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: keystone-api
spec:
replicas: {{ .Values.replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
template:
metadata:
labels:
app: keystone-api
annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "{{ .Values.images.entrypoint }}",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "INTERFACE_NAME",
- "value": "eth0"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.api.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.api.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
+{{ tuple $envAll $dependecies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
nodeSelector:
@@ -51,26 +37,62 @@ spec:
ports:
- containerPort: {{ .Values.network.port.public }}
- containerPort: {{ .Values.network.port.admin }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - apachectl
+ - -k
+ - graceful-stop
readinessProbe:
tcpSocket:
port: {{ .Values.network.port.public }}
volumeMounts:
+ - name: pod-etc-keystone
+ mountPath: /etc/keystone
- name: keystoneconf
mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf
+ readOnly: true
+ - name: keystonepaste
+ mountPath: /etc/keystone/keystone-paste.ini
+ subPath: keystone-paste.ini
+ readOnly: true
+ - name: keystonepolicy
+ mountPath: /etc/keystone/policy.json
+ subPath: policy.json
+ readOnly: true
+ - name: keystonessotemplate
+ mountPath: /etc/keystone/sso_callback_template.html
+ subPath: sso_callback_template.html
+ readOnly: true
- name: wsgikeystone
mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf
subPath: wsgi-keystone.conf
+ readOnly: true
- name: mpmeventconf
mountPath: /etc/apache2/mods-available/mpm_event.conf
subPath: mpm_event.conf
+ readOnly: true
- name: startsh
mountPath: /tmp/start.sh
subPath: start.sh
+ readOnly: true
volumes:
+ - name: pod-etc-keystone
+ emptyDir: {}
- name: keystoneconf
configMap:
name: keystone-etc
+ - name: keystonepaste
+ configMap:
+ name: keystone-etc
+ - name: keystonepolicy
+ configMap:
+ name: keystone-etc
+ - name: keystonessotemplate
+ configMap:
+ name: keystone-etc
- name: wsgikeystone
configMap:
name: keystone-etc
@@ -80,4 +102,3 @@ spec:
- name: startsh
configMap:
name: keystone-bin
-
diff --git a/keystone/templates/etc/_keystone-paste.ini.tpl b/keystone/templates/etc/_keystone-paste.ini.tpl
new file mode 100644
index 0000000000..0d058ac009
--- /dev/null
+++ b/keystone/templates/etc/_keystone-paste.ini.tpl
@@ -0,0 +1,97 @@
+# Keystone PasteDeploy configuration file.
+
+[filter:debug]
+use = egg:oslo.middleware#debug
+
+[filter:request_id]
+use = egg:oslo.middleware#request_id
+
+[filter:build_auth_context]
+use = egg:keystone#build_auth_context
+
+[filter:token_auth]
+use = egg:keystone#token_auth
+
+[filter:admin_token_auth]
+# This is deprecated in the M release and will be removed in the O release.
+# Use `keystone-manage bootstrap` and remove this from the pipelines below.
+use = egg:keystone#admin_token_auth
+
+[filter:json_body]
+use = egg:keystone#json_body
+
+[filter:cors]
+use = egg:oslo.middleware#cors
+oslo_config_project = keystone
+
+[filter:http_proxy_to_wsgi]
+use = egg:oslo.middleware#http_proxy_to_wsgi
+
+[filter:healthcheck]
+use = egg:oslo.middleware#healthcheck
+
+[filter:ec2_extension]
+use = egg:keystone#ec2_extension
+
+[filter:ec2_extension_v3]
+use = egg:keystone#ec2_extension_v3
+
+[filter:s3_extension]
+use = egg:keystone#s3_extension
+
+[filter:url_normalize]
+use = egg:keystone#url_normalize
+
+[filter:sizelimit]
+use = egg:oslo.middleware#sizelimit
+
+[filter:osprofiler]
+use = egg:osprofiler#osprofiler
+
+[app:public_service]
+use = egg:keystone#public_service
+
+[app:service_v3]
+use = egg:keystone#service_v3
+
+[app:admin_service]
+use = egg:keystone#admin_service
+
+[pipeline:public_api]
+# The last item in this pipeline must be public_service or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
+
+[pipeline:admin_api]
+# The last item in this pipeline must be admin_service or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+
+[pipeline:api_v3]
+# The last item in this pipeline must be service_v3 or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+
+[app:public_version_service]
+use = egg:keystone#public_version_service
+
+[app:admin_version_service]
+use = egg:keystone#admin_version_service
+
+[pipeline:public_version_api]
+pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
+
+[pipeline:admin_version_api]
+pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+/v3 = api_v3
+/ = public_version_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
+/v3 = api_v3
+/ = admin_version_api
diff --git a/keystone/templates/etc/_keystone.conf.tpl b/keystone/templates/etc/_keystone.conf.tpl
index 58603001ba..573eba9e0e 100644
--- a/keystone/templates/etc/_keystone.conf.tpl
+++ b/keystone/templates/etc/_keystone.conf.tpl
@@ -1,8 +1,7 @@
[DEFAULT]
-debug = {{ .Values.misc.debug }}
+debug = {{ .Values.api.default.debug }}
use_syslog = False
use_stderr = True
-workers = {{ .Values.misc.workers }}
[database]
connection = mysql+pymysql://{{ .Values.database.keystone_user }}:{{ .Values.database.keystone_password }}@{{ include "keystone_db_host" . }}/{{ .Values.database.keystone_database_name }}
@@ -11,6 +10,9 @@ max_retries = -1
[memcache]
servers = {{ include "memcached_host" . }}:11211
+[token]
+provider = {{ .Values.api.token.provider }}
+
[cache]
backend = dogpile.cache.memcached
memcache_servers = {{ include "memcached_host" . }}:11211
diff --git a/keystone/templates/etc/_policy.json.tpl b/keystone/templates/etc/_policy.json.tpl
new file mode 100644
index 0000000000..ddf2396272
--- /dev/null
+++ b/keystone/templates/etc/_policy.json.tpl
@@ -0,0 +1,199 @@
+{
+ "admin_required": "role:admin or is_admin:1",
+ "service_role": "role:service",
+ "service_or_admin": "rule:admin_required or rule:service_role",
+ "owner" : "user_id:%(user_id)s",
+ "admin_or_owner": "rule:admin_required or rule:owner",
+ "token_subject": "user_id:%(target.token.user_id)s",
+ "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+ "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
+
+ "default": "rule:admin_required",
+
+ "identity:get_region": "",
+ "identity:list_regions": "",
+ "identity:create_region": "rule:admin_required",
+ "identity:update_region": "rule:admin_required",
+ "identity:delete_region": "rule:admin_required",
+
+ "identity:get_service": "rule:admin_required",
+ "identity:list_services": "rule:admin_required",
+ "identity:create_service": "rule:admin_required",
+ "identity:update_service": "rule:admin_required",
+ "identity:delete_service": "rule:admin_required",
+
+ "identity:get_endpoint": "rule:admin_required",
+ "identity:list_endpoints": "rule:admin_required",
+ "identity:create_endpoint": "rule:admin_required",
+ "identity:update_endpoint": "rule:admin_required",
+ "identity:delete_endpoint": "rule:admin_required",
+
+ "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
+ "identity:list_domains": "rule:admin_required",
+ "identity:create_domain": "rule:admin_required",
+ "identity:update_domain": "rule:admin_required",
+ "identity:delete_domain": "rule:admin_required",
+
+ "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
+ "identity:list_projects": "rule:admin_required",
+ "identity:list_user_projects": "rule:admin_or_owner",
+ "identity:create_project": "rule:admin_required",
+ "identity:update_project": "rule:admin_required",
+ "identity:delete_project": "rule:admin_required",
+
+ "identity:get_user": "rule:admin_or_owner",
+ "identity:list_users": "rule:admin_required",
+ "identity:create_user": "rule:admin_required",
+ "identity:update_user": "rule:admin_required",
+ "identity:delete_user": "rule:admin_required",
+ "identity:change_password": "rule:admin_or_owner",
+
+ "identity:get_group": "rule:admin_required",
+ "identity:list_groups": "rule:admin_required",
+ "identity:list_groups_for_user": "rule:admin_or_owner",
+ "identity:create_group": "rule:admin_required",
+ "identity:update_group": "rule:admin_required",
+ "identity:delete_group": "rule:admin_required",
+ "identity:list_users_in_group": "rule:admin_required",
+ "identity:remove_user_from_group": "rule:admin_required",
+ "identity:check_user_in_group": "rule:admin_required",
+ "identity:add_user_to_group": "rule:admin_required",
+
+ "identity:get_credential": "rule:admin_required",
+ "identity:list_credentials": "rule:admin_required",
+ "identity:create_credential": "rule:admin_required",
+ "identity:update_credential": "rule:admin_required",
+ "identity:delete_credential": "rule:admin_required",
+
+ "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
+ "identity:ec2_list_credentials": "rule:admin_or_owner",
+ "identity:ec2_create_credential": "rule:admin_or_owner",
+ "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
+
+ "identity:get_role": "rule:admin_required",
+ "identity:list_roles": "rule:admin_required",
+ "identity:create_role": "rule:admin_required",
+ "identity:update_role": "rule:admin_required",
+ "identity:delete_role": "rule:admin_required",
+ "identity:get_domain_role": "rule:admin_required",
+ "identity:list_domain_roles": "rule:admin_required",
+ "identity:create_domain_role": "rule:admin_required",
+ "identity:update_domain_role": "rule:admin_required",
+ "identity:delete_domain_role": "rule:admin_required",
+
+ "identity:get_implied_role": "rule:admin_required ",
+ "identity:list_implied_roles": "rule:admin_required",
+ "identity:create_implied_role": "rule:admin_required",
+ "identity:delete_implied_role": "rule:admin_required",
+ "identity:list_role_inference_rules": "rule:admin_required",
+ "identity:check_implied_role": "rule:admin_required",
+
+ "identity:check_grant": "rule:admin_required",
+ "identity:list_grants": "rule:admin_required",
+ "identity:create_grant": "rule:admin_required",
+ "identity:revoke_grant": "rule:admin_required",
+
+ "identity:list_role_assignments": "rule:admin_required",
+ "identity:list_role_assignments_for_tree": "rule:admin_required",
+
+ "identity:get_policy": "rule:admin_required",
+ "identity:list_policies": "rule:admin_required",
+ "identity:create_policy": "rule:admin_required",
+ "identity:update_policy": "rule:admin_required",
+ "identity:delete_policy": "rule:admin_required",
+
+ "identity:check_token": "rule:admin_or_token_subject",
+ "identity:validate_token": "rule:service_admin_or_token_subject",
+ "identity:validate_token_head": "rule:service_or_admin",
+ "identity:revocation_list": "rule:service_or_admin",
+ "identity:revoke_token": "rule:admin_or_token_subject",
+
+ "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
+ "identity:list_trusts": "",
+ "identity:list_roles_for_trust": "",
+ "identity:get_role_for_trust": "",
+ "identity:delete_trust": "",
+
+ "identity:create_consumer": "rule:admin_required",
+ "identity:get_consumer": "rule:admin_required",
+ "identity:list_consumers": "rule:admin_required",
+ "identity:delete_consumer": "rule:admin_required",
+ "identity:update_consumer": "rule:admin_required",
+
+ "identity:authorize_request_token": "rule:admin_required",
+ "identity:list_access_token_roles": "rule:admin_required",
+ "identity:get_access_token_role": "rule:admin_required",
+ "identity:list_access_tokens": "rule:admin_required",
+ "identity:get_access_token": "rule:admin_required",
+ "identity:delete_access_token": "rule:admin_required",
+
+ "identity:list_projects_for_endpoint": "rule:admin_required",
+ "identity:add_endpoint_to_project": "rule:admin_required",
+ "identity:check_endpoint_in_project": "rule:admin_required",
+ "identity:list_endpoints_for_project": "rule:admin_required",
+ "identity:remove_endpoint_from_project": "rule:admin_required",
+
+ "identity:create_endpoint_group": "rule:admin_required",
+ "identity:list_endpoint_groups": "rule:admin_required",
+ "identity:get_endpoint_group": "rule:admin_required",
+ "identity:update_endpoint_group": "rule:admin_required",
+ "identity:delete_endpoint_group": "rule:admin_required",
+ "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
+ "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
+ "identity:get_endpoint_group_in_project": "rule:admin_required",
+ "identity:list_endpoint_groups_for_project": "rule:admin_required",
+ "identity:add_endpoint_group_to_project": "rule:admin_required",
+ "identity:remove_endpoint_group_from_project": "rule:admin_required",
+
+ "identity:create_identity_provider": "rule:admin_required",
+ "identity:list_identity_providers": "rule:admin_required",
+ "identity:get_identity_providers": "rule:admin_required",
+ "identity:update_identity_provider": "rule:admin_required",
+ "identity:delete_identity_provider": "rule:admin_required",
+
+ "identity:create_protocol": "rule:admin_required",
+ "identity:update_protocol": "rule:admin_required",
+ "identity:get_protocol": "rule:admin_required",
+ "identity:list_protocols": "rule:admin_required",
+ "identity:delete_protocol": "rule:admin_required",
+
+ "identity:create_mapping": "rule:admin_required",
+ "identity:get_mapping": "rule:admin_required",
+ "identity:list_mappings": "rule:admin_required",
+ "identity:delete_mapping": "rule:admin_required",
+ "identity:update_mapping": "rule:admin_required",
+
+ "identity:create_service_provider": "rule:admin_required",
+ "identity:list_service_providers": "rule:admin_required",
+ "identity:get_service_provider": "rule:admin_required",
+ "identity:update_service_provider": "rule:admin_required",
+ "identity:delete_service_provider": "rule:admin_required",
+
+ "identity:get_auth_catalog": "",
+ "identity:get_auth_projects": "",
+ "identity:get_auth_domains": "",
+
+ "identity:list_projects_for_user": "",
+ "identity:list_domains_for_user": "",
+
+ "identity:list_revoke_events": "rule:service_or_admin",
+
+ "identity:create_policy_association_for_endpoint": "rule:admin_required",
+ "identity:check_policy_association_for_endpoint": "rule:admin_required",
+ "identity:delete_policy_association_for_endpoint": "rule:admin_required",
+ "identity:create_policy_association_for_service": "rule:admin_required",
+ "identity:check_policy_association_for_service": "rule:admin_required",
+ "identity:delete_policy_association_for_service": "rule:admin_required",
+ "identity:create_policy_association_for_region_and_service": "rule:admin_required",
+ "identity:check_policy_association_for_region_and_service": "rule:admin_required",
+ "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
+ "identity:get_policy_for_endpoint": "rule:admin_required",
+ "identity:list_endpoints_for_policy": "rule:admin_required",
+
+ "identity:create_domain_config": "rule:admin_required",
+ "identity:get_domain_config": "rule:admin_required",
+ "identity:get_security_compliance_domain_config": "",
+ "identity:update_domain_config": "rule:admin_required",
+ "identity:delete_domain_config": "rule:admin_required",
+ "identity:get_domain_config_default": "rule:admin_required"
+}
diff --git a/keystone/templates/etc/_sso_callback_template.html.tpl b/keystone/templates/etc/_sso_callback_template.html.tpl
new file mode 100644
index 0000000000..3364d69e55
--- /dev/null
+++ b/keystone/templates/etc/_sso_callback_template.html.tpl
@@ -0,0 +1,22 @@
+
+
+
+ Keystone WebSSO redirect
+
+
+
+
+
+
diff --git a/keystone/templates/etc/_wsgi-keystone.conf.tpl b/keystone/templates/etc/_wsgi-keystone.conf.tpl
index e6535eae85..54e393a223 100644
--- a/keystone/templates/etc/_wsgi-keystone.conf.tpl
+++ b/keystone/templates/etc/_wsgi-keystone.conf.tpl
@@ -1,8 +1,11 @@
Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.public }}
Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }}
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
- WSGIDaemonProcess keystone-public processes=16 threads=6 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-public processes=1 threads=4 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
@@ -10,12 +13,15 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }}
= 2.4>
ErrorLogFormat "%{cu}t %M"
- ErrorLog "|$/bin/cat 1>&2"
- CustomLog "|/bin/cat" combined
+ ErrorLog /dev/stderr
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
- WSGIDaemonProcess keystone-admin processes=16 threads=5 user=keystone group=keystone display-name=%{GROUP}
+ WSGIDaemonProcess keystone-admin processes=1 threads=4 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
@@ -23,6 +29,9 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }}
= 2.4>
ErrorLogFormat "%{cu}t %M"
- ErrorLog "|$/bin/cat 1>&2"
- CustomLog "|/bin/cat" combined
+ ErrorLog /dev/stderr
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml
index a1fe50e1ec..e38bce91a0 100644
--- a/keystone/templates/job-db-sync.yaml
+++ b/keystone/templates/job-db-sync.yaml
@@ -1,3 +1,5 @@
+{{- $envAll := . }}
+{{- $dependecies := .Values.dependencies.db_sync }}
apiVersion: batch/v1
kind: Job
metadata:
@@ -7,32 +9,12 @@ spec:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "{{ .Values.images.entrypoint }}",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
+{{ tuple $envAll $dependecies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: keystone-db-sync
image: {{ .Values.images.db_sync }}
@@ -41,13 +23,19 @@ spec:
- bash
- /tmp/db-sync.sh
volumeMounts:
+ - name: pod-etc-keystone
+ mountPath: /etc/keystone
- name: keystoneconf
mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf
+ readOnly: true
- name: keystone-bin
mountPath: /tmp/db-sync.sh
subPath: db-sync.sh
+ readOnly: true
volumes:
+ - name: pod-etc-keystone
+ emptyDir: {}
- name: keystoneconf
configMap:
name: keystone-etc
diff --git a/keystone/templates/job-init.yaml b/keystone/templates/job-init.yaml
index fa9f68081f..be64047d69 100644
--- a/keystone/templates/job-init.yaml
+++ b/keystone/templates/job-init.yaml
@@ -1,3 +1,5 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.init }}
apiVersion: batch/v1
kind: Job
metadata:
@@ -7,32 +9,12 @@ spec:
metadata:
annotations:
pod.beta.kubernetes.io/init-containers: '[
- {
- "name": "init",
- "image": "{{ .Values.images.entrypoint }}",
- "imagePullPolicy": "{{ .Values.images.pull_policy }}",
- "env": [
- {
- "name": "NAMESPACE",
- "value": "{{ .Release.Namespace }}"
- },
- {
- "name": "DEPENDENCY_SERVICE",
- "value": "{{ include "joinListWithColon" .Values.dependencies.init.service }}"
- },
- {
- "name": "DEPENDENCY_JOBS",
- "value": "{{ include "joinListWithColon" .Values.dependencies.init.jobs }}"
- },
- {
- "name": "COMMAND",
- "value": "echo done"
- }
- ]
- }
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
]'
spec:
restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: keystone-init
image: {{ .Values.images.init }}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 80801204e7..6e7fd06dce 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -13,9 +13,16 @@ images:
db_sync: quay.io/stackanetes/stackanetes-keystone-api:newton
api: quay.io/stackanetes/stackanetes-keystone-api:newton
init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
- entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
pull_policy: "IfNotPresent"
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
keystone:
version: v3
scheme: http
@@ -24,6 +31,12 @@ keystone:
admin_password: password
admin_project_name: admin
+api:
+ default:
+ debug: false
+ token:
+ provider: uuid
+
network:
port:
admin: 35357
@@ -31,11 +44,11 @@ network:
# alanmeadows(TODO): I seem unable to use {{ .IP }} here
# but it does work for wsrep.conf in mariadb, I have spent
# time trying to figure this out am completely stumped
- #
+ #
# helm --debug --dry-run shows me that the config map
# contains {{ .IP }} but its simply translated by K8s
# to ""
- ip_address: "0.0.0.0"
+ ip_address: "0.0.0.0"
database:
port: 3306
@@ -45,13 +58,9 @@ database:
keystone_password: password
keystone_user: keystone
-misc:
- workers: 8
- debug: false
-
dependencies:
api:
- jobs:
+ jobs:
- mariadb-seed
- keystone-db-sync
service:
@@ -81,4 +90,3 @@ endpoints:
port:
admin: 35357
public: 5000
-
diff --git a/mariadb/templates/deployment.yaml b/mariadb/templates/deployment.yaml
index 3867213fb8..8a456ee3ba 100644
--- a/mariadb/templates/deployment.yaml
+++ b/mariadb/templates/deployment.yaml
@@ -42,7 +42,7 @@ spec:
containers:
- name: {{ .Values.service_name }}
image: {{ .Values.images.mariadb }}
- imagePullPolicy: Always
+ imagePullPolicy: {{ .Values.images.pull_policy }}
env:
- name: INTERFACE_NAME
value: "eth0"
diff --git a/mariadb/templates/job-seed.yaml b/mariadb/templates/job-seed.yaml
index 3b84b283aa..c8930621a0 100644
--- a/mariadb/templates/job-seed.yaml
+++ b/mariadb/templates/job-seed.yaml
@@ -10,10 +10,12 @@ spec:
app: mariadb
spec:
restartPolicy: Never
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
containers:
- name: mariadb-init
image: {{ .Values.images.mariadb }}
- imagePullPolicy: Always
+ imagePullPolicy: {{ .Values.images.pull_policy }}
env:
- name: INTERFACE_NAME
value: "eth0"
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index ce3656a6cc..0a13e96581 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -26,6 +26,7 @@ service_name: mariadb
images:
mariadb: quay.io/stackanetes/stackanetes-mariadb:newton
+ pull_policy: IfNotPresent
volume:
class_path: volume.beta.kubernetes.io/storage-class
diff --git a/memcached/templates/deployment.yaml b/memcached/templates/deployment.yaml
index 41dd4faa0e..020265758e 100644
--- a/memcached/templates/deployment.yaml
+++ b/memcached/templates/deployment.yaml
@@ -4,6 +4,14 @@ metadata:
name: memcached
spec:
replicas: {{ .Values.resources.memcached.replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
template:
metadata:
labels:
diff --git a/memcached/values.yaml b/memcached/values.yaml
index 16c0e7020c..8b993d9cc9 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@@ -4,9 +4,16 @@
# name: value
images:
- memcached: quay.io/stackanetes/stackanetes-memcached:newton
+ memcached: docker.io/memcached:1.4
pull_policy: "IfNotPresent"
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
diff --git a/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl b/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
index 5860e3b973..48e061a39c 100644
--- a/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
+++ b/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
@@ -2,6 +2,16 @@
set -x
chown neutron: /run/openvswitch/db.sock
+# ensure we can talk to openvswitch or bail early
+# this is until we can setup a proper dependency
+# on deaemonsets - note that a show is not sufficient
+# here, we need to communicate with both the db and vswitchd
+# which means we need to do a create action
+#
+# see https://github.com/att-comdev/openstack-helm/issues/88
+timeout 3m neutron-sanity-check --config-file /etc/neutron/neutron.conf --ovsdb_native --nokeepalived_ipv6_support
+
+
# determine local-ip dynamically based on interface provided but only if tunnel_types is not null
{{- if .Values.ml2.agent.tunnel_types }}
IP=$(ip a s {{ .Values.network.interface.tunnel | default .Values.network.interface.default}} | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}')
diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml
index dfd4a94694..11ef4e05c9 100644
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@@ -7,6 +7,9 @@ spec:
metadata:
labels:
app: neutron-dhcp-agent
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
spec:
nodeSelector:
{{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }}
@@ -80,4 +83,4 @@ spec:
name: neutron-etc
- name: socket
hostPath:
- path: /var/lib/neutron/openstack-helm
\ No newline at end of file
+ path: /var/lib/neutron/openstack-helm
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml
index 7fb63e7635..7428f94419 100644
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@@ -7,6 +7,9 @@ spec:
metadata:
labels:
app: neutron-l3-agent
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
spec:
nodeSelector:
{{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }}
diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml
index d8e8daaaf0..2ffc16df5c 100644
--- a/neutron/templates/daemonset-metadata-agent.yaml
+++ b/neutron/templates/daemonset-metadata-agent.yaml
@@ -7,6 +7,9 @@ spec:
metadata:
labels:
app: neutron-metadata-agent
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
spec:
nodeSelector:
{{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }}
diff --git a/neutron/templates/daemonset-openvswitch.yaml b/neutron/templates/daemonset-openvswitch.yaml
deleted file mode 100644
index 576dd386e2..0000000000
--- a/neutron/templates/daemonset-openvswitch.yaml
+++ /dev/null
@@ -1,166 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: DaemonSet
-metadata:
- name: neutron-openvswitch
-spec:
- template:
- metadata:
- labels:
- app: neutron-openvswitch
- spec:
- nodeSelector:
- {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
- securityContext:
- runAsUser: 0
- dnsPolicy: ClusterFirst
- hostNetwork: true
- containers:
- - name: neutron-openvswitch-agent
- image: {{ .Values.images.neutron_openvswitch_agent }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- securityContext:
- privileged: true
- # ensures this container can can see a br-int
- # bridge before its marked as ready
- readinessProbe:
- exec:
- command:
- - bash
- - -c
- - 'ovs-vsctl list-br | grep -q br-int'
- env:
- - name: INTERFACE_NAME
- value: {{ .Values.network.interface.openvswitch | default .Values.network.interface.default }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: COMMAND
- value: "bash /tmp/neutron-openvswitch-agent.sh"
- - name: DEPENDENCY_JOBS
- value: "{{ include "joinListWithColon" .Values.dependencies.openvswitchagent.jobs }}"
- - name: DEPENDENCY_SERVICE
- value: "{{ include "joinListWithColon" .Values.dependencies.openvswitchagent.service }}"
- - name: DEPENDENCY_CONTAINER
- value: "{{ include "joinListWithColon" .Values.dependencies.openvswitchagent.container }}"
- volumeMounts:
- - name: neutronopenvswitchagentsh
- mountPath: /tmp/neutron-openvswitch-agent.sh
- subPath: neutron-openvswitch-agent.sh
- - name: neutronconf
- mountPath: /etc/neutron/neutron.conf
- subPath: neutron.conf
- - name: ml2confini
- mountPath: /etc/neutron/plugins/ml2/ml2-conf.ini
- subPath: ml2-conf.ini
- - name: libmodules
- mountPath: /lib/modules
- readOnly: true
- - name: run
- mountPath: /run
- - mountPath: /etc/resolv.conf
- name: resolvconf
- subPath: resolv.conf
- - name: openvswitch-db-server
- image: {{ .Values.images.openvswitch_db_server }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- securityContext:
- privileged: true
- env:
- - name: INTERFACE_NAME
- value: {{ .Values.network.interface.openvswitch | default .Values.network.interface.default }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: COMMAND
- value: "bash /tmp/openvswitch-db-server.sh"
- volumeMounts:
- - name: openvswitchdbserversh
- mountPath: /tmp/openvswitch-db-server.sh
- subPath: openvswitch-db-server.sh
- - mountPath: /etc/resolv.conf
- name: resolvconf
- subPath: resolv.conf
- - name: varlibopenvswitch
- mountPath: /var/lib/openvswitch/
- - name: run
- mountPath: /run
-
- - name: openvswitch-vswitchd
- image: {{ .Values.images.openvswitch_vswitchd }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
- securityContext:
- privileged: true
- # ensures this container can speak to the ovs database
- # successfully before its marked as ready
- readinessProbe:
- exec:
- command:
- - /usr/bin/ovs-vsctl
- - show
- env:
- - name: INTERFACE_NAME
- value: {{ .Values.network.interface.openvswitch | default .Values.network.interface.default }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: COMMAND
- value: "bash /tmp/openvswitch-vswitchd.sh"
- - name: DEPENDENCY_CONTAINER
- value: "openvswitch-db-server"
- volumeMounts:
- - name: openvswitchvswitchdsh
- mountPath: /tmp/openvswitch-vswitchd.sh
- subPath: openvswitch-vswitchd.sh
- - name: openvswitchensureconfiguredsh
- mountPath: /tmp/openvswitch-ensure-configured.sh
- subPath: openvswitch-ensure-configured.sh
- - name: libmodules
- mountPath: /lib/modules
- readOnly: true
- - name: run
- mountPath: /run
- volumes:
- - name: openvswitchdbserversh
- configMap:
- name: neutron-bin
- - name: openvswitchvswitchdsh
- configMap:
- name: neutron-bin
- - name: openvswitchensureconfiguredsh
- configMap:
- name: neutron-bin
- - name: varlibopenvswitch
- emptyDir: {}
- - name: neutronopenvswitchagentsh
- configMap:
- name: neutron-bin
- - name: neutronconf
- configMap:
- name: neutron-etc
- - name: ml2confini
- configMap:
- name: neutron-etc
- - name: resolvconf
- configMap:
- name: neutron-etc
- - name: libmodules
- hostPath:
- path: /lib/modules
- - name: run
- hostPath:
- path: /run
\ No newline at end of file
diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml
new file mode 100644
index 0000000000..f1518ab3aa
--- /dev/null
+++ b/neutron/templates/daemonset-ovs-agent.yaml
@@ -0,0 +1,89 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: ovs-agent
+spec:
+ template:
+ metadata:
+ labels:
+ app: ovs-agent
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ spec:
+ nodeSelector:
+ {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+ securityContext:
+ runAsUser: 0
+ dnsPolicy: ClusterFirst
+ hostNetwork: true
+ containers:
+ - name: ovs-agent
+ image: {{ .Values.images.neutron_openvswitch_agent }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ privileged: true
+ # ensures this container can can see a br-int
+ # bridge before its marked as ready
+ readinessProbe:
+ exec:
+ command:
+ - bash
+ - -c
+ - 'ovs-vsctl list-br | grep -q br-int'
+ env:
+ - name: INTERFACE_NAME
+ value: {{ .Values.network.interface.openvswitch | default .Values.network.interface.default }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: COMMAND
+ value: "bash /tmp/neutron-openvswitch-agent.sh"
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "joinListWithColon" .Values.dependencies.ovs_agent.jobs }}"
+ - name: DEPENDENCY_SERVICE
+ value: "{{ include "joinListWithColon" .Values.dependencies.ovs_agent.service }}"
+ volumeMounts:
+ - name: neutronopenvswitchagentsh
+ mountPath: /tmp/neutron-openvswitch-agent.sh
+ subPath: neutron-openvswitch-agent.sh
+ - name: neutronconf
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ - name: ml2confini
+ mountPath: /etc/neutron/plugins/ml2/ml2-conf.ini
+ subPath: ml2-conf.ini
+ - name: libmodules
+ mountPath: /lib/modules
+ readOnly: true
+ - name: run
+ mountPath: /run
+ - mountPath: /etc/resolv.conf
+ name: resolvconf
+ subPath: resolv.conf
+ volumes:
+ - name: varlibopenvswitch
+ emptyDir: {}
+ - name: neutronopenvswitchagentsh
+ configMap:
+ name: neutron-bin
+ - name: neutronconf
+ configMap:
+ name: neutron-etc
+ - name: ml2confini
+ configMap:
+ name: neutron-etc
+ - name: resolvconf
+ configMap:
+ name: neutron-etc
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: run
+ hostPath:
+ path: /run
diff --git a/neutron/templates/daemonset-ovs-db.yaml b/neutron/templates/daemonset-ovs-db.yaml
new file mode 100644
index 0000000000..6b877abff9
--- /dev/null
+++ b/neutron/templates/daemonset-ovs-db.yaml
@@ -0,0 +1,65 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: ovs-db
+spec:
+ template:
+ metadata:
+ labels:
+ app: ovs-db
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ spec:
+ nodeSelector:
+ {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+ securityContext:
+ runAsUser: 0
+ dnsPolicy: ClusterFirst
+ hostNetwork: true
+ containers:
+ - name: ovs-db
+ image: {{ .Values.images.openvswitch_db_server }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ privileged: true
+ env:
+ - name: INTERFACE_NAME
+ value: {{ .Values.network.interface.openvswitch | default .Values.network.interface.default }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: COMMAND
+ value: "bash /tmp/openvswitch-db-server.sh"
+ volumeMounts:
+ - name: openvswitchdbserversh
+ mountPath: /tmp/openvswitch-db-server.sh
+ subPath: openvswitch-db-server.sh
+ - mountPath: /etc/resolv.conf
+ name: resolvconf
+ subPath: resolv.conf
+ - name: varlibopenvswitch
+ mountPath: /var/lib/openvswitch/
+ - name: run
+ mountPath: /run
+ volumes:
+ - name: openvswitchdbserversh
+ configMap:
+ name: neutron-bin
+ - name: varlibopenvswitch
+ emptyDir: {}
+ - name: resolvconf
+ configMap:
+ name: neutron-etc
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: run
+ hostPath:
+ path: /run
+
diff --git a/neutron/templates/daemonset-ovs-vswitchd.yaml b/neutron/templates/daemonset-ovs-vswitchd.yaml
new file mode 100644
index 0000000000..b07047e376
--- /dev/null
+++ b/neutron/templates/daemonset-ovs-vswitchd.yaml
@@ -0,0 +1,70 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: ovs-vswitchd
+spec:
+ template:
+ metadata:
+ labels:
+ app: ovs-vswitchd
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ spec:
+ nodeSelector:
+ {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+ securityContext:
+ runAsUser: 0
+ dnsPolicy: ClusterFirst
+ hostNetwork: true
+ containers:
+ - name: ovs-vswitchd
+ image: {{ .Values.images.openvswitch_vswitchd }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ privileged: true
+ # ensures this container can speak to the ovs database
+ # successfully before its marked as ready
+ readinessProbe:
+ exec:
+ command:
+ - /usr/bin/ovs-vsctl
+ - show
+ env:
+ - name: INTERFACE_NAME
+ value: {{ .Values.network.interface.openvswitch | default .Values.network.interface.default }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: COMMAND
+ value: "bash /tmp/openvswitch-vswitchd.sh"
+ volumeMounts:
+ - name: openvswitchvswitchdsh
+ mountPath: /tmp/openvswitch-vswitchd.sh
+ subPath: openvswitch-vswitchd.sh
+ - name: openvswitchensureconfiguredsh
+ mountPath: /tmp/openvswitch-ensure-configured.sh
+ subPath: openvswitch-ensure-configured.sh
+ - name: libmodules
+ mountPath: /lib/modules
+ readOnly: true
+ - name: run
+ mountPath: /run
+ volumes:
+ - name: openvswitchvswitchdsh
+ configMap:
+ name: neutron-bin
+ - name: openvswitchensureconfiguredsh
+ configMap:
+ name: neutron-bin
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: run
+ hostPath:
+ path: /run
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index 6dcef74103..66aa7412d7 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@@ -4,10 +4,21 @@ metadata:
name: neutron-server
spec:
replicas: {{ .Values.replicas.server }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
template:
metadata:
labels:
app: neutron-server
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
spec:
nodeSelector:
{{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
@@ -50,4 +61,4 @@ spec:
name: neutron-etc
- name: ml2confini
configMap:
- name: neutron-etc
\ No newline at end of file
+ name: neutron-etc
diff --git a/neutron/templates/etc/_l3-agent.ini.tpl b/neutron/templates/etc/_l3-agent.ini.tpl
index 38b17395c9..3760b3e6c6 100644
--- a/neutron/templates/etc/_l3-agent.ini.tpl
+++ b/neutron/templates/etc/_l3-agent.ini.tpl
@@ -1,4 +1,4 @@
[DEFAULT]
agent_mode = legacy
enable_metadata_proxy = True
-enable_isolated_metadata = True
\ No newline at end of file
+enable_isolated_metadata = True
diff --git a/neutron/templates/etc/_metadata-agent.ini.tpl b/neutron/templates/etc/_metadata-agent.ini.tpl
index c0239e974d..f6cd65e6d7 100644
--- a/neutron/templates/etc/_metadata-agent.ini.tpl
+++ b/neutron/templates/etc/_metadata-agent.ini.tpl
@@ -28,4 +28,4 @@ metadata_port = {{ .Values.network.port.metadata }}
metadata_workers = {{ .Values.metadata.workers }}
# Caching
-cache_url = memory://?default_ttl=5
\ No newline at end of file
+cache_url = memory://?default_ttl=5
diff --git a/neutron/templates/etc/_neutron.conf.tpl b/neutron/templates/etc/_neutron.conf.tpl
index 859dd817d8..60849d21d2 100644
--- a/neutron/templates/etc/_neutron.conf.tpl
+++ b/neutron/templates/etc/_neutron.conf.tpl
@@ -68,4 +68,4 @@ username = {{ .Values.keystone.neutron_user }}
password = {{ .Values.keystone.neutron_password }}
[oslo_messaging_notifications]
-driver = noop
\ No newline at end of file
+driver = noop
diff --git a/neutron/templates/etc/_resolv.conf.tpl b/neutron/templates/etc/_resolv.conf.tpl
index 68dc696756..7c1e9d839a 100644
--- a/neutron/templates/etc/_resolv.conf.tpl
+++ b/neutron/templates/etc/_resolv.conf.tpl
@@ -2,4 +2,4 @@ search {{ .Release.Namespace }}.svc.{{ .Values.network.dns.kubernetes_domain }}
{{- range .Values.network.dns.servers }}
nameserver {{ . | title }}
{{- end }}
-options ndots:5
\ No newline at end of file
+options ndots:5
diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml
index 1514fe87a0..e34f36dc3a 100644
--- a/neutron/templates/job-db-sync.yaml
+++ b/neutron/templates/job-db-sync.yaml
@@ -6,6 +6,8 @@ spec:
template:
spec:
restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
containers:
- name: neutron-db-sync
image: {{ .Values.images.db_sync }}
@@ -40,4 +42,4 @@ spec:
name: neutron-etc
- name: ml2confini
configMap:
- name: neutron-etc
\ No newline at end of file
+ name: neutron-etc
diff --git a/neutron/templates/job-init.yaml b/neutron/templates/job-init.yaml
index c21cd69324..d7d3401714 100644
--- a/neutron/templates/job-init.yaml
+++ b/neutron/templates/job-init.yaml
@@ -6,6 +6,8 @@ spec:
template:
spec:
restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
containers:
- name: neutron-init
image: {{ .Values.images.init }}
@@ -34,4 +36,4 @@ spec:
volumes:
- name: initsh
configMap:
- name: neutron-bin
\ No newline at end of file
+ name: neutron-bin
diff --git a/neutron/templates/job-post.yaml b/neutron/templates/job-post.yaml
index 936d299fe3..6c3a05d280 100644
--- a/neutron/templates/job-post.yaml
+++ b/neutron/templates/job-post.yaml
@@ -6,6 +6,8 @@ spec:
template:
spec:
restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
containers:
- name: neutron-post
image: {{ .Values.images.post }}
@@ -36,4 +38,4 @@ spec:
volumes:
- name: postsh
configMap:
- name: neutron-bin
\ No newline at end of file
+ name: neutron-bin
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 3c6268f45b..434ea41fd7 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -7,19 +7,26 @@ replicas:
server: 1
images:
- init: quay.io/stackanetes/stackanetes-kolla-toolbox:barcelona
- db_sync: quay.io/stackanetes/stackanetes-neutron-server:barcelona
- server: quay.io/stackanetes/stackanetes-neutron-server:barcelona
- dhcp: quay.io/stackanetes/stackanetes-neutron-dhcp-agent:barcelona
- metadata: quay.io/stackanetes/stackanetes-neutron-metadata-agent:barcelona
- l3: quay.io/stackanetes/stackanetes-neutron-l3-agent:barcelona
- neutron_openvswitch_agent: quay.io/stackanetes/stackanetes-neutron-openvswitch-agent:barcelona
+ init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ db_sync: quay.io/stackanetes/stackanetes-neutron-server:newton
+ server: quay.io/stackanetes/stackanetes-neutron-server:newton
+ dhcp: quay.io/stackanetes/stackanetes-neutron-dhcp-agent:newton
+ metadata: quay.io/stackanetes/stackanetes-neutron-metadata-agent:newton
+ l3: quay.io/stackanetes/stackanetes-neutron-l3-agent:newton
+ neutron_openvswitch_agent: quay.io/stackanetes/stackanetes-neutron-openvswitch-agent:newton
openvswitch_db_server: quay.io/attcomdev/openvswitch-vswitchd:latest
openvswitch_vswitchd: quay.io/attcomdev/openvswitch-vswitchd:latest
- post: quay.io/stackanetes/stackanetes-kolla-toolbox:barcelona
+ post: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
pull_policy: "IfNotPresent"
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
labels:
# ovs is a special case, requiring a special
# label that can apply to both control hosts
@@ -133,7 +140,6 @@ dependencies:
server:
jobs:
- neutron-db-sync
- - mariadb-seed
service:
- rabbitmq
- mariadb
@@ -148,18 +154,17 @@ dependencies:
- neutron-init
- nova-post
daemonset:
- - neutron-openvswitch
+ - ovs-agent
metadata:
+ service:
+ - rabbitmq
+ - nova-api
jobs:
- neutron-init
- nova-post
- service:
- - neutron-server
- - rabbitmq
- - nova-api
daemonset:
- - neutron-openvswitch
- openvswitchagent:
+ - ovs-agent
+ ovs_agent:
jobs:
- neutron-post
- nova-post
@@ -167,24 +172,20 @@ dependencies:
- keystone-api
- rabbitmq
- neutron-server
- container:
- - openvswitch-db-server
- - openvswitch-vswitchd
l3:
- jobs:
- - nova-init
- - neutron-init
- - nova-post
service:
- neutron-server
- rabbitmq
- nova-api
+ jobs:
+ - nova-init
+ - neutron-init
+ - nova-post
daemonset:
- - neutron-openvswitch
+ - ovs-agent
db_sync:
jobs:
- neutron-init
- - mariadb-seed
service:
- mariadb
init:
@@ -193,11 +194,10 @@ dependencies:
service:
- mariadb
post:
- jobs:
- - neutron-db-sync
service:
- keystone-api
- - neutron-server
+ jobs:
+ - neutron-db-sync
# typically overriden by environmental
# values, but should include all endpoints
diff --git a/nova/Chart.yaml b/nova/Chart.yaml
new file mode 100644
index 0000000000..85f08c3269
--- /dev/null
+++ b/nova/Chart.yaml
@@ -0,0 +1,3 @@
+description: A Helm chart for nova
+name: nova
+version: 0.1.0
diff --git a/nova/requirements.yaml b/nova/requirements.yaml
new file mode 100644
index 0000000000..2350b1facb
--- /dev/null
+++ b/nova/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+ - name: common
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/nova/templates/bin/_db-sync.sh.tpl b/nova/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000000..b447fad189
--- /dev/null
+++ b/nova/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -ex
+
+nova-manage db sync
+nova-manage api_db sync
+nova-manage db online_data_migrations
diff --git a/nova/templates/bin/_init.sh.tpl b/nova/templates/bin/_init.sh.tpl
new file mode 100644
index 0000000000..b175ca7d5a
--- /dev/null
+++ b/nova/templates/bin/_init.sh.tpl
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+echo "Hello World"
+
+set -ex
+export HOME=/tmp
+
+ansible localhost -vvv -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' \
+login_port='{{ .Values.database.port }}' \
+login_user='{{ .Values.database.root_user }}' \
+login_password='{{ .Values.database.root_password }}' \
+name='{{ .Values.database.nova_database_name }}'"
+
+ansible localhost -vvv -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' \
+login_port='{{ .Values.database.port }}' \
+login_user='{{ .Values.database.root_user }}' \
+login_password='{{ .Values.database.root_password }}' \
+name='{{ .Values.database.nova_user }}' \
+password='{{ .Values.database.nova_password }}' \
+host='%' \
+priv='{{ .Values.database.nova_database_name }}.*:ALL' append_privs='yes'"
+
+ansible localhost -vvv -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' \
+login_port='{{ .Values.database.port }}' \
+login_user='{{ .Values.database.root_user }}' \
+login_password='{{ .Values.database.root_password }}' \
+name='{{ .Values.database.nova_api_database_name }}'"
+
+ansible localhost -vvv -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' \
+login_port='{{ .Values.database.port }}' \
+login_user='{{ .Values.database.root_user }}' \
+login_password='{{ .Values.database.root_password }}' \
+name='{{ .Values.database.nova_user }}' \
+password='{{ .Values.database.nova_password }}' \
+host='%' \
+priv='{{ .Values.database.nova_api_database_name }}.*:ALL' append_privs='yes'"
diff --git a/nova/templates/bin/_libvirt.sh.tpl b/nova/templates/bin/_libvirt.sh.tpl
new file mode 100644
index 0000000000..33fc015e0e
--- /dev/null
+++ b/nova/templates/bin/_libvirt.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -ex
+
+if [[ -f /var/run/libvirtd.pid ]]; then
+ test -d /proc/$(< /var/run/libvirtd.pid) && \
+ ( echo "Libvirtd daemon is running" && exit 10 )
+fi
+
+rm -f /var/run/libvirtd.pid
+
+if [[ -c /dev/kvm ]]; then
+ chmod 660 /dev/kvm
+ chown root:kvm /dev/kvm
+fi
+
+
+sleep 30
+
+{{- if .Values.ceph.enabled }}
+cat > /tmp/secret.xml <
+ {{ .Values.ceph.secret_uuid }}
+
+ client.{{ .Values.ceph.cinder_user }} secret
+
+
+EOF
+
+virsh secret-define --file /tmp/secret.xml
+virsh secret-set-value --secret {{ .Values.ceph.secret_uuid }} --base64 {{ .Values.ceph.cinder_keyring }}
+rm /tmp/secret.xml
+{{- end }}
+
+
+exec libvirtd -v --listen
diff --git a/nova/templates/bin/_post.sh.tpl b/nova/templates/bin/_post.sh.tpl
new file mode 100644
index 0000000000..6792568029
--- /dev/null
+++ b/nova/templates/bin/_post.sh.tpl
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -ex
+export HOME=/tmp
+
+ansible localhost -vvv -m kolla_keystone_service -a "service_name=nova \
+service_type=compute \
+description='Openstack Compute' \
+endpoint_region={{ .Values.keystone.nova_region_name }} \
+url='{{ include "endpoint_nova_api_internal" . }}' \
+interface=admin \
+region_name={{ .Values.keystone.admin_region_name }} \
+auth='{{ include "keystone_auth" .}}'" \
+-e "{'openstack_nova_auth':{{ include "keystone_auth" .}}}"
+
+ansible localhost -vvv -m kolla_keystone_service -a "service_name=nova \
+service_type=compute \
+description='Openstack Compute' \
+endpoint_region={{ .Values.keystone.nova_region_name }} \
+url='{{ include "endpoint_nova_api_internal" . }}' \
+interface=internal \
+region_name={{ .Values.keystone.admin_region_name }} \
+auth='{{ include "keystone_auth" .}}'" \
+-e "{'openstack_nova_auth':{{ include "keystone_auth" .}}}"
+
+ansible localhost -vvv -m kolla_keystone_service -a "service_name=nova \
+service_type=compute \
+description='Openstack Compute' \
+endpoint_region={{ .Values.keystone.nova_region_name }} \
+url='{{ include "endpoint_nova_api_internal" . }}' \
+interface=public \
+region_name={{ .Values.keystone.admin_region_name }} \
+auth='{{ include "keystone_auth" .}}'" \
+-e "{'openstack_nova_auth':{{ include "keystone_auth" .}}}"
+
+ansible localhost -vvv -m kolla_keystone_user -a "project=service \
+user={{ .Values.keystone.nova_user }} \
+password={{ .Values.keystone.nova_password }} \
+role=admin \
+region_name={{ .Values.keystone.nova_region_name }} \
+auth='{{ include "keystone_auth" .}}'" \
+-e "{'openstack_nova_auth':{{ include "keystone_auth" .}}}"
+
+cat </tmp/openrc
+export OS_USERNAME={{.Values.keystone.admin_user}}
+export OS_PASSWORD={{.Values.keystone.admin_password}}
+export OS_PROJECT_DOMAIN_NAME={{.Values.keystone.domain_name}}
+export OS_USER_DOMAIN_NAME={{.Values.keystone.domain_name}}
+export OS_PROJECT_NAME={{.Values.keystone.admin_project_name}}
+export OS_AUTH_URL={{include "endpoint_keystone_internal" .}}
+export OS_AUTH_STRATEGY=keystone
+export OS_REGION_NAME={{.Values.keystone.admin_region_name}}
+export OS_INSECURE=1
+EOF
+
+. /tmp/openrc
+env
+openstack --debug role create _member_ --or-show
diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml
new file mode 100644
index 0000000000..78573783b5
--- /dev/null
+++ b/nova/templates/configmap-bin.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nova-bin
+data:
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "template" | indent 4 }}
+ init.sh: |
+{{ tuple "bin/_init.sh.tpl" . | include "template" | indent 4 }}
+ post.sh: |
+{{ tuple "bin/_post.sh.tpl" . | include "template" | indent 4 }}
+ libvirt.sh: |
+{{ tuple "bin/_libvirt.sh.tpl" . | include "template" | indent 4 }}
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
new file mode 100644
index 0000000000..f96fbcefea
--- /dev/null
+++ b/nova/templates/configmap-etc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nova-etc
+data:
+ nova.conf: |+
+{{ tuple "etc/_nova.conf.tpl" . | include "template" | indent 4 }}
+ ceph.client.cinder.keyring.yaml: |+
+{{ tuple "etc/_ceph.client.cinder.keyring.yaml.tpl" . | include "template" | indent 4 }}
+ resolv.conf: |+
+{{ tuple "etc/_resolv.conf.tpl" . | include "template" | indent 4 }}
+ libvirtd.conf: |+
+{{ tuple "etc/_libvirtd.conf.tpl" . | include "template" | indent 4 }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
new file mode 100644
index 0000000000..c40c3c5aaa
--- /dev/null
+++ b/nova/templates/daemonset-compute.yaml
@@ -0,0 +1,103 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.compute }}
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: nova-compute
+spec:
+ template:
+ metadata:
+ labels:
+ app: nova-compute
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.compute_node_selector_key }}: {{ .Values.labels.compute_node_selector_value }}
+ securityContext:
+ runAsUser: 0
+ hostNetwork: true
+ hostPID: true
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: nova-compute
+ image: {{ .Values.images.compute }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ privileged: true
+ command:
+ - nova-compute
+ - --config-file
+ - /etc/nova/nova.conf
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ - mountPath: /lib/modules
+ name: libmodules
+ readOnly: true
+ - mountPath: /var/lib/nova
+ name: varlibnova
+ - mountPath: /var/lib/libvirt
+ name: varliblibvirt
+ - mountPath: /run
+ name: run
+ - mountPath: /sys/fs/cgroup
+ name: cgroup
+ - mountPath: /etc/resolv.conf
+ name: resolvconf
+ subPath: resolv.conf
+ {{- if .Values.ceph.enabled }}
+ - name: cephconf
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ - name: cephclientcinderkeyring
+ mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ {{- end }}
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: nova.conf
+ path: nova.conf
+ - name: resolvconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: resolv.conf
+ path: resolv.conf
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: varlibnova
+ hostPath:
+ path: /var/lib/nova
+ - name: varliblibvirt
+ hostPath:
+ path: /var/lib/libvirt
+ - name: run
+ hostPath:
+ path: /run
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ {{- if .Values.ceph.enabled }}
+ - name: cephconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: ceph.conf
+ path: ceph.conf
+ - name: cephclientcinderkeyring
+ configMap:
+ name: nova-etc
+ items:
+ - key: ceph.client.cinder.keyring.yaml
+ path: ceph.client.cinder.keyring.yaml
+ {{- end }}
diff --git a/nova/templates/daemonset-libvirt.yaml b/nova/templates/daemonset-libvirt.yaml
new file mode 100644
index 0000000000..692728fa1a
--- /dev/null
+++ b/nova/templates/daemonset-libvirt.yaml
@@ -0,0 +1,110 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.libvirt }}
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: nova-libvirt
+spec:
+ template:
+ metadata:
+ labels:
+ app: nova-libvirt
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.compute_node_selector_key }}: {{ .Values.labels.compute_node_selector_value }}
+ securityContext:
+ runAsUser: 0
+ hostNetwork: true
+ dnsPolicy: ClusterFirst
+ containers:
+ - name: nova-libvirt
+ image: {{ .Values.images.libvirt }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ privileged: true
+ command:
+ - bash
+ - /tmp/libvirt.sh
+ volumeMounts:
+ - name: libvirtdconf
+ mountPath: /etc/libvirt/libvirtd.conf
+ subPath: libvirtd.conf
+ - name: libvirtsh
+ mountPath: /tmp/libvirt.sh
+ subPath: libvirt.sh
+ - mountPath: /lib/modules
+ name: libmodules
+ readOnly: true
+ - mountPath: /var/lib/nova
+ name: varlibnova
+ - mountPath: /var/lib/libvirt
+ name: varliblibvirt
+ - mountPath: /run
+ name: run
+ - mountPath: /sys/fs/cgroup
+ name: cgroup
+ - mountPath: /etc/resolv.conf
+ name: resolvconf
+ subPath: resolv.conf
+ {{- if .Values.ceph.enabled }}
+ - name: cephconf
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ - name: cephclientcinderkeyring
+ mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ {{- end }}
+ volumes:
+ - name: libvirtdconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: libvirtd.conf
+ path: libvirtd.conf
+ - name: libvirtsh
+ configMap:
+ name: nova-bin
+ items:
+ - key: libvirt.sh
+ path: libvirt.sh
+ - name: resolvconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: resolv.conf
+ path: resolv.conf
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: varlibnova
+ hostPath:
+ path: /var/lib/nova
+ - name: varliblibvirt
+ hostPath:
+ path: /var/lib/libvirt
+ - name: run
+ hostPath:
+ path: /run
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ {{- if .Values.ceph.enabled }}
+ - name: cephconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: ceph.conf
+ path: ceph.conf
+ - name: cephclientcinderkeyring
+ configMap:
+ name: nova-etc
+ items:
+ - key: ceph.client.cinder.keyring.yaml
+ path: ceph.client.cinder.keyring.yaml
+ {{- end }}
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
new file mode 100644
index 0000000000..8543f46910
--- /dev/null
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -0,0 +1,57 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.api }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nova-api-metadata
+spec:
+ replicas: {{ .Values.control_replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: nova-api-metadata
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-api
+ image: {{ .Values.images.api }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ # https://bugs.launchpad.net/kolla-mesos/+bug/1546007
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ command:
+ - nova-api-metadata
+ - --config-file=/etc/nova/nova.conf
+ ports:
+ - containerPort: {{ .Values.network.port.metadata }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.network.port.metadata }}
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: nova.conf
+ path: nova.conf
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
new file mode 100644
index 0000000000..a60c4d6985
--- /dev/null
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -0,0 +1,56 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.api }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nova-api-osapi
+spec:
+ replicas: {{ .Values.control_replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: nova-osapi
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-osapi
+ image: {{ .Values.images.api }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ command:
+ - nova-api
+ - --config-file=/etc/nova/nova.conf
+ ports:
+ - containerPort: {{ .Values.network.port.osapi }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.network.port.osapi }}
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: nova.conf
+ path: nova.conf
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
new file mode 100644
index 0000000000..b52408cea8
--- /dev/null
+++ b/nova/templates/deployment-conductor.yaml
@@ -0,0 +1,48 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.conductor }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nova-conductor
+spec:
+ replicas: {{ .Values.control_replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: nova-conductor
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-conductor
+ image: {{ .Values.images.conductor }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - nova-conductor
+ - --config-file
+ - /etc/nova/nova.conf
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: nova.conf
+ path: nova.conf
diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml
new file mode 100644
index 0000000000..6234e5368e
--- /dev/null
+++ b/nova/templates/deployment-consoleauth.yaml
@@ -0,0 +1,48 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.consoleauth }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nova-consoleauth
+spec:
+ replicas: {{ .Values.control_replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: nova-consoleauth
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-consoleauth
+ image: {{ .Values.images.consoleauth }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - nova-consoleauth
+ - --config-file
+ - /etc/nova/nova.conf
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: nova.conf
+ path: nova.conf
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
new file mode 100644
index 0000000000..4db74f7798
--- /dev/null
+++ b/nova/templates/deployment-scheduler.yaml
@@ -0,0 +1,48 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.scheduler }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nova-scheduler
+spec:
+ replicas: {{ .Values.control_replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
+ template:
+ metadata:
+ labels:
+ app: nova-scheduler
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }}
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-scheduler
+ image: {{ .Values.images.scheduler }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - nova-scheduler
+ - --config-file
+ - /etc/nova/nova.conf
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ items:
+ - key: nova.conf
+ path: nova.conf
diff --git a/nova/templates/etc/_ceph.conf.tpl b/nova/templates/etc/_ceph.conf.tpl
new file mode 100644
index 0000000000..d41b65bd62
--- /dev/null
+++ b/nova/templates/etc/_ceph.conf.tpl
@@ -0,0 +1,18 @@
+[global]
+rgw_thread_pool_size = 1024
+rgw_num_rados_handles = 100
+{{- if .Values.ceph.enabled }}
+[mon]
+{{- if .Values.ceph.monitors }}
+{{ range .Values.ceph.monitors }}
+ [mon.{{ . }}]
+ host = {{ . }}
+ mon_addr = {{ . }}
+{{ end }}
+{{- else }}
+mon_host = ceph-mon.ceph
+{{- end }}
+{{- end }}
+[client]
+ rbd_cache_enabled = true
+ rbd_cache_writethrough_until_flush = true
diff --git a/nova/templates/etc/_libvirtd.conf.tpl b/nova/templates/etc/_libvirtd.conf.tpl
new file mode 100644
index 0000000000..d7d0c36e89
--- /dev/null
+++ b/nova/templates/etc/_libvirtd.conf.tpl
@@ -0,0 +1,6 @@
+listen_tcp = 1
+auth_tcp = "none"
+ca_file = ""
+log_level = 2
+log_outputs = "2:stderr"
+listen_addr = "{{ .Values.network.ip_address }}"
\ No newline at end of file
diff --git a/nova/templates/etc/_nova.conf.tpl b/nova/templates/etc/_nova.conf.tpl
new file mode 100644
index 0000000000..900e341ae1
--- /dev/null
+++ b/nova/templates/etc/_nova.conf.tpl
@@ -0,0 +1,108 @@
+[DEFAULT]
+debug = {{ .Values.nova.default.debug }}
+default_ephemeral_format = ext4
+host_subset_size = 30
+ram_allocation_ratio=1.0
+disk_allocation_ratio=1.0
+cpu_allocation_ratio=3.0
+force_config_drive = {{ .Values.nova.default.force_config_drive }}
+state_path = /var/lib/nova
+
+osapi_compute_listen = {{ .Values.network.ip_address }}
+osapi_compute_listen_port = {{ .Values.network.port.osapi }}
+osapi_compute_workers = {{ .Values.nova.default.osapi_workers }}
+
+workers = {{ .Values.nova.default.osapi_workers }}
+metadata_workers = {{ .Values.nova.default.metadata_workers }}
+
+use_neutron = True
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+linuxnet_interface_driver = openvswitch
+
+allow_resize_to_same_host = True
+
+compute_driver = libvirt.LibvirtDriver
+
+# Though my_ip is not used directly, lots of other variables use $my_ip
+my_ip = {{ .Values.network.ip_address }}
+
+transport_url = rabbit://{{ .Values.rabbitmq.admin_user }}:{{ .Values.rabbitmq.admin_password }}@{{ .Values.rabbitmq.address }}:{{ .Values.rabbitmq.port }}
+
+[vnc]
+novncproxy_host = {{ .Values.network.ip_address }}
+novncproxy_port = {{ .Values.network.port.novncproxy }}
+vncserver_listen = 0.0.0.0
+vncserver_proxyclient_address = {{ .Values.network.ip_address }}
+
+novncproxy_base_url = http://{{ .Values.network.external_ips }}:{{ .Values.network.port.novncproxy }}/vnc_auto.html
+
+[oslo_concurrency]
+lock_path = /var/lib/nova/tmp
+
+[conductor]
+workers = {{ .Values.nova.default.conductor_workers }}
+
+[glance]
+api_servers = {{ include "endpoint_glance_api_internal" . }}
+num_retries = 3
+
+[cinder]
+catalog_info = volume:cinder:internalURL
+
+[neutron]
+url = {{ include "endpoint_neutron_api_internal" . }}
+
+metadata_proxy_shared_secret = {{ .Values.neutron.metadata_secret }}
+service_metadata_proxy = True
+
+auth_url = {{ include "endpoint_keystone_admin" . }}
+auth_type = password
+project_domain_name = default
+user_domain_id = default
+project_name = service
+username = {{ .Values.keystone.neutron_user }}
+password = {{ .Values.keystone.neutron_password }}
+
+[database]
+connection = mysql+pymysql://{{ .Values.database.nova_user }}:{{ .Values.database.nova_password }}@{{ .Values.database.address }}/{{ .Values.database.nova_database_name }}
+max_retries = -1
+
+[api_database]
+connection = mysql+pymysql://{{ .Values.database.nova_user }}:{{ .Values.database.nova_password }}@{{ .Values.database.address }}/{{ .Values.database.nova_api_database_name }}
+max_retries = -1
+
+[keystone_authtoken]
+auth_uri = {{ include "endpoint_keystone_internal" . }}
+auth_url = {{ include "endpoint_keystone_admin" . }}
+auth_type = password
+project_domain_id = default
+user_domain_id = default
+project_name = service
+username = {{ .Values.keystone.nova_user }}
+password = {{ .Values.keystone.nova_password }}
+
+[libvirt]
+connection_uri = "qemu+tcp://127.0.0.1/system"
+images_type = qcow2
+# Enabling live-migration without hostname resolution
+# live_migration_inbound_addr = {{ .Values.network.ip_address }}
+
+{{- if .Values.ceph.enabled }}
+images_rbd_pool = {{ .Values.ceph.nova_pool }}
+images_rbd_ceph_conf = /etc/ceph/ceph.conf
+rbd_user = {{ .Values.ceph.cinder_user }}
+rbd_secret_uuid = {{ .Values.ceph.secret_uuid }}
+{{- end }}
+disk_cachemodes="network=writeback"
+hw_disk_discard = unmap
+
+[upgrade_levels]
+compute = auto
+
+[cache]
+enabled = True
+backend = oslo_cache.memcache_pool
+memcache_servers = {{ .Values.memcached.address }}
+
+[wsgi]
+api_paste_config = /etc/nova/api-paste.ini
diff --git a/nova/templates/etc/_resolv.conf.tpl b/nova/templates/etc/_resolv.conf.tpl
new file mode 100644
index 0000000000..7c1e9d839a
--- /dev/null
+++ b/nova/templates/etc/_resolv.conf.tpl
@@ -0,0 +1,5 @@
+search {{ .Release.Namespace }}.svc.{{ .Values.network.dns.kubernetes_domain }} svc.{{ .Values.network.dns.kubernetes_domain }} {{ .Values.network.dns.kubernetes_domain }}
+{{- range .Values.network.dns.servers }}
+nameserver {{ . | title }}
+{{- end }}
+options ndots:5
diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml
new file mode 100644
index 0000000000..b8df59b65d
--- /dev/null
+++ b/nova/templates/job-db-sync.yaml
@@ -0,0 +1,38 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_sync }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nova-db-sync
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-db-sync
+ image: {{ .Values.images.db_sync }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ - name: nova-bin
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ - name: nova-bin
+ configMap:
+ name: nova-bin
diff --git a/nova/templates/job-init.yaml b/nova/templates/job-init.yaml
new file mode 100644
index 0000000000..addc34d2b5
--- /dev/null
+++ b/nova/templates/job-init.yaml
@@ -0,0 +1,32 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.init }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nova-init
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-init
+ image: {{ .Values.images.init }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/init.sh
+ volumeMounts:
+ - name: nova-bin
+ mountPath: /tmp/init.sh
+ subPath: init.sh
+ volumes:
+ - name: nova-bin
+ configMap:
+ name: nova-bin
diff --git a/nova/templates/job-post.yaml b/nova/templates/job-post.yaml
new file mode 100644
index 0000000000..4df83ae874
--- /dev/null
+++ b/nova/templates/job-post.yaml
@@ -0,0 +1,41 @@
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.post }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nova-post
+spec:
+ template:
+ metadata:
+ annotations:
+ pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies | include "dep-check-init-cont" | indent 10 }}
+ ]'
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
+ containers:
+ - name: nova-post
+ image: {{ .Values.images.post }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - bash
+ - /tmp/post.sh
+ env:
+ - name: ANSIBLE_LIBRARY
+ value: /usr/share/ansible/
+ volumeMounts:
+ - name: novaconf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ - name: nova-bin
+ mountPath: /tmp/post.sh
+ subPath: post.sh
+ volumes:
+ - name: novaconf
+ configMap:
+ name: nova-etc
+ - name: nova-bin
+ configMap:
+ name: nova-bin
diff --git a/nova/templates/service-metadata.yaml b/nova/templates/service-metadata.yaml
new file mode 100644
index 0000000000..0e0bac07f6
--- /dev/null
+++ b/nova/templates/service-metadata.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nova-metadata
+spec:
+ ports:
+ - name: nova-metadata
+ port: {{ .Values.network.port.metadata }}
+ selector:
+ app: nova-api
diff --git a/nova/templates/service-osapi.yaml b/nova/templates/service-osapi.yaml
new file mode 100644
index 0000000000..3821bdd633
--- /dev/null
+++ b/nova/templates/service-osapi.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ # alanmeadows(TODO): refactor to nova-osapi
+ # which requires updating other charts
+ # dependencies
+ name: nova-api
+spec:
+ ports:
+ - name: nova-osapi
+ port: {{ .Values.network.port.osapi }}
+ selector:
+ app: nova-osapi
diff --git a/nova/values.yaml b/nova/values.yaml
new file mode 100644
index 0000000000..1888add52b
--- /dev/null
+++ b/nova/values.yaml
@@ -0,0 +1,219 @@
+# Default values for keystone.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+labels:
+ control_node_selector_key: openstack-control-plane
+ control_node_selector_value: enabled
+ compute_node_selector_key: openstack-compute-node
+ compute_node_selector_value: enabled
+
+control_replicas: 1
+compute_replicas: 1
+
+images:
+ init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ db_sync: quay.io/stackanetes/stackanetes-nova-api:newton
+ api: quay.io/stackanetes/stackanetes-nova-api:newton
+ conductor: quay.io/stackanetes/stackanetes-nova-conductor:newton
+ scheduler: quay.io/stackanetes/stackanetes-nova-scheduler:newton
+ novncproxy: quay.io/stackanetes/stackanetes-nova-novncproxy:newton
+ consoleauth: quay.io/stackanetes/stackanetes-nova-consoleauth:newton
+ compute: quay.io/stackanetes/stackanetes-nova-compute:newton
+ libvirt: quay.io/stackanetes/stackanetes-nova-libvirt:newton
+ post: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
+ pull_policy: "IfNotPresent"
+
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+
+network:
+ ip_address: "0.0.0.0"
+ # TODO(DTadrzak): move external IPs to common, this variable should be shared with
+ # horizon service
+ external_ips: ""
+ minion_interface_name: "eno1"
+ dns:
+ servers:
+ - "10.96.0.10"
+ - "8.8.8.8"
+ kubernetes_domain: "cluster.local"
+ other_domains: ""
+
+ port:
+ osapi: 8774
+ metadata: 8775
+ novncproxy: 6080
+
+nova:
+ default:
+ debug: false
+ osapi_workers: 8
+ metadata_workers: 8
+ conductor_workers: 8
+ force_config_drive: True
+
+database:
+ address: "mariadb"
+ port: 3306
+ root_user: "root"
+ root_password: "password"
+
+ nova_user: "nova"
+ nova_password: "password"
+ nova_database_name: "nova"
+ nova_api_database_name: "nova_api"
+
+keystone:
+ admin_user: "admin"
+ admin_password: "password"
+ admin_project_name: "admin"
+ admin_region_name: "RegionOne"
+ domain_name: "default"
+ tenant_name: "admin"
+
+ neutron_user: "neutron"
+ neutron_password: "password"
+ neutron_region_name: "RegionOne"
+
+ nova_user: "nova"
+ nova_password: "password"
+ nova_region_name: "RegionOne"
+
+rabbitmq:
+ address: "rabbitmq"
+ admin_user: "rabbitmq"
+ admin_password: "password"
+ port: 5672
+
+ceph:
+ enabled: false
+ monitors: []
+ cinder_user: "cinder"
+ cinder_keyring: null
+ nova_pool: "vms"
+ secret_uuid: ""
+
+neutron:
+ metadata_secret: "password"
+
+memcached:
+ address: "memcached:11211"
+
+dependencies:
+ api:
+ jobs:
+ - keystone-db-sync
+ - nova-init
+ - nova-db-sync
+ service:
+ - mariadb
+ db_sync:
+ jobs:
+ - nova-init
+ - keystone-init
+ - mariadb-seed
+ service:
+ - mariadb
+ db_sync:
+ jobs:
+ - nova-init
+ - keystone-init
+ - mariadb-seed
+ - keystone-db-sync
+ service:
+ - mariadb
+ post:
+ jobs:
+ - nova-init
+ - keystone-init
+ - mariadb-seed
+ service:
+ - mariadb
+ - keystone-api
+ init:
+ jobs:
+ - mariadb-seed
+ service:
+ - mariadb
+ compute:
+ jobs:
+ - nova-post
+ service:
+ - keystone-api
+ - nova-api
+ daemonset:
+ - ovs-agent
+ libvirt:
+ jobs:
+ - nova-init
+ - nova-post
+ - nova-db-sync
+ service:
+ - keystone-api
+ - nova-api
+ consoleauth:
+ jobs:
+ - mariadb-seed
+ - keystone-db-sync
+ - nova-init
+ - nova-db-sync
+ service:
+ - mariadb
+ scheduler:
+ jobs:
+ - nova-db-sync
+ service:
+ - mariadb
+ conductor:
+ jobs:
+ - nova-db-sync
+ service:
+ - mariadb
+
+# typically overriden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ glance:
+ hosts:
+ default: glance-api
+ type: image
+ path: null
+ scheme: 'http'
+ port:
+ api: 9292
+ registry: 9191
+ nova:
+ hosts:
+ default: nova-api
+ path: "/v2/%(tenant_id)s"
+ type: compute
+ scheme: 'http'
+ port:
+ api: 8774
+ metadata: 8775
+ novncproxy: 6080
+ keystone:
+ hosts:
+ default: keystone-api
+ path: /v3
+ type: identity
+ scheme: 'http'
+ port:
+ admin: 35357
+ public: 5000
+ neutron:
+ hosts:
+ default: neutron-server
+ path: null
+ type: network
+ scheme: 'http'
+ port:
+ api: 9696
diff --git a/rabbitmq/templates/bin-configmap.yaml b/rabbitmq/templates/configmap-bin.yaml
similarity index 100%
rename from rabbitmq/templates/bin-configmap.yaml
rename to rabbitmq/templates/configmap-bin.yaml
diff --git a/rabbitmq/templates/deployment.yaml b/rabbitmq/templates/deployment.yaml
index 21bbd5f8fa..d622f8c56e 100644
--- a/rabbitmq/templates/deployment.yaml
+++ b/rabbitmq/templates/deployment.yaml
@@ -4,10 +4,20 @@ metadata:
name: rabbitmq
spec:
replicas: {{ .Values.replicas }}
+ revisionHistoryLimit: {{ .Values.upgrades.revision_history }}
+ strategy:
+ type: {{ .Values.upgrades.pod_replacement_strategy }}
+ {{ if eq .Values.upgrades.pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }}
+ maxSurge: {{ .Values.upgrades.rolling_update.max_surge }}
+ {{ end }}
template:
metadata:
labels:
app: rabbitmq
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }}
spec:
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index 1efabe6964..8d44741b0b 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -8,7 +8,13 @@ replicas: "1" # this must be quoted to deal with atoi
labels:
node_selector_key: openstack-control-plane
node_selector_value: enabled
-
+
+upgrades:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
auth:
default_user: openstack
default_pass: password