482 Commits

Author SHA1 Message Date
liyingjun
84a6df2e5d fix(neutron): Don't check tcp socket state for ovn metadata agent
When using ovn as neutron plugin, the health probe failed with "RabbitMQ
sockets not Established" error, because it still checks TCP connection to
Rabbitmq while OVN metadata agent doesn't use Rabbitmq. This patch adds
a condition check to avoid tcp socket state check for ovn metadata agent.

Story: #2010686
Change-Id: Ic35c1b4bb3c4d1cff7b633e6f69d5269cc23eeef
2023-04-04 07:37:07 +00:00
Samuel Liu
73e696b3fb Replace node-role.kubernetes.io/master with control-plane
The master label is no longer present on kubeadm control plane nodes (v1.24). For new clusters, the label 'node-role.kubernetes.io/master' will no longer be added to control plane nodes, only the label 'node-role.kubernetes.io/control-plane' will be added. For more information, refer to KEP-2067[https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint]: Rename the kubeadm "master" label and taint.

the kubernetes pr: https://github.com/kubernetes/kubernetes/pull/107533

Change-Id: Iad8c833371efb3ec35149c89eb8fafdf1150fa87
2023-03-21 09:02:00 +08:00
Sadegh Hayeri
c83582a866 Add ovn
Change-Id: Iacf6423399d51134af5b00b472ef6b42e17dfd6a
2023-03-17 21:31:48 +03:30
okozachenko
e03c021e70 Fix ovs dependency labels
Depends-On: https://review.opendev.org/c/openstack/openstack-helm-infra/+/866478
Change-Id: I94ba8c5143d6d243c0ba31af62639852582bd1c7
2022-12-14 01:51:32 +11:00
ricolin
b72f3d0f3c Avoid unrequired policy setup
OpenStack services already moved to use policy in code.
No need to have policy file at this point, at least no need to put
default policy rule to policy.yaml file anymore.
To put in duplicate rules, will cause unnecessary logs and process.
Also not healthy for policy in code maintain as the `default` rules in
openstack-helm might override actual default rules in code which we
might not even mean to change it at all.

Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
2022-11-23 22:43:10 +08:00
Gage Hugo
5ffefb60c1 Remove train and ussuri overrides
We dropped train support a long time ago now, and our latest efforts
are to drop ussuri/bionic images. This change removes any leftover
train overrides as well as any ussuri overrides. This also changes
any image defaults to use wallaby.

Change-Id: I818a3a79faa631ec1b7de625f2113c6f19610760
2022-10-24 16:00:59 -05:00
josebb
52bdfae2bf Distinguish between port number of internal endpoint and binding
port number in neutron

Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.

I added `service` section in endpoint items apart from admin,public
,internal and default.

Change-Id: I38dca50a8462faa4e9a7eeed56839b1b996eae06
2022-09-02 18:27:48 +03:00
okozachenko
f3ed56cc18 Use HTTP probe instead of TCP probe
Strictly speaking, open socket doesn't mean working API.
We experienced API stopped responding and the socket was still
open so API was unhealthy actually but kubernetes did not restart.

HTTP probe will fix this issue.

Change-Id: I95bb3ad3123d8a4a784d260477f037fa5506d290
2022-09-01 15:54:07 +10:00
josebb
753e43072d Support TLS endpoints in neutron
This allows neutron to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And neutron itself interact with other openstack services via
endpoints.

Change-Id: I204b8a1a5a1fb253ea4207f5f5d76d47fac41bef
2022-08-12 21:28:56 +03:00
Brian Haley
ced30abead Support image registries with authentication
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142

Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
2022-08-11 00:18:37 +00:00
Robel Herarso
0933141334 Add neutron_netns_cleanup_cron release image override
This will add a value override for neutron_netns_cleanup_cron release image so that we don't use stein release images by default in the respective Openstack release jobs.

Change-Id: Ie856090ac3ed2f8c60afeacc2ed729c36b7d3372
2022-07-19 15:02:27 -07:00
Samuel Liu
b1182ebfd8 Fix /run/xtables.lock may be a directory
By default, hostPath does not specify type. Instead, it creates a directory. If the Neutron container starts earlier than CNI(Calico), Calico may fail.

Change-Id: I56498a91461214bf591c7dfe6f9445ffe2e6d7d0
2022-07-05 17:54:19 -04:00
Alexey Terekhin
7b05f28e82 Fix for neutron-netns-cleanup-cron.py script.
Change-Id: I40a9b42204db4455f656e2711dda8ca136b201cb
2022-06-29 15:36:51 +00:00
Gage Hugo
89addfd4e1 Add Xena and Yoga values overrides
This change adds the overrides needed to run both the Xena and
Yoga releases in the OSH zuul jobs.

Change-Id: I65e016a4cb3fd52707ab29c37f025818fcb6c405
2022-06-08 17:21:57 +00:00
Alexey Terekhin
32afc483e5 Modified neutron-netns-cleanup-cron.py script.
We needed to terminate qdhcp namespaces which aren't satisfied hosts in neutron db.
It happens after people interrupt neutron agents work and after restart agents, they can start ns on different hosts,
but nothing tracks previous hosts. Previous version of the script checked only IPs inside ns but didn't validate hosts.

Change-Id: I9968f627ce3ab1596711fe9e8d3345d0a5fc42c8
2022-05-25 18:13:19 +00:00
Graham Steffaniak
2e5b7f9cb7 add compute-kit to openstack umbrella chart
ADD: include new charts to the umbrella chart for comprehensive
     deployment of openstack-helm.

       * openvswitch
       * libvirt
       * neutron
       * nova
       * placement

Change-Id: I78d1c7c629024c3f9530239dff9f8eb9da598764
2022-05-19 17:07:31 -05:00
Schubert Anselme
8d5ddc9035
Migrate CronJob resources to batch/v1 and PodDisruptionBudget resources to policy/v1
This change updates the following charts to migrate CronJob resources to the batch/v1 API version, available since v1.21. [0]
and to migrate PodDisruptionBudget to the policy/v1 API version, also available since v1.21. [1]

- aodh (CronJob & PodDisruptionBudget)
- barbican (PodDisruptionBudget)
- ceilometer (PodDisruptionBudget)
- cinder (CronJob & PodDisruptionBudget)
- cyborg (PodDisruptionBudget)
- designate (PodDisruptionBudget)
- glance (PodDisruptionBudget)
- heat (CronJob & PodDisruptionBudget)
- horizon (PodDisruptionBudget)
- Ironic (PodDisruptionBudget)
- Keystone (CronJob & PodDisruptionBudget)
- magnum (PodDisruptionBudget)
- masakari (PodDisruptionBudget)
- mistral (PodDisruptionBudget)
- neutron (PodDisruptionBudget)
- nova (CronJob & PodDisruptionBudget)
- octavia (PodDisruptionBudget)
- placement (PodDisruptionBudget)
- rally (PodDisruptionBudget)
- senlin (CronJob & PodDisruptionBudget)

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#cronjob-v125
1: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#poddisruptionbudget-v125

Change-Id: I2fc0692e1c8e2c4fa4d4ca1da96b5c6a832343fa
2022-05-19 10:08:18 -04:00
songwenping
5d33d80371 Remove usage of six
Six is not used anymore for python3

Change-Id: I2734efe490014d164b53caa164ac491c53c8e09c
2022-04-20 10:07:51 +08:00
Gage Hugo
1473bfe29c Remove unsupported values overrides - neutron
The neutron chart contains several values overrides for openstack
releases that are no longer supported by openstack-helm. This
change removes these overrides from the neutron chart.

Change-Id: I9d2c73ca4a0157a77a1a73406a7e53dc44124547
2022-04-11 18:43:25 -05:00
Mohammed Naser
89bf3cf7b8 neutron: migrate IP for bridges
This patch makes a change to the Helm chart so that it migrates the
IP address assigned to an interface to `br-ex`.  It's assumed that
if the operator put an IP address on that interface, they likely
need it, and if they just had no IP address then it's there for L2
connectivity so nothing won't happen anyways.

Change-Id: I17dc2e532dc8b472a5c5c16ff2ec2bdcfb5bfac5
2022-04-08 11:46:51 -03:00
Thiago Brito
c6c58102d3 Enable taint toleration for neutron
This change uses the helm-toolkit template for toleration
in openstack services

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: Ib33118af841b3273f146d94c6499c232b793a0be
2022-03-22 18:44:40 +00:00
Thiago Brito
151c03d5ec Fix infinite recursion deadlock on netns cleanup
When, for some reason, the neutron netns agent is misconfigured and is
producing errors, this infinite recursion is generating a deadlock on
cpu usage since it repeats with no interval. This fix adds some shorter
sleeps to work around it.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Icf840ea965d0652d6118a1b840168df95ba95fac
2022-03-10 15:02:11 -03:00
Anderson, Craig (ca846m)
d514395d81 Improve health probe logging for nova and neutron
1. Log specific compute services failing rabbitMQ socket tests in nova
   health probe
2. Log specific compute services failing Database socket tests in nova
   health probe
3. Make log level configurable for nova and neutron health probes

Change-Id: I5e5d909d598af734596eb1732ae42808c1f6cd12
2022-02-22 10:05:15 +00:00
Gage Hugo
c20c1e4400 Update htk requirements repo
As part of the move to helm v3, all the charts in the OSH repos
will no longer lint/build properly due to a lack of helm serve
in helm v3.

This change modifies the helm-toolkit repo location to the
osh-infra repo in order to account for the removal of helm serve.

This work is part of the migration to helm v3 and will be utilized
in future changes.

Change-Id: I90d25943d69ad6c76455f7778a4894f00c525c46
2021-10-10 18:45:28 -05:00
Thiago Brito
21157f8e6a Add option to disable helm.sh/hook annotations
Adding a helm3_hook in values.yaml file in case hooks need
to be disabled (e.g. on Helm v2).

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I1c03ea9ee88d1306283ce577b100c9864bec5d1b
2021-09-29 18:40:15 -03:00
Andrii Ostapenko
3ac3caa013 Add support for Victoria and Wallaby
Defines compute kit and cinder jobs for new releases with
corresponding values overrides.

Disables compute agent list test for Wallaby since related API
is removed [0].

Since Wallaby with switch of osc to sdk '--id auto' is no longer
treated specially in 'openstack flavor create'. The same behavior
can be achieved w/o specifying --id flag for flavor creation [1].

Starting Wallaby 'nova-manage api_db version' returns init version
for empty database greater than 0 [2]. _db-sync.sh.tpl logic prior to
this commit does not work due to this. We need to either remove
(done in current commit) or justify and alter previous logic.

[0] https://review.opendev.org/749309
[1] https://review.opendev.org/750151
[2] https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32

Change-Id: I361431d9aa8c1a06c5d59f479fb161ecd87e2ee2
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2021-08-02 15:46:07 +00:00
xuxant02@gmail.com
ee0c142748 Made dnsmasq.conf overridable in configmap-etc secret
As dnsmasq.conf data in configmap-etc secret was empty, there was no option
to override it. Added the section in the values.yaml file where the dnsmasq.conf
config can be added which will be reflected in dhcp-agent.

Change-Id: If11c33f6f837dbf0d16e54cc92cabf399e773968
2021-07-14 14:24:05 +05:45
MirgDenis
27e12b88ad Fix neutron-openvswitch-agent-init script
Using local variables outside of function is not allowed
in bash. During adding route it tries to delete cached
route and fails with "Not found" because it can delete only
user created routes, so we need to omit Cached routes
in ovs/route/show listing.

Change-Id: Ifc8da7fc36206f7ebd2e6198dbf192a5a40261af
2021-07-13 14:48:40 +03:00
Mohammed Naser
44be41440c Wire up rootwrap daemon
This patch allows Neutron to start taking advantage of the rootwrap
daemon which should significantly increase performance.

Change-Id: I9d4f8dd8f9d36dc558e5e280b8f8193212345f34
2021-07-07 19:18:19 +05:45
Kabanov, Dmitrii
b1abce9a75 Add Ussuri release support
The PS adds the set of overrides for Ussuri release.

Change-Id: I6b3055e376aa14d0c2ecbea638e6e9ba3b03bde5
2021-06-30 16:47:22 -07:00
Gupta, Sangeet (sg774j)
5028aa8de1 Mount rabbitmq TLS secret
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other service, the TLSed 
rabbitmq support should be added.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188

Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
2021-06-10 14:12:57 +00:00
Thiago Brito
8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have been mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00
Haider, Nafiz (nh532m)
c900712f30 feat(tls): Make openstack services compatible with rabbitmq TLS
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/770678

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I11e9ad3f4079b0e12e498f9ed57e5b87ae9dc66a
2021-05-21 01:27:18 +00:00
Gage Hugo
5233582991 Remove support for openstack releases older than T
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.

Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
2021-04-29 12:04:34 -05:00
Kabanov, Dmitrii
46f4343f19 [Neutron] Update Rally tests
The PS updates Rally tests and removes "name" parameter. According to
Rally documentation [0] this parameter was always ignored. Latest version of Rally (2.1.0) is failing with a message: "Scenario plugin
'NeutronNetworks.<...>' doesn't pass restricted_parameters@default
validation. Details: You can't specify parameters 'name' in
'network_update_args/port_update_args/router_update_args/subnet_update_args'"

[0] https://github.com/openstack/rally-openstack/blob/2.1.0/CHANGELOG.rst

Change-Id: If4e80dfcb56a6e1daa1a055285329f9fc2d58332
2021-04-16 04:14:21 +00:00
Susanta Gautam
b4e2a85b49 Add helm.sh/hook related annotation for neutron
Chart upgrading was failing due to some immutable fields in job are needed to upgrade. So, we thought using the post-install and post-upgrade
helm hook for job to force the job resource to execute after all resources are created. And as some jobs are dependent on each other i.e.
some jobs need to run in order for helm hook to be successful. For that we used hook-weight to control resource creation order.

Change-Id: I26881324d101a986b7367d4682e9adcd07a24b13
2021-03-18 08:49:09 +05:45
Nafiz Haider
ca47e3c974 Re-enable "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit 2ec17153c6cb918dd357f71824ec59dd0d74dfba.

Reason for revert: resolved bug with cluster issuer versioning

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/772814

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: If7ebef1cebbe5b1d97ac530dd7136e3fc9232b21
2021-02-26 02:43:09 +00:00
Roy Tang
e491b838fa Update ovs agent to support host/label overrides
In the ovs agent code, some of the secret ref are hardcoded, and
it breaks the host/label overrides mechanism.  This patchset
fixes it.

Change-Id: Icf3ffc86fde77b1948e86cfd62e83fbdfe16ad8e
2021-02-16 15:49:05 -06:00
Tin Lam
2ec17153c6 Revert "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit 43e75eaa83cc6958fa0a6af55783cbe2645cfde7.

Reason for revert: Doing this as part of the revert here - https://review.opendev.org/c/openstack/openstack-helm-infra/+/772733

Change-Id: I9c04a35c179d23ec1b7612b4f87d9d16352985cc
2021-01-27 17:09:42 -06:00
sgupta
43e75eaa83 feat(tls): Change Issuer to ClusterIssuer
ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, same
ClusterIssuer can be used instead of one Issuer per namespace.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359

Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
2021-01-19 13:47:09 +00:00
Sphicas, Phil (ps3910)
c7c19e85c0 Use HostToContainer mountPropagation
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.

Affects the following resources:
* neutron-lb-agent daemonset
* neutron-ovs-agent daemonset
* neutron-sriov-agent daemonset (unused mount removed)
* nova-compute daemonset

Change-Id: I92f1700e56517a74b1fbcc8e3a68567045a593ee
2021-01-07 20:27:08 +00:00
KHIYANI, RAHUL (rk0850)
e1fac0ba4d Add missing flags to nginx container in neutron chart
This adds readOnly-fs flag to nginx container

Change-Id: Ie75e460fe2f45f1ae908f1fe475461267251461f
2020-11-04 00:04:09 -06:00
Andrii Ostapenko
42712e1d36
Pass ovs agent config to dhcp agent
Since metadata server is accessed via dhcp namespace, dhcp relies on
conf.OVS.datapath_type for [0] logic to disable checksum offloading
that is not supported with ovs-dpdk, making metadata server not available.

[0] https://opendev.org/openstack/neutron/src/branch/stable/train/neutron/agent/linux/interface.py#L444-L446

Change-Id: I382af9d9e83b39fd9a616351e7cd5a752a603e77
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-10-30 15:21:34 -05:00
KHIYANI, RAHUL (rk0850)
32c72a08ea Update neutron to use Nginx apparmor profile
neutron-rpc-server container was removed and nginx container
was added here in this commit https://review.opendev.org/#/c/758919/4

Change-Id: Ie7b3a23ea8d7a5d3b1788bce1c1419fe1f627b75
2020-10-23 10:18:10 -05:00
Tin Lam
6895a5ba7a fix(neutron): fixes tls issue
Updated neutron to use an Nginx sidecar to terminate internal TLS rather
than using Apache with a separate RPC servers. Multiple RPC servers (in
sidecar) causes communication issues with RabbitMQ causing expected
errors.

Change-Id: Iaa6d3d64b730a54b1b85a338517bcb5be1842bda
Signed-off-by: Tin Lam <tin@irrational.io>
2020-10-21 11:02:57 -05:00
Andrii Ostapenko
20b6b9a236
Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: If537f69dec7e3360f6bffcc4424f10c248919ece
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-24 12:20:13 -05:00
Zuul
28669f8854 Merge "Sync logging values with upstream repos" 2020-09-17 04:08:40 +00:00
Zuul
239d8ddf06 Merge "Add chart-testing linter" 2020-09-17 02:12:27 +00:00
Mohammed Naser
89969ade3a Add chart-testing linter
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.

Change-Id: I7e4b191fb9e355ab5d5a233e8ed121346519df62
2020-09-16 21:12:17 +03:00
okozachenko
a8fc28696d Sync logging values with upstream repos
Some OSH charts have different values for logger_root
handler from upstream repo config default values.
Exactly, logger_root handler values.
This leads to double logging finally.
To fix this, set logger_root as null like upstream repos.

Change-Id: I20e4f48efe29ae59c56f74e0ed9a4085283de6ad
2020-09-15 19:15:05 +03:00