The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This change creates a pre-delete hook to clean out all entries
in the credential table of the keystone database when the
keystone service is deleted. Note that these are not
the typical username/password.[0]
This fixes the issue of leftover credential blobs being saved
in the database that are unable to be decrypted since the
original encryption keys are removed upon deletion of the
keystone service
[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/credential-encryption.html
Change-Id: I8adf0878af2f3b880e9194a6cb8d97b58d6895a5
This PS adds a script to update the keystone catalog endpoints
for keystone itself, as the keystone-bootstrap will not update
these once created.
Change-Id: Ie48c71bbdc9bbd14cebcee46285b3bf51bd28065
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds the local registry image managment to OSH from OSH-Infra.
With this the delta between helm-toolkits in the Repo's is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be depreciated.
Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
This patch set provides PATCH capability for ldap-backed domain config,
and prevents silent failure if the configuration contains erroneous
setting. This also moves from loading .conf files into DB directly,
and uses the API endpoints.
Change-Id: I17a19046fa96e0f3e8fb029c156ba79c924a0097
Signed-off-by: Tin Lam <tin@irrational.io>
This PS removes the user managemnt from the rally driven helm tests
which allows LDAP and other read only sources being used to validate
service functionality, in addition to reducing false -ve results in
the Zuul gates.
Change-Id: I1cc0e99bf74d578648b3cd40eaf60c1804044d88
Implemented Kubernetes jobs to drop a database for an OpenStack service
on deletion of Helm chart. This job is configurable to be enabled or
disabled in the values.yaml file for each chart.
Change-Id: Ia1a0834cb43c7e883aaf507a7c7683fa1cf4e838
Now, openstack-helm support "helm test" function, and It execute rally
container.
Rally also can test Tempest itself, so this fix will be add tempest
test in rally container.
Change-Id: I2c2f684f6583f2a3d9c7279a3d85cb242934e90e
Implements: blueprint add-tempest-in-helm-test
This PS removes the licence header from rendered output from tiller,
significantly reducing the configmap size of charts deployed to the
cluster.
Change-Id: I5d1b246f2068f3b83bf59ba79fe8b88bbc9a6161
This PS allows the rendering of manifests to be controlled. It enables
both increased control over deployment when required but also makes
development of a feature easier to target.
Change-Id: I1716e8ee23fe5c53f935bd739ea283bc4a2a9963
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
This PS unifies and normalises Kubernetes resource allocation and
update strategy across all OpenStack-Helm elements.
Change-Id: Ia41fc453cb5191fa447ca6e1aa0f5b431c939dc8
This PS introduces 'helm test' functionaility to keystone and
provides the basic framwork for charts to use.
Change-Id: Ie84a6ca0ed007fb55e10d503d1c3e49788908eec
Partial-Implements: blueprint implement-helm-test-for-charts
This PS add Barbican support, and moves all potentially container
specific logic into the service start script from the api manifests.
Also fixes a permissions issue with the nova-api, which incorrectly
had the NET_ADMIN capability.
Change-Id: I18fc1ea5d7aa70ea7dabb829361a3da57e905100
This PS updates the way helm-toolkit functions are named to
reference the full path they are loacted at. This should make
development and debugging easier. Addtionally unused functions
have been pruned as well.
Change-Id: I03c553f1d01bccc70c86768b416b147c90d9b2f0
* Initial Commit of Nova Configuration Overrides
This commit is an evolution of the initial keystone configuration
overrides work
It expands upon that work by introducing many of the same concepts
into nova. It differs in that a few concepts were changed. Namely
the helm-toolkit/_oslo.tpl concept was abandoned, as there are too
many unique oslo paths for configuration elements, so dynamic oslo
setting mechanism was moved locally into configmap-etc.yaml, where
it is generally used.
Secondly, in nova the mount override effort was altered to instead
provide mount "append" capability. Keeping the manifest mounts
closer to the actual pod, and keeping values.yaml a tad smaller.
This still allows the original flexibility of operators adding
mounts, but they cannot "undo" any of the charts built in mounts.
There were several manual tweaks that needd to be done to _nova.conf.tpl
after the oslo-config-gen process this time. This is because there is a
bug in the newton version of generating this file. It does not include
the proper service authentication credentials in the [keystone_authtoken]
section. Future releases have a separate service credentials section
so future config generations will likely not need these added lines.
* Remove unused values.yaml parameters
Fix references to removed helm-toolkit oslo macro
* resolve nova feedback
* bugfix nova-etc/nova-bin swap
This commit introduces several new paradigms:
* .Values driven mounts in service containers as well as jobs.
These can be overriden at runtime by manipulating .Values.mounts.*
* Authenticated Endpoint Resolution methods in helm-toolkit
to allow the database and rabbit type endpoints to be moved
under the endpoints section. Now endpoint lookup functions exist
for openstack endpoints as well as infrastructure elements such as
the database, rabbitmq, and memcache.
* Importing of upstream "out of the box" policy.json
and keystone-paste.ini files for better or worse.
* A rendering of the keystone.conf oslo generated config
using a new helm based Values generator. This provides "known"
paths to all configuration elements in the form of
"<section>.<oslo_namespace>.<element>" so that any of these can
be targeted for override via --set or values.yaml files loaded at
run time.
* Support for appending arbitrary string data to the policy.json,
keystone-paste.ini, or keystone.conf files via --set conf.keystone.append="#
some comment", or --set conf.policy.append="\"identity:list_projects\":
\"role:fake\""
* Support for complete verbatim overrides of these three
files via --set conf.keystone.override="full file contents",
or --set conf.policy.override="full file contents" for example
* Rename common chart to helm-toolkit
* Update useage of helpers to include reference to chart they come from.
* Update helm-toolkit function naming
Also catches several functions missed in previous PS
* Update remaining requirements.yaml to use helm-toolbox
* Dep Check container fix for common -> helm-toolbox renaming
* start.sh was added back, which had requiring sourcing
* the naming convention for charts is finalized with this example
landing on configmap-*.yaml to satisfy those of us with OCD
* imagePullPolicies added for init-containers, required by
helm 2.1.0 which does not supply them by default
