This changes use the helm-toolkit template for toleration
in openstack services
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I30ca8050e02a5deeec52319d45025f4af7139059
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
Keystone may communicate with other components that do not support TLS. This
patchset makes keystone more flexible and enable it to communicate successfully
with such components
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/800097
Change-Id: I5c697c1748b62a81b43e7b0d6c7f89d374a50d94
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
In cases where mariadb is not accessable, either from being deleted
prior to deleting keystone, or some other reason, it is preferred
to fail and move on with the keystone-credential-cleanup.
This change adds hook-failed to the "hook-delete-policy" for the
keystone-credential-cleanup job. This is address cases where deleting
keystone would cause the delete task to hang while the cleanup hook
would fail to connect to mariadb, often due to mariadb being already
deleted.
Change-Id: Ice7187fe6329c8b12333f508351bd5f9e2cdc8e2
The keystone-credential-cleanup hook was previously changed to
post-delete, this can cause issues where the serviceName is deleted
prior to running and will cause this to fail. This change reverts
the hook back to pre-delete to avoid this issue.
Change-Id: I45f3e73f8a957576ef82a733c1a7b7feaba7b679
When cleaning up an entire openstack deployment, it's possible
that mariadb will be deleted prior to keystone, and as a result
keystone-credential-cleaup hook will not be able to run. This
blocks the cleanup from occuring successfully.
This change sets the keystone-credential-cleanup hook to run
"post-delete" and the pod restart policy to "Never". If
the mariadb deployment is gone, this hook is unneeded.
Change-Id: I7e2e4680e35fb243488e707cf5a4a26e05433913
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
This change creates a pre-delete hook to clean out all entries
in the credential table of the keystone database when the
keystone service is deleted. Note that these are not
the typical username/password.[0]
This fixes the issue of leftover credential blobs being saved
in the database that are unable to be decrypted since the
original encryption keys are removed upon deletion of the
keystone service
[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/credential-encryption.html
Change-Id: I8adf0878af2f3b880e9194a6cb8d97b58d6895a5
