ADD openstack chart with values_overrides
* rabbitmq
* mariadb
* memcached
* keystone
* heat
* glance
This adds umbrella chart that references other charts via
symlink and include global values.
Because chart valeus_overrides yaml apply to the main chart,
the umbrella chart has a chart-scoped replacement
ADD openstack.sh deploy script
This script deploys all components with a single release.
ADD corresponding release notes
CHG wait-for-pods-sh to accept timeout arguement
CHG get-values-overrides.sh to modify file path for subchart
Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
This changes use the helm-toolkit template for toleration
in openstack services
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I30ca8050e02a5deeec52319d45025f4af7139059
This reverts commit 73531436e975e6091df0f501239159c0df69e3e3.
Reason for revert: When the keys are rotated, the links become
broken and keystone only uses the 0 key.
Change-Id: Iffc4ab5d659b01babe7b4f9ee35b0a5789dac3ec
Keystone has default policy defined in code, this change
removes the outdated values set in values.yaml in order to fall
back onto the in code values for policy.
Change-Id: If27eb0aa312b52c6fddd3811f10bc6207c7dfe27
This change updates the image references in the keystone chart
to the latest supported releases of both openstack and ubuntu.
Change-Id: If4f30252b5d839cfe517ee57cbef96e7775e7ec5
The keystone chart recently had a change to fix the world
readable warning message, but an extra fsGroup entry causes
the chart to fail to deploy when using helm3.
This change removes the offending entry from the values file
in the keystone chart.
Change-Id: I540854da7123f413215b627d3bfb077c6f4864c6
Current implementation of Keystone prints a warning message if the
directory containing the fernet keys is world readable (o+r). As OSH
uses a volumeMount to handle fernet keys and is by default readonly,
there is no meaningful way to make the directory (not the keys) world
unreadable. Consequently, keystone just keep logging that warning,
adding no particular value besides flooding the log.
Rather than disabling the log message in keystone (as that warning is
meaningful from a security standpoint), this patch set changes the way
we deal with the secret volume so the directory is no longer world
readable, so keystone will stop issuing that warning message.
Signed-off-by: Tin Lam <t@lam.wtf>
Change-Id: Id29abe667f5ef0b61da3d3825b5bf795f2d98865
The default of 'domain_config_dir' in keystone is '/etc/keystone/domains'.
This patch adds the missing slash.
Change-Id: I30523ec3fd3144811a76b9078e915eff4ffa2b66
As of Rocky, keystone creates the member role by default. Since
our removal of pre-Train support, the logic we have in the
bootstrap script is no longer needed.
This change removes the member user and role logic.
Change-Id: Ide3af5c47c6b45c013b4dee08076d11bcfe87c53
This change modifies the keystone probe timings to be less
aggressive. This should prevent the probes from restarting any
keystone-api pods that are under a high volume of traffic as well
as reduce the amount of log spam.
Change-Id: Icce06bf2247591a7b603aa32ded254ce7b6cc67a
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
With keystone moving to flask back in Stein, the paste pipeline
configuration and file are no longer needed. With OSH no longer
supporting those older releases, this change removes the paste ini
settings and file mounts since they are no longer used.
Change-Id: Idacd973f090562eaee28567d9422eb761951096f
The pre-install hooks for several of the keystone templates
cause upgrade failures when using helm2. This change wraps them
in a conditional that can be toggled off for anyone still
using helm2.
Change-Id: I179583bd595bc8ed1e4c29eb7c2a744e3c6a5708
With a previous change[0] that moved rabbit-init jobs to dynamic
in helm-toolkit, this change continues that work by moving the
keystone rabbit-init job to dynamic as well.
[0] https://review.opendev.org/c/openstack/openstack-helm-infra/+/671727
Change-Id: Iec2ea3fdf36e19ac4f2e203389dbe19737d14c3a
When starting the keystone-api pod, the service checks for a
access_rules file for application credentials during startup.
If the file does not exist, keystone emits a warning saying the
file is not found:
WARNING keystone.access_rules_config.backends.json [-] No config
file found for access rules, application credential access rules
will be unavailable.: FileNotFoundError: [Errno 2] No such file
or directory: '/etc/keystone/access_rules.json'
This change adds in a blank access_rules.json file to the
keystone etc directory in order to surpress this message.
Change-Id: I63ac153cc91ac45b3fd223f8a54b933b5cbffac4
Some OSH charts have diffferent values for logger_root
handler from upsgream repo config defaul values.
Exactly, logger_root handler values.
This leads double logging finally.
To fix this, set logger_root as null like upstream repos.
Change-Id: I20e4f48efe29ae59c56f74e0ed9a4085283de6ad
This updates the Keystone chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I0e00571d4060cca914d1bdb4f36e736fa8501130
This change updates the xrally image from 1.3.0 to 2.0.0
in order to better match the current versions of openstack
we are running in the gate.
Change-Id: I3f417a20e0f6d34b9e7ed569207a3df90c6ddfd2
This updates the Keystone chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I655ef19a3c187e3462ff8ec1a54bc9691ca64d41
This updates the Keystone chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true.
Change-Id: I2ac3a4efa6798e263de19f0db444f37c5236d121
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This patch set updates the default job to use OpenStack Stein release.
The previously default Ocata release will be place in separate job.
Change-Id: I489324f762a179a2cab5499a6d8e57e97c81297f
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set adds in the egress policy for core OpenStack Services.
Depends-On: https://review.opendev.org/#/c/679853/
Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy
Depends-On: https://review.opendev.org/688435
Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This change adds two network policy zuul checks, one for the compute-kit,
and one for cinder/ceph, to test network policy for each OpenStack
service. These checks will be non-voting initially.
The network policy rules for each service will initially allow all
traffic. These ingress/egress rules will be defined in future changes
to only explicitly allow traffic between services that are explicitly
allowed to communicate, other traffic will be denied.
Depends-On: https://review.opendev.org/#/c/685130/
Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
This PS updates the default RMQ policy to not mirror reply queues
as they cause signifigant blocking when resorting a rabbit node to
a cluster, with no advantage.
Change-Id: I6f8d4eaa482fcdf3e877bd38caa9b24358ea5be0
Signed-off-by: Pete Birley <pete@port.direct>
When deploying keystone, two pods fail with error:
Temporary failure in name resolution
These pods are executing fernet_manage.py and fetch secrets using:
https://github.com/openstack/openstack-helm/blob/master/keystone/templates/bin/_fernet-manage.py.tpl#L60
However, the current network policy blocks the connection to kube-dns.
This patch fixes it
Change-Id: I4ae6722a5bcb350e64995fbd2e1010153b0c29e6
Signed-off-by: Manuel Buil <mbuil@suse.com>
Provide the default domain id and assign the admin
role to it on bootstrap.
Currently we cannot provide domain scoped tokens with
the admin user due to it not being assigned the admin
role for the default domain.
This patch makes it so we assign the proper role on bootstrap.
Depends-on: https://review.opendev.org/662992
Change-Id: Ide1918c1ed264ccc2998008b2334542e3d683bfc
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.
Depends-On: I5150a64bd29fa062e30496c1f2127de138322863
Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.
This change makes it so that each service defines its own test user
in the form of [service]-test.
Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.
This should fix it.
Change-Id: I672b8755bf9e182b15eff067479b662529a13477
This change reenables the create and list ec2 credential test.
The previous issue of undecryptable credential blobs being
left over was fixed in a previous change.
Change-Id: I81014489dd16d6c57a89ddb3ac3d205209e4acdf
