Keystone uses keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job that sets the key repository up and a rotate job for those keys. All is
based on the implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's the default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
A general issue with fernet tokens is that the keys used to encrypt them need
to be persistent and shared across the cluster. Moreover, the "rotate"
operation generates a new key, so the key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as the key repository.
* A new fernet-setup Job will populate the secret with initial keys.
* A new fernet-rotate CronJob will be run periodically (weekly by default)
  and perform the key rotation operation and update the secret.
* The secret is attached to keystone-api pods in the /etc/keystone/fernet-tokens
  directory.
It turns out k8s updates secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless the fernet-rotate job runs before all of the pods have
noticed the change in the secret. As in a real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
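The commit message above relies on two properties of Keystone's fernet key repository: key "0" is a staged key that every pod already holds before it becomes the primary key, and each rotation promotes "0" to the new (highest-numbered) primary, stages a fresh "0", and prunes the oldest secondary keys beyond max_active_keys. The script below is an added example, not Keystone or OpenStack-Helm code, that simulates that layout on a temporary directory and shows why a pod holding a stale copy of the mounted secret is fine after one rotation but not after two. The token format is a stand-in HMAC tag rather than real Fernet (so only the standard library is needed), the hex-encoded 32-byte key files are an assumed format, and the default of three active keys is Keystone's documented default for max_active_keys.

```python
"""Simulate Keystone-style fernet key repository setup and rotation.

Added example (not Keystone/OpenStack-Helm code). The repository layout
mirrors Keystone's documented behaviour; the key-file format and the
HMAC "token" are stand-ins chosen so the script runs with stdlib only.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

MAX_ACTIVE_KEYS = 3  # Keystone's documented default for [fernet_tokens] max_active_keys


def _write_key(path, name):
    # Assumed format: 32 random bytes, hex encoded, one file per key number.
    with open(os.path.join(path, str(name)), "w") as fh:
        fh.write(secrets.token_hex(32))


def load_keys(path):
    """Return {key_number: key_bytes} for every key file in the repository."""
    keys = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            keys[int(name)] = bytes.fromhex(fh.read())
    return keys


def setup_repository(path):
    """Mirror fernet_setup: a staged key 0 plus the initial primary key 1."""
    os.makedirs(path, exist_ok=True)
    _write_key(path, 0)
    _write_key(path, 1)
    return sorted(load_keys(path))


def rotate(path, max_active_keys=MAX_ACTIVE_KEYS):
    """Mirror fernet_rotate: promote key 0 to the new primary, stage a fresh
    key 0, then drop the lowest-numbered secondary keys beyond the limit."""
    keys = sorted(load_keys(path))
    new_primary = max(keys) + 1
    os.rename(os.path.join(path, "0"), os.path.join(path, str(new_primary)))
    _write_key(path, 0)
    keys = sorted(load_keys(path))
    while len(keys) > max_active_keys:
        oldest = keys[1]  # keys[0] is the staged key and is never pruned
        os.remove(os.path.join(path, str(oldest)))
        keys.remove(oldest)
    return keys


def issue_token(keys, payload):
    """Sign with the primary (highest-numbered) key. Like a fernet token,
    the result carries no key id: validators must try every key they hold."""
    primary = keys[max(keys)]
    tag = hmac.new(primary, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def validate_token(keys, token):
    """Try every key in the repository; return the payload or None."""
    payload, _, tag = token.rpartition(b".")
    for key in keys.values():
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if hmac.compare_digest(expected, tag):
            return payload
    return None


def stale_pod_scenario(rotations, max_active_keys=MAX_ACTIVE_KEYS):
    """One pod keeps the pre-rotation key set (its mounted secret has not
    refreshed yet) while the repository is rotated `rotations` times."""
    with tempfile.TemporaryDirectory() as repo:
        setup_repository(repo)
        stale_view = load_keys(repo)  # what the lagging pod still sees
        old_token = issue_token(stale_view, b"issued-before-rotation")
        for _ in range(rotations):
            rotate(repo, max_active_keys)
        fresh_view = load_keys(repo)
        new_token = issue_token(fresh_view, b"issued-after-rotation")
        return {
            "stale_pod_accepts_new_token": validate_token(stale_view, new_token) is not None,
            "fresh_pod_accepts_old_token": validate_token(fresh_view, old_token) is not None,
            "active_keys": sorted(fresh_view),
        }


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "rotation(s):", stale_pod_scenario(n))
```

After one rotation the new primary is the key every pod already held as "0", so a pod with a stale secret still validates freshly issued tokens; after two rotations the primary is a key the stale pod never saw, and tokens issued by up-to-date pods are rejected there. The same run shows the other side of max_active_keys: once the key that signed a token has been pruned, the token is rejected everywhere, which is what bounds token lifetime under rotation. One caveat when reasoning about "before all of the pods notice": a secret mounted as a volume is refreshed on the kubelet's sync interval rather than instantly, and a secret mounted via subPath is not refreshed at all, so the gap between rotations must comfortably exceed that propagation delay.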
Adds the specs/ directory to openstack-helm for housing future
specifications for the project. It also includes an appropriate
README with directions for drafting specs, links to the openstack
resources for bp+spec lifecycle, and a template for use in
drafting specifications
Change-Id: Ice23447b358b520a8b4fb703fc836e8f09fa34d1
This enhances the stability and recovery of ceph by leveraging
hostNetworking for monitors as well as OSDs, and enables the
K8S_HOST_NETWORK variable within ceph-docker. This enhancement should
allow recovery of monitors from a completely downed cluster.
Additionally, ceph's generic "ceph-storage" node label has been
split out for mon, mds, and osd.
Co-Authored-By: Larry Rensing <lr699s@att.com>
Change-Id: I27efe5c41d04ab044dccb5f38db897cb041d4723
This PS moves the replicas key to be under the pod key in the values.
It brings further consolidation of related configuration params to be
nested under common keys across all charts.
Change-Id: I420b06debd0a62ba5d83497be43ff6c49c49d339
This PS updates the Multinode Doc for Ceph deployment now that we
have bootstrap capability within the chart.
Change-Id: I40110db926bbbcbfb5a08300784e6a9735d32955
This PS deletes superfluous documentation and empty files from
the troubleshooting section, and also updates some of the docs
regarding persistent storage troubleshooting.
Change-Id: I60876e40ffe1a1f88ac6c761e8bf10beee92c2a0
This clarifies some of the steps in the kubeadm-aio guide, which
includes: adding minimum suggested system specs, commands to
verify success of a helm chart installation, and general clean up
and reformatting of the docs
Change-Id: I3f8cac9de7940970754e09bedf4d1d37022e7255
Adds basic expectations and explanations of openstack-helm's
testing and gating approaches. This will continue to be expanded
upon but serves to provide a base on which to build.
Change-Id: I689446b7124c4e11a92c73ef04e95d1840c6dc0a
Removing superfluous documentation as well as changing the doc
structure to better reflect the contents of the documentation.
Change-Id: I6fa798b9c6fc542ef05c954acae8641f69f5cb2b
This removes empty documentation pages and places the
troubleshooting docs at the top of the docs/source tree. Also
places the pod disruption budget docs with the rest of the
getting-started docs, which are primarily concepts used in
openstack-helm.
Change-Id: Ic3f8deefbd873ae5332e14a12351d9967eb22b1b
This PS organizes the installation document tree for easier navigation
and updating relevant content.
Change-Id: I51951d99dfc06bf441bd65ca817119cbca061851
Removes the current philosophy docs for openstack-helm. As the
repo continues to change, we should consider approaching the
philosophy for openstack-helm in a different manner.
Change-Id: I284baa6e50229f020d201875c48e8f27dc5663ca
This PS changes the install guide in order to have users pull our
custom kube-controller-manager image prior to initializing their
Kubernetes cluster. Also changes the reference in the gate to remove
redundant lines.
Change-Id: Ic32742b1df8145a99c8333a3d0711113e3cce30e
This PS makes some adjustments to the multinode install doc, removing
some steps that are no longer required.
Change-Id: I1775057c59ab8cc381398e51bb3487ca307eca83
This PS fixes some references to Helm v2.3.1, which has been
replaced by Helm v2.4.1 as the reference version.
Change-Id: I369f4846623932c2420fab2632ac1c0d8aad3cff
As we update the version information in the document, the ascii rst
table easily gets misaligned and causes the doc gate to fail. This
patch set changes the table structure, while retaining the formatting,
so future update of the document can be done easily without spending
time realigning the table cell border.
Change-Id: I84aeba3604ced255b057b7ce43f1f94a1af19b65
This PS refactors the ceph chart and secret generation process.
The updated chart replaces the existing "bootstrap" chart.
Additionally, Ceph manifests and deployment guides were modified
accordingly.
Change-Id: I6f5bb88fc0f40cfee8865d9dab83859d765e7537
Co-Authored-By: Larry Rensing <lr699s@att.com>
K8s 1.6 has affinity/antiaffinity functionality as a beta feature. This
means we don't need to declare them using annotations. This commit
switches usages of affinity to the 1.6 syntax.
Change-Id: Ia68f4ab28a018617bd44b1295fea58cd30eb4a39
Conditionals: since the developer flag is no longer used by the
glance chart, it's no longer a good example. However, we want to
keep the flag around for future use if needed. So, replaced with
a foo/bar example.
gen-oslo-openstack-helm README: it referred to "this directory",
which doesn't make sense when the README is sourced into the
overall ops guide. Specified the directory explicitly.
Change-Id: I2ba02bd3efd87e58fcb701c8b7c2bb6af05994ba
Removed inappropriate quotes from around kube_version in
the controller manager sed command, and clarified version
info for the controller manager.
Change-Id: Ied241a2d36524951942171630647411e2d76644c
Closes-Bug: #1695021
This PS moves the dev contents to the tools directory and
updates the Vagrantfile to use the existing scripts
for installing kubeadm-aio and deploying helm charts.
Change-Id: I6768d1f96abe6b15f66931d543e9adcc0e82829b
Addresses consistency issues that appear with autoincrement fields in
the existing chart, as demonstrated in [1]. It should allow automatic
recovery of 2 out of the 3 (default) cluster members.
It does not address automatic recovery of a complete shutdown of all
cluster nodes.
[1] https://review.openstack.org/#/c/465977/
Change-Id: I84c86e1862f03a6d381bf219b821ea3636049f0b
This is the initial pod disruption budget that will serve as the template
for all services in OpenStack-Helm.
Partially-Implements: blueprint add-pod-disruption-budgets
Change-Id: I67eeaa66257e793f77a089f3bc0dd4b700638c63
This patch set addresses readthedocs.org loading oslosphinx, which results
in some inconsistencies. It should simply use the rtd theme on the rtd
environment.
Change-Id: I35f599416d3764a2ed0961653b3ce45717335e72