114 Commits

Author SHA1 Message Date
Zuul
f7ef7a6ef0 Merge "Mount rabbitmq TLS secret" 2021-06-10 16:32:08 +00:00
Gupta, Sangeet (sg774j)
5028aa8de1 Mount rabbitmq TLS secret
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other services, the TLSed
rabbitmq support should be added.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188

Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
2021-06-10 14:12:57 +00:00
Zuul
866aa3f379 Merge "Add openstack_enable_password_retrieve variable in horizon value" 2021-06-09 07:13:29 +00:00
Zuul
9bdd4fe96f Merge "Barbican: Add support for master KEK rotation" 2021-06-08 14:33:32 +00:00
Phil Sphicas
ce1b2630d2 Barbican: Add support for master KEK rotation
When using the simple_crypto_plugin (which is enabled by default),
secrets are encrypted with per-project keys, and those keys are
encrypted (or wrapped) with a master key encryption key (KEK, or MKEK).
The wrapped project keys are stored in the database. The KEK is stored
in the barbican configuration file.

If no KEK is specified, a well-known default is used. There is no native
Barbican support for rotating the KEK. Changing the KEK would cause loss
of access to all secrets, because Barbican would be unable to unwrap the
project keys.

This change adds support for upgrading the Helm chart while changing the
KEK. A script can be executed during the db-sync job that decrypts the
project keys with the old KEK, and rewraps them with the new KEK. Note
that no secrets are actually modified during this procedure, and the
project keys are not actually changed.

To use this feature, specify the following values:

    conf:
      barbican:
        simple_crypto_plugin:
          kek: # new KEK, 32-bytes of data, base64-encoded
      simple_crypto_kek_rewrap:
        old_kek: # old KEK, 32-bytes of data, base64-encoded

Change-Id: I462085b89ef80985b42149cccf865e6c5f0f5a53
2021-06-08 07:20:14 +00:00
Zuul
651369ecf3 Merge "Replace deprecated configuration" 2021-06-08 02:05:50 +00:00
okozachenko
6cd9a2339d Add openstack_enable_password_retrieve variable in horizon value

Change-Id: Icc33228e06ecc71717aad39309f37986be3b46f2
2021-06-07 18:25:43 +03:00
Phil Sphicas
43f24adf57 Barbican: Add conditional wrapper to helm hook
The pre-install hooks for several of the barbican templates [0] cause
upgrade failures when using helm2. Similar to what was done for keystone
[1], this change wraps them in a conditional that can be toggled off for
anyone still using helm2.

0: https://review.opendev.org/c/openstack/openstack-helm/+/782710
1: https://review.opendev.org/c/openstack/openstack-helm/+/785517

Change-Id: I6a160916ec65d73eef1aaffb510c85ee7fb0d501
2021-06-06 02:52:11 +00:00
Zuul
4e8a843222 Merge "Changing all policies to yaml format" 2021-06-02 17:08:10 +00:00
Mohammed Naser
5ff0afcb0d Fix dnsPolicy for housekeeping service
The dnsPolicy not being set to "ClusterFirstWithHostNet" results in
the housekeeping service failing to connect to the database.

Change-Id: I23c9f0c561ea61695fbc7ce333a3f331cf31a7a4
2021-05-29 21:35:40 -04:00
zhen
5bb9b20112 Replace deprecated configuration
``[vnc]/vncserver_proxyclient_address`` was deprecated, so we replace it with ``server_proxyclient_address``

Change-Id: I142710ffab2aa407a09318e4b8517938ed28f3c8
2021-05-27 10:05:34 +08:00
Thiago Brito
8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have been mounted somewhere but were being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00
Zuul
43b3d86811 Merge "feat(tls): Make openstack services compatible with rabbitmq TLS" 2021-05-25 18:00:26 +00:00
Tin
dd55414d05 fix(pep8): makes python script pep8 compliant
Fixes horizon python script so it is pep8 compliant.

Change-Id: I704d3e83b0ee62173207559379e22d04aa96fcbf
Signed-off-by: Tin <tin@irrational.io>
2021-05-24 07:33:11 +00:00
Haider, Nafiz (nh532m)
c900712f30 feat(tls): Make openstack services compatible with rabbitmq TLS
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/770678

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I11e9ad3f4079b0e12e498f9ed57e5b87ae9dc66a
2021-05-21 01:27:18 +00:00
Tin
26afeb4cb2 fix(pep8): makes python script pep8 compliant
Fixes keystone python script so it is pep8 compliant.

Change-Id: Ib94707996441f35e6ffb32a6d63ab6adbd17a87d
Signed-off-by: Tin <tin@irrational.io>
2021-05-19 22:55:35 +00:00
OpenStack Proposal Bot
d21b00d159 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I58c4d683a8b9de88793a3e5fe9f58d76988d8f63
2021-05-18 07:27:53 +00:00
Zuul
f9f686308d Merge "chore(charts): retires panko chart" 2021-05-18 02:02:49 +00:00
Tin
f5a70102b2 fix(perm): fixes template permission
Some nova gotpl files have +x permission. This changes it so they are
consistent with the other gotpl files.

Change-Id: Ifcd4c1032b41363ea8b1d43407315d68d7e9eec8
Signed-off-by: Tin <tin@irrational.io>
2021-05-17 11:26:01 -05:00
Tin
160529ef90 chore(charts): retires panko chart
This patch set retires the panko chart as it is being retired.
See [0].

[0] http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022337.html

Change-Id: I3fb6aad84e5893f55ae9e9fca1150ad6e1930ddd
Signed-off-by: Tin <tin@irrational.io>
2021-05-17 07:11:43 +00:00
Gage Hugo
17eff06bb3 Remove keystone paste ini file
With keystone moving to flask back in Stein, the paste pipeline
configuration and file are no longer needed. With OSH no longer
supporting those older releases, this change removes the paste ini
settings and file mounts since they are no longer used.

Change-Id: Idacd973f090562eaee28567d9422eb761951096f
2021-05-05 16:42:28 -05:00
Chinasubbareddy Mallavarapu
2002b9368d [CEPH] Fix the ceph pool creations for openstack services
This is to fix the ceph version checks for enabling the applications
on newly created pools for openstack services like cinder and glance.

Change-Id: I2c007f728180cf7753255463ebf2f8dc5dc6fa5b
2021-05-05 13:14:07 +00:00
Gage Hugo
5233582991 Remove support for openstack releases older than T
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.

Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
2021-04-29 12:04:34 -05:00
Zuul
28d0a56e46 Merge "Update helm hook conditionals" 2021-04-29 16:45:46 +00:00
Gage Hugo
a3d26068ad Update helm hook conditionals
Updated the db job annotation hooks to be wrapped with
conditionals for helm v2 support.

Change-Id: I069fe3572b837714e263252646e56471c81745d5
2021-04-28 21:36:03 +00:00
OpenStack Proposal Bot
a56b007243 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: If256fbddf977ebdc779e93c0de07089dacd8cd60
2021-04-27 07:41:42 +00:00
Zuul
16098031c5 Merge "Keystone: Fix error - wrong number of args for set" 2021-04-23 00:03:22 +00:00
Gupta, Sangeet (sg774j)
f498f203cf Keystone: Fix error - wrong number of args for set
Change-Id: Ibc06d00f659c9ae7a1a14d1b2aa70607842b2f53
2021-04-22 13:19:46 +00:00
OpenStack Proposal Bot
5db968334d Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I02ba6c5a934a9b598e3cab0bddb86b2337e4337f
2021-04-21 07:45:20 +00:00
Zuul
64a7a9f421 Merge "Host resource scale adjustment about ironic" 2021-04-21 02:09:50 +00:00
Zuul
a4654b220d Merge "Fix the problem in hostNetwork mode" 2021-04-20 10:00:38 +00:00
Zuul
16c1c88e3c Merge "Add conditional wrapper to helm hook" 2021-04-20 08:11:50 +00:00
jinyuan
7137a71700 Host resource scale adjustment about ironic
Ironic does not need to reserve system resources, otherwise it will cause flavor to be unable to schedule.

Change-Id: I454d0468ae3424cc92d470c15a40ad96c01cf311
2021-04-20 14:32:12 +08:00
Zuul
153f19cc33 Merge "Fix the nova-compute-ironic label issue" 2021-04-20 05:43:18 +00:00
Gage Hugo
0f6f83dcdc Add conditional wrapper to helm hook
The pre-install hooks for several of the keystone templates
cause upgrade failures when using helm2. This change wraps them
in a conditional that can be toggled off for anyone still
using helm2.

Change-Id: I179583bd595bc8ed1e4c29eb7c2a744e3c6a5708
2021-04-19 20:29:22 +00:00
jinyuan
1fda67d9cd Fix the nova-compute-ironic label issue
The nova-compute-ironic label is "compute", but the label chosen by affinity is "compute-ironic", which results in multiple replicas on the same node.

Change-Id: If947be6cd400e32d3455f07a85f4263c4b17cb87
2021-04-19 15:21:37 +08:00
OpenStack Proposal Bot
72b1f2d9c0 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I03d38b0121915388aa3d88ec524d97343eee2ace
2021-04-17 07:34:45 +00:00
Kabanov, Dmitrii
46f4343f19 [Neutron] Update Rally tests
The PS updates Rally tests and removes the "name" parameter. According to
Rally documentation [0] this parameter was always ignored. The latest
version of Rally (2.1.0) is failing with a message: "Scenario plugin
'NeutronNetworks.<...>' doesn't pass restricted_parameters@default
validation. Details: You can't specify parameters 'name' in
'network_update_args/port_update_args/router_update_args/subnet_update_args'"

[0] https://github.com/openstack/rally-openstack/blob/2.1.0/CHANGELOG.rst

Change-Id: If4e80dfcb56a6e1daa1a055285329f9fc2d58332
2021-04-16 04:14:21 +00:00
jinyuan
3fee85324b Fix the problem in hostNetwork mode
If ClusterFirstWithHostNet does not exist, it will cause the communication between services to fail.

Change-Id: Iadac1d570e0aac1aee3361792319d825bcadc83c
2021-04-15 16:29:10 +08:00
Zuul
ba364c24b1 Merge "Add ISCSI Multipath support when enable_iscsi true" 2021-04-14 18:28:04 +00:00
Karl Kloppenborg
d2e2d58a5f Add ISCSI Multipath support when enable_iscsi true
When using iscsi in both cinder and nova, multipath tooling access is not
currently available. This commit provides the host system access to
configure and control multipath.
This commit has been tested in our own production systems; however, this
is my first commit into Openstack-Helm, so please review carefully and
provide me guidance on what I might be able to do better.

Change-Id: I4f017f67a5d80b9c931e2ee1653062aa503a7fd9
2021-04-12 08:28:56 +00:00
Gayathri Devi Kathiri
64cf176bef Implement "CSRF_COOKIE_HTTPONLY" option support in horizon
The HTTP only flag protects the session cookies from
cross-site scripting.

Change-Id: Iec07b3b447051726ce218e5f31c8bf583731a90c
2021-04-09 15:51:51 +00:00
OpenStack Proposal Bot
34c3cd4adf Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Iee5a173608a39ee351b41719208b934a4b8f3604
2021-04-02 07:44:08 +00:00
Zuul
9e64ccb5dc Merge "Added post-install and post-upgrade hook for jobs in magnum" 2021-03-30 22:22:12 +00:00
Zuul
8339fd4556 Merge "Added post-install and post-upgrade hook for Jobs on octavia" 2021-03-26 20:02:30 +00:00
Zuul
ff74d91b43 Merge "Added post-install and post-upgrade hook for jobs in mistral" 2021-03-26 20:02:01 +00:00
Zuul
0f31bd67cb Merge "Added post-install and post-upgrade hook on jobs in designate chart" 2021-03-26 19:32:27 +00:00
Zuul
49705027e9 Merge "Added post-install and post-upgrade hook in jobs for barbican" 2021-03-26 19:28:00 +00:00
Zuul
1ee177e65a Merge "Added post-install and post-upgrade hook for jobs in ironic" 2021-03-26 19:27:56 +00:00
guilhermesteinmuller
8f38a1c45f Update glance default policy values
Currently, when users try to navigate through horizon
panels or use the command-line interface that contains
calls to /api/glance/metadefs it will pop up insufficient
permission errors due to the fact we are disabling [1]
the metadef APIs in glance addressing OSSN-0088 [2].

As a side effect of how we address the OSSN, all API calls
to metadefs will be forbidden for any user, which is not recommended
in production environments. However, we have the current
recommendation of the OSSN which allows CRUD of metadef to
admin only and provides read access to all users.

[1] aab5ee7711
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088

Story: 2008761
Task: 42128
Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
2021-03-25 19:32:08 -03:00