External traffic policy "local" would be preffered when openstack
service is accessed from external via node port. This option has an
effect only when service node port is enabled.
Change-Id: Ic68cfc59dc39dc842d4790deffa70efe433dd7a6
This PS updates the values file layout for images to allow simple
parsing of the images in use by charts, allowing them to be queried
and modified much more simply. By moving the image tags to a 'tags'
key, we can extend the options used simply to accomodate extra
options simply (eg prefixing the tag for use with an internal
registry) or pre-pulling the images to reduce chart deploy failure.
Change-Id: I9ec1dbb00d997ab6cb021bf0b698f7aae740e95d
New kubernetes-entrypoint version was released. K8s-entrypoint
authors maintain images at Quay. The image uses CoreOS, which
is more lightweight than the current Ubuntu image, so it
should lessen the burden on the infrastructure.
Change-Id: Id8c2a4d065550ffbd64476377247cccf213b58e1
Partial-Implements: blueprint entrypoint-namespaces
Implemented Kubernetes jobs to drop a database for an OpenStack service
on deletion of Helm chart. This job is configurable to be enabled or
disabled in the values.yaml file for each chart.
Change-Id: Ia1a0834cb43c7e883aaf507a7c7683fa1cf4e838
This PS removes the pregenerated config templates producing using
the hacked oslo-genconfig tool. This results in both a much smaller
codebase and also more readable configuration by removing the
requirement to specify settings via oslo namespaced references.
This initial PS applies only to Keystone, A follow up will extend to
all remaining services.
Partially implements: blueprint remove-pregenerated-config-templates
See: https://blueprints.launchpad.net/openstack-helm/+spec/remove-pregenerated-config-templates
Change-Id: I3ced7ad02c703c767925a17b1a18f6158a878e83
This PS adds namespace and fqdn support to endpoint lookup functions,
it also permits over-riding of the puplic endpoint for ingress.
Change-Id: Ib61c5c00a214d75fe85fbffe9080c2ae88bd8cb9
This ps moves to use a container sultaible for use as the heat engine
for all possible admin jobs - it is lighter than the kolla-toolbox image
and makes it easy to swap out to other image sets. This is as the heat
engine container should contain the openstack client (with all required
libs for the cloud) and the oslo_db supporting libs required by the db
management jobs, as well as the oslo_messaging libs required for future
rabbitmq management expansion.
Change-Id: I5451c15c8fb49c85b4f254cc60156420bee2efea
There were some erros in the limit and requests for resources in
some of the keystone pods. This PS resolves the issue.
Change-Id: I5f8eed1a22a42621654198ab9b844914ba0aade8
This PS adds a configmap teplater helper to helm-toolkit. It makes it
simpler to write consistent charts that supports over-riding of all
values.
Change-Id: I9a587999859ea02802485eb25a3f0ebec8c712a8
Now, openstack-helm support "helm test" function, and It execute rally
container.
Rally also can test Tempest itself, so this fix will be add tempest
test in rally container.
Change-Id: I2c2f684f6583f2a3d9c7279a3d85cb242934e90e
Implements: blueprint add-tempest-in-helm-test
This PS allows the rendering of manifests to be controlled. It enables
both increased control over deployment when required but also makes
development of a feature easier to target.
Change-Id: I1716e8ee23fe5c53f935bd739ea283bc4a2a9963
Keystone is using keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job setting key repository up and rotate job for those keys. All is
based on implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
This PS updates the pod affinity function to allow customisation by
operators at the point of deployment.
Change-Id: I8b7b2f584e990e068051d9a6d5cc7b1e1adb5aa5
This PS moves the mounts key to be under the pod key in the values.
It brings further consolation of related configuration params to be
nested under common keys across all charts.
Change-Id: If9963e4f8b438847e2fcad3bdd8c0d71ca9ecdd8
This PS move s the replicas key to be under the pod key in the values.
It brings further consolation of related configuration params to be
nested under common keys across all charts.
Change-Id: I420b06debd0a62ba5d83497be43ff6c49c49d339
This PS unifies and normalises Kubernetes resource allocation and
update strategy across all OpenStack-Helm elements.
Change-Id: Ia41fc453cb5191fa447ca6e1aa0f5b431c939dc8
This PS moves keystone credentials to the endpoints section within
the values.yaml, and also adds a 'secrets' key, allowing standardiation
of secrets and credential management across OpenStack-Helm.
Change-Id: I86a21e625afd822379ac11351603b2c606a3769f
This PS makes the initial Keystone Admin and Service account users
members of the projects that they are in.
Change-Id: I2de081a216b7e7b99d301ab605c84d882cdb5840
The existing entrypoint logic used static names to reolve dependencies.
This prevented the service names, and thus the hostnames of services
being altered. This PS resolves that issue by looking up the service name
from the endpoints specified in the values for a chart.
Partial-Implements: blueprint enhance-entrypoint-dependency-checking
External-Tracking-Id: OSH-21
Change-Id: Ib49490f332f8cd88e98c50d9335dfd314a170936
Currently, the memory and cpu limits are identical to the requests.
This patch set ups the limits to be similar to other services
such as nova and neutron.
Change-Id: I16985e622bdca95d88585d2f1e5bbb09e7dc766b
Memcached is required by keystone to work optimally, this PS adds
it as a requirement. It could be argued that RabbitMQ should be
added as well, but this is only required when using Ceilometer AFAIK.
Change-Id: If2eec45455e05972c0fbb534262e5b1b69cef3b3
This PS introduces 'helm test' functionaility to keystone and
provides the basic framwork for charts to use.
Change-Id: Ie84a6ca0ed007fb55e10d503d1c3e49788908eec
Partial-Implements: blueprint implement-helm-test-for-charts
This commit fixes some warnings shown by `keystone-manage doctor`
command that are present in Keystone installed with default chart
configuration. In particular:
* Set max_toke_size=32 as this is correct value for uuid token provider.
* Enable caching using memcache by setting [cache] memcache_servers
option correctly in configmap-etc.yaml
Change-Id: I38cc7be577e0a7cd9be715e633f3637baafcc21b
Closes-Bug: 1693806
This commit adds graceful termination to all existing charts.
It also adds a setting in the values.yaml file for clarity and
the ability to override if wished.
Change-Id: I42025e4be86d248be467c1d2f0980f864c4d440e
With pod disruption budget set it is not possible to drain nodes
and perform other expected operations. This PS changes the default
value to 0, restoring the typically expected operation of pods.
Change-Id: I43ef35638c98caee2cf567487173399157000ada
Addresses consistency issues that appear with autoincrement fields in
the existing chart, as demonstrated in [1]. It should allow automatic
recovery of 2 out of the 3 (default) cluster members.
It does not address automatic recovery of a complete shutdown of all
cluster nodes.
[1] https://review.openstack.org/#/c/465977/
Change-Id: I84c86e1862f03a6d381bf219b821ea3636049f0b
This is the initial pod disruption budget that will serve as the template
for all services in OpenStack-Helm.
Partially-Implements: blueprint add-pod-disruption-budgets
Change-Id: I67eeaa66257e793f77a089f3bc0dd4b700638c63
This patch set moves the required keystone config files to the manifests, and
allows users to specify their own additional volume mounts if necessary.
Change-Id: I622abbba3e19390ce1003441eb9c0a3477754b82
This commit introduces several new paradigms:
* .Values driven mounts in service containers as well as jobs.
These can be overriden at runtime by manipulating .Values.mounts.*
* Authenticated Endpoint Resolution methods in helm-toolkit
to allow the database and rabbit type endpoints to be moved
under the endpoints section. Now endpoint lookup functions exist
for openstack endpoints as well as infrastructure elements such as
the database, rabbitmq, and memcache.
* Importing of upstream "out of the box" policy.json
and keystone-paste.ini files for better or worse.
* A rendering of the keystone.conf oslo generated config
using a new helm based Values generator. This provides "known"
paths to all configuration elements in the form of
"<section>.<oslo_namespace>.<element>" so that any of these can
be targeted for override via --set or values.yaml files loaded at
run time.
* Support for appending arbitrary string data to the policy.json,
keystone-paste.ini, or keystone.conf files via --set conf.keystone.append="#
some comment", or --set conf.policy.append="\"identity:list_projects\":
\"role:fake\""
* Support for complete verbatim overrides of these three
files via --set conf.keystone.override="full file contents",
or --set conf.policy.override="full file contents" for example
* Add resources limits and requests for each chart
* Refactor the resources limits and requests to follow a patern
* Fix some coding issues
* fix issues resulting from feedback on the resources PR
* Reset some variables to a static value in the neutron chart.
* Substituting variable entrypoint by dependency_check in the concerned files
* Few adjustments
* Update deploy-region.yaml
* Update deployment.yaml
* Add resources limits and requests for each chart
Squah all commits in one.
* Add resources limits and requests for some charts
* cleaning
* Fix indendation issue
* Update deployment.yaml
* Update daemonset-ovs-vswitchd.yaml
