212 Commits

Author SHA1 Message Date
Gage Hugo
fc680cf8c4 Update typo in subPath for volume mount
When using a chart with the flux operator and helm3, it fails
when encountering a volumeMount "subpath" instead of "subPath".

This change corrects the typo to the right camelcase entry.

Change-Id: Id2d9ea25445d84f89b299c7f0b24da1cc5aaf264
2021-01-28 22:51:59 +00:00
Mohammed Naser
f5a757b106 [keystone] Fix fernet secret reset
This patch makes the fernet and credential secret something that gets
created only once when the deployment is first done, as when using Helm,
it's possible that it overrides its values with an empty secret in the
runs afterwards.

By making it a hook, it will instead create it and leave an owner
reference in Helm 3 to delete it later if the release is deleted.  It
will not manage it afterwards as well.

Change-Id: I7c1c97f38877e0e54bea7fc09b37dd6f77c9dc8a
2020-10-21 16:12:56 -04:00
Gage Hugo
fe53b5e559 Add blank access_rules file
When starting the keystone-api pod, the service checks for an
access_rules file for application credentials during startup.
If the file does not exist, keystone emits a warning saying the
file is not found:

WARNING keystone.access_rules_config.backends.json [-] No config
file found for access rules, application credential access rules
will be unavailable.: FileNotFoundError: [Errno 2] No such file
or directory: '/etc/keystone/access_rules.json'

This change adds in a blank access_rules.json file to the
keystone etc directory in order to suppress this message.

Change-Id: I63ac153cc91ac45b3fd223f8a54b933b5cbffac4
2020-10-15 21:13:34 +00:00
Zuul
4f1e1329ad Merge "Do not recreate fernet tokens on setup" 2020-08-07 19:21:17 +00:00
PrateekDodda
fc5712909e Add missing security context to Keystone pods/containers
This updates the Keystone chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: I0e00571d4060cca914d1bdb4f36e736fa8501130
2020-08-05 13:37:33 -05:00
Gupta, Sangeet (sg774j)
c12ada7224 feat(tls): keystone domain manage script to pass cert
This patch adds the capability to pass a certificate in the request method.

Change-Id: I2e431bf3a34f40f58254e4f2b61554453471e0de
2020-07-29 13:21:48 +00:00
Gupta, Sangeet (sg774j)
74dfea1ce9 keystone: Fix indentation
Change-Id: If25cabc5e70897337dfef7e5401936a79878443b
2020-07-28 23:39:00 +00:00
Zuul
2036a98b6d Merge "feat(tls): add tls support to openstack services" 2020-07-27 18:00:51 +00:00
Gupta, Sangeet (sg774j)
b94340008e feat(tls): add tls support to openstack services
Mount tls certs to keystone-domain-manage job containers.

Change-Id: I44eed213cc9235266faf4a0119ed8700206cdad2
2020-07-27 14:52:52 +00:00
Gupta, Sangeet (sg774j)
7b720184e3 feat(tls): Make openstack services compatible with mariadb with TLS
Change database secrets.

Change-Id: I068dfcb23d596d4b9bcde1944fb4def010490452
2020-07-24 23:02:09 +00:00
DODDA, PRATEEK REDDY (pd2839)
46afde4c6d Add missing security context to Keystone pods/containers
This updates the Keystone chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true.

Change-Id: I655ef19a3c187e3462ff8ec1a54bc9691ca64d41
2020-07-21 17:33:15 +00:00
DODDA, PRATEEK REDDY (pd2839)
2eaa98ecf1 Add missing security context for Keystone rally tests
Change-Id: I29a432f28a4d8dd57341152d60b34c5a391e872f
2020-07-16 13:11:49 -05:00
sgupta
702c17eb78 feat(tls): Make openstack services compatible with mariadb with TLS
Depends-on: https://review.opendev.org/#/c/741037/
Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410
2020-07-14 23:32:03 +00:00
Zuul
f9862e221e Merge "Add missing security context to Keystone pods/containers" 2020-07-13 18:57:52 +00:00
Tin Lam
918a307427 feat(tls): add tls support to openstack services
This patch set enables TLS for the following OpenStack services: keystone,
horizon, glance, cinder, heat, nova, placement and neutron for s- (stein)
and t- (train) release. This serves as a consolidation and clean up patch
for the following patches:

[0] https://review.opendev.org/#/c/733291
[1] https://review.opendev.org/#/c/735202
[2] https://review.opendev.org/#/c/733962
[3] https://review.opendev.org/#/c/733404
[4] https://review.opendev.org/#/c/734896

This also addresses comments mentioned in previous patches.

Co-authored-by: Gage Hugo <gagehugo@gmail.com>
Co-authored-by: sgupta <sg774j@att.com>

Depends-on: https://review.opendev.org/#/c/737194/

Change-Id: Id34ace54298660b4b151522916e929a29f5731be
Signed-off-by: Tin Lam <tin@irrational.io>
2020-07-10 09:36:31 -05:00
DODDA, PRATEEK REDDY
cba3deb94e Add missing security context to Keystone pods/containers
This updates the Keystone chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true.

Change-Id: I2ac3a4efa6798e263de19f0db444f37c5236d121
2020-07-09 18:20:23 -05:00
diwakar thyagaraj
477602f2e7 Enable Apparmor to osh test Pods
Change-Id: I0a67f66cc4ed8a1e3a5c3c458b7c1521f9169160
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-06-01 18:32:51 +00:00
Gage Hugo
db79e79788 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
2020-04-03 20:53:32 +00:00
KAVVA, JAGAN MOHAN REDDY (jk330k)
e9700988dc Enable Docker default AppArmor profile to keystone
This adds default Apparmor profile to keystone.

Change-Id: Ief454ca936ea21a061562432b2aa1e8045cbc4e9
2020-02-12 22:26:40 +00:00
Tin Lam
45e22e45a5 [Keystone] Fix status code logic
This patch set fixes an issue where the keystone chart's
domain-manage job/pod always restarts once due to a calculation
logic error.

Change-Id: I801d04559a526d3a7339cd5102f2e738af9f72e0
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-31 14:29:46 -06:00
Andrey Volkov
8957bacb4a Do not recreate fernet tokens on setup
In case of a keystone-fernet-setup job rerun (delete and create),
fernet tokens are recreated, which leads to ongoing openstack requests
failing.

keystone-manage fernet_setup is idempotent, let's make the
keystone-fernet-setup job idempotent as well.

Change-Id: I62e741fe5192b7a0018bc84ccdac1ea5311a1e03
2019-12-06 13:44:33 +03:00
Evgeny L
91f87c21dc Add missing pod labels for CronJobs
Pods for some of the CronJobs do not have correct
application and component labels applied, so they are
unable to start if Network Policies are enabled.

Change-Id: Ie4eed0e9829419b4b2e40e9b712b73a86d6fc3d2
2019-10-28 19:57:08 +00:00
Tin Lam
938a1deb03 Ensure python scripts are py3 compatible
This patch set is one of many to migrate existing code/script to be
python-3 compatible as python-2 is sunsetting in January of 2020.

Change-Id: I337069203a3273e9aba6a37294ee3c25e5b4870a
Signed-off-by: Tin Lam <tin@irrational.io>
2019-10-10 23:10:03 +00:00
Andrii Ostapenko
3468ae43c9 Add strict False param for Config parser
Py3 RawConfigParser does not allow options duplication.

Change-Id: I251fe9c2028fed2f55dee0ef92a3cda89da8a9f6
2019-09-27 15:26:52 -05:00
Itxaka
b4eaa63548 Keystone: allow probes configuration
Probe configuration is now available for keystone for both liveness and
readiness checks.

Change-Id: I1f0e0a1ff9cd10c5acbec33af87aa9e59959b2d2
2019-09-25 12:17:43 +02:00
Itxaka
a6ccab5270 Use proper keystone path for probes
Using the direct / path for the keystone probes can lead to the
probes receiving an http 300. We want to have an http 200 so there
is no warning from the probes. Use the full v3 path so the probes
are stable.

Change-Id: If8b45801bb053778bd2e1691ff8556aa73cb434d
2019-09-17 12:06:21 +02:00
Zuul
59f27040d5 Merge "Handle keystone cred cleanup hook fail" 2019-09-13 18:45:02 +00:00
Gage Hugo
56538d7c76 Handle keystone cred cleanup hook fail
In cases where mariadb is not accessible, either from being deleted
prior to deleting keystone, or some other reason, it is preferred
to fail and move on with the keystone-credential-cleanup.

This change adds hook-failed to the "hook-delete-policy" for the
keystone-credential-cleanup job. This addresses cases where deleting
keystone would cause the delete task to hang while the cleanup hook
would fail to connect to mariadb, often due to mariadb being already
deleted.

Change-Id: Ice7187fe6329c8b12333f508351bd5f9e2cdc8e2
2019-09-03 13:15:28 -05:00
Ivan Kolodyazhny
7b30ea5d3f Fix keystone-credential-cleanup job with Python 3
Python 3 renamed ConfigParser module to configparser.
This patch fixes compatibility with Python 3 for the
keystone-credential-cleanup job.

Change-Id: I6e34ba995d7a02f94b12162f0e5f8f326dfa8108
2019-09-03 15:30:21 +03:00
Gage Hugo
a57cd78439 Fix credential cleanup hook
The keystone-credential-cleanup hook was previously changed to
post-delete, this can cause issues where the serviceName is deleted
prior to running and will cause this to fail. This change reverts
the hook back to pre-delete to avoid this issue.

Change-Id: I45f3e73f8a957576ef82a733c1a7b7feaba7b679
2019-07-09 06:12:11 +00:00
Zuul
f67940e3ce Merge "Change cred-cleanup to not restart on failure" 2019-06-22 05:11:05 +00:00
Dejaeger, Darren (dd118r)
aa0d80c59d Add node selector to Keystone test pod
This PS looks to add a node selector into the Keystone test pod's
spec.

Change-Id: If92e0eb6814e25ba108f36298ba01044d42ced33
2019-06-20 11:58:41 -04:00
Pete Birley
9bcf0df94c Messaging: use htk function to directly hit RabbitMQ servers
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients and servers to directly hit their
backends rather than using either DNS or K8S svc based routing.

Depends-On: I5150a64bd29fa062e30496c1f2127de138322863

Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-18 21:47:45 +00:00
Pete Birley
31bd9c832d Logs: Make it optional to use log_config_append option
This PS enables the use of simple logging options if desired.

Change-Id: If6ea420c6ed595b3b6b6eedf99a0bf26a20b6abf
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-17 13:51:21 -05:00
Gage Hugo
f088fee667 Change cred-cleanup to not restart on failure
When cleaning up an entire openstack deployment, it's possible
that mariadb will be deleted prior to keystone, and as a result
the keystone-credential-cleanup hook will not be able to run. This
blocks the cleanup from occurring successfully.

This change sets the keystone-credential-cleanup hook to run
"post-delete" and the pod restart policy to "Never". If
the mariadb deployment is gone, this hook is unneeded.

Change-Id: I7e2e4680e35fb243488e707cf5a4a26e05433913
2019-06-12 15:26:50 +00:00
Gage Hugo
3b14e77d2a Skip cred-key setup when keys already exist
This change adds a conditional to the _fernet_setup to avoid
overwriting credential-keys when keystone-manage credential-setup
is run and there are already existing credential keys. This will
mitigate issues where encrypted credential blobs in keystone were
becoming un-decryptable when the credential keys were being
overridden or lost upon upgrading.

Change-Id: Iac2b080d5d44bdf07534126419a1d5dd86055d6b
2019-04-26 18:31:07 +00:00
Pete Birley
623c131292 OSH: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 08:55:44 -05:00
Gage Hugo
3d6f3088a3 Add credential delete hook to keystone chart
This change creates a pre-delete hook to clean out all entries
in the credential table of the keystone database when the
keystone service is deleted. Note that these are not
the typical username/password.[0]

This fixes the issue of leftover credential blobs being saved
in the database that are unable to be decrypted since the
original encryption keys are removed upon deletion of the
keystone service.

[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/credential-encryption.html

Change-Id: I8adf0878af2f3b880e9194a6cb8d97b58d6895a5
2019-04-17 20:10:48 +00:00
Itxaka
229db2f155 Allow more generic overrides for keystone
With this patch we allow for an easier way of overriding some
of the values that may be used in other distros while maintaining
the default values if those values are not overridden.

The following values are introduced to be overridden:
conf:
  security:
  software:
    apache2:
      conf_dir:
      site_dir:
      mods_dir:
      binary:
      start_flags:
      a2enmod:
      a2dismod:

On which:
 * conf_dir: directory where to drop the config files
 * site_dir: directory where to drop the enabled virtualhosts
 * mods_dir: directory where to drop any mod configuration
 * binary: the binary to use for launching apache
 * start_flags: any flags that will be passed to the apache binary call
 * a2enmod: mods to enable
 * a2dismod: mods to disable
 * security: security configuration for apache

Notice that if no overrides are given, it should not affect anything
and the templates will not be changed, as the default values are set to what
they used to be so as not to disrupt existing deployments.

Change-Id: I7622325cf23e5afb26a5f5e887458fd58af2fab8
2019-04-12 04:16:48 +00:00
Zuul
d40d2d084d Merge "Implement Security Context for Keystone" 2019-03-22 21:32:30 +00:00
pd2839
3cd1b78b68 Implement Security Context for Keystone
Implement container security context for the following Keystone resources:
 - Keystone server deployment

Change-Id: Ia68b5ebe4d76e0405d67224d976fee013cc02d0b
2019-03-19 20:51:59 +00:00
Itxaka
e136b0d822 Fix py3 issue on fernet-manage and update-endpoint
fernet-manage:
 - filter used to return a list on python2, but on python3 it returns
   an iterator which has no len method
 - Coerce the keys var into a list so we can run len on it on both
   versions

update-endpoint:
 - ConfigParser is called configparser on python3
 - try/catch and import the proper configparser

Change-Id: I8296074f4d20e47afe0c7aea41bf21999685aecd
2019-03-14 21:24:47 +00:00
pd2839
0c502d2062 readOnlyFilesystem: true for keystone chart
Fix for adding readOnlyFilesystem flag at pod level

Change-Id: I37fb7f580ae0a408530d58b195c353e41d701eac
2019-03-04 21:43:43 +00:00
Steve Wilkerson
f4c01d2461 Add release-uuid annotation to pod spec
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts

Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
2019-02-12 12:31:59 -06:00
Zuul
326200bf93 Merge "Scan templated python files with bandit" 2019-01-31 13:53:16 +00:00
Pete Birley
a5162ad6d7 Keystone: remove stale pids on startup if present
This PS removes stale pids on startup if present.

Change-Id: Iff136f16f8d15a08e8ce8c51d058b55288f97a2e
Signed-off-by: Pete Birley <pete@port.direct>
2019-01-29 16:30:36 -06:00
Gage Hugo
482dbcac29 Scan templated python files with bandit
This change adds a zuul check job to export any templated python
contained in the helm charts and scan it with bandit for any
potential security flaws.

This also adds two nosec comments on the instances of subprocess
used as they currently do not appear to be malicious, as well
as changing the endpoint_update python code to prevent sql
injection, which satisfies bandit code B608.

Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
2019-01-22 20:53:52 +00:00
Zuul
e24b21afdd Merge "Keystone podSecurityContext" 2018-12-20 21:51:55 +00:00
Rahul Khiyani
085610523f Keystone podSecurityContext
securityContext with a non-root user is implemented at pod level
and leverages the helm-toolkit snippet.

Fix for adding allowPrivilegeEscalation flag as a blanket
policy on the pod in the keystone chart.

Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I15333df4707948e50deb935ffc1ee599588e4788
2018-12-19 20:55:24 +00:00
Huang,Sophie(sh879n)
3061ae3896 Implemented livenessProbe for different OpenStack api containers
LivenessProbe is added to the below deployments:
  glance-api
  glance-registry
  heat-api
  heat-cfn
  horizon
  keystone-api
  nova-api-metadata
  nova-api-osapi
  nova-placement-api

Change-Id: I76b8cafa437855eeb42b77e88da6e3c514a3ac90
Signed-off-by: Huang,Sophie(sh879n) <sh879n@att.com>
2018-12-14 09:52:50 -06:00