If application credentials with access rules are required,
an OpenStack service using keystonemiddleware to authenticate
with keystone, needs to define service_type in its configuration
file.
Change-Id: I7034e82837d724f12d57969857f79d67c962cebe
The configFile path shouble be /etc/glance/glance-api.conf,
not default /etc/glance/glance.conf defined by helm-toolkit,
since secrets mounted in '/etc/glance' have glance-api.conf not glance.conf in it.
The wrong path '/etc/glance/glance.conf' would be a dir in bootstarp container,
and lead to all config files in /etc/glance dir unreachable.
This bug may not affect bootstrap,
but should be fixed in case the config files are needed.
Change-Id: If25966e07ca7f9a80dd0e76ff7663a945db66a23
This change updates all Ceph image references to use Focal images
for all charts in openstack-helm.
Change-Id: I67cd294e2aabf3c3af404da42204f9b6157b06f7
Beginning with the Pacific release, Ceph pools are not allowed to
use 1x replication by default. This is problematic for the
openstack-helm gate scripts, which frequently use 1x replication
for automated testing. This change adds Ceph configuration and
command overrides to allow those gate scripts to continue to use
1x replication for testing.
Change-Id: I21ed3e43f3773d5ea830959f1b66b35f38185ca7
OpenStack services already moved to use policy in code.
No need to have policy file at this point, at least no need to put
default policy rule to policy.yaml file anymore.
To put in duplicate rules, will cause unnecessay logs and process.
Also not healthy for policy in code maintain as the `default` rules in
openstack-helm might override actual default rules in code which we
might not even mean to change it at all.
Change-Id: I29ea57aa80444ed64673818e597c9ca346ba7b2f
We dropped train support a long time ago now, and our latest efforts
are to drop ussuri/bionic images. This change removes any leftover
train overrides as well as any ussuri overrides. This also changes
any image defaults to use wallaby.
Change-Id: I818a3a79faa631ec1b7de625f2113c6f19610760
Strictly speaking, open socket doesn't mean working API.
We experienced API stopped responding and the socket was still
open so API was unhealthy actually but kubernetes did not restart.
HTTP probe will fix this issue.
Change-Id: I95bb3ad3123d8a4a784d260477f037fa5506d290
port number in glance
Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.
I added `service` section in endpoint items apart from admin,
public, internal and default.
Change-Id: I8fc8ea4e81648f3b98006491a7cb2aa9c0f479b6
This allows glance to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And glance itself interact with other openstack services via
endpoints.
Change-Id: I35ab5d1bbaa20bfc73d0dc7af2710ca1d14b0627
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142
Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
If a Helm upgrade is performed on the OpenStack Umbrella chart using
the exact same configuration as the first release, then it's expected
for no DaemonSets, Deployments, or StatefulSets to be updated.
This did not work as expected.
A few changes were required to support this desired behavior:
1. Update glance's configmap-etc.yaml to trim whitespace and convert
YAML comment to Helm template comment. Before this change, Helm
rendered the template with the YAML comment and a newline for the
install phase. On upgrades, Helm rendered the template without the
YAML comment and newline causing the hash of configmap-etc to change,
thus causing the glance-api Deployment to update.
2. Update openstack.sh script to create a randomly generated memcache
secret for glance. Without this change, the glance-api deployment
changes each time since Helm randomly generates a new memcache
secret if not provided.
This behavior is enforced via a new test script,
validate-umbrella-upgrade-no-side-effects.sh.
The following jobs are always recreated due to hooks:
- keystone-bootstrap
- keystone-credential-setup
- keystone-db-init
- keystone-db-sync
- keystone-domain-manage
- keystone-fernet-setup
- keystone-rabbit-init
- rabbitmq-cluster-wait
Some Jobs are created via CronJobs and could be created during
validation. So far, heat-engine-cleaner has been seen, but others
could be caught too.
So the validation script ignores these pod changes by ignoring if
Jobs were recreated. Plus Jobs being recreated should not impact
the OpenStack deployment.
Change-Id: Iffaa346d814b8d0a3e2292849943219f70d50a23
This change adds the overrides needed to run both the Xena and
Yoga releases in the OSH zuul jobs.
Change-Id: I65e016a4cb3fd52707ab29c37f025818fcb6c405
ADD openstack chart with values_overrides
* rabbitmq
* mariadb
* memcached
* keystone
* heat
* glance
This adds umbrella chart that references other charts via
symlink and include global values.
Because chart valeus_overrides yaml apply to the main chart,
the umbrella chart has a chart-scoped replacement
ADD openstack.sh deploy script
This script deploys all components with a single release.
ADD corresponding release notes
CHG wait-for-pods-sh to accept timeout arguement
CHG get-values-overrides.sh to modify file path for subchart
Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
The glance-api pod has a terminationGracePeriodSeconds
of 600s(10min) and the others services has 30s. This high
terminationGracePeriodSeconds may cause timeout in some
cases and there is no reason for this high
terminationGracePeriodSeconds.
The terminationGracePeriodSeconds has been introduced on
https://review.opendev.org/c/openstack/openstack-helm/+/469974
but there is no explanation why it is too high.
Story: 2009959
Task: 44926
Signed-off-by: Arthur Luz de Avila <arthur.luzdeavila@windriver.com>
Change-Id: I9f9092e48c4f4ecf5a145dc42dbafe4f96cfa91c
This changes use the helm-toolkit template for toleration
in openstack services
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: Ifa05d9adb69ed46177ba2e7e1707d2e46eff62e4
Glance registry was deprecated in Queens and removed in Stein.
This change removes glance-registry settings and templates
from the glance chart. Also removed the overrides from older
releases that are no longer actively supported and tested.
Change-Id: I704d844b9ab96daa73ec42e29cded31fbbe3f720
As part of the move to helm v3, all the charts in the OSH repos
will no longer lint/build properly due to a lack of helm serve
in helm v3.
This change modifies the helm-toolkit repo location to the
osh-infra repo in order to account for the removal oh helm serve.
This work is part of the migration to helm v3 and will be utilized
in future changes.
Change-Id: I90d25943d69ad6c76455f7778a4894f00c525c46
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus, for Job templates previously missed, this adds labels matching
the underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ie438b449a3d9853d786215d40a39c32d164e9950
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: Ib5a7eb494fb776d74e1edc767b9522b02453b19d
Chart upgrading was failing due to some immutable fields in job are needed to upgrade. So, we have added the helm.sh/hook annotations with post-install and post-upgrade values. As for hook-weight annotations, we have added these to control the flow of the jobs with hook creation as the jobs are dependent. Like, db-init jobs need to run before db-sync and so on. Also helm3_hook value is introduced in values.yaml, which can be used to disable helm hook if needed.
Change-Id: Idb4b992b4061f4a014570b7933a585df1a096299
Defines compute kit and cinder jobs for new releases with
corresponding values overrides.
Disables compute agent list test for Wallaby since related API
is removed [0].
Since Wallaby with switch of osc to sdk '--id auto' is no longer
treated specially in 'openstack flavor create'. The same behavior
can be achieved w/o specifying --id flag for flavor creation [1].
Starting Wallaby 'nova-manage api_db version' returns init version
for empty database greater than 0 [2]. _db-sync.sh.tpl logic prior to
this commit does not work due to this. We need to either remove
(done in current commit) or justify and alter previous logic.
[0] https://review.opendev.org/749309
[1] https://review.opendev.org/750151
[2] https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32
Change-Id: I361431d9aa8c1a06c5d59f479fb161ecd87e2ee2
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other service, the TLSed
rabbitmq support should be added.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188
Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
This is to fix the ceph version checks for enabling the applications
on newly created pools for openstack services like cinder and glance.
Change-Id: I2c007f728180cf7753255463ebf2f8dc5dc6fa5b
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.
Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
Currently, when users try to navigate through horizon
panels or use the command-line interface that contains
calls to /api/glance/metadefs it will pop up insufficient
permission errors due to the fact we are disabling [1]
the metadef APIs in glance addressing OSSN-0088 [2].
As a side effect on how we address the OSSN, all API calls
to metadefs will be forbidden for any user, which is not recommended
in production environments. However, we have the current
recommendation of the OSSN which allows CRUD of metadef to
admin only and provide read access to all users.
[1] aab5ee7711
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Story: 2008761
Task: 42128
Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
There was an issue with the metadef APIs in glance, detailed in
the latest OSSN[0] that they have the potential to leak resources.
This change updates the default policy for the metadef APIs to
be disabled by default.
[0] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Change-Id: I7377b3a2f3784fe7da78bdd7aba146328cc0f406
When using a helm3 to deploy , it fails
Helm3 no more support rbac.authorization.k8s.io/v1beta1 , but v1 can
support helm2 and helm3.
This change optimized deployment.
Change-Id: I107d6e965ca00a6d8b766e91573be2c9aeb4f782
ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, same
ClusterIssuer can be used instead of one Issuer per namespace.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359
Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: If537f69dec7e3360f6bffcc4424f10c248919ece
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.
Change-Id: I7e4b191fb9e355ab5d5a233e8ed121346519df62
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
OpenStack Foundation started serving project mascots files on
openstack.org. This commit adds URLs to those files as chart icons for
OpenStack projects.
Change-Id: I2482174cd1d9a0f32df91d7d81974a0dc37f5c4d
This PS updates the chart.yaml to be consistent across the repo, and
changes the description to make clear that they are the OpenStack-Helm
derived versions of the charts while using `helm search`.
Change-Id: Iac3cfd2cddba7130b28a65c3d353712c8a3aa02b
