Cinder default format of policy file is changed from
"json" to "yaml" in stein. This patch set modifies
Cinder chart templates to load policies in yaml format.
Change-Id: I28f3d5be6609cd28bbc1ce8e5fc1d1cf4730b760
This reverts commit 1c85fdc390e05eb578874e77fad9d4ec942da791.
Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even if no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also, the previous behaviour didn't allow using the cache during rolling upgrade
as new pods were spawned with new key.
Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
The gotpl script that determines if a cinder backend is ceph-backed
is not properly handling additional backends that do not have the
driver "cinder.volume.drivers.rbd.RBDDriver". This patch set fixes
the gotpl so it no longer causes a rendering problem.
Change-Id: I902e82301019531832afebce7a1e2f0b28bac8f3
Signed-off-by: Tin Lam <tin@irrational.io>
- Change all tests to support Nautilus, Mimic and Luminous releases
- Update ceph-config-helper image
Change-Id: I557b1efa12529d0ee51d4c5b9d4beb4abf1b0574
This PS makes the image conversion directory an emptydir, so that
we can use read only containers and still convert images from glance
into volumes.
Change-Id: Id3cda737895451c2261bf9adfe54995db28c2f63
Signed-off-by: Pete Birley <pete@port.direct>
Wrap code making the assumption there is only one Ceph backend
(using is_ceph_volume_configured) in a "range" and use
ceph_backend_list helper to iterate all available Ceph backends.
Move Ceph pool application name in values.yaml from
conf.software.rbd.rbd_pool_app_name* to conf.ceph.pools.*.app_name
Change-Id: If1126e51fe9ebb85185e375dc282e83db63d934c
Depends-On: Iaa67061b05a9d355228ad7d3f5ee0f4f04dbdc66
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
This commit changes the cinder template bootstrap script
to use the openstack client instead of the cinder client
to list volume types.
Change-Id: I5a4b22ab4475d503b3e8fa46cd3c56a0b40863e0
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
In preparation for supporting multiple Ceph backends
replace is_ceph_volume_configured with has_ceph_backend.
has_ceph_backend returns true when at least one
backend is using RBDDriver.
Change-Id: Iaa67061b05a9d355228ad7d3f5ee0f4f04dbdc66
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients and servers to directly hit their
backends rather than using either DNS or K8S svc based routing.
Depends-On: I5150a64bd29fa062e30496c1f2127de138322863
Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
During the Queens cycle, Cinder introduced the ability to specify the
backup driver via class name and deprecated backup driver initialization
using the module name. (Id6bee9e7d0da8ead224a04f86fe79ddfb5b286cf)
Legacy support for initialization by module name was dropped in Stein.
(I3ada2dee1857074746b1893b82dd5f6641c6e579)
This change will support both methods of initialization and leave the
driver defaults enabled for module based initialization (valid through
Rocky images).
This change has been tested using the OSH default Cinder (Ocata) images
and StarlingX images based on master (Train).
Change-Id: Iec7bc6f4dd089aaa08ca652bebd9a10ef49da556
Signed-off-by: Robert Church <robert.church@windriver.com>
This PS enables the use of simple logging options if desired.
Change-Id: If6ea420c6ed595b3b6b6eedf99a0bf26a20b6abf
Signed-off-by: Pete Birley <pete@port.direct>
This patch makes the db sync job template follow the same pattern
that other templates utilize the variables to make in a predictable
pattern.
Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
Cinder raw cache feature requires internal tenant id be set in
/etc/cinder/cinder.conf, something like:
cinder_internal_tenant_project_id = b7455b8974bb4064ad247c8f375eae6c
cinder_internal_tenant_user_id = f46924c112a14c80ab0a24a613d95eef
This patch gets or creates, if they do not exist, the internal user id and project id, and then
sets them in cinder.conf
reference: Cinder cache feature:
https://docs.openstack.org/cinder/latest/admin/blockstorage-image-volume-cache.html
Story: 2004869
Task: 29121
Change-Id: I07954d2efa905a56ca8482d0ec147534c97d01ea
Signed-off-by: Liang Fang <liang.a.fang@intel.com>
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the cinder-api and cinder-scheduler services.
This provides the ability to audit API requests for cinder.
[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html
Change-Id: If81b88a4003bc4394ef4a378626cf5d6edb9c4ae
Implement container security context for the following Cinder resources:
- Cinder server deployment
Change-Id: Ic319fc8ccfea4c8d640ceecd0bbc93912173d172
During the Stein development cycle, Cinder removed the deprecated
query_volume_filters configuration option with
Icd311db7f88c3c274d9a362eb96519e46c7e4d17.
This chart update will add resource_filters.json to the configmap and
provides the default values for the filter keys to enable filtering in
the list APIs.
Change-Id: I31263e9ce06d31773e961ae5d1252e062a38a4e5
Signed-off-by: Robert Church <robert.church@windriver.com>
This patch set adds "startingDeadlineSeconds" field to cronJobs.
When the field is not set, the controller counts how many missed
jobs occurred from the last scheduled time till now. And if it happens
more than 100 times the job will not be scheduled. To avoid this
the "startingDeadlineSeconds" field should be set to sufficient period
of time. In this case the controller counts how many missed jobs occurred
during this period of time. The value of the field should be less than
time (in seconds) needed for running >100 jobs (according to schedule).
Change-Id: I3bf7c7077b55ca5a3421052bd0b59b70c9bbcf24
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
This PS updates the cinder volume template to restore rootwrap
operation.
Change-Id: Ifc6d2442e536e22dca0563bb16634fd9accf44e1
Signed-off-by: Pete Birley <pete@port.direct>
cinder-backup container should reference cinder-backup-rbd-keyring
not cinder-volume-rbd-keyring if the backend driver of cinder backup
is ceph.
Change-Id: Icb7f80a01fc332ee13a42533f8e41e447008c2f4
- Change all tests to support Mimic and Luminous releases
- Update ceph-config-helper dockerfile to use Mimic Ceph binaries
Change-Id: I06a545c1964eaa5b983c58db48b6ad4ccaaa3b8b
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
Random job names mean `helm upgrade` or indeed anything that looks for
changes from rendered templates will see changes when there are none,
causing churn and restarts.
Change-Id: I44331e00c288b517fccf69a4b60435efa2e13d61
This patch set deploys a livenessProbe
for the Cinder API container.
Change-Id: Ice932f3209b9bbff0b54fadc79a99cfc1c2f1ee5
Signed-off-by: Huang,Sophie(sh879n) <sh879n@att.com>
The update makes sure the Openstack service's cephx
user capabilities match best practices in terms of
security permissions after a site or software update.
Change-Id: I70e7f620accb186da2013ba95472777c25739cc1
This patch set updates the gate to use network policy by default
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
While implementing network policies, we noticed a handful of pods created
as part of CronJobs are missing labels, causing them to be unable to be
targeted by the policy. This patch set adds in the missing labels found
in that effort.
Change-Id: I1ca3cfd68ff20dc39a1e952414f3dddd3fc8d3b4
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.
Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
This is to make the ceph configmap and admin keyring secret names used
in storage init scripts be read from chart values, as we may
have two ceph clusters activated in one namespace and
each ceph cluster will have its own configmap and admin secret names.
Change-Id: I84d94f3ac21e602c50619e456ff327ae1da53622
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
In a jewel version, egrep -c "12.2|luminous" returns "0",
but execution will result in an error.
So, add a pipe and echo command to make it succeed.
Change-Id: I94f45855f6510e747884d8b6a629a62c3d96adbd
This proposes changing the tags added to the openstack logs
gathered by the fluentd handler from `openstack.<service>` to
`Namespace.Release` to account for multiple instances of openstack
services being deployed into different namespaces. This allows for
fine tuning the search queries in elasticsearch/kibana to target
specific service deployments in specific namespaces
Change-Id: Ia12dceb4089e107e15d8e30c92c91f350dc31318