This updates the values used for generating the pod and container
security contexts for the components of the neutron chart. This
moves to using a unique application key for each neutron service
instead of a single 'neutron' key that maps to every pod
This also removes the .pod.user.neutron.uid key in favor of using
the user key in the security_context values tree
Change-Id: I1c87a5b4b74e2a2d17b8913dd34f40dc1c38fbe0
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS adds checks for the Stein Release of OpenStack in Ubuntu Bionic
containers.
Depends-On: https://review.opendev.org/667726
Change-Id: Icfad3434ca496a841993b95adaf5d853728d920f
Signed-off-by: Pete Birley <pete@port.direct>
This PS allows the probes in containers/pods to be tuned via values
overrides.
Depends-On: https://review.opendev.org/#/c/631597/
Change-Id: I439dce38a1b7df8c798f10f7fad406f9b0dfe3e6
Signed-off-by: Pete Birley <pete@port.direct>
There can be more than one RabbitMQ node in
transport_url in conf file when RabbitMQ is
configured in HA mode.
Change-Id: I9721e2e33212918d402bce295c02b1869dce67f7
L2 Gateway (L2GW) is an API framework that offers bridging 2+
networks together to make them look as a single broadcast domain.
A typical use case is bridging the virtual with the physical networks.
Change-Id: I95ff59ce024747f7af40c6bef0661bb3743b0af1
This PS adds checks for running the Rocky release of Openstack under
Python3 in Ubuntu Bionic containers.
Change-Id: I269cef9f8f157e22f6b857822df9a8960dac6ea8
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds checks for the Rocky Release of OpenStack in Ubuntu Xenial
containers.
Change-Id: Ieed4a6a3afa6e3ebd9b2f72ba227aac891d65214
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds checks for the Queens Release of OpenStack in Ubuntu Xenial
containers.
Change-Id: I0d4d427e43f06fa955dfd275859939d0adca113c
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds checks for the Pike Release of OpenStack in Ubuntu Xenial
containers.
Change-Id: I402584bbcdd53a4a6bc21f370586b3498142bf81
Signed-off-by: Pete Birley <pete@port.direct>
Implement container security context for the following Neutron resources:
- Neutron server deployment
Change-Id: Ic2600c2301bd9d7c91bc72c22a7813d07e3a8ef6
There are the changes here
1. extend current kill_metadata filter for python3 versions
2. add kill_keepalived_monitor filters (introduced for neutron with
https://review.opendev.org/#/c/636710/ )
Change-Id: If82db83bdb3bd8bebeb15382079b538fd8019376
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.
Depends-On: I5150a64bd29fa062e30496c1f2127de138322863
Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
This PS enables the use of simple logging options if desired.
Change-Id: If6ea420c6ed595b3b6b6eedf99a0bf26a20b6abf
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the neutron secret to conform to K8s schema
validation.
Change-Id: Id477510873362224ba919b0c97e09664d5c1b205
Signed-off-by: Pete Birley <pete@port.direct>
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.
This change makes it so that each service defines its own test user
in the form of [service]-test.
Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.
Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.
This should fix it.
Change-Id: I672b8755bf9e182b15eff067479b662529a13477
Create the overrides file necessary for Rocky release:
- api-paste entrypoint neutron.api.versions:Versions.factory deprecated
Deployment script needs to be executed with OSH_OPENSTACK_RELEASE value.
Change-Id: If0d3553bd004426d8e97e1fa62ee9b99f4a895a9
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
removing readOnlyRootFilesystem flag since pods are running to
crashLoopBackOff state by implementing HTK functionality.
Change-Id: I221bdb54b1e94e4089fb079f161dcb4de4dd3571
There is currently no testing of the Leap 15 images in OSH.
This addresses it by:
- Using the values_overrides folder according to the multi-os
spec, creating value override files there for changes that
needs to happen on Leap 15 images.
- Point to the right images using the previously created folder,
to allow using those in CI easily.
- Change CI to use previously created overrides.
Depends-On: https://review.openstack.org/#/c/651501
Change-Id: I520d3676195c62b253a19397c86b0d0fbabee710
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the neutron-server service.
This provides the ability to audit API requests for neutron.
[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html
Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f
to set local_ip in osh, you have to use nic name.
but some devices can have different nic name.
so I add new option for getting tunnel device by cidr.
Added value:
network:
interface:
tunnel: null
tunnel_network_cidr: "0/0"
Change-Id: I8bffae640dfe0086de0b5274bb8c3cdce9754160
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This PS tells neutron to make rabbitmq queues ha when available.
Change-Id: I708d354224a14e9b49be3faf1589f5a4791f5de9
Signed-off-by: Pete Birley <pete@port.direct>
Under python3 an Exception no longer has the message attribute,
instead you can just str the exception to get the error message
Change-Id: I38225a76e01118b88353038ed7ef132d019dd976
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this
pod:
mounts:
nova_placement:
init_container: null
nova_placement:
volumeMounts:
- name: nova-etc
...
helm template parser complains with
Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>
So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.
Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
Previously, when adding interfaces to an ovs bridge we would set the
link state to up. Some environments assume this is the case so
restore that behavior.
This fixes the problem where external (public) IPs for routers and VMs
no longer respond.
Change-Id: I59e21bd5cde7e239320125e9a7e0a33adae578a8
Health_probe for neutron pods accomplish both liveness and
readiness probe.
Neutron DHCP/L3/OVS agents:
Sends an RPC call with a non-existence method to agent’s queue.
Assumes no other agent subscribed to tunnel-update queue other
than OVS. Probe is success if agent returns with NoSuchMethod
error.
Neutron Metadata agent:
Sends a message to Unix Domain Socket opened by Metadata agent.
Probe is success if agent returns with HTTP status 404.
In both the cases, if agent is not reachable or fails to
respond in time, returns failure to probe.
Readiness probe for Neutron L3/DHCP/Metadata/SRIOV agents
Following are the operations executed on the pod as part of
readiness probe on the neutron agents:
- Check if the agent process is up and running.
- Retrieve the sockets associated with the process from the /proc fs.
- Check the status of tcp sockets related to Rabbitmq communication.
- Check the reachability of the rabbitmq message bus from the agent.
- For SRIOV Agent, check if VFs are configured properly for the
configured NICs in sriov_agent.ini conf file
Change-Id: Ib99ceaabbad1d1e0faf34cc74314da9aa688fa0a
