This updates the values used for generating the pod and container
security contexts for the components of the neutron chart. This
moves to using a unique application key for each neutron service
instead of a single 'neutron' key that maps to every pod
This also removes the .pod.user.neutron.uid key in favor of using
the user key in the security_context values tree
Change-Id: I1c87a5b4b74e2a2d17b8913dd34f40dc1c38fbe0
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS allows the probes in containers/pods to be tuned via values
overrides.
Depends-On: https://review.opendev.org/#/c/631597/
Change-Id: I439dce38a1b7df8c798f10f7fad406f9b0dfe3e6
Signed-off-by: Pete Birley <pete@port.direct>
L2 Gateway (L2GW) is an API framework that offers bridging 2+
networks together to make them look as a single broadcast domain.
A typical use case is bridging the virtual with the physical networks.
Change-Id: I95ff59ce024747f7af40c6bef0661bb3743b0af1
Implement container security context for the following Neutron resources:
- Neutron server deployment
Change-Id: Ic2600c2301bd9d7c91bc72c22a7813d07e3a8ef6
There are the changes here
1. extend current kill_metadata filter for python3 versions
2. add kill_keepalived_monitor filters (introduced for neutron with
https://review.opendev.org/#/c/636710/ )
Change-Id: If82db83bdb3bd8bebeb15382079b538fd8019376
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.
Depends-On: I5150a64bd29fa062e30496c1f2127de138322863
Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.
This change makes it so that each service defines its own test user
in the form of [service]-test.
Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.
Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.
This should fix it.
Change-Id: I672b8755bf9e182b15eff067479b662529a13477
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the neutron-server service.
This provides the ability to audit API requests for neutron.
[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html
Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f
to set local_ip in osh, you have to use nic name.
but some devices can have different nic name.
so I add new option for getting tunnel device by cidr.
Added value:
network:
interface:
tunnel: null
tunnel_network_cidr: "0/0"
Change-Id: I8bffae640dfe0086de0b5274bb8c3cdce9754160
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This PS tells neutron to make rabbitmq queues ha when available.
Change-Id: I708d354224a14e9b49be3faf1589f5a4791f5de9
Signed-off-by: Pete Birley <pete@port.direct>
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this
pod:
mounts:
nova_placement:
init_container: null
nova_placement:
volumeMounts:
- name: nova-etc
...
helm template parser complains with
Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>
So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.
Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
.Values.network.auto_bridge_add is a global config. So in multi nodes
deployment, it requires that all hosts have the same nic names. This is
a strict limit.
This patch is to support per-host auto_bridge_add, so that we can define
different auto_bridge_add for hosts.
Also, this patch move .network.auto_bridge_add to .conf.auto_bridge_add
Change-Id: I4a4d6efbbfe073d035bc5c03700fbe998e708d0f
Story: 2005059
Task: 29601
The current helm chart defaults drops logs of any warnings
(and above) for any logger outside of the namespace
of the deployed chart.
This is a problem, as logging could reveal important information for
operators. While this could be done with a value override, there
is no reason to hide warning, errors, or critical information that
are happening in the cycle of the operation of the software
deployed with the helm charts. For example, nothing would get
logged in oslo_service, which is a very important part of running
OpenStack.
This fixes it by logging to stdout all the warnings (and above)
for OpenStack apps.
Change-Id: I16f77f4cc64caf21b21c8519e6da34eaf5d31498
Adding this parameter to Cinder, Heat, Glance,and Neutron
config. Adding this parameter allows proper handling to resource
links in response using API services behind https proxy.
Change-Id: Ib99a16b6252b15d9f138417485731ec401cb8f81
the defaults in Python [0] and oslo.log [1] are such that when using
separate config file for logging configuration (log-config-append)
the log fomat of dates containes miliseconds twice (as in sec,ms.ms)
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.
When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].
Since `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set date format to avoid double
miliseconds rendering in date of log entries.
[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148
Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
Resolve issue with sriov dependency removal.
sriov key is required even if there are no dependencies.
Change-Id: I978b411502af575579e4f4a56e0974ef2baf5f52
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
This PS is enable the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.
Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
Need to adjust taas rootwrap filter for i40e_sysfs_command.
Add code to allow sriov agent init script to run best effort.
Update way to set nic promisc mode.
Change-Id: Id1e22ea4b636ae7e05b880739a88c410a4da587c
This PS exposes the ability to set the vf device mtu.
Change-Id: If1193a71f1da391918e122c3d60f967023b732e1
Signed-off-by: Pete Birley <pete@port.direct>
The current default for exclude_devices is null, which will
render suboptimally when using secret-based configmaps.
This changes it to "" (empty string) which will render correctly
when SRIOV is enabled.
Change-Id: Ib33181943d90278e1e1e9498bb0d77fd6c029ce5
This is the second draft to enhance neutron in ocata to support
Tap-as-a-service (TaaS) as a L2 Extension.
Change-Id: I96951b38dd43ab4904339b778b5726a579c76a4c
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the logging config to pass null as a string though to
the rendering engine, which is required to avoid things like `<no value>`
when base64 encoding output.
Change-Id: I04d6afbc693ec1adf560c7be15704c8b7434c08f
Signed-off-by: Pete Birley <pete@port.direct>
