104 Commits

Author SHA1 Message Date
Gage Hugo
5ffefb60c1 Remove train and ussuri overrides
We dropped train support a long time ago now, and our latest efforts
are to drop ussuri/bionic images. This change removes any leftover
train overrides as well as any ussuri overrides. This also changes
any image defaults to use wallaby.

Change-Id: I818a3a79faa631ec1b7de625f2113c6f19610760
2022-10-24 16:00:59 -05:00
josebb
52444cf3c8 Support TLS endpoints in barbican
This allows barbican to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And barbican itself interact with other openstack services via
endpoints.

Change-Id: I890f909fc6466b696ee64aa7dfdd528934fccb2d
2022-09-02 18:30:21 +03:00
josebb
178e4ce313 Support TLS for ks jobs and oslo_db/oslo_message in deployment - barbican
Change-Id: I8bee4e7a075d8431e22941c4b88e31889bb6701c
2022-09-02 18:29:56 +03:00
josebb
497f2bbfa8 Distinguish between port number of internal endpoint and binding
port number in barbican

Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.

I added `service` section in endpoint items apart from admin,public
,internal and default.

Change-Id: I33dbc62338ef8e21fab774e3b91bc474efd6bf36
2022-08-13 12:03:26 +03:00
Brian Haley
ced30abead Support image registries with authentication
Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142

Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
2022-08-11 00:18:37 +00:00
Gage Hugo
a0318c23a4 Remove older values overrides - barbican
This change removes several older values overrides for the barbican
chart as well as bumps the default images used to ussuri.

Change-Id: Id3dd045839147b9f6bb4f4ccb55b229abbadf774
2022-04-26 14:30:26 -05:00
Thiago Brito
77609e2722 Enable taint toleration for barbican
This changes use the helm-toolkit template for toleration
in openstack services

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: I6ca1705cc095613aa9db3375e6f203769694b31f
2022-03-22 18:47:49 +00:00
xuxant02@gmail.com
420dac178e Removed the policy from values in favor of policy in code
As services have the default policy in code, the policy in values files is removed.

Change-Id: Icc07e3915a3b07beb02e8c0845d8d6e18adfcfea
2021-11-11 20:35:06 +05:45
Haider, Nafiz (nh532m)
040aa3b774 Allow Barbican to talk to TLS'd mariadb
Barbican is NOT tls'ed, this is only for communicating with tls'd mariadb

Change-Id: Ia9598095456f35585eafa68f665d2a763e208571
2021-08-05 16:06:11 +00:00
Phil Sphicas
ce1b2630d2 Barbican: Add support for master KEK rotation
When using the simple_crypto_plugin (which is enabled by default),
secrets are encrypted with per-project keys, and those keys are
encrypted (or wrapped) with a master key encryption key (KEK, or MKEK).
The wrapped project keys are stored in the database. The KEK is stored
in the barbican configuration file.

If no KEK is specified, a well-known default is used. There is no native
Barbican support for rotating the KEK. Changing the KEK would cause loss
of access to all secrets, because Barbican would be unable to unwrap the
project keys.

This change adds support for upgrading the Helm chart while changing the
KEK. A script can be executed during the db-sync job that decrypts the
project keys with the old KEK, and rewraps them with the new KEK. Note
that no secrets are actually modified during this procedure, and the
project keys are not actually changed.

To use this feature, specify the following values:

    conf:
      barbican:
        simple_crypto_plugin:
          kek: # new KEK, 32-bytes of data, base64-encoded
      simple_crypto_kek_rewrap:
        old_kek: # old KEK, 32-bytes of data, base64-encoded

Change-Id: I462085b89ef80985b42149cccf865e6c5f0f5a53
2021-06-08 07:20:14 +00:00
Phil Sphicas
43f24adf57 Barbican: Add conditional wrapper to helm hook
The pre-install hooks for several of the barbican templates [0] cause
upgrade failures when using helm2. Similar to what was done for keystone
[1], this change wraps them in a conditional that can be toggled off for
anyone still using helm2.

0: https://review.opendev.org/c/openstack/openstack-helm/+/782710
1: https://review.opendev.org/c/openstack/openstack-helm/+/785517

Change-Id: I6a160916ec65d73eef1aaffb510c85ee7fb0d501
2021-06-06 02:52:11 +00:00
Thiago Brito
8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00
okozachenko
a8fc28696d Sync logging values with upstream repos
Some OSH charts have diffferent values for logger_root
handler from upsgream repo config defaul values.
Exactly, logger_root handler values.
This leads double logging finally.
To fix this, set logger_root as null like upstream repos.

Change-Id: I20e4f48efe29ae59c56f74e0ed9a4085283de6ad
2020-09-15 19:15:05 +03:00
DODDA, PRATEEK REDDY (PD2839)
831e14d03f Add missing security context to Barbican test pods/containers
This updates the barbican chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: Ibb85435c1fa9fe577bc7a14d97e0acaf9b9513a2
2020-07-07 01:41:09 +00:00
Andrii Ostapenko
8cfa2aa390 Enable yamllint checks
- brackets
- braces
- colon
- commas
- comments
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- new-line-at-end-of-file
- new-lines
- octal-values
- trailing-spaces

with corresponding code adjustment.

Also add yamllint.conf under the check.

Change-Id: Ie6251c9063c9c99ebe7c6db54c65d45d6ee7a1d4
2020-05-27 19:16:34 -05:00
Gage Hugo
f9dbba7043 Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set""
This reverts commit 90d070390db08abf9da42a2bac54397112bbcd48.

Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f
2020-02-21 11:16:55 -06:00
Vasyl Saienko
90d070390d Revert "Keystone Authtoken Cache: allow universal secret key to be set"
This reverts commit 1c85fdc390e05eb578874e77fad9d4ec942da791.

Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also previous behaviour didn't allow to use cache during rolling upgrade
as new pods were spawned with new key.

Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
2020-02-12 11:18:06 +00:00
Phil Sphicas
2cb3d41544 barbican: fix values overrides for stein and ocata
When the default release was switched from ocata to stein, some of the
policies were duplicated. This moves the ocata overrides back to where
they belong, and adds overrides for pike, queens, and rocky.

Change-Id: I342d69e721b2692987951055e41ed5e153a91d6c
2020-01-16 15:30:47 -08:00
Tin Lam
12bee1bb97 Migrate default release to Stein
This patch set updates the default job to use OpenStack Stein release.
The previously default Ocata release will be place in separate job.

Change-Id: I489324f762a179a2cab5499a6d8e57e97c81297f
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-09 10:00:31 -06:00
Tin Lam
a25eccb7cb Implements egress network policy
This patch set adds in the egress policy for core OpenStack Services.

Depends-On: https://review.opendev.org/#/c/679853/

Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
2019-11-22 01:16:49 +00:00
Evgeny L
cb1feb46e2 Add Barbican ingress Network Policy
Move Barbican Network Policies into a dedicated
override. Configure magnum to have the access to
Barbican.

Change-Id: Iad0f69666a28fabedd49b266c8a9de1ec3410dd6
2019-11-12 16:49:42 +00:00
Steve Wilkerson
9736f5f544 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy

Depends-On: https://review.opendev.org/688435

Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-21 13:58:22 +00:00
Pete Birley
9bcf0df94c Messaging: use htk function to directly hit RabbitMQ servers
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.

Depends-On: I5150a64bd29fa062e30496c1f2127de138322863

Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-18 21:47:45 +00:00
Zuul
cd460f12c2 Merge "Rafactoring volume mount variables in db sync job" 2019-06-18 18:24:18 +00:00
RAHUL KHIYANI
5ad45700f4 Barbican: Add security context to chart and read-only-fs
This PS adds the security context macros to the barbican chart,
and sets the default to read-only-rootfs

Change-Id: I2dad0a50b23f2d202d6cd89b96d308321001fbe9
2019-06-12 10:38:01 -05:00
John Haan
0ea9be7ade Rafactoring volume mount variables in db sync job
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.

Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
2019-05-22 17:47:03 +09:00
Zuul
f8adab245b Merge "Point to OSH-images images" 2019-05-18 19:12:58 +00:00
Jean-Philippe Evrard
1d335146fa Point to OSH-images images
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.

Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.

This should fix it.

Change-Id: I672b8755bf9e182b15eff067479b662529a13477
2019-05-13 10:58:02 +02:00
Roy Tang (rt7380)
5df6fa3789 Expose Anti-Affinity Weight Setting.
Add weight default setting to anti-affinity.

Depends-on: Id8eb303674764ef8b0664f62040723aaf77e0a54
Change-Id: I09f96522cddf3a77dae73daca4557877eda5df50
2019-05-10 22:05:24 -05:00
Jiří Suchomel
a2a5dda47c Added volume related keys to pod mounts to ease the overriding
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this

pod:
  mounts:
    nova_placement:
      init_container: null
      nova_placement:
        volumeMounts:
          - name: nova-etc
          ...

helm template parser complains with

Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>

So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.

Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
2019-03-15 16:29:19 +00:00
chnyda
3a6bf0d627 Barbican: Fix value of node_port to match default
node_port value is by default between 30000 and 32767

Change-Id: I902e7de9d9d37458b71f146ae549a0196fb8c466
2019-03-15 13:19:29 +00:00
Zuul
1ad5467252 Merge "Increase default logging" 2019-03-06 04:09:58 +00:00
Jean-Philippe Evrard
5890ebf4f8 Increase default logging
The current helm chart defaults drops logs of any warnings
(and above) for any logger outside of the namespace
of the deployed chart.

This is a problem, as logging could reveal important information for
operators. While this could be done with a value override, there
is no reason to hide warning, errors, or critical information that
are happening in the cycle of the operation of the software
deployed with the helm charts. For example, nothing would get
logged in oslo_service, which is a very important part of running
OpenStack.

This fixes it by logging to stdout all the warnings (and above)
for OpenStack apps.

Change-Id: I16f77f4cc64caf21b21c8519e6da34eaf5d31498
2019-02-28 09:53:01 +00:00
Pavlo Shchelokovskyy
55645c7e73 Explicitly set datefmt for logging
the defaults in Python [0] and oslo.log [1] are such that when using
separate config file for logging configuration (log-config-append)
the log fomat of dates containes miliseconds twice (as in sec,ms.ms)
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.

When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].

Since `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set date format to avoid double
miliseconds rendering in date of log entries.

[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148

Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
2019-02-21 08:28:35 +00:00
Tin Lam
29f32a07ac Enable network policy enforcement
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-23 14:58:13 +00:00
Tin Lam
3cd4d0898a Upgrade default from newton to ocata
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.

Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-13 04:18:46 +00:00
Pete Birley
4b3cbafc9a Keystone: Correct endpoint definition
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.

Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-23 11:33:21 -05:00
Pete Birley
7e90bb02bd Logging: update logging config to pass null as a string to oslo config
This PS updates the logging config to pass null as a string though to
the rendering engine, which is required to avoid things like `<no value>`
when base64 encoding output.

Change-Id: I04d6afbc693ec1adf560c7be15704c8b7434c08f
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-20 13:28:27 -05:00
Pete Birley
4a6d740154 Keystone: Stop running keystone container with root user
This PS updates the keystoen chart to stop running the keystone api
as the root user.

Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-04 10:06:32 -05:00
Pete Birley
5f349ae653 Keystone: Disable v2 api
This PS disables the v2 keystone API, and finishes the migration to
full v3 support.

Change-Id: I3021ebe0bee668db9f28e7fb18e2d4b26172f209
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-03 14:50:45 +00:00
Pete Birley
dc7008d9a5 Keystone: enable external access to admin endpoint
This PS moves to use port 80 by default for the keystone
asdmin endpoint, and adjusts paths accordingly.

Change-Id: Iccae704dadc17eba269e857301654782f64763c9
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-02 14:40:20 +00:00
Pete Birley
d003a082c8 Logging: Only output std logs to stdout
This PS removes the double logging of openstack components that
were caused by outputting to both stdout and stderr.

Change-Id: I6e0ae5861bbf5b8d736ae08251aa865e1c4ce0d8
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-27 11:01:30 +00:00
Pete Birley
95c5b4942d Keystone: Use service domain for service users
This PS moves to use a service domain for openstack service accounts
and users.

Change-Id: Ibe7c5f83a9fc9960fb85e53f9745d24f2192a94a
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-26 05:19:38 +00:00
Pete Birley
ec2f9d0808 Keystone: Update admin port declaration to use standard layout
This PS updates keystone, and the keystone endpoints sections to use
the same layout for port declarations as other charts.

Change-Id: I7dddabee6c74bf023da4b1cdf722a409e7475f8f
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-25 13:00:52 -05:00
caoyuan
8f4eadcf85 Complete the Default values decription
Change-Id: I4733a72b3c9c4473dd721c39671918bb99562044
2018-06-30 05:25:57 +00:00
Zuul
e8f561127f Merge "Add logging.conf files to enabled loggers/handlers/formatters" 2018-06-26 18:02:54 +00:00
Steve Wilkerson
da7bc575ec Add logging.conf files to enabled loggers/handlers/formatters
This introduces a mechanism for generating the logging.conf
file for the openstack services via the values. This allows us to
define loggers, handlers, and formatters for the services and the
modules they're composed of.

This also allows us to take advantage of the oslo fluent handler
and formatter. The fluent handler and formatter give us the
following benefits: sending logs directly to fluentd instead of
routed to stdout/stderr and then through fluentbit to fluentd,
project specific tags on the logged events (enables us to define
more robust filters in fluentd for aggregation if required),
full traceback support, and additional metadata (modules that
created logged event, etc)

Depends-On: https://review.openstack.org/577796

Change-Id: I63340ce6b03191d93a74d9ac6947f0b49b8a1a39
2018-06-26 09:51:14 -05:00
Pete Birley
e19be77f08 Ingress: Add initial TLS Support for core service public endpoints
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamicly loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-26 07:15:24 +00:00
Steve Wilkerson
354b311ec5 Add local-registry image managment to OSH from OSH-Infra
This PS adds the local registry image managment to OSH from OSH-Infra.
With this the delta between helm-toolkits in the Repo's is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be depreciated.

Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
2018-05-12 14:35:48 +00:00
Pete Birley
ab07c9ccab Barbican: Correct endpoint creation
This PS corrects the barbican endpoint creation to use the correct
(ie None) paths for the keystone service catalog. The chart as-is
does not work with many clients that expect the correct keystone
endpoint, and thus make calls to http://barbican.foo/v1/v1, even
with newton era clients.

* https://docs.openstack.org/project-install-guide/key-manager/ocata/install-ubuntu.html
* https://docs.openstack.org/project-install-guide/key-manager/newton/install-ubuntu.html
* https://docs.openstack.org/barbican/pike/install/install-ubuntu.html
* https://docs.openstack.org/barbican/queens/install/install-ubuntu.html

Change-Id: I84e8d19a682b901ecc76a2281d24f60c749577a8
2018-05-06 01:16:17 +00:00