This PS removes the licence header from rendered output from tiller,
significantly reducing the configmap size of charts deployed to the
cluster.
Change-Id: I5d1b246f2068f3b83bf59ba79fe8b88bbc9a6161
Keystone is using keys to encrypt credentials saved into the database.
The mechanism is very similar to fernet tokens. This commit implements a
job setting key repository up and rotate job for those keys. All is
based on implementation of fernet tokens.
Change-Id: I88faf1d02d2b317563e8603cebba542f8b133c6a
Closes-Bug: 1693807
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
General issue with fernet tokens is that keys used to encrypt them need
to be persistent and shared accross the cluster. Moreover "rotate"
operation generates a new key, so key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as keys repository.
* New fernet-setup Job will populate secret with initial keys.
* New fernet-rotate CronJob will be run periodically (weekly by default)
and perform key rotation operation and update the secret.
* Secret is attached to keystone-api pods in /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless fernet-rotate job will run before all of the pods will
notice the change in the secret. As in real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
This PS moves keystone credentials to the endpoints section within
the values.yaml, and also adds a 'secrets' key, allowing standardiation
of secrets and credential management across OpenStack-Helm.
Change-Id: I86a21e625afd822379ac11351603b2c606a3769f
This PS helps improve the Image agnosticism of the Keystone chart.
This is achieved by removing the presumed locations of the Keystone
WSGI scripts, enabling support for images that either do not use a venv
or the same venv location that Kolla uses.
Change-Id: Id04f5e485d6a421b6ac7464cbb14f0e3819b778d
This PS add Barbican support, and moves all potentially container
specific logic into the service start script from the api manifests.
Also fixes a permissions issue with the nova-api, which incorrectly
had the NET_ADMIN capability.
Change-Id: I18fc1ea5d7aa70ea7dabb829361a3da57e905100
This PS updates the way helm-toolkit functions are named to
reference the full path they are loacted at. This should make
development and debugging easier. Addtionally unused functions
have been pruned as well.
Change-Id: I03c553f1d01bccc70c86768b416b147c90d9b2f0
This commit introduces several new paradigms:
* .Values driven mounts in service containers as well as jobs.
These can be overriden at runtime by manipulating .Values.mounts.*
* Authenticated Endpoint Resolution methods in helm-toolkit
to allow the database and rabbit type endpoints to be moved
under the endpoints section. Now endpoint lookup functions exist
for openstack endpoints as well as infrastructure elements such as
the database, rabbitmq, and memcache.
* Importing of upstream "out of the box" policy.json
and keystone-paste.ini files for better or worse.
* A rendering of the keystone.conf oslo generated config
using a new helm based Values generator. This provides "known"
paths to all configuration elements in the form of
"<section>.<oslo_namespace>.<element>" so that any of these can
be targeted for override via --set or values.yaml files loaded at
run time.
* Support for appending arbitrary string data to the policy.json,
keystone-paste.ini, or keystone.conf files via --set conf.keystone.append="#
some comment", or --set conf.policy.append="\"identity:list_projects\":
\"role:fake\""
* Support for complete verbatim overrides of these three
files via --set conf.keystone.override="full file contents",
or --set conf.policy.override="full file contents" for example
* Rename common chart to helm-toolkit
* Update useage of helpers to include reference to chart they come from.
* Update helm-toolkit function naming
Also catches several functions missed in previous PS
* Update remaining requirements.yaml to use helm-toolbox
* Dep Check container fix for common -> helm-toolbox renaming
This PS loads all the required keystone configuration files into a container for an apache based deployment.
It allows OpenStack-Helm to be image agnosic, meaning operators can use any Apache based Keystone image they want.
This introduces changes across several charts, for consistent
endpoint lookup routines. Today, only the internal endpoints
are defined (and copied to admin and public). This can later
be expanded to handle unique public and admin endpoints.
This ensures the catalog is populated with consistent URLs
for all services.
* start.sh was added back, which had requiring sourcing
* the naming convention for charts is finalized with this example
landing on configmap-*.yaml to satisfy those of us with OCD
* imagePullPolicies added for init-containers, required by
helm 2.1.0 which does not supply them by default
