We didn't have an annotation label, so there's no way for things
to automatically reload when config changes.
Change-Id: I5d142c8d3c2bb11b955d4c4e2fd2e95e3a1e522a
There was a mistake in the script for the archive_delete_rows cron for
rendering the values from the values files. Fix for taking the values
from the values file for --max-rows and --before options when enabled
using the values.yaml file.
Change-Id: Ib63920c497bbf9ac74e41bdfd0b2e580b95bebb0
At the moment, the multidomain support selector is broken because
it always puts the value of a boolean inside a string which always
evaluates to true, which means setting it to false does nothing.
This patch drops the quotes around the templated configuration,
that way, it is taken for the literal boolean value.
Change-Id: I02c0a0ece680ecb55e83f3da5a992398c3ab6390
Script has been created with archve_deleted_rows which will run as
cronjob to move the deleted rows from production table to shadow table.
Change-Id: I1cd3e523301b1aaeb3366288d128e23aae5e0780
This change modifies the keystone probe timings to be less
aggressive. This should prevent the probes from restarting any
keystone-api pods that are under a high volume of traffic as well
as reduce the amount of log spam.
Change-Id: Icce06bf2247591a7b603aa32ded254ce7b6cc67a
This change modifies the default values for all of the readiness
and liveness probes to something a bit less aggressive, namely
the default timeout of 1 second.
Change-Id: Ib389aebb2450f8ed134ef8f75110b559d1a4f2ee
Mount rabbitmq TLS secret to openstack services which support internal
TLS. Once internal TLS support is added to other service, the TLSed
rabbitmq support should be added.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188
Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
When using the simple_crypto_plugin (which is enabled by default),
secrets are encrypted with per-project keys, and those keys are
encrypted (or wrapped) with a master key encryption key (KEK, or MKEK).
The wrapped project keys are stored in the database. The KEK is stored
in the barbican configuration file.
If no KEK is specified, a well-known default is used. There is no native
Barbican support for rotating the KEK. Changing the KEK would cause loss
of access to all secrets, because Barbican would be unable to unwrap the
project keys.
This change adds support for upgrading the Helm chart while changing the
KEK. A script can be executed during the db-sync job that decrypts the
project keys with the old KEK, and rewraps them with the new KEK. Note
that no secrets are actually modified during this procedure, and the
project keys are not actually changed.
To use this feature, specify the following values:
conf:
barbican:
simple_crypto_plugin:
kek: # new KEK, 32-bytes of data, base64-encoded
simple_crypto_kek_rewrap:
old_kek: # old KEK, 32-bytes of data, base64-encoded
Change-Id: I462085b89ef80985b42149cccf865e6c5f0f5a53
The dnsPolicy not being set to "ClusterFirstWithHostNet" results in
the housekeeping service failing to connect to the database.
Change-Id: I23c9f0c561ea61695fbc7ce333a3f331cf31a7a4
``[vnc]/vncserver_proxyclient_address`` was deprecated, so we replace it with ``server_proxyclient_address``
Change-Id: I142710ffab2aa407a09318e4b8517938ed28f3c8
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
Some nova gotpl files have +x permission. This changes it so they are
consistent with the other gotpl files.
Change-Id: Ifcd4c1032b41363ea8b1d43407315d68d7e9eec8
Signed-off-by: Tin <tin@irrational.io>
With keystone moving to flask back in Stein, the paste pipeline
configuration and file are no longer needed. With OSH no longer
supporting those older releases, this change removes the paste ini
settings and file mounts since they are no longer used.
Change-Id: Idacd973f090562eaee28567d9422eb761951096f
This is to fix the ceph version checks for enabling the applications
on newly created pools for openstack services like cinder and glance.
Change-Id: I2c007f728180cf7753255463ebf2f8dc5dc6fa5b
This change bumps each openstack chart version up to the next
greatest minor version of 0.2.0, signifying that openstack-helm
will no longer support older, EOL releases for each chart.
Change-Id: I7ce80c7bdc779c1de4472079f18102f506bfbb90
Ironic does not need to reserve system resources, otherwise it will cause flavor to be unable to schedule.
Change-Id: I454d0468ae3424cc92d470c15a40ad96c01cf311
The pre-install hooks for several of the keystone templates
cause upgrade failures when using helm2. This change wraps them
in a conditional that can be toggled off for anyone still
using helm2.
Change-Id: I179583bd595bc8ed1e4c29eb7c2a744e3c6a5708
The nova-compute-ironic label is "compute", but the label chosen by affinity is "compute-ironic", which results in multiple replicas on the same node.
Change-Id: If947be6cd400e32d3455f07a85f4263c4b17cb87
