This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
There is currently no testing of the Leap 15 images in OSH.
This addresses it by:
- Using the values_overrides folder according to the multi-os
spec, creating value override files there for changes that
needs to happen on Leap 15 images.
- Point to the right images using the previously created folder,
to allow using those in CI easily.
- Change CI to use previously created overrides.
Depends-On: https://review.openstack.org/#/c/651501
Change-Id: I520d3676195c62b253a19397c86b0d0fbabee710
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the glance-api and glance-registry services.
This provides the ability to audit API requests for glance.
[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html
Change-Id: I3b42717dbc11257c21b27e7c68dedc3283e1bd34
This PS tells glance to make rabbitmq queues ha when available.
Change-Id: I675c8a80548f0d0cd9e9fea74dfaeeec632b71e3
Signed-off-by: Pete Birley <pete@port.direct>
In case of not using qemu, the cirros image can not be deployed
because of filtering hypervisor_type.
Change-Id: Ia3e6c9eb5011875aaa9b5334fb34c2c7b8ea9565
Signed-off-by: hagun.kim <hagun.kim@samsung.com>
Implement container security context for the following Glance resources:
- Glance server deployment
Change-Id: I32b63226f5f2bcfff09f0b6760f5475ef7d1b5b5
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this
pod:
mounts:
nova_placement:
init_container: null
nova_placement:
volumeMounts:
- name: nova-etc
...
helm template parser complains with
Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>
So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.
Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
In a previous patch set (https://review.openstack.org/#/c/629300/),
the "allowPrivilegeEscalation" flag was set to false for one of the
init containers, but it was intended to be used for the glance-api
container.
Change-Id: If2d83d82a720d7a1a39729bbf3bddc226af3ba20
- pass new pool replication&crush ruleset parameter to the
storage init script
- set images pool replication&crush ruleset in the storage init script
Change-Id: Idd883d4348a292c0de54c7ee47da98f11f36306f
Story: 2004921
Task: 29282
Signed-off-by: Irina Mihai <irina.mihai@windriver.com>
The current helm chart defaults drops logs of any warnings
(and above) for any logger outside of the namespace
of the deployed chart.
This is a problem, as logging could reveal important information for
operators. While this could be done with a value override, there
is no reason to hide warning, errors, or critical information that
are happening in the cycle of the operation of the software
deployed with the helm charts. For example, nothing would get
logged in oslo_service, which is a very important part of running
OpenStack.
This fixes it by logging to stdout all the warnings (and above)
for OpenStack apps.
Change-Id: I16f77f4cc64caf21b21c8519e6da34eaf5d31498
Adding this parameter to Cinder, Heat, Glance,and Neutron
config. Adding this parameter allows proper handling to resource
links in response using API services behind https proxy.
Change-Id: Ib99a16b6252b15d9f138417485731ec401cb8f81
the defaults in Python [0] and oslo.log [1] are such that when using
separate config file for logging configuration (log-config-append)
the log fomat of dates containes miliseconds twice (as in sec,ms.ms)
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.
When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].
Since `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set date format to avoid double
miliseconds rendering in date of log entries.
[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148
Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
- Change all tests to support Mimic and Luminous releases
- Update ceph-config-helper dockerfile to use Mimic Ceph binaries
Change-Id: I06a545c1964eaa5b983c58db48b6ad4ccaaa3b8b
cinder volume can be created with glance image.
but network policy of glance didn't allow for cinder.
so it should be added cinder podSelector on glance network policy.
ex. openstack volume create --image XXX --size 1 valume-name
Change-Id: Ia41961e16e2583ab571ed8a851a2ee2d14aa71c5
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
This PS is enable the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
Random job names mean `helm upgrade` or indeed anything looks for
changes from rendered templates will see changes when there are none
causing churn and restarts.
Change-Id: I44331e00c288b517fccf69a4b60435efa2e13d61
The update makes sure the Openstack service's cephx
user capabilities match best practices in terms of
security permissions after a site or software update.
Change-Id: I70e7f620accb186da2013ba95472777c25739cc1
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.
Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
This updates the glance chart to disable the service for the
glance registry by default, as we disable the other glance
registry templates by default. This updates the gates to enable
the service when newton is deployed
Change-Id: I453d28d9c552754b66e94d9da2e2b9ea6549a5aa
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
This is make ceph configmap and admin keyring secret names using
in storage init scripts to be read from chart values as we may
have two ceph clusters gets activated in one namespace and
each ceph clsuter will have its own configmap and admin secret names.
Change-Id: I84d94f3ac21e602c50619e456ff327ae1da53622
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the logging config to pass null as a string though to
the rendering engine, which is required to avoid things like `<no value>`
when base64 encoding output.
Change-Id: I04d6afbc693ec1adf560c7be15704c8b7434c08f
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystoen chart to stop running the keystone api
as the root user.
Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
This PS disables the v2 keystone API, and finishes the migration to
full v3 support.
Change-Id: I3021ebe0bee668db9f28e7fb18e2d4b26172f209
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use port 80 by default for the keystone
asdmin endpoint, and adjusts paths accordingly.
Change-Id: Iccae704dadc17eba269e857301654782f64763c9
Signed-off-by: Pete Birley <pete@port.direct>
This PS disables the depreciated glance V1 API and registry
by default. For newton gates the registry is enabled, as newton
heat still used it.
Change-Id: Ia6bd4382750bde1b0a0e4db174d2de11626a1826
Signed-off-by: Pete Birley <pete@port.direct>
This PS removes the double logging of openstack components that
were caused by outputting to both stdout and stderr.
Change-Id: I6e0ae5861bbf5b8d736ae08251aa865e1c4ce0d8
Signed-off-by: Pete Birley <pete@port.direct>
In a jewel version, egrep -c "12.2|luminous" returns "0",
but execution will be error.
So, add pipe and echo command to make a success.
Change-Id: I94f45855f6510e747884d8b6a629a62c3d96adbd
