the defaults in Python [0] and oslo.log [1] are such that when using
separate config file for logging configuration (log-config-append)
the log fomat of dates containes miliseconds twice (as in sec,ms.ms)
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.
When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].
Since `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set date format to avoid double
miliseconds rendering in date of log entries.
[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148
Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
this role is not actually required since ~Kilo
I3f1b70b78b91bfac9af5fadb71140679b208c999
plus the heat chart already sets the trusts_delegated_roles option
for Heat to pass all roles to the trust
Change-Id: Icf900f318d3173d63c5967857d96f7d2a7f9aa5b
To get openstack related metrics, prometheus-openstack-exporter need to
access to keystone. So add prometheus-openstack-exporter to network
policy of keystone.
Change-Id: I31106a10e512578a35122949c3cff698b1bc482b
Signed-off-by: Deokjin Kim <deokjin81.kim@samsung.com>
This change adds a zuul check job to export any templated python
contained in the helm charts and scan it with bandit for any
potential security flaws.
This also adds two nosec comments on the instances of subprocess
used as they currently do not appear to be malicious, as well
as changing the endpoint_update python code to prevent sql
injection, which satisfies bandit code B608.
Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
securitycontext with non-root user is implemented at pod level
and leveraged the helm-toolkit snippet
Fix for adding allowPrivilegeEscalation flag as a blanket
policy on the pod in the keyston chart
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I15333df4707948e50deb935ffc1ee599588e4788
This change sets lockout_failure_attempts and lockout_duration
configuration options in security_compliance group.
Change-Id: I72910e52239ace23b92d826794cd0603a061e6c3
This PS is enable the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This PS removes the rally ec2 credential test. As Rally left old
encrypted ec2 credentials in the database which were not being
cleaned up between upgrades and key changes.
Change-Id: Id0c5411521adebc8c977fd9a24f511f6925f16d0
Signed-off-by: Pete Birley <pete@port.direct>
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.
Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the logging config to pass null as a string though to
the rendering engine, which is required to avoid things like `<no value>`
when base64 encoding output.
Change-Id: I04d6afbc693ec1adf560c7be15704c8b7434c08f
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves the keystone chart to be linine with other OSH
components and drives all config via the charts values.yaml
Change-Id: I14ee6ede0a87619ecbb2c56d0edf82ffbc5606be
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystoen chart to stop running the keystone api
as the root user.
Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
This PS disables the v2 keystone API, and finishes the migration to
full v3 support.
Change-Id: I3021ebe0bee668db9f28e7fb18e2d4b26172f209
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use port 80 by default for the keystone
asdmin endpoint, and adjusts paths accordingly.
Change-Id: Iccae704dadc17eba269e857301654782f64763c9
Signed-off-by: Pete Birley <pete@port.direct>
As reported in OSSN-0083[0], "get_identity_providers" is invalid
and should be singular "get_identity_provider". The former rule
is ignored, this change to make the rule singular fixes this
issue.
[0] https://wiki.openstack.org/wiki/OSSN/OSSN-0083
Change-Id: I479bcda89b0be0056717864e79269b8d071d98ec
This PS removes the double logging of openstack components that
were caused by outputting to both stdout and stderr.
Change-Id: I6e0ae5861bbf5b8d736ae08251aa865e1c4ce0d8
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds a script to update the keystone catalog endpoints
for keystone itself, as the keystone-bootstrap will not update
these once created.
Change-Id: Ie48c71bbdc9bbd14cebcee46285b3bf51bd28065
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates keystone, and the keystone endpoints sections to use
the same layout for port declarations as other charts.
Change-Id: I7dddabee6c74bf023da4b1cdf722a409e7475f8f
Signed-off-by: Pete Birley <pete@port.direct>
This proposes changing the tags added to the openstack logs
gathered by the fluentd handler from `openstack.<service>` to
`Namespace.Release` to account for multiple instances of openstack
services being deployed into different namespaces. This allows for
fine tuning the search queries in elasticsearch/kibana to target
specific service deployments in specific namespaces
Change-Id: Ia12dceb4089e107e15d8e30c92c91f350dc31318
This adds support for executing helm tests via the armada test
directive. It enables theses tests for all services, except for
nova and neutron as executing tests with armada force a chart to
wait. Forcing nova and neutron to wait effectively sequences the
charts, which will result in a failure to deploy past those
services
Depends-On: https://review.openstack.org/#/c/581148
Change-Id: I6ac845c82d744e2f5fd79c3e2ff3c1479dd1ddab
This patch sets the notifier driver to messagingv2 so all
messages sent to RabbitMQ using the 2.0 format.
For info:
Auth notificaitons are supressed by default, to enable it
uncomment the following parameter:
conf:
DEFAULT:
notification_opt_out: ""
Change-Id: I652fc34a229612dcb8b96c8722b8c6ac1c8aba3e
Signed-off-by: Ruslan Khanbikov <rk760n@att.com>
Keystone token expiration, rotation frequency and active keys
values should follow the formula:
max_active_keys = (token_expiration / rotation_frequency) + 2
max_active_keys by default is 3
token expiration set to 43200 (12h)
rotation frequency set to 12 hours
Change-Id: Ia04daec9b2905ef2d3f2d4fbb43557dda220dc70
Signed-off-by: Ruslan Khanbikov <rk760n@att.com>
This introduces a mechanism for generating the logging.conf
file for the openstack services via the values. This allows us to
define loggers, handlers, and formatters for the services and the
modules they're composed of.
This also allows us to take advantage of the oslo fluent handler
and formatter. The fluent handler and formatter give us the
following benefits: sending logs directly to fluentd instead of
routed to stdout/stderr and then through fluentbit to fluentd,
project specific tags on the logged events (enables us to define
more robust filters in fluentd for aggregation if required),
full traceback support, and additional metadata (modules that
created logged event, etc)
Depends-On: https://review.openstack.org/577796
Change-Id: I63340ce6b03191d93a74d9ac6947f0b49b8a1a39
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamicly loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.
Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
As of Rocky, keystone creates a default "member" role upon bootstrap.
This change modifies any references to the manually created
"_member_" role to "member". In a future change, the manualy creation
of this role in keystone can be removed since it will no longer be
needed.
Change-Id: I65c63695976f38da21dc6dd8f40ad70e23da6f48
This PS removes the use of the `quote and truncate` approach to
suppress output from gotpl actions in templates and replaces it
with the recommended practice of defining `$_` instead.
Change-Id: I5f35c5f7e70b4f7f461d772e3b72ed1c695c56a8
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use the current ga version for kubernetes deployments.
Story: 2002205
Task: 21735
Depends-On: Icb4e7aa2392da6867427a58926be2da6f424bd56
Change-Id: I062a8a29dff70427ee9bcf09f595011b3611b0b1
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds dep checking for the rabbitmq management jobs.
Change-Id: Ibdaa1a9d6db0eb8fae83ba6390d629af7ee63571
Signed-off-by: Pete Birley <pete@port.direct>
