Deckhand updates

This PS makes the following changes:

- uses deploy-k8s.sh from treasuremap
- makes sure the airskiff-deploy playbook uses the 80Gb partition when one
  is available
- adds available security updates to docker images

Change-Id: I0f330cb15ec32b12703f0bc6620b3f3c797a25bb
Sergiy Markin 2023-07-05 20:04:25 +00:00
parent 06b1631d8a
commit 8d055a0aa9
15 changed files with 149 additions and 84 deletions


@ -60,9 +60,9 @@
jobs:
- deckhand-upload-git-mirror
- deckhand-docker-publish-ubuntu_focal
- deckhand-docker-tag-ubuntu_focal
# - deckhand-docker-tag-ubuntu_focal
- deckhand-docker-publish-ubuntu_bionic
- deckhand-docker-tag-ubuntu_bionic
# - deckhand-docker-tag-ubuntu_bionic
- nodeset:
@ -300,7 +300,7 @@
- airship/treasuremap
vars:
CLONE_DECKHAND: false
OSH_INFRA_COMMIT: 8e96a91ffae745b952c053923aa177e615b49b74
OSH_INFRA_COMMIT: 443ff3e3e340c94c5cbb214d1e2a8b2a3937541d
DECKHAND_IMAGE_DISTRO: ubuntu_focal
distro: ubuntu_focal
irrelevant-files:
@ -324,7 +324,7 @@
- airship/treasuremap
vars:
CLONE_DECKHAND: false
OSH_INFRA_COMMIT: 8e96a91ffae745b952c053923aa177e615b49b74
OSH_INFRA_COMMIT: 443ff3e3e340c94c5cbb214d1e2a8b2a3937541d
DECKHAND_IMAGE_DISTRO: ubuntu_bionic
distro: ubuntu_focal
irrelevant-files:
@ -335,7 +335,7 @@
- job:
name: deckhand-docker-build-gate-ubuntu_focal
timeout: 1800
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: deckhand-single-node-focal
irrelevant-files: &non-code-files-template
@ -354,7 +354,7 @@
- job:
name: deckhand-docker-build-gate-ubuntu_bionic
timeout: 1800
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: deckhand-single-node
irrelevant-files: *non-code-files-template
@ -371,7 +371,7 @@
Runs on every merge, unless files in a dictionary below are changed.
Builds and publishes container ubuntu images on quay.io with a set of tags
listed in vars section. Waits in Zuul queue for a node (VM) assignment.
timeout: 1800
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: deckhand-single-node-focal
secrets:
@ -393,7 +393,7 @@
Runs on every merge, unless files in a dictionary below are changed.
Builds and publishes container ubuntu images on quay.io with a set of tags
listed in vars section. Waits in Zuul queue for a node (VM) assignment.
timeout: 1800
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: deckhand-single-node
secrets:
@ -409,37 +409,37 @@
static:
- latest
- job:
name: deckhand-docker-tag-ubuntu_focal
description: |
Runs on every merge when files in a dictionalry below are changed, and
adds git commit id tag onto the ubuntu container image published on quay.io,
which has `latest` tag set. Does not wait in queue for a node (VM)
assignment, runs almost immediately.
timeout: 1800
run: tools/gate/playbooks/docker-image-tag.yaml
nodeset:
nodes: []
secrets:
- airship_deckhand_quay_creds
vars:
distro: ubuntu_focal
# - job:
# name: deckhand-docker-tag-ubuntu_focal
# description: |
# Runs on every merge when files in a dictionalry below are changed, and
# adds git commit id tag onto the ubuntu container image published on quay.io,
# which has `latest` tag set. Does not wait in queue for a node (VM)
# assignment, runs almost immediately.
# timeout: 3600
# run: tools/gate/playbooks/docker-image-tag.yaml
# nodeset:
# nodes: []
# secrets:
# - airship_deckhand_quay_creds
# vars:
# distro: ubuntu_focal
- job:
name: deckhand-docker-tag-ubuntu_bionic
description: |
Runs on every merge when files in a dictionalry below are changed, and
adds git commit id tag onto the ubuntu container image published on quay.io,
which has `latest` tag set. Does not wait in queue for a node (VM)
assignment, runs almost immediately.
timeout: 1800
run: tools/gate/playbooks/docker-image-tag.yaml
nodeset:
nodes: []
secrets:
- airship_deckhand_quay_creds
vars:
distro: ubuntu_bionic
# - job:
# name: deckhand-docker-tag-ubuntu_bionic
# description: |
# Runs on every merge when files in a dictionalry below are changed, and
# adds git commit id tag onto the ubuntu container image published on quay.io,
# which has `latest` tag set. Does not wait in queue for a node (VM)
# assignment, runs almost immediately.
# timeout: 3600
# run: tools/gate/playbooks/docker-image-tag.yaml
# nodeset:
# nodes: []
# secrets:
# - airship_deckhand_quay_creds
# vars:
# distro: ubuntu_bionic
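Review bot: The two `deckhand-docker-tag-*` jobs are disabled by commenting out their whole definitions (and their entries in the `jobs:` list at the top of the file) instead of removing them, which leaves roughly thirty lines of dead configuration that will drift from the live jobs — the commented copy even carries a `timeout: 3600` change that can never take effect. Either delete the definitions and rely on git history, or replace each block with a single comment stating why tagging is disabled, e.g. `# docker-tag jobs disabled: <reason / tracking change>`. The `OSH_INFRA_COMMIT` bumps pin a full commit SHA, which is the right shape for a dependency pin.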


@ -29,7 +29,7 @@ images:
tags:
deckhand: quay.io/airshipit/deckhand:latestlatest-ubuntu_focal
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
db_init: docker.io/postgres:14.6
db_init: docker.io/postgres:14.8
db_sync: quay.io/airshipit/deckhand:latest-ubuntu_focal
image_repo_sync: docker.io/docker:23.0.3
ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal


@ -30,7 +30,7 @@ ENV PORT 9000
EXPOSE $PORT
RUN set -x && \
apt-get -qq update && \
apt-get update && apt-get upgrade -y && \
apt-get -y install \
automake \
ca-certificates \
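Review bot: `apt-get upgrade -y` in the image build makes the layer content depend on the build date, so two builds of the same Dockerfile can contain different package versions; if pulling current fixes is the intent, state the trade-off next to the line, e.g. `# apply current security updates to the base image; layer contents vary per build`, and publish the image under a commit or date tag so a given build stays identifiable. The tail of this RUN is outside the hunk — if it does not already end with `rm -rf /var/lib/apt/lists/*`, the refreshed lists and upgraded packages stay in the layer without cleanup. The second Dockerfile hunk below makes the identical change and the same applies there.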


@ -30,7 +30,7 @@ ENV PORT 9000
EXPOSE $PORT
RUN set -x && \
apt-get -qq update && \
apt-get update && apt-get upgrade -y && \
apt-get -y install \
automake \
ca-certificates \


@ -16,11 +16,19 @@
roles:
- clear-firewall
- bindep
- ensure-docker
- disable-systemd-resolved
- install-test-requirements
tasks:
- name: Install Packaging python module for airship
block:
- pip:
name: packaging
executable: pip3
become: True
- name: Clone Required Repositories
shell: |
export CLONE_DECKHAND={{ CLONE_DECKHAND }}
@ -37,6 +45,17 @@
- name: Deploy Kubernetes with Minikube
shell: |
set -ex
sudo fdisk --list
df -h
sudo mkdir -p /opt/ext_vol
BIG_VOLUME=$(sudo fdisk -l 2>&1 | grep -E 80G | grep Linux | awk '{print $1}')
if ! mount | grep "${BIG_VOLUME}"
then
sudo mkfs.ext4 "${BIG_VOLUME}"
sudo mount "${BIG_VOLUME}" /opt/ext_vol
df -h
fi
./tools/deployment/airskiff/developer/010-deploy-k8s.sh
args:
chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
@ -46,15 +65,33 @@
set -ex
export DISTRO={{ DECKHAND_IMAGE_DISTRO }}
make images
if test "${DISTRO}" = 'ubuntu_bionic'
then
# this trick is needed to use bionic image instead of focal in airskiff deployment test
docker tag quay.io/airshipit/deckhand:latest-ubuntu_bionic quay.io/airshipit/deckhand:latest-ubuntu_focal
fi
docker system prune --force
args:
chdir: "{{ zuul.project.src_dir }}"
become: yes
- name: Use locally built images in manifests
shell: |
set -ex
export DISTRO={{ DECKHAND_IMAGE_DISTRO }}
docker rm registry --force || true
docker run -d -p 5000:5000 --restart=always --name registry registry:2
if test "${DISTRO}" = 'ubuntu_bionic'
then
docker tag quay.io/airshipit/deckhand:latest-ubuntu_bionic localhost:5000/deckhand:latest-ubuntu_bionic
docker push localhost:5000/deckhand:latest-ubuntu_bionic
sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_bionic#g" ./site/airskiff/software/config/versions.yaml
sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_bionic#g" ./global/software/config/versions.yaml
else
docker tag quay.io/airshipit/deckhand:latest-ubuntu_focal localhost:5000/deckhand:latest-ubuntu_focal
docker push localhost:5000/deckhand:latest-ubuntu_focal
sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_focal#g" ./site/airskiff/software/config/versions.yaml
sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_focal#g" ./global/software/config/versions.yaml
fi
args:
chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
become: yes
- name: Build all charts locally
shell: |
set -ex
@ -63,6 +100,18 @@
chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
become: yes
- name: Start artifactory
shell: |
set -ex
# start http server with artifacts
docker rm artifacts --force || true
docker run --name artifacts -p 8282:80 -v $(pwd)/../artifacts:/usr/share/nginx/html -d nginx
sleep 10
curl --verbose -I http://control-plane.minikube.internal:8282/memcached.tgz
args:
chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
become: yes
- name: Deploy Airship components using Armada
shell: |
mkdir -p ~/.kube
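Review bot: The `BIG_VOLUME` block in the `Deploy Kubernetes with Minikube` task runs `sudo mkfs.ext4` on whatever `fdisk -l | grep -E 80G | grep Linux` returns, guarded only by the device not appearing in `mount`; an unmounted partition that already holds a filesystem is reformatted, a multi-line match reaches `mkfs.ext4` with a multi-word argument, and an empty match (no 80G disk, which the commit message says should be tolerated) is skipped only because `grep ""` happens to match every line of `mount` output. Guard on a single non-empty device and on the absence of an existing filesystem before formatting, e.g. `if [ -n "${BIG_VOLUME}" ] && ! findmnt --source "${BIG_VOLUME}" >/dev/null && ! sudo blkid "${BIG_VOLUME}" >/dev/null`. The identical block is repeated in the later playbook hunk above `pifpaf run postgresql -- ./tools/integration-tests.sh`; moving it into one shared script or role would keep the guard in a single place.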


@ -54,6 +54,13 @@
executable: pip3
become: True
- name: Install tox python module for ansible docker login
block:
- pip:
name: tox
version: 3.28.0
executable: pip3
become: True
- name: Make images
when: not publish
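Review bot: `become: True` in the new `Install tox python module for ansible docker login` task uses the capitalised YAML 1.1 boolean, while the airskiff playbook hunk in this commit mixes `become: yes` and `become: True`; yamllint's truthy rule flags both, so `become: true` throughout is the consistent form. The `version: 3.28.0` pin parses as a string only because it contains two dots — a later edit to a two-component pin such as `3.28` would silently become a float, so quoting it as `version: "3.28.0"` keeps the pin robust.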


@ -16,7 +16,7 @@
tasks:
- name: Git config
shell: |
set -xe;
set -xe
tee .git/config << EOF
[remote "origin"]
url = https://opendev.org/airship/treasuremap.git


@ -16,10 +16,12 @@
vars_files:
- vars.yaml
roles:
- clear-firewall
- bindep
- ensure-docker
- ensure-python
- ensure-pip
- disable-systemd-resolved
- install-test-requirements
- build-images
- deploy-keystone-dependencies


@ -12,13 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Set modprobe br_netfilter
shell: |
set -xe;
sudo modprobe br_netfilter
sudo sysctl net.bridge.bridge-nf-call-iptables=1
sudo sysctl net.bridge.bridge-nf-call-ip6tables=1
- name: Install pip3 and gabbi
shell: |
set -xe;


@ -62,6 +62,16 @@
else
sudo -E -H pip3 install -r requirements-frozen.txt
fi
sudo fdisk --list
df -h
sudo mkdir -p /opt/ext_vol
BIG_VOLUME=$(sudo fdisk -l 2>&1 | grep -E 80G | grep Linux | awk '{print $1}')
if ! mount | grep "${BIG_VOLUME}"
then
sudo mkfs.ext4 "${BIG_VOLUME}"
sudo mount "${BIG_VOLUME}" /opt/ext_vol
df -h
fi
pifpaf run postgresql -- ./tools/integration-tests.sh
args:
chdir: "{{ zuul.project.src_dir }}"


@ -23,7 +23,7 @@ POSTGRES_ID=$(
-e POSTGRES_DB=deckhand \
-e POSTGRES_USER=deckhand \
-e POSTGRES_PASSWORD=password \
postgres:14.6
postgres:14.8
)
POSTGRES_IP=$(


@ -17,7 +17,7 @@
set -x
HELM=$1
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz"}
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.12.2-linux-amd64.tar.gz"}
function install_helm_binary {


@ -17,7 +17,7 @@
set -eux
HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm-infra.git"}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"f4972121bcb41c8d74748917804d2b239ab757f9"}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"443ff3e3e340c94c5cbb214d1e2a8b2a3937541d"}
TMP_DIR=$(mktemp -d)


@ -13,8 +13,18 @@
set -xe
CURRENT_DIR="$(pwd)"
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_PATH:="../openstack-helm"}
: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
: "${OSH_PATH:="../openstack-helm"}"
: "${TM_PATH:="../treasuremap"}"
export MAKE_CHARTS_OPENSTACK_HELM="${MAKE_CHARTS_OPENSTACK_HELM:-true}"
export MAKE_CHARTS_OSH_INFRA="${MAKE_CHARTS_OSH_INFRA:-true}"
export MAKE_CHARTS_ARMADA="${MAKE_CHARTS_ARMADA:-false}"
export MAKE_CHARTS_DECKHAND="${MAKE_CHARTS_DECKHAND:-false}"
export MAKE_CHARTS_SHIPYARD="${MAKE_CHARTS_SHIPYARD:-false}"
export MAKE_CHARTS_MAAS="${MAKE_CHARTS_MAAS:-false}"
export MAKE_CHARTS_PORTHOLE="${MAKE_CHARTS_PORTHOLE:-false}"
export MAKE_CHARTS_PROMENADE="${MAKE_CHARTS_PROMENADE:-false}"
function deploy_barbican {
@ -46,34 +56,28 @@ function deploy_osh_keystone_barbican {
git clone https://git.openstack.org/openstack/openstack-helm.git ../openstack-helm
fi
cd ${OSH_INFRA_PATH}
# git reset --hard ${BARBICAN_STABLE_COMMIT}
if [ ! -d "$TM_PATH" ]; then
git clone https://git.openstack.org/airship/treasuremap.git ../treasuremap
pushd ../treasuremap
git checkout v1.9
popd
fi
cd "${TM_PATH}"
# Deploy required packages
./tools/deployment/common/000-install-packages.sh
./tools/deployment/common/001-setup-apparmor-profiles.sh
#
cd ${OSH_PATH}
# git reset --hard ${BARBICAN_STABLE_COMMIT}
# Deploy required packages
./tools/deployment/common/install-packages.sh
./tools/deployment/airskiff/developer/009-setup-apparmor.sh
#
# Deploy Kubernetes
sudo modprobe br_netfilter
./tools/deployment/common/deploy-k8s.sh
./tools/deployment/airskiff/developer/010-deploy-k8s.sh
#
# Make charts
./tools/deployment/airskiff/developer/015-make-all-charts.sh
#
# Deploy docker-based openstack client
./tools/deployment/airskiff/developer/020-setup-client.sh
cd ${CURRENT_DIR}
# remove systemd-resolved local stub dns from resolv.conf
sudo sed -i.bkp '/^nameserver.*127.0.0.1/d
w /dev/stdout' /etc/resolv.conf
# add external nameservers
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf
cat /etc/resolv.conf
cd ${OSH_PATH}
# Setup clients on the host and assemble the charts
./tools/deployment/common/setup-client.sh
cd "${OSH_PATH}"
# Deploy the ingress controller
./tools/deployment/component/common/ingress.sh
# Deploy NFS Provisioner
@ -102,7 +106,7 @@ function deploy_deckhand {
interfaces=("admin" "public" "internal")
deckhand_endpoint="http://127.0.0.1:9000"
if [ -z "$( openstack service list --format value 2>/dev/null | grep deckhand )" ]; then
if [ -z "$( openstack_client openstack service list --format value 2>/dev/null | grep deckhand )" ]; then
openstack service create --enable --name deckhand deckhand 2>/dev/null
fi
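Review bot: The new clone branch in `deploy_osh_keystone_barbican` tests `[ ! -d "$TM_PATH" ]` but then clones into the hard-coded `../treasuremap` and runs `pushd ../treasuremap`, so overriding `TM_PATH` (which the new `: "${TM_PATH:="../treasuremap"}"` default invites) leaves the following `cd "${TM_PATH}"` pointing at a directory that was never created; use the variable in all three places, `git clone https://git.openstack.org/airship/treasuremap.git "${TM_PATH}"` and `pushd "${TM_PATH}"`. `git checkout v1.9` pins a tag, which can be moved, whereas this same commit pins `HTK_STABLE_COMMIT` to a full SHA; pinning treasuremap to a commit as well would give the deploy scripts the same supply-chain guarantee. The `resolv.conf` rewrite hard-codes `8.8.8.8`/`8.8.4.4` as the host's resolvers; a comment naming why the systemd-resolved stub must be removed and a variable for the upstream resolvers would make that intent reviewable. `deploy_osh_keystone_barbican` begins before and continues after the hunk.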