From 45f718bc589627b59044d16e31b2d9e1f3fb8fd6 Mon Sep 17 00:00:00 2001 From: "Anselme, Schubert (sa246v)" Date: Mon, 3 Apr 2023 09:54:18 -0400 Subject: [PATCH] MAAS region & rack controller upgrade v3.2 and enabling native-tls 
Signed-off-by: Anselme, Schubert (sa246v) Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952 --- charts/deps/helm-toolkit/Chart.yaml | 26 + charts/deps/helm-toolkit/requirements.yaml | 15 + .../_authenticated_endpoint_uri_lookup.tpl | 58 ++ ...nticated_transport_endpoint_uri_lookup.tpl | 121 +++ .../endpoints/_endpoint_host_lookup.tpl | 90 +++ .../endpoints/_endpoint_port_lookup.tpl | 41 + .../endpoints/_endpoint_token_lookup.tpl | 36 + .../_host_and_port_endpoint_uri_lookup.tpl | 59 ++ .../_hostname_fqdn_endpoint_lookup.tpl | 76 ++ .../_hostname_namespaced_endpoint_lookup.tpl | 40 + ...e_namespaced_endpoint_namespace_lookup.tpl | 38 + .../_hostname_short_endpoint_lookup.tpl | 61 ++ .../_keystone_endpoint_name_lookup.tpl | 34 + .../_keystone_endpoint_path_lookup.tpl | 48 ++ .../_keystone_endpoint_scheme_lookup.tpl | 55 ++ .../_keystone_endpoint_uri_lookup.tpl | 52 ++ ...ce_name_endpoint_with_namespace_lookup.tpl | 61 ++ .../manifests/_ceph-storageclass.tpl | 111 +++ .../templates/manifests/_certificates.tpl | 108 +++ .../templates/manifests/_ingress.tpl | 727 ++++++++++++++++++ .../templates/manifests/_job-bootstrap.tpl | 141 ++++ .../manifests/_job-db-drop-mysql.tpl | 170 ++++ .../manifests/_job-db-init-mysql.tpl | 169 ++++ .../templates/manifests/_job-db-sync.tpl | 137 ++++ .../templates/manifests/_job-ks-endpoints.tpl | 130 ++++ .../templates/manifests/_job-ks-service.tpl | 124 +++ .../templates/manifests/_job-ks-user.yaml.tpl | 154 ++++ .../manifests/_job-rabbit-init.yaml.tpl | 129 ++++ .../manifests/_job-s3-bucket.yaml.tpl | 147 ++++ .../templates/manifests/_job-s3-user.yaml.tpl | 159 ++++ .../manifests/_job_image_repo_sync.tpl | 119 +++ .../templates/manifests/_network_policy.tpl | 238 ++++++ .../manifests/_secret-registry.yaml.tpl | 93 +++ .../templates/manifests/_secret-tls.yaml.tpl | 108 +++ .../templates/manifests/_service-ingress.tpl | 43 ++ .../scripts/_create-s3-bucket.sh.tpl | 35 + .../templates/scripts/_create-s3-user.sh.tpl | 65 ++ 
.../templates/scripts/_db-drop.py.tpl | 142 ++++ .../templates/scripts/_db-init.py.tpl | 156 ++++ .../templates/scripts/_db-pg-init.sh.tpl | 69 ++ .../templates/scripts/_image-repo-sync.sh.tpl | 24 + .../templates/scripts/_ks-domain-user.sh.tpl | 72 ++ .../templates/scripts/_ks-endpoints.sh.tpl | 79 ++ .../templates/scripts/_ks-service.sh.tpl | 76 ++ .../templates/scripts/_ks-user.sh.tpl | 108 +++ .../templates/scripts/_rabbit-init.sh.tpl | 111 +++ .../templates/scripts/_rally_test.sh.tpl | 88 +++ .../db-backup-restore/_backup_main.sh.tpl | 567 ++++++++++++++ .../db-backup-restore/_restore_main.sh.tpl | 616 +++++++++++++++ .../templates/snippets/_image.tpl | 60 ++ .../snippets/_keystone_openrc_env_vars.tpl | 142 ++++ .../snippets/_keystone_secret_openrc.tpl | 32 + .../_keystone_user_create_env_vars.tpl | 90 +++ .../_kubernetes_apparmor_configmap.tpl | 68 ++ ...ernetes_apparmor_loader_init_container.tpl | 75 ++ .../snippets/_kubernetes_apparmor_volumes.tpl | 68 ++ ..._kubernetes_container_security_context.tpl | 48 ++ .../_kubernetes_entrypoint_init_container.tpl | 209 +++++ .../snippets/_kubernetes_kubectl_params.tpl | 20 + ...es_mandatory_access_control_annotation.tpl | 60 ++ .../snippets/_kubernetes_metadata_labels.tpl | 51 ++ .../_kubernetes_pod_anti_affinity.tpl | 89 +++ .../_kubernetes_pod_image_pull_secret.tpl | 45 ++ .../snippets/_kubernetes_pod_rbac_roles.tpl | 69 ++ .../_kubernetes_pod_rbac_serviceaccount.tpl | 75 ++ .../_kubernetes_pod_security_context.tpl | 67 ++ .../templates/snippets/_kubernetes_probes.tpl | 55 ++ .../snippets/_kubernetes_resources.tpl | 53 ++ .../_kubernetes_seccomp_annotation.tpl | 47 ++ .../snippets/_kubernetes_tolerations.tpl | 45 ++ .../_kubernetes_upgrades_daemonset.tpl | 33 + .../_kubernetes_upgrades_deployment.tpl | 27 + .../_kubernetes_upgrades_statefulset.tpl | 51 ++ .../snippets/_mon_host_from_k8s_ep.sh.tpl | 68 ++ .../snippets/_prometheus_pod_annotations.tpl | 33 + .../_prometheus_service_annotations.tpl | 35 + 
.../templates/snippets/_release_uuid.tpl | 29 + .../snippets/_rgw_s3_admin_env_vars.tpl | 32 + .../snippets/_rgw_s3_secret_creds.tpl | 29 + .../snippets/_rgw_s3_user_env_vars.tpl | 34 + .../templates/snippets/_tls_volume.tpl | 47 ++ .../templates/snippets/_tls_volume_mount.tpl | 82 ++ .../snippets/_values_template_renderer.tpl | 87 +++ .../templates/tls/_tls_generate_certs.tpl | 94 +++ .../utils/_comma_joined_service_list.tpl | 46 ++ .../templates/utils/_configmap_templater.tpl | 30 + .../templates/utils/_daemonset_overrides.tpl | 269 +++++++ .../templates/utils/_dependency_resolver.tpl | 40 + .../helm-toolkit/templates/utils/_hash.tpl | 21 + .../templates/utils/_host_list.tpl | 44 ++ .../templates/utils/_image_sync_list.tpl | 25 + .../templates/utils/_joinListWithComma.tpl | 31 + .../_joinListWithCommaAndSingleQuotes.tpl | 32 + .../templates/utils/_joinListWithPrefix.tpl | 32 + .../templates/utils/_joinListWithSpace.tpl | 31 + .../helm-toolkit/templates/utils/_merge.tpl | 135 ++++ .../templates/utils/_template.tpl | 21 + .../helm-toolkit/templates/utils/_to_ini.tpl | 51 ++ .../utils/_to_k8s_env_secret_vars.tpl | 46 ++ .../templates/utils/_to_k8s_env_vars.tpl | 39 + .../templates/utils/_to_kv_list.tpl | 42 + .../templates/utils/_to_oslo_conf.tpl | 75 ++ charts/deps/helm-toolkit/values.yaml | 16 + charts/maas/Chart.yaml | 1 + charts/maas/requirements.lock | 6 + charts/maas/templates/bin/_enable-tls.sh.tpl | 19 + .../bin/_import-boot-resources.sh.tpl | 246 +++--- charts/maas/templates/bin/_maas-test.sh.tpl | 90 ++- .../templates/certificate-maas-ingress.yaml | 32 + charts/maas/templates/certificate-maas.yaml | 35 + charts/maas/templates/configmap-bin.yaml | 4 + .../templates/deployment-ingress-errors.yaml | 2 +- charts/maas/templates/ingress-region.yaml | 9 + charts/maas/templates/job-enable-tls.yaml | 79 ++ charts/maas/templates/job-import.yaml | 14 + charts/maas/templates/secret-maas-tls.yaml | 29 + .../templates/service-ingress-headless.yaml | 4 + 
charts/maas/templates/statefulset-rack.yaml | 14 + charts/maas/templates/statefulset-region.yaml | 14 + .../maas/templates/tests/test-maas-init.yaml | 20 +- charts/maas/values.yaml | 27 +- ...llow_query.patch => 3.2_allow_query.patch} | 2 +- ..._ipmi_error.patch => 3.2_ipmi_error.patch} | 6 +- ..._nic_filter.patch => 3.2_nic_filter.patch} | 4 +- ...etries.patch => 3.2_redfish_retries.patch} | 6 +- ...headers.patch => 3.2_secure_headers.patch} | 6 +- images/maas-rack-controller-focal/Dockerfile | 24 +- .../3.3_allow_query.patch} | 2 +- .../3.3_ipmi_error.patch | 27 + .../3.3_nic_filter.patch | 13 + .../3.3_redfish_retries.patch | 12 + .../3.3_secure_headers.patch | 12 + images/maas-rack-controller-jammy/Dockerfile | 88 +++ images/maas-rack-controller-jammy/README.md | 1 + .../scripts/journalctl-to-tty.service | 13 + .../scripts/register-rack-controller.service | 12 + .../3.0_bios_grub_partition.patch | 13 - .../3.2_allow_query.patch | 15 + .../3.2_bios_grub_partition.patch | 12 + ...er.patch => 3.2_configure_ipmi_user.patch} | 16 +- .../3.2_kernel_package.patch | 31 + ...> 3.2_partitiontable_does_not_exist.patch} | 2 +- ....0_proxy_acl.patch => 3.2_proxy_acl.patch} | 0 ..._regex_tags.patch => 3.2_regex_tags.patch} | 16 +- ...e.patch => 3.2_region_secret_rotate.patch} | 5 +- .../{3.0_route.patch => 3.2_route.patch} | 14 +- ...headers.patch => 3.2_secure_headers.patch} | 6 +- .../maas-region-controller-focal/Dockerfile | 44 +- .../3.3_allow_query.patch | 15 + .../3.3_bios_grub_partition.patch | 12 + .../3.3_configure_ipmi_user.patch | 52 ++ .../3.3_kernel_package.patch} | 11 +- .../3.3_partitiontable_does_not_exist.patch | 13 + .../3.3_proxy_acl.patch | 10 + .../3.3_regex_tags.patch | 24 + .../3.3_route.patch | 17 + .../3.3_secure_headers.patch | 12 + .../maas-region-controller-jammy/Dockerfile | 94 +++ images/maas-region-controller-jammy/README.md | 1 + .../journalctl-to-tty.service | 13 + 160 files changed, 10348 insertions(+), 274 deletions(-) create mode 100644 
charts/deps/helm-toolkit/Chart.yaml create mode 100644 charts/deps/helm-toolkit/requirements.yaml create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_ceph-storageclass.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_certificates.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_ingress.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-bootstrap.tpl create mode 100644 
charts/deps/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-db-sync.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-ks-service.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_network_policy.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl create mode 100644 charts/deps/helm-toolkit/templates/manifests/_service-ingress.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_db-drop.py.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_db-init.py.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl create mode 100755 charts/deps/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_ks-service.sh.tpl create mode 100644 
charts/deps/helm-toolkit/templates/scripts/_ks-user.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/scripts/_rally_test.sh.tpl create mode 100755 charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl create mode 100755 charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_image.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl create 
mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_probes.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_resources.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_release_uuid.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_tls_volume.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_tls_volume_mount.tpl create mode 100644 charts/deps/helm-toolkit/templates/snippets/_values_template_renderer.tpl create mode 100644 charts/deps/helm-toolkit/templates/tls/_tls_generate_certs.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_comma_joined_service_list.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_configmap_templater.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_daemonset_overrides.tpl create mode 
100644 charts/deps/helm-toolkit/templates/utils/_dependency_resolver.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_hash.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_host_list.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_image_sync_list.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_joinListWithComma.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_joinListWithPrefix.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_joinListWithSpace.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_merge.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_template.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_to_ini.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_to_kv_list.tpl create mode 100644 charts/deps/helm-toolkit/templates/utils/_to_oslo_conf.tpl create mode 100644 charts/deps/helm-toolkit/values.yaml create mode 100644 charts/maas/requirements.lock create mode 100644 charts/maas/templates/bin/_enable-tls.sh.tpl create mode 100644 charts/maas/templates/certificate-maas-ingress.yaml create mode 100644 charts/maas/templates/certificate-maas.yaml create mode 100644 charts/maas/templates/job-enable-tls.yaml create mode 100644 charts/maas/templates/secret-maas-tls.yaml rename images/maas-rack-controller-focal/{3.0_allow_query.patch => 3.2_allow_query.patch} (94%) rename images/maas-rack-controller-focal/{3.0_ipmi_error.patch => 3.2_ipmi_error.patch} (90%) rename images/maas-rack-controller-focal/{3.0_nic_filter.patch => 3.2_nic_filter.patch} (84%) rename images/maas-rack-controller-focal/{3.0_redfish_retries.patch => 3.2_redfish_retries.patch} 
(82%) rename images/maas-rack-controller-focal/{3.0_secure_headers.patch => 3.2_secure_headers.patch} (91%) rename images/{maas-region-controller-focal/3.0_allow_query.patch => maas-rack-controller-jammy/3.3_allow_query.patch} (94%) create mode 100644 images/maas-rack-controller-jammy/3.3_ipmi_error.patch create mode 100644 images/maas-rack-controller-jammy/3.3_nic_filter.patch create mode 100644 images/maas-rack-controller-jammy/3.3_redfish_retries.patch create mode 100644 images/maas-rack-controller-jammy/3.3_secure_headers.patch create mode 100644 images/maas-rack-controller-jammy/Dockerfile create mode 100644 images/maas-rack-controller-jammy/README.md create mode 100644 images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service create mode 100644 images/maas-rack-controller-jammy/scripts/register-rack-controller.service delete mode 100644 images/maas-region-controller-focal/3.0_bios_grub_partition.patch create mode 100644 images/maas-region-controller-focal/3.2_allow_query.patch create mode 100644 images/maas-region-controller-focal/3.2_bios_grub_partition.patch rename images/maas-region-controller-focal/{3.0_configure_ipmi_user.patch => 3.2_configure_ipmi_user.patch} (86%) create mode 100644 images/maas-region-controller-focal/3.2_kernel_package.patch rename images/maas-region-controller-focal/{3.0_partitiontable_does_not_exist.patch => 3.2_partitiontable_does_not_exist.patch} (94%) rename images/maas-region-controller-focal/{3.0_proxy_acl.patch => 3.2_proxy_acl.patch} (100%) rename images/maas-region-controller-focal/{3.0_regex_tags.patch => 3.2_regex_tags.patch} (81%) rename images/maas-region-controller-focal/{3.0_region_secret_rotate.patch => 3.2_region_secret_rotate.patch} (95%) rename images/maas-region-controller-focal/{3.0_route.patch => 3.2_route.patch} (66%) rename images/maas-region-controller-focal/{3.0_secure_headers.patch => 3.2_secure_headers.patch} (91%) create mode 100644 images/maas-region-controller-jammy/3.3_allow_query.patch 
create mode 100644 images/maas-region-controller-jammy/3.3_bios_grub_partition.patch
create mode 100644 images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch
rename images/{maas-region-controller-focal/3.0_kernel_package.patch => maas-region-controller-jammy/3.3_kernel_package.patch} (77%)
create mode 100644 images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch
create mode 100644 images/maas-region-controller-jammy/3.3_proxy_acl.patch
create mode 100644 images/maas-region-controller-jammy/3.3_regex_tags.patch
create mode 100644 images/maas-region-controller-jammy/3.3_route.patch
create mode 100644 images/maas-region-controller-jammy/3.3_secure_headers.patch
create mode 100644 images/maas-region-controller-jammy/Dockerfile
create mode 100644 images/maas-region-controller-jammy/README.md
create mode 100644 images/maas-region-controller-jammy/journalctl-to-tty.service
diff --git a/charts/deps/helm-toolkit/Chart.yaml b/charts/deps/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..2df9c76
--- /dev/null
+++ b/charts/deps/helm-toolkit/Chart.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+name: helm-toolkit
+version: 0.2.54
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+sources:
+ - https://opendev.org/openstack/openstack-helm-infra
+ - https://opendev.org/openstack/openstack-helm
+maintainers:
+ - name: OpenStack-Helm Authors
+...
diff --git a/charts/deps/helm-toolkit/requirements.yaml b/charts/deps/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/deps/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
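Review bot: The `printf "%s://%s:%s@%s:%s%s"` line splices `$endpointUser` and `$endpointPass` into the URI verbatim, so a password containing `@`, `:`, `/`, `#` or `%` yields a connection string that consumers split at the wrong boundary or reject outright, which in practice pushes operators toward weak, symbol-free database passwords. The credential lookups can escape at the source — `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}` — using the text/template built-in Helm exposes; its one divergence from userinfo encoding is a space becoming `+`, which deserves a comment if spaces in passwords must be supported. The rendered value embeds the plaintext secret, so the abstract block should also state that callers must include this helper only from Secret-backed templates, never from a ConfigMap, since the helper cannot enforce that itself.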
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
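Review bot: Both `printf` lines that build `$endpointCredAndHost` embed `$endpointUser` and `$endpointPass` unescaped, and here the consequence is worse than in the single-host helper because the entries are later joined with commas, so a password containing `,` or `@` shifts the host list as well as the userinfo; escaping once at the `$endpointUser`/`$endpointPass` lookups with `| urlquery` covers both branches. Separately, `until ( atoi (print $ssMap.replicas ) )` turns a missing or non-numeric `replicas` into zero iterations, and the template then emits a transport URL with no hosts (`rabbit:///cinder`) rather than failing; a `{{- $_ := required "statefulset.replicas must be set" $ssMap.replicas }}` before the `range` would surface the misconfiguration at render time instead of at first connection. The `if not (or … (not $ssMap))` condition is hard to read as written; a comment such as `{{/* expand one entry per StatefulSet pod only when no host_fqdn_override is set */}}` above it would spell out the intent.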
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/deps/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint ":" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/deps/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon..svc.:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon..svc.:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_certificates.tpl b/charts/deps/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_ingress.tpl b/charts/deps/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a services ingress rules. +examples: + - values: | + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: barbican + host_fqdn_override: + default: null + public: + host: barbican.openstackhelm.example + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 + public: 80 + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . 
"backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + rules: + - host: barbican + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican-namespace-fqdn + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + tls: + - secretName: barbican-tls-public + hosts: + - barbican.openstackhelm.example + rules: + - host: barbican.openstackhelm.example + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican-cluster-fqdn + annotations: + kubernetes.io/ingress.class: "nginx-cluster" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + tls: + - secretName: barbican-tls-public + hosts: + - barbican.openstackhelm.example + rules: + - host: barbican.openstackhelm.example + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - values: | + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + 
endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: + host: barbican + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + host_fqdn_override: + default: null + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 + public: 80 + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + tls: + - secretName: barbican-tls-public + hosts: + - barbican + - barbican.default + - barbican.default.svc.cluster.local + rules: + - host: barbican + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - values: | + cert_issuer_type: issuer + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "https" + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + internal: barbican-tls-api + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: + host: barbican + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + host_fqdn_override: + default: null + path: + default: / + scheme: + default: http + 
public: https + port: + api: + default: 9311 + public: 80 + certs: + barbican_tls_api: + secretName: barbican-tls-api + issuerRef: + name: ca-issuer + kind: Issuer + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + kubernetes.io/ingress.class: "nginx" + cert-manager.io/issuer: ca-issuer + certmanager.k8s.io/issuer: ca-issuer + nginx.ingress.kubernetes.io/backend-protocol: https + nginx.ingress.kubernetes.io/secure-backends: "true" + spec: + tls: + - secretName: barbican-tls-public-certmanager + hosts: + - barbican + - barbican.default + - barbican.default.svc.cluster.local + rules: + - host: barbican + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + + - values: | + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "https" + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + internal: barbican-tls-api + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: + host: barbican + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + host_fqdn_override: + default: null + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 
+ public: 80 + certs: + barbican_tls_api: + secretName: barbican-tls-api + issuerRef: + name: ca-issuer + kind: ClusterIssuer + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + kubernetes.io/ingress.class: "nginx" + cert-manager.io/cluster-issuer: ca-issuer + certmanager.k8s.io/cluster-issuer: ca-issuer + nginx.ingress.kubernetes.io/backend-protocol: https + nginx.ingress.kubernetes.io/secure-backends: "true" + spec: + tls: + - secretName: barbican-tls-public-certmanager + hosts: + - barbican + - barbican.default + - barbican.default.svc.cluster.local + rules: + - host: barbican + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: barbican-api + port: + name: b-api + # Sample usage for multiple DNS names associated with the same public + # endpoint and certificate + - values: | + endpoints: + cluster_domain_suffix: cluster.local + grafana: + name: grafana + hosts: + default: grafana-dashboard + public: grafana + host_fqdn_override: + public: + host: grafana.openstackhelm.example + tls: + dnsNames: + - grafana-alt.openstackhelm.example + crt: "BASE64 ENCODED CERT" + key: "BASE64 ENCODED KEY" + network: + grafana: + ingress: + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + secrets: + tls: + grafana: + grafana: + public: grafana-tls-public + usage: | + {{- $ingressOpts := dict "envAll" . 
"backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: grafana + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + rules: + - host: grafana + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana.default + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana.default.svc.cluster.local + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: grafana-namespace-fqdn + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + tls: + - secretName: grafana-tls-public + hosts: + - grafana.openstackhelm.example + - grafana-alt.openstackhelm.example + rules: + - host: grafana.openstackhelm.example + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana-alt.openstackhelm.example + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: grafana-cluster-fqdn + annotations: + kubernetes.io/ingress.class: "nginx-cluster" + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + tls: + - secretName: grafana-tls-public + hosts: + - grafana.openstackhelm.example + - grafana-alt.openstackhelm.example + rules: + - host: grafana.openstackhelm.example + http: + paths: + - path: / + 
pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana-alt.openstackhelm.example + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: grafana-dashboard + port: + name: dashboard + +*/}} + +{{- define "helm-toolkit.manifests.ingress._host_rules" -}} +{{- $vHost := index . "vHost" -}} +{{- $backendName := index . "backendName" -}} +{{- $backendPort := index . "backendPort" -}} +- host: {{ $vHost }} + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: {{ $backendName }} + port: +{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }} + number: {{ $backendPort | int }} +{{- else }} + name: {{ $backendPort | quote }} +{{- end }} +{{- end }} + +{{- define "helm-toolkit.manifests.ingress" -}} +{{- $envAll := index . "envAll" -}} +{{- $backendService := index . "backendService" | default "api" -}} +{{- $backendServiceType := index . "backendServiceType" -}} +{{- $backendPort := index . "backendPort" -}} +{{- $endpoint := index . "endpoint" | default "public" -}} +{{- $certIssuer := index . 
"certIssuer" | default "" -}} +{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{- $certIssuerType := "cluster-issuer" -}} +{{- if $envAll.Values.cert_issuer_type }} +{{- $certIssuerType = $envAll.Values.cert_issuer_type }} +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $ingressName }} + annotations: + kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }} +{{- if $certIssuer }} + cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }} + certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }} +{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}} +{{- if (hasKey $slice "duration") }} + cert-manager.io/duration: {{ index $slice "duration" }} +{{- end }} +{{- end }} +{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }} +spec: +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }} +{{- if $certIssuer }} +{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }} + tls: + - secretName: {{ printf "%s-ing" $secretName }} + hosts: +{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace 
$envAll.Values.endpoints.cluster_domain_suffix) }} + - {{ $vHost }} +{{- end }} +{{- else }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }} +{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }} + tls: + - secretName: {{ $secretName }} + hosts: +{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }} + - {{ $vHost }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + rules: +{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }} +{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }} +{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }} +{{- end }} +{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }} +{{- $ingressConf := $envAll.Values.network -}} +{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }} +{{- range $key2, $ingressController := $ingressClasses }} +{{- $vHosts := list $hostNameFull }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }} + annotations: + kubernetes.io/ingress.class: {{ index 
$envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }} +{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }} +spec: +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }} +{{- $vHosts = append $vHosts $v }} +{{- end }} +{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }} + tls: + - secretName: {{ $secretName }} + hosts: +{{- range $vHost := $vHosts }} + - {{ $vHost }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + rules: +{{- range $vHost := $vHosts }} +{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }} +{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-bootstrap.tpl new file mode 100644 index 0000000..5d98c8b --- /dev/null +++ b/charts/deps/helm-toolkit/templates/manifests/_job-bootstrap.tpl 
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl 
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index .
"dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName |
include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled"
$envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index .
"dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple
$envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{-
dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index .
"secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ 
imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index .
"activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include
"helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index .
"activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include
"helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . 
"secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_user" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }} +{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} +{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: {{ $restartPolicy }} + {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + 
nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ 
defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
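Review bot: This job applies `kubernetes_pod_security_context` and `kubernetes_container_security_context` to its pod and container, but the sibling ks-service job vendored in the preceding hunk of this same commit has neither, so the `readOnlyRootFilesystem`/`allowPrivilegeEscalation` settings shown in this file's header comment cannot be applied to it. Both jobs hold the Keystone admin credentials from `secrets.identity.admin`, so they deserve the same least-privilege treatment; adding `{{ dict "envAll" $envAll "application" "ks_service" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` and the matching container snippet to `_job-ks-service.tpl` would make the two consistent. Since `charts/deps/helm-toolkit` is a vendored copy, I would also record in a short comment (or the chart's README) which upstream helm-toolkit version these templates were taken from, so later security fixes can be traced and backported.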
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . 
"tlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} +{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }} + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: rabbit-init + image: {{ $envAll.Values.images.tags.rabbit_init | quote }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - 
/tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
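Review bot: The TLS volume and its mount are gated only on `$envAll.Values.manifests.certificates`, while the `RABBITMQ_X509`/`USER_CERT_PATH` env vars additionally require `ne $tlsSecret ""`; with certificates enabled but no `tlsSecret` passed by the caller, `tls_volume_mount` and `tls_volume` are invoked with an empty secret name and the script is told nothing about X509 even though a certificate path was mounted. Gating all three blocks on the same condition, `{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}`, makes the TLS requirement fail at template time instead of at job runtime. Whether the two snippets tolerate an empty `name` is not visible in this hunk; if they do, a short comment explaining the asymmetric conditions would help the next reader.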
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . 
"tlsCertificatePath" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }} +{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }} + labels: +{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: s3-bucket + image: {{ $envAll.Values.images.tags.s3_bucket }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/create-s3-bucket.sh + env: +{{- with $env := dict "s3AdminSecret" 
$envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/deps/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
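Review bot: `defaultMode: 292` on the TLS certificate volume is the decimal spelling of `0444`, while every other volume in this file (and in the sibling job templates) uses octal `0555`/`0444`; writing `defaultMode: 0444` keeps the intended file permissions on a mounted secret readable at review time. `$s3UserSecret` and `$s3Bucket` are assigned at the top of the template but never referenced in the manifest, so the RGW user secret and bucket name are not actually passed to the container here; either remove them or add a comment stating that `rgw_s3_user_env_vars` is expected to derive them from `$envAll`. The same unused `$s3UserSecret` appears in `_job-s3-user.yaml.tpl` in the next hunk. The Ceph keyring secret `pvc-ceph-client-key` is hard-coded in both templates although `configMapCeph` is a parameter; `{{- $secretCephKeyring := index . "secretCephKeyring" | default "pvc-ceph-client-key" -}}` used in the `secretName:` line would keep the two inputs consistent.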
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }} +{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }} + labels: +{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: ceph-keyring-placement + image: {{ $envAll.Values.images.tags.ceph_key_placement }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} + command: + - /tmp/ceph-admin-keyring.sh + volumeMounts: + - 
name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ 
defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/deps/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
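Review bot: The `ceph-keyring-sh` volume always sources `ceph-admin-keyring.sh` from `$configMapBin`, even when the caller supplied `$secretBin`, whereas `create-s3-user-sh` a few lines above honors `$secretBin`; a chart that ships its scripts only in a Secret therefore references a ConfigMap that may not exist and the `ceph-keyring-placement` init container cannot start. Mirroring the `if $secretBin` branch for this volume keeps both scripts coming from the same source. That init container places the Ceph keyring into the `pod-tmp` emptyDir shared with the main container, so where the script itself comes from is part of the job's trust boundary and deserves the same handling as the main script.
```yaml
      - name: ceph-keyring-sh
{{- if $secretBin }}
        secret:
          secretName: {{ $secretBin | quote }}
          defaultMode: 0555
{{- else }}
        configMap:
          name: {{ $configMapBin | quote }}
          defaultMode: 0555
{{- end }}
```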
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }} +{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }} + labels: +{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: image-repo-sync +{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: LOCAL_REPO + value: "{{ 
tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" + - name: IMAGE_SYNC_LIST + value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}" + command: + - /bin/bash + - -c + - /tmp/image-repo-sync.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: bootstrap-sh + mountPath: /tmp/image-repo-sync.sh + subPath: image-repo-sync.sh + readOnly: true + - name: docker-socket + mountPath: /var/run/docker.sock +{{- if $podVolMounts }} +{{ $podVolMounts | toYaml | indent 12 }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: bootstrap-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: docker-socket + hostPath: + path: /var/run/docker.sock +{{- if $podVols }} +{{ $podVols | toYaml | indent 8 }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/deps/helm-toolkit/templates/manifests/_network_policy.tpl new file mode 100644 index 0000000..405197a --- /dev/null +++ b/charts/deps/helm-toolkit/templates/manifests/_network_policy.tpl 
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . 
"key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}} +return: | + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myLabel + component: api + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myApp + component: myComp + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 +*/}} + +{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} +{{- $envAll := index . "envAll" -}} +{{- $name := index . "name" -}} +{{- $labels := index . "labels" | default nil -}} +{{- $label := index . "key" | default (index . 
"label") -}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $label | replace "_" "-" }}-netpol + namespace: {{ $envAll.Release.Namespace }} +spec: +{{- if hasKey (index $envAll.Values "network_policy") $label }} + policyTypes: +{{- $is_egress := false -}} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_egress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }} + - Egress +{{ end -}} +{{- $is_ingress := false -}} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_ingress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} + - Ingress +{{ end -}} +{{- end }} + podSelector: + matchLabels: +{{- if empty $labels }} + {{ $name }}: {{ $label }} +{{- else }} +{{ range $k, $v := $labels }} + {{ $k }}: {{ $v }} +{{- end }} +{{- end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }} +{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }} +{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }} +{{ end }} +{{ end }} +{{ end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} + egress: +{{- range $key, $value := $envAll.Values.endpoints }} +{{- if kindIs "map" $value }} +{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }} + - to: +{{- if index $value "namespace" }} + - namespaceSelector: + matchLabels: + name: {{ index $value "namespace" }} +{{- else if index $value "hosts" }} +{{- $defaultValue := index $value "hosts" "internal" }} +{{- if hasKey (index $value "hosts") "internal" }} +{{- 
$a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- else }} +{{- $defaultValue := index $value "hosts" "default" }} +{{- $a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- end }} +{{- end }} +{{- if index $value "port" }} + ports: +{{- range $k, $v := index $value "port" }} +{{- if $k }} +{{- range $pk, $pv := $v }} +{{- if and $pv (ne $pk "protocol") }} + - port: {{ $pv }} + protocol: {{ $v.protocol | default "TCP" }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- if index $envAll.Values.network_policy $label "egress" }} +{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if index $envAll.Values.network_policy $label "ingress" }} + ingress: +{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/deps/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl new file mode 100644 index 0000000..4854bb1 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl 
@@ -0,0 +1,93 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a authenticating a registry with a secret +examples: + - values: | + secrets: + oci_image_registry: + {{ $serviceName }}: {{ $keyName }} + endpoints: + oci_image_registry: + name: oci-image-registry + auth: + enabled: true + {{ $serviceName }}: + name: {{ $userName }} + password: {{ $password }} + usage: | + {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: {{ $secretName }} + type: kubernetes.io/dockerconfigjson + data: + dockerconfigjson: {{ $dockerAuth }} + + - values: | + secrets: + oci_image_registry: + {{ $serviceName }}: {{ $keyName }} + endpoints: + oci_image_registry: + name: oci-image-registry + auth: + enabled: true + {{ $serviceName }}: + name: {{ $userName }} + password: {{ $password }} + usage: | + {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: {{ $secretName }} + type: kubernetes.io/dockerconfigjson + data: + dockerconfigjson: {{ $dockerAuth }} +*/}} + +{{- define "helm-toolkit.manifests.secret_registry" }} +{{- $envAll := index . "envAll" }} +{{- $registryUser := index . 
"registryUser" }} +{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }} +{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{/* +We only use "host:port" when port is non-null, else just use "host" +*/}} +{{- $registryPort := "" }} +{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }} +{{- if $port }} +{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $registryPort = printf ":%s" $port }} +{{- end }} +{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }} +{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }} +{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ $dockerAuth }} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/deps/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl new file mode 100644 index 0000000..24a7045 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl 
@@ -0,0 +1,108 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a services public tls secret +examples: + - values: | + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + key_manager: + host_fqdn_override: + public: + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + usage: | + {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: barbican-tls-public + type: kubernetes.io/tls + data: + tls.key: Rk9PLUtFWQo= + tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo= + + - values: | + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + key_manager: + host_fqdn_override: + public: + tls: + crt: | + FOO-CRT + FOO-INTERMEDIATE_CRT + FOO-CA_CRT + key: | + FOO-KEY + usage: | + {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: barbican-tls-public + type: kubernetes.io/tls + data: + tls.key: Rk9PLUtFWQo= + tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg== +*/}} + +{{- define "helm-toolkit.manifests.secret_ingress_tls" }} +{{- $envAll := index . "envAll" }} +{{- $endpoint := index . "endpoint" | default "public" }} +{{- $backendServiceType := index . "backendServiceType" }} +{{- $backendService := index . 
"backendService" | default "api" }} +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- if and $endpointHost.tls.key $endpointHost.tls.crt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +type: kubernetes.io/tls +data: + tls.key: {{ $endpointHost.tls.key | b64enc }} +{{- if $endpointHost.tls.ca }} + tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }} +{{- else }} + tls.crt: {{ $endpointHost.tls.crt | b64enc }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/deps/helm-toolkit/templates/manifests/_service-ingress.tpl new file mode 100644 index 0000000..d2e7c0e --- /dev/null +++ b/charts/deps/helm-toolkit/templates/manifests/_service-ingress.tpl 
@@ -0,0 +1,43 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for a services ingress rules. +# It can be used in charts dict created similar to the following: +# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -} +# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" } + +{{- define "helm-toolkit.manifests.service_ingress" -}} +{{- $envAll := index . "envAll" -}} +{{- $backendServiceType := index . "backendServiceType" -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + ports: + - name: http + port: 80 + - name: https + port: 443 + selector: + app: ingress-api +{{- if index $envAll.Values.endpoints $backendServiceType }} +{{- if index $envAll.Values.endpoints $backendServiceType "ip" }} +{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }} + clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl new file mode 100644 index 0000000..bf1465b --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl 
@@ -0,0 +1,35 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "helm-toolkit.scripts.create_s3_bucket" }} +#!/bin/bash +set -e +CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST" +if [ "$RGW_PROTO" = "http" ]; then + CONNECTION_ARGS+=" --no-ssl" +else + CONNECTION_ARGS+=" --no-check-certificate" +fi +ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY" +USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY" +function check_rgw_s3_bucket () { + s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET +} +function create_rgw_s3_bucket () { + s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET +} +function modify_bucket_acl () { + s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME +} +check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl ) +{{- end }} \ No newline at end of file diff --git a/charts/deps/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl new file mode 100644 index 0000000..08796d2 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl 
@@ -0,0 +1,65 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "helm-toolkit.scripts.create_s3_user" }} +#!/bin/bash +set -e +function create_s3_user () { + echo "Creating s3 user and key pair" + radosgw-admin user create \ + --uid=${S3_USERNAME} \ + --display-name=${S3_USERNAME} \ + --key-type=s3 \ + --access-key ${S3_ACCESS_KEY} \ + --secret-key ${S3_SECRET_KEY} +} +function update_s3_user () { + # Retrieve old access keys, if they exist + old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \ + | jq -r '.keys[].access_key' || true) + + if [[ ! -z ${old_access_keys} ]]; then + for access_key in $old_access_keys; do + # If current access key is the same as the key supplied, do nothing. + if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then + echo "Current user and key pair exists." 
+ continue + else + # If keys differ, remove previous key + radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key + fi + done + fi + + # Perform one more additional check to account for scenarios where multiple + # key pairs existed previously, but one existing key was the supplied key + current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \ + | jq -r '.keys[].access_key' || true) + + # If the supplied key does not exist, modify the user + if [[ -z ${current_access_key} ]]; then + # Modify user with new access and secret keys + echo "Updating existing user's key pair" + radosgw-admin user modify \ + --uid=${S3_USERNAME}\ + --access-key ${S3_ACCESS_KEY} \ + --secret-key ${S3_SECRET_KEY} + fi +} +user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true) +if [[ -z ${user_exists} ]]; then + create_s3_user +else + update_s3_user +fi +{{- end }} \ No newline at end of file diff --git a/charts/deps/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/deps/helm-toolkit/templates/scripts/_db-drop.py.tpl new file mode 100644 index 0000000..03884fa --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_db-drop.py.tpl 
@@ -0,0 +1,142 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.db_drop" }} +#!/usr/bin/env python + +# Drops db and user for an OpenStack Service: +# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain +# SQLAlchemy strings for the root connection to the database and the one you +# wish the service to use. Alternatively, you can use an ini formatted config +# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string +# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by +# OPENSTACK_CONFIG_DB_SECTION. 
+ +import os +import sys +try: + import ConfigParser + PARSER_OPTS = {} +except ImportError: + import configparser as ConfigParser + PARSER_OPTS = {"strict": False} +import logging +from sqlalchemy import create_engine + +# Create logger, console handler and formatter +logger = logging.getLogger('OpenStack-Helm DB Drop') +logger.setLevel(logging.DEBUG) +ch = logging.StreamHandler() +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + +# Set the formatter and add the handler +ch.setFormatter(formatter) +logger.addHandler(ch) + + +# Get the connection string for the service db root user +if "ROOT_DB_CONNECTION" in os.environ: + db_connection = os.environ['ROOT_DB_CONNECTION'] + logger.info('Got DB root connection') +else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + +# Get the connection string for the service db +if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] + if "OPENSTACK_CONFIG_DB_SECTION" in os.environ: + os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set') + sys.exit(1) + if "OPENSTACK_CONFIG_DB_KEY" in os.environ: + os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set') + sys.exit(1) + try: + config = ConfigParser.RawConfigParser(**PARSER_OPTS) + logger.info("Using {0} as db config source".format(os_conf)) + config.read(os_conf) + logger.info("Trying to load db config from {0}:{1}".format( + os_conf_section, os_conf_key)) + user_db_conn = config.get(os_conf_section, os_conf_key) + logger.info("Got config from {0}".format(os_conf)) + except: + 
logger.critical("Tried to load config from {0} but failed.".format(os_conf)) + raise +elif "DB_CONNECTION" in os.environ: + user_db_conn = os.environ['DB_CONNECTION'] + logger.info('Got config from DB_CONNECTION env var') +else: + logger.critical('Could not get db config, either from config file or env var') + sys.exit(1) + +# Root DB engine +try: + root_engine_full = create_engine(db_connection) + root_user = root_engine_full.url.username + root_password = root_engine_full.url.password + drivername = root_engine_full.url.drivername + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( + host, port, root_user)) +except: + logger.critical('Could not connect to database as root user') + raise + +# User DB engine +try: + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username + password = user_engine.url.password + logger.info('Got user db config') +except: + logger.critical('Could not get user database config') + raise + +# Delete DB +try: + root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database)) + logger.info("Deleted database {0}".format(database)) +except: + logger.critical("Could not drop database {0}".format(database)) + raise + +# Delete DB User +try: + root_engine.execute("DROP USER IF EXISTS {0}".format(user)) + logger.info("Deleted user {0}".format(user)) +except: + logger.critical("Could not delete user {0}".format(user)) + raise + +logger.info('Finished DB Management') +{{- end }} 
diff --git a/charts/deps/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/deps/helm-toolkit/templates/scripts/_db-init.py.tpl new file mode 100644 index 0000000..6027b95 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_db-init.py.tpl 
@@ -0,0 +1,156 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.db_init" }} +#!/usr/bin/env python + +# Creates db and user for an OpenStack Service: +# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain +# SQLAlchemy strings for the root connection to the database and the one you +# wish the service to use. Alternatively, you can use an ini formatted config +# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string +# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by +# OPENSTACK_CONFIG_DB_SECTION. 
+ +import os +import sys +try: + import ConfigParser + PARSER_OPTS = {} +except ImportError: + import configparser as ConfigParser + PARSER_OPTS = {"strict": False} +import logging +from sqlalchemy import create_engine + +# Create logger, console handler and formatter +logger = logging.getLogger('OpenStack-Helm DB Init') +logger.setLevel(logging.DEBUG) +ch = logging.StreamHandler() +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + +# Set the formatter and add the handler +ch.setFormatter(formatter) +logger.addHandler(ch) + + +# Get the connection string for the service db root user +if "ROOT_DB_CONNECTION" in os.environ: + db_connection = os.environ['ROOT_DB_CONNECTION'] + logger.info('Got DB root connection') +else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + +# Get the connection string for the service db +if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] + if "OPENSTACK_CONFIG_DB_SECTION" in os.environ: + os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set') + sys.exit(1) + if "OPENSTACK_CONFIG_DB_KEY" in os.environ: + os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set') + sys.exit(1) + try: + config = ConfigParser.RawConfigParser(**PARSER_OPTS) + logger.info("Using {0} as db config source".format(os_conf)) + config.read(os_conf) + logger.info("Trying to load db config from {0}:{1}".format( + os_conf_section, os_conf_key)) + user_db_conn = config.get(os_conf_section, os_conf_key) + logger.info("Got config from {0}".format(os_conf)) + except: + 
logger.critical("Tried to load config from {0} but failed.".format(os_conf)) + raise +elif "DB_CONNECTION" in os.environ: + user_db_conn = os.environ['DB_CONNECTION'] + logger.info('Got config from DB_CONNECTION env var') +else: + logger.critical('Could not get db config, either from config file or env var') + sys.exit(1) + +# Root DB engine +try: + root_engine_full = create_engine(db_connection) + root_user = root_engine_full.url.username + root_password = root_engine_full.url.password + drivername = root_engine_full.url.drivername + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( + host, port, root_user)) +except: + logger.critical('Could not connect to database as root user') + raise + +# User DB engine +try: + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username + password = user_engine.url.password + logger.info('Got user db config') +except: + logger.critical('Could not get user database config') + raise + +# Create DB +try: + root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database)) + logger.info("Created database {0}".format(database)) +except: + logger.critical("Could not create database {0}".format(database)) + raise + +# Create DB User +try: + root_engine.execute( + "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format( + user, password, mysql_x509)) + root_engine.execute( + "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user)) + logger.info("Created user {0} for {1}".format(user, database)) +except: + logger.critical("Could not create user {0} for 
{1}".format(user, database)) + raise + +# Test connection +try: + connection = user_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format( + host, port, database, user)) +except: + logger.critical('Could not connect to database as user') + raise + +logger.info('Finished DB Management') +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl new file mode 100644 index 0000000..4d7dfaa --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl 
@@ -0,0 +1,69 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- define "helm-toolkit.scripts.pg_db_init" }} +#!/bin/bash +set -ex + +if [[ ! -v DB_HOST ]]; then + echo "environment variable DB_HOST not set" + exit 1 +elif [[ ! -v DB_ADMIN_USER ]]; then + echo "environment variable DB_ADMIN_USER not set" + exit 1 +elif [[ ! -v PGPASSWORD ]]; then + echo "environment variable PGPASSWORD not set" + exit 1 +elif [[ ! -v DB_PORT ]]; then + echo "environment variable DB_PORT not set" + exit 1 +elif [[ ! -v USER_DB_USER ]]; then + echo "environment variable USER_DB_USER not set" + exit 1 +elif [[ ! -v USER_DB_PASS ]]; then + echo "environment variable USER_DB_PASS not set" + exit 1 +elif [[ ! -v USER_DB_NAME ]]; then + echo "environment variable USER_DB_NAME not set" + exit 1 +else + echo "Got DB connection info" +fi + +pgsql_superuser_cmd () { + DB_COMMAND="$1" + if [[ ! -z $2 ]]; then + EXPORT PGDATABASE=$2 + fi + /usr/bin/psql \ + -h ${DB_HOST} \ + -p ${DB_PORT} \ + -U ${DB_ADMIN_USER} \ + --command="${DB_COMMAND}" +} + +#create db +pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME" + +#create db user +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \ + pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" + +#Set password everytime. 
This is required for cases when we would want password rotation to take effect and set the updated password for a user. +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'" + +#give permissions to user +pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;" + +#revoke all privileges from PUBLIC role +pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;" +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl new file mode 100644 index 0000000..e41abe3 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl @@ -0,0 +1,24 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.image_repo_sync" }} +#!/bin/sh +set -ex + +IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do + docker pull ${IMAGE} + docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE} + docker push ${LOCAL_REPO}/${IMAGE} +done +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl new file mode 100644 index 0000000..8755cd5 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl 
@@ -0,0 +1,72 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_domain_user" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +set -ex + +# Manage domain +SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \ + "${SERVICE_OS_DOMAIN_NAME}") + +# Display domain +openstack domain show "${SERVICE_OS_DOMAIN_ID}" + +# Manage user +SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \ + --domain="${SERVICE_OS_DOMAIN_ID}" \ + --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \ + --password="${SERVICE_OS_PASSWORD}" \ + "${SERVICE_OS_USERNAME}") + +# Manage user password (we do this to ensure the password is updated if required) +openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}" + +# Display user +openstack user show "${SERVICE_OS_USERID}" + +# Manage role +SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \ + "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \ + "${SERVICE_OS_ROLE}" ) + +# Manage user role assignment +openstack role add \ + --domain="${SERVICE_OS_DOMAIN_ID}" \ + --user="${SERVICE_OS_USERID}" \ + --user-domain="${SERVICE_OS_DOMAIN_ID}" \ + "${SERVICE_OS_ROLE_ID}" + +# Display user role assignment +openstack role assignment list \ + --role="${SERVICE_OS_ROLE_ID}" \ + --user-domain="${SERVICE_OS_DOMAIN_ID}" \ + --user="${SERVICE_OS_USERID}" +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl new file mode 100755 index 0000000..e400bcd --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl 
@@ -0,0 +1,79 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_endpoints" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +set -ex + +# Get Service ID +OS_SERVICE_ID=$( openstack service list -f csv --quote none | \ + grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \ + sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" ) + +# Get Endpoint ID if it exists +OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \ + grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \ + awk -F ',' '{ print $1 }' ) + +# Making sure only a single endpoint exists for a service within a region +if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then + echo "More than one endpoint found, cleaning up" + for ENDPOINT_ID in $OS_ENDPOINT_ID; do + openstack endpoint delete ${ENDPOINT_ID} + done + unset OS_ENDPOINT_ID +fi + +# Determine if Endpoint needs updated +if [[ ${OS_ENDPOINT_ID} ]]; then + OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url) + if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then + echo "Endpoints Match: no action required" + OS_ENDPOINT_UPDATE="False" + else + echo "Endpoints Dont Match: removing existing entries" + openstack endpoint delete ${OS_ENDPOINT_ID} + OS_ENDPOINT_UPDATE="True" + fi +else + OS_ENDPOINT_UPDATE="True" +fi + +# Update Endpoint if required +if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then + OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \ + --region="${OS_REGION_NAME}" \ + "${OS_SERVICE_ID}" \ + ${OS_SVC_ENDPOINT} \ + "${OS_SERVICE_ENDPOINT}" ) +fi + +# Display the Endpoint +openstack endpoint show ${OS_ENDPOINT_ID} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_ks-service.sh.tpl new file mode 100644 index 0000000..8356b36 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/scripts/_ks-service.sh.tpl 
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/scripts/_ks-user.sh.tpl
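Review bot: The retry loop still cannot tell "the service does not exist" from "openstack service list failed", because the pipeline's status is that of the trailing `sed`, so a transient ECONNRESET on all three attempts falls through to `openstack service create` and produces exactly the duplicate service the FIXME comment above describes. Enabling `set -eo pipefail` at the top of the script would make a failed list abort the job instead of creating a duplicate; alternatively check `${PIPESTATUS[0]}` inside the loop and only proceed to create when at least one list call returned 0 with no match. The `sleep 2` retries are fine as a mitigation but should be documented as such, e.g. `# retry only masks transient keystone errors; a persistent failure must not reach service create`.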
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
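Review bot: The final `ks_assign_user_role` call never assigns `${MEMBER_OS_ROLE}`: the function unconditionally recomputes `USER_ROLE_ID` from `$SERVICE_OS_ROLE`, which still holds the last role from the `for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}` loop, so the `export USER_ROLE_ID=$(openstack role create ... "${MEMBER_OS_ROLE}")` result is overwritten and the last service role is simply added a second time. The smallest fix is `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` immediately before the last `ks_assign_user_role`, or better, make the function take the role name as `$1`. Separately, `IFS=','` is set for the loop and never restored, which changes word splitting for every later unquoted expansion in this script; restoring it with `unset IFS` after `done` keeps the rest of the script on default splitting. The `set +x` / `set -x` bracket around `openstack user set --password=` is the right thing and should stay, since `set -ex` at the top would otherwise print the password into the job log.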
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/scripts/_rally_test.sh.tpl
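Review bot: `${@}` is unquoted in both branches of `rabbitmqadmin_cli`, so any argument containing whitespace (a `password=` or `name=` value with a space) is re-split before reaching rabbitmqadmin; it should be `"$@"` in both places. The X509 branch passes `--ssl-disable-hostname-verification` unconditionally, which reduces the TLS client to CA pinning only; if the broker certificate's SAN covers `${RABBIT_HOSTNAME}` this flag can be dropped, and if it cannot be, a comment stating why (e.g. `# cert SAN does not cover the service hostname used here`) is needed so the exception is not silently inherited. The admin password is also passed as `--password=` on the command line, where it is visible to anything in the pod that can read the process table; rabbitmqadmin supports a config file, which would keep it out of argv. Finally, `/tmp/rmq_definitions.json` — which may contain user definitions with credentials — is written and never removed; a `trap 'rm -f /tmp/rmq_definitions.json' EXIT` before the import would close that.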
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100755
index 0000000..3963bd4
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
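Review bot: `if [ $revisionResults = "None" ]` in `create_or_update_db` is unquoted, so when `rally db revision` prints nothing the test becomes `[ = None ]`, which is a `[` usage error rather than a false result and aborts the script under `set -e`; it should read `if [ "$revisionResults" = "None" ]`. The heredoc writes both the admin and the service passwords to the fixed path `/tmp/rally-config.json` with the pod's default umask, and because `rally deployment create` runs under `set -e`, a failure there exits before `rm -f /tmp/rally-config.json` and leaves the credential file behind (the `rally_cleanup` trap only deletes the keystone user). A `umask 077` before the `cat > ... << EOF` and moving the `rm -f` into the EXIT trap, or writing to `$(mktemp)`, would keep the credentials file private and short-lived. `"https_insecure": false` with `"https_cacert": "${OS_CACERT}"` is correct and should be kept as is.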
@@ -0,0 +1,567 @@ +{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }} +#!/bin/bash + +# This file contains a database backup framework which database scripts +# can use to perform a backup. The idea here is that the database-specific +# functions will be implemented by the various databases using this script +# (like mariadb, postgresql or etcd for example). The database-specific +# script will need to first "source" this file like this: +# source /tmp/backup_main.sh +# +# Then the script should call the main backup function (backup_databases): +# backup_databases [scope] +# [scope] is an optional parameter, defaulted to "all". If only one specific +# database is required to be backed up then this parameter will +# contain the name of the database; otherwise all are backed up. +# +# The framework will require the following variables to be exported: +# +# export DB_NAMESPACE Namespace where the database(s) reside +# export DB_NAME Name of the database system +# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups +# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups +# export ARCHIVE_DIR Local location where the backup tarballs should +# be stored. (full directory path) +# export BACK_UP_MODE Determines the mode of backup taken. +# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false +# otherwise +# export CONTAINER_NAME Name of the container on the RGW to store +# the backup tarball. +# export STORAGE_POLICY Name of the storage policy defined on the +# RGW which is intended to store backups. 
+# RGW access variables: +# export OS_REGION_NAME Name of the region the RGW resides in +# export OS_AUTH_URL Keystone URL associated with the RGW +# export OS_PROJECT_NAME Name of the project associated with the +# keystone user +# export OS_USERNAME Name of the keystone user +# export OS_PASSWORD Password of the keystone user +# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to +# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to +# export OS_IDENTITY_API_VERSION Keystone API version to use +# +# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote +# in case of any temporary failures. +# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup +# to remote to stagger backups being sent to RGW +# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup +# to remote to stagger backups being sent to RGW. +# A random number between min and max delay is generated +# to set the delay. +# +# The database-specific functions that need to be implemented are: +# dump_databases_to_directory [scope] +# where: +# is the full directory path to dump the database files +# into. This is a temporary directory for this backup only. +# is the full directory path where error logs are to be +# written by the application. +# [scope] set to "all" if all databases are to be backed up; or +# set to the name of a specific database to be backed up. +# This optional parameter is defaulted to "all". +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to dump the database file(s) to the specified +# directory path. If this function completes successfully (returns 0), the +# framework will automatically tar/zip the files in that directory and +# name the tarball appropriately according to the proper conventions. 
+# +# verify_databases_backup_archives [scope] +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to verify the database backup archives. If this function +# completes successfully (returns 0), the +# framework will automatically starts remote backup upload. +# +# +# The functions in this file will take care of: +# 1) Calling "dump_databases_to_directory" and then compressing the files, +# naming the tarball properly, and then storing it locally at the specified +# local directory. +# 2) Sending the tarball built to the remote gateway, to be stored in the +# container configured to store database backups. +# 3) Removing local backup tarballs which are older than the number of days +# specified by the "LOCAL_DAYS_TO_KEEP" variable. +# 4) Removing remote backup tarballs (from the remote gateway) which are older +# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable. +# + +# Note: not using set -e in this script because more elaborate error handling +# is needed. 
+ +log_backup_error_exit() { + MSG=$1 + ERRCODE=${2:-0} + log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}" + rm -f $ERR_LOG_FILE + rm -rf $TMP_DIR + exit $ERRCODE +} + +log_verify_backup_exit() { + MSG=$1 + ERRCODE=${2:-0} + log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}" + rm -f $ERR_LOG_FILE + # rm -rf $TMP_DIR + exit $ERRCODE +} + + +log() { + #Log message to a file or stdout + #TODO: This can be convert into mail alert of alert send to a monitoring system + #Params: $1 log level + #Params: $2 service + #Params: $3 message + #Params: $4 Destination + LEVEL=$1 + SERVICE=$2 + MSG=$3 + DEST=$4 + DATE=$(date +"%m-%d-%y %H:%M:%S") + if [[ -z "$DEST" ]]; then + echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" + else + echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST + fi +} + +# Generate a random number between MIN_DELAY_SEND_REMOTE and +# MAX_DELAY_SEND_REMOTE +random_number() { + diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1)) + echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} )) +} + +#Get the day delta since the archive file backup +seconds_difference() { + ARCHIVE_DATE=$( date --date="$1" +%s ) + if [[ $? -ne 0 ]]; then + SECOND_DELTA=0 + fi + CURRENT_DATE=$( date +%s ) + SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE)) + if [[ "$SECOND_DELTA" -lt 0 ]]; then + SECOND_DELTA=0 + fi + echo $SECOND_DELTA +} + +# Send the specified tarball file at the specified filepath to the +# remote gateway. +send_to_remote_server() { + FILEPATH=$1 + FILE=$2 + + # Grab the list of containers on the remote site + RESULT=$(openstack container list 2>&1) + + if [[ $? -eq 0 ]]; then + echo $RESULT | grep $CONTAINER_NAME + if [[ $? -ne 0 ]]; then + # Find the swift URL from the keystone endpoint list + SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}') + if [[ $? 
-ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog." + return 2 + fi + + # Get a token from keystone + TOKEN=$(openstack token issue -f value -c id) + if [[ $? -ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to get keystone token." + return 2 + fi + + # Create the container + RES_FILE=$(mktemp -p /tmp) + curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \ + -H "X-Auth-Token: ${TOKEN}" \ + -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE + + if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then + log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}" + cat $RES_FILE + rm -f $RES_FILE + return 2 + fi + rm -f $RES_FILE + + swift stat $CONTAINER_NAME + if [[ $? -ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation." + return 2 + fi + fi + else + echo $RESULT | grep -E "HTTP 401|HTTP 403" + if [[ $? -eq 0 ]]; then + log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}" + return 1 + else + echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50" + if [[ $? -eq 0 ]]; then + log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}" + # In this case, keystone or the site/node may be temporarily down. + # Return slightly different error code so the calling code can retry + return 2 + else + log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}" + return 1 + fi + fi + fi + + # load balance delay + DELAY=$((1 + ${RANDOM} % 30)) + echo "Sleeping for ${DELAY} seconds to spread the load in time..." + sleep ${DELAY} + + # Create an object to store the file + openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE + if [[ $? -ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!" + return 2 + fi + + openstack object show $CONTAINER_NAME $FILE + if [[ $? 
-ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation." + return 2 + fi + + # Remote backup verification + MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag") + MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}') + log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME." + log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}." + log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}." + if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then + log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME." + else + log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values" + return 2 + fi + rm -rf ${REMOTE_FILE} + + log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully." + return 0 +} + +# This function attempts to store the built tarball to the remote gateway, +# with built-in logic to handle error cases like: +# 1) Network connectivity issues - retries for a specific amount of time +# 2) Authorization errors - immediately logs an ERROR and returns +store_backup_remotely() { + FILEPATH=$1 + FILE=$2 + + count=1 + while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do + # Store the new archive to the remote backup storage facility. + send_to_remote_server $FILEPATH $FILE + SEND_RESULT="$?" + + # Check if successful + if [[ $SEND_RESULT -eq 0 ]]; then + log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW." + return 0 + elif [[ $SEND_RESULT -eq 2 ]]; then + if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then + log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \ + "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting." + break + fi + # Temporary failure occurred. 
We need to retry + log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue." + sleep_time=$(random_number) + log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..." + sleep ${sleep_time} + log INFO "${DB_NAME}_backup" "Retrying..." + else + log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting." + break + fi + + # Increment the counter + count=$((count+1)) + done + + return 1 +} + + +function get_archive_date(){ +# get_archive_date function returns correct archive date +# for different formats of archives' names +# the old one: ....tar.gz +# the new one: ..
...tar.gz + local A_FILE="$1" + awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z" +} + +# This function takes a list of archives' names as an input +# and creates a hash table where keys are number of seconds +# between current date and archive date (see seconds_difference), +# and values are space separated archives' names +# +# +------------+---------------------------------------------------------------------------------------------------------+ +# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" | +# +------------+---------------------------------------------------------------------------------------------------------+ +# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" | +# +------------+---------------------------------------------------------------------------------------------------------+ +# <...> +# +------------+---------------------------------------------------------------------------------------------------------+ +# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" | +# +------------+---------------------------------------------------------------------------------------------------------+ +# We will use the explained above data stracture to cover rare, but still +# possible case, when we have several backups of the same date. E.g. +# one manual, and one automatic. + +declare -A fileTable +create_hash_table() { +unset fileTable +fileList=$@ + for ARCHIVE_FILE in ${fileList}; do + # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00) + # to take in account a possibility, that we can have more than one scheduled + # backup per day. 
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE}) + ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D) + log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}" + INDEX=$(seconds_difference ${ARCHIVE_DATE}) + if [[ -z fileTable[${INDEX}] ]]; then + fileTable[${INDEX}]=${ARCHIVE_FILE} + else + fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}" + fi + echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}" + done +} + +function get_backup_prefix() { +# Create list of all possible prefixes in a format: +# . to cover a possible situation +# when different backups of different databases and/or +# namespaces share the same local or remote storage. + ALL_FILES=($@) + PREFIXES=() + for fname in ${ALL_FILES[@]}; do + prefix=$(basename ${fname} | cut -d'.' -f1,2 ) + for ((i=0; i<${#PREFIXES[@]}; i++)) do + if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then + prefix="" + break + fi + done + if [[ ! -z ${prefix} ]]; then + PREFIXES+=(${prefix}) + fi + done +} + +remove_old_local_archives() { + SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400)) + log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)" + if [[ -d $ARCHIVE_DIR ]]; then + count=0 + # We iterate over the hash table, checking the delta in seconds (hash keys), + # and minimum number of backups we must have in place. List of keys has to be sorted. + for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do + ARCHIVE_FILE=${fileTable[${INDEX}]} + if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then + ((count++)) + log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}." + else + log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}." + rm -f ${ARCHIVE_FILE} + if [[ $? -ne 0 ]]; then + # Log error but don't exit so we can finish the script + # because at this point we haven't sent backup to RGW yet + log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. 
Cannot remove some of ${ARCHIVE_FILE}" + fi + fi + done + else + log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist." + fi +} + +prepare_list_of_remote_backups() { + BACKUP_FILES=$(mktemp -p /tmp) + DB_BACKUP_FILES=$(mktemp -p /tmp) + openstack object list $CONTAINER_NAME > $BACKUP_FILES + if [[ $? -ne 0 ]]; then + log_backup_error_exit \ + "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW" + fi + # Filter out other types of backup files + cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES +} + +# The logic implemented with this function is absolutely similar +# to the function remove_old_local_archives (see above) +remove_old_remote_archives() { + count=0 + SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400)) + log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)" + for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do + ARCHIVE_FILE=${fileTable[${INDEX}]} + if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then + ((count++)) + log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}." + else + log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW" + openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \ + "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}" + fi + done + + # Cleanup now that we're done. + for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do + if [[ -f ${fd} ]]; then + rm -f ${fd} + else + log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}" + fi + done +} + +# Main function to backup the databases. Calling functions need to supply: +# 1) The directory where the final backup will be kept after it is compressed. +# 2) A temporary directory to use for placing database files to be compressed. 
+# Note: this temp directory will be deleted after backup is done. +# 3) Optional "scope" parameter indicating what database to back up. Defaults +# to "all". +backup_databases() { + SCOPE=${1:-"all"} + + # Create necessary directories if they do not exist. + mkdir -p $ARCHIVE_DIR || log_backup_error_exit \ + "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!" + export TMP_DIR=$(mktemp -d) || log_backup_error_exit \ + "Backup of the ${DB_NAME} database failed. Cannot create temp directory!" + + # Create temporary log file + export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \ + "Backup of the ${DB_NAME} database failed. Cannot create log file!" + + # It is expected that this function will dump the database files to the $TMP_DIR + dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE + + # If successful, there should be at least one file in the TMP_DIR + if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then + cat $ERR_LOG_FILE + log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention." + fi + + log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..." + + NOW=$(date +"%Y-%m-%dT%H:%M:%SZ") + if [[ -z "${BACK_UP_MODE}" ]]; then + TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz" + else + TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz" + fi + + cd $TMP_DIR || log_backup_error_exit \ + "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR" + + #Archive the current database files + tar zcvf $ARCHIVE_DIR/$TARBALL_FILE * + if [[ $? -ne 0 ]]; then + log_backup_error_exit \ + "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created." + fi + + # Get the size of the file + ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}') + + log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully." 
+ + cd $ARCHIVE_DIR + + #Only delete the old archive after a successful archive + export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g') + if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then + get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz) + for ((i=0; i<${#PREFIXES[@]}; i++)); do + echo "Working with prefix: ${PREFIXES[i]}" + create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz) + remove_old_local_archives + done + fi + + # Local backup verification process + + # It is expected that this function will verify the database backup files + if verify_databases_backup_archives ${SCOPE}; then + log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..." + else + # If successful, there should be at least one file in the TMP_DIR + if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then + cat $ERR_LOG_FILE + fi + log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention." + exit 1 + fi + + # Remove the temporary directory and files as they are no longer needed. + rm -rf $TMP_DIR + rm -f $ERR_LOG_FILE + + # Remote backup + REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g') + if $REMOTE_BACKUP; then + # Remove Quotes from the constants which were added due to reading + # from secret. + export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g') + export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g') + export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g') + export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g') + + store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE + if [[ $? -ne 0 ]]; then + # This error should print first, then print the summary as the last + # thing that the user sees in the output. + log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW." 
+ echo "==================================================================" + echo "Local backup successful, but could not send to remote RGW." + echo "Backup archive name: $TARBALL_FILE" + echo "Backup archive size: $ARCHIVE_SIZE" + echo "==================================================================" + # Because the local backup was successful, exit with 0 so the pod will not + # continue to restart and fill the disk with more backups. The ERRORs are + # logged and alerting system should catch those errors and flag the operator. + exit 0 + fi + + #Only delete the old archive after a successful archive + if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then + prepare_list_of_remote_backups + get_backup_prefix $(cat $DB_BACKUP_FILES) + for ((i=0; i<${#PREFIXES[@]}; i++)); do + echo "Working with prefix: ${PREFIXES[i]}" + create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]}) + remove_old_remote_archives + done + fi + + echo "==================================================================" + echo "Local backup and backup to remote RGW successful!" + echo "Backup archive name: $TARBALL_FILE" + echo "Backup archive size: $ARCHIVE_SIZE" + echo "==================================================================" + else + # Remote backup is not enabled. This is ok; at least we have a local backup. + log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled." + + echo "==================================================================" + echo "Local backup successful!" + echo "Backup archive name: $TARBALL_FILE" + echo "Backup archive size: $ARCHIVE_SIZE" + echo "==================================================================" + fi +} +{{- end }} \ No newline at end of file diff --git a/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl new file mode 100755 index 0000000..093dd2c --- /dev/null 
+++ b/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl 
@@ -0,0 +1,616 @@ +{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }} +#!/bin/bash + +# This file contains a database restore framework which database scripts +# can use to perform a backup. The idea here is that the database-specific +# functions will be implemented by the various databases using this script +# (like mariadb, postgresql or etcd for example). The database-specific +# script will need to first "source" this file like this: +# source /tmp/restore_main.sh +# +# Then the script should call the main CLI function (cli_main): +# cli_main +# where: +# is the list of arguments given by the user +# +# The framework will require the following variables to be exported: +# +# export DB_NAMESPACE Namespace where the database(s) reside +# export DB_NAME Name of the database system +# export ARCHIVE_DIR Location where the backup tarballs should +# be stored. (full directory path which +# should already exist) +# export CONTAINER_NAME Name of the container on the RGW where +# the backups are stored. 
+# RGW access variables: +# export OS_REGION_NAME Name of the region the RGW resides in +# export OS_AUTH_URL Keystone URL associated with the RGW +# export OS_PROJECT_NAME Name of the project associated with the +# keystone user +# export OS_USERNAME Name of the keystone user +# export OS_PASSWORD Password of the keystone user +# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to +# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to +# export OS_IDENTITY_API_VERSION Keystone API version to use +# +# The database-specific functions that need to be implemented are: +# get_databases +# where: +# is the full directory path where the decompressed +# database files reside +# is the full path of the file to write the database +# names into, one database per line +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to extract the database names from the +# uncompressed database files found in the given "tmp_dir", which is +# the staging directory for database restore. The database names +# should be written to the given "db_file", one database name per +# line. +# +# get_tables +# is the name of the database to get the tables from +# is the full directory path where the decompressed +# database files reside +# is the full path of the file to write the table +# names into, one table per line +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to extract the table names from the given +# database, found in the uncompressed database files located in the +# given "tmp_dir", which is the staging directory for database restore. +# The table names should be written to the given "table_file", one +# table name per line. 
+# +# get_rows +# is the name of the table to get the rows from +# is the name of the database the table resides in +# is the full directory path where the decompressed +# database files reside +# is the full path of the file to write the table +# row data into, one row (INSERT statement) per line +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to extract the rows from the given table +# in the given database, found in the uncompressed database files +# located in the given "tmp_dir", which is the staging directory for +# database restore. The table rows should be written to the given +# "rows_file", one row (INSERT statement) per line. +# +# get_schema +# is the name of the table to get the schema from +# is the name of the database the table resides in +# is the full directory path where the decompressed +# database files reside +# is the full path of the file to write the table +# schema data into +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to extract the schema from the given table +# in the given database, found in the uncompressed database files +# located in the given "tmp_dir", which is the staging directory for +# database restore. The table schema and related alterations and +# grant information should be written to the given "schema_file". +# +# restore_single_db +# where: +# is the name of the database to be restored +# is the full directory path where the decompressed +# database files reside +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to restore the database given as "db_name" +# using the database files located in the "tmp_dir". The framework +# will delete the "tmp_dir" and the files in it after the restore is +# complete. 
+# +# restore_all_dbs +# where: +# is the full directory path where the decompressed +# database files reside +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to restore all of the databases which +# are backed up in the database files located in the "tmp_dir". The +# framework will delete the "tmp_dir" and the files in it after the +# restore is complete. +# +# The functions in this file will take care of: +# 1) The CLI parameter parsing for the arguments passed in by the user. +# 2) The listing of either local or remote archive files at the request +# of the user. +# 3) The retrieval/download of an archive file located either in the local +# file system or remotely stored on an RGW. +# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user +# chooses to restore a database or all databases. +# 5) The framework will call "get_databases" when it needs a list of +# databases when the user requests a database list or when the user +# requests to restore a single database (to ensure it exists in the +# archive). Similarly, the framework will call "get_tables", "get_rows", +# or "get_schema" when it needs that data requested by the user. +# + +usage() { + ret_val=$1 + echo "Usage:" + echo "Restore command options" + echo "=============================" + echo "help" + echo "list_archives [remote]" + echo "list_databases [remote]" + echo "list_tables [remote]" + echo "list_rows [remote]" + echo "list_schema [remote]" + echo "restore [remote]" + echo " where = | ALL" + echo "delete_archive [remote]" + clean_and_exit $ret_val "" +} + +#Exit cleanly with some message and return code +clean_and_exit() { + RETCODE=$1 + MSG=$2 + + # Clean/remove temporary directories/files + rm -rf $TMP_DIR + rm -f $RESULT_FILE + + if [[ "x${MSG}" != "x" ]]; then + echo $MSG + fi + exit $RETCODE +} + +determine_resulting_error_code() { + RESULT="$1" + + echo ${RESULT} | grep "HTTP 404" + if [[ $? 
-eq 0 ]]; then + echo "Could not find the archive: ${RESULT}" + return 1 + else + echo ${RESULT} | grep "HTTP 401" + if [[ $? -eq 0 ]]; then + echo "Could not access the archive: ${RESULT}" + return 1 + else + echo ${RESULT} | grep "HTTP 503" + if [[ $? -eq 0 ]]; then + echo "RGW service is unavailable. ${RESULT}" + # In this case, the RGW may be temporarily down. + # Return slightly different error code so the calling code can retry + return 2 + else + echo ${RESULT} | grep "ConnectionError" + if [[ $? -eq 0 ]]; then + echo "Could not reach the RGW: ${RESULT}" + # In this case, keystone or the site/node may be temporarily down. + # Return slightly different error code so the calling code can retry + return 2 + else + echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}" + return 1 + fi + fi + fi + fi + return 0 +} + +# Retrieve a list of archives from the RGW. +retrieve_remote_listing() { + RESULT=$(openstack container show $CONTAINER_NAME 2>&1) + if [[ $? -eq 0 ]]; then + # Get the list, ensureing that we only pick up the right kind of backups from the + # requested namespace + openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list + if [[ $? -ne 0 ]]; then + echo "Container object listing could not be obtained." + return 1 + else + echo "Archive listing successfully retrieved." + fi + else + determine_resulting_error_code "${RESULT}" + return $? + fi + return 0 +} + +# Retrieve a single archive from the RGW. +retrieve_remote_archive() { + ARCHIVE=$1 + + RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1) + if [[ $? -ne 0 ]]; then + determine_resulting_error_code "${RESULT}" + return $? + else + echo "Archive $ARCHIVE successfully retrieved." + fi + return 0 +} + +# Delete an archive from the RGW. +delete_remote_archive() { + ARCHIVE=$1 + + RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1) + if [[ $? 
-ne 0 ]]; then + determine_resulting_error_code "${RESULT}" + return $? + else + echo "Archive ${ARCHIVE} successfully deleted." + fi + return 0 +} + +# Display all archives +list_archives() { + REMOTE=$1 + + if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then + retrieve_remote_listing + if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then + echo + echo "All Archives from RGW Data Store" + echo "==============================================" + cat $TMP_DIR/archive_list | sort + clean_and_exit 0 "" + else + clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW." + fi + elif [[ "x${REMOTE}" == "x" ]]; then + if [[ -d $ARCHIVE_DIR ]]; then + archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort) + echo + echo "All Local Archives" + echo "==============================================" + for archive in $archives + do + echo $archive | cut -d '/' -f8- + done + clean_and_exit 0 "" + else + clean_and_exit 1 "ERROR: Local archive directory is not available." + fi + else + usage 1 + fi +} + +# Retrieve the archive from the desired location and decompress it into +# the restore directory +get_archive() { + ARCHIVE_FILE=$1 + REMOTE=$2 + + if [[ "x$REMOTE" == "xremote" ]]; then + echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..." + retrieve_remote_archive $ARCHIVE_FILE + if [[ $? -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE" + fi + elif [[ "x$REMOTE" == "x" ]]; then + if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then + cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE + if [[ $? -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not copy local archive to restore directory." + fi + else + clean_and_exit 1 "ERROR: Local archive file could not be found." + fi + else + usage 1 + fi + + echo "Decompressing archive $ARCHIVE_FILE..." + cd $TMP_DIR + tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null + if [[ $? -ne 0 ]]; then + clean_and_exit 1 "ERROR: Archive decompression failed." 
+ fi +} + +# Display all databases from an archive +list_databases() { + ARCHIVE_FILE=$1 + REMOTE=$2 + WHERE="local" + + if [[ -n ${REMOTE} ]]; then + WHERE="remote" + fi + + # Get the archive from the source location (local/remote) + get_archive $ARCHIVE_FILE $REMOTE + + # Expectation is that the database listing will be put into + # the given file one database per line + get_databases $TMP_DIR $RESULT_FILE + if [[ "$?" -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE." + fi + + if [[ -f "$RESULT_FILE" ]]; then + echo " " + echo "Databases in the $WHERE archive $ARCHIVE_FILE" + echo "================================================================================" + cat $RESULT_FILE + else + clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE." + fi +} + +# Display all tables of a database from an archive +list_tables() { + ARCHIVE_FILE=$1 + DATABASE=$2 + REMOTE=$3 + WHERE="local" + + if [[ -n ${REMOTE} ]]; then + WHERE="remote" + fi + + # Get the archive from the source location (local/remote) + get_archive $ARCHIVE_FILE $REMOTE + + # Expectation is that the database listing will be put into + # the given file one table per line + get_tables $DATABASE $TMP_DIR $RESULT_FILE + if [[ "$?" -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE." + fi + + if [[ -f "$RESULT_FILE" ]]; then + echo " " + echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE" + echo "================================================================================" + cat $RESULT_FILE + else + clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE." 
+ fi +} + +# Display all rows of the given database table from an archive +list_rows() { + ARCHIVE_FILE=$1 + DATABASE=$2 + TABLE=$3 + REMOTE=$4 + WHERE="local" + + if [[ -n ${REMOTE} ]]; then + WHERE="remote" + fi + + # Get the archive from the source location (local/remote) + get_archive $ARCHIVE_FILE $REMOTE + + # Expectation is that the database listing will be put into + # the given file one table per line + get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE + if [[ "$?" -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE." + fi + + if [[ -f "$RESULT_FILE" ]]; then + echo " " + echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE" + echo "================================================================================" + cat $RESULT_FILE + else + clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE." + fi +} + +# Display the schema information of the given database table from an archive +list_schema() { + ARCHIVE_FILE=$1 + DATABASE=$2 + TABLE=$3 + REMOTE=$4 + WHERE="local" + + if [[ -n ${REMOTE} ]]; then + WHERE="remote" + fi + + # Get the archive from the source location (local/remote) + get_archive $ARCHIVE_FILE $REMOTE + + # Expectation is that the schema information will be placed into + # the given schema file. + get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE + if [[ "$?" -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE." + fi + + if [[ -f "$RESULT_FILE" ]]; then + echo " " + echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE" + echo "================================================================================" + cat $RESULT_FILE + else + clean_and_exit 1 "ERROR: Schema file missing. 
Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE." + fi +} + +# Delete an archive +delete_archive() { + ARCHIVE_FILE=$1 + REMOTE=$2 + WHERE="local" + + if [[ -n ${REMOTE} ]]; then + WHERE="remote" + fi + + if [[ "${WHERE}" == "remote" ]]; then + delete_remote_archive ${ARCHIVE_FILE} + if [[ $? -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}" + fi + else # Local + if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then + rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE} + if [[ $? -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not delete local archive." + fi + else + clean_and_exit 1 "ERROR: Local archive file could not be found." + fi + fi + + echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage." +} + + +# Return 1 if the given database exists in the database file. 0 otherwise. +database_exists() { + DB=$1 + + grep "${DB}" ${RESULT_FILE} + if [[ $? -eq 0 ]]; then + return 1 + fi + return 0 +} + +# This is the main CLI interpreter function +cli_main() { + ARGS=("$@") + + # Create the ARCHIVE DIR if it's not already there. 
+ mkdir -p $ARCHIVE_DIR + + # Create temp directory for a staging area to decompress files into + export TMP_DIR=$(mktemp -d) + + # Create a temp file for storing list of databases (if needed) + export RESULT_FILE=$(mktemp -p /tmp) + + case "${ARGS[0]}" in + "help") + usage 0 + ;; + + "list_archives") + if [[ ${#ARGS[@]} -gt 2 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 1 ]]; then + list_archives + else + list_archives ${ARGS[1]} + fi + clean_and_exit 0 + ;; + + "list_databases") + if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 2 ]]; then + list_databases ${ARGS[1]} + else + list_databases ${ARGS[1]} ${ARGS[2]} + fi + ;; + + "list_tables") + if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 3 ]]; then + list_tables ${ARGS[1]} ${ARGS[2]} + else + list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} + fi + ;; + + "list_rows") + if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 4 ]]; then + list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} + else + list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]} + fi + ;; + + "list_schema") + if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 4 ]]; then + list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} + else + list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]} + fi + ;; + + "restore") + REMOTE="" + if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 4 ]]; then + REMOTE=${ARGS[3]} + fi + + ARCHIVE=${ARGS[1]} + DB_SPEC=${ARGS[2]} + + #Get all the databases in that archive + get_archive $ARCHIVE $REMOTE + + if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then + # Expectation is that the database listing will be put into + # the given file one database per line + get_databases $TMP_DIR $RESULT_FILE + if [[ "$?" -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not get the list of databases to restore." + fi + + if [[ ! 
$DB_NAMESPACE == "kube-system" ]]; then + #check if the requested database is available in the archive + database_exists $DB_SPEC + if [[ $? -ne 1 ]]; then + clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist." + fi + fi + + echo "Restoring Database $DB_SPEC And Grants" + restore_single_db $DB_SPEC $TMP_DIR + if [[ "$?" -eq 0 ]]; then + echo "Single database restored successfully." + else + clean_and_exit 1 "ERROR: Single database restore failed." + fi + clean_and_exit 0 "" + else + echo "Restoring All The Databases. This could take a few minutes..." + restore_all_dbs $TMP_DIR + if [[ "$?" -eq 0 ]]; then + echo "All databases restored successfully." + else + clean_and_exit 1 "ERROR: Database restore failed." + fi + clean_and_exit 0 "" + fi + ;; + "delete_archive") + if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 2 ]]; then + delete_archive ${ARGS[1]} + else + delete_archive ${ARGS[1]} ${ARGS[2]} + fi + ;; + *) + usage 1 + ;; + esac + + clean_and_exit 0 "" +} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_image.tpl b/charts/deps/helm-toolkit/templates/snippets/_image.tpl new file mode 100644 index 0000000..029c93d --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_image.tpl 
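Review bot: `database_exists` performs an unanchored substring match, `grep "${DB}" ${RESULT_FILE}`, so a requested name that is a fragment of another database listed in the archive passes the check and `restore_single_db` is invoked for a database the archive does not actually contain; a literal whole-line, quiet match is what the check intends: `grep -qxF -- "${DB}" "${RESULT_FILE}"`. In `retrieve_remote_listing` the `$?` tested after the `openstack object list ... | grep | grep | awk > $TMP_DIR/archive_list` pipeline is awk's exit status, so a failed or unauthorised listing still prints "Archive listing successfully retrieved." with an empty file — test `${PIPESTATUS[0]}` or put `set -o pipefail` at the top of the script. The remote flag is also handled inconsistently: `list_archives` accepts it case-insensitively via `${REMOTE^^}`, while `get_archive` compares against the literal `xremote`, so `list_databases <archive> REMOTE` sets `WHERE=remote` and then drops into `usage 1`. Finally, `list_archives` strips the local path with a hard-coded `cut -d '/' -f8-`, which only prints the bare file name for one specific depth of `ARCHIVE_DIR`; `basename` (or `find ... -printf '%f\n'`) would not depend on the mount path.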
@@ -0,0 +1,60 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves an image reference to a string, and its pull policy +values: | + images: + tags: + test_image: docker.io/port/test:version-foo + image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 + pull_policy: IfNotPresent + local_registry: + active: true + exclude: + - image_foo + endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 +usage: | + {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }} +return: | + image: "localhost:5000/docker.io/port/test:version-foo" + imagePullPolicy: IfNotPresent +*/}} + +{{- define "helm-toolkit.snippets.image" -}} +{{- $envAll := index . 0 -}} +{{- $image := index . 
1 -}} +{{- $imageTag := index $envAll.Values.images.tags $image -}} +{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}} +{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}} +image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }} +{{- else -}} +image: {{ $imageTag | quote }} +{{- end }} +imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/deps/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl new file mode 100644 index 0000000..2f209fe --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl 
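Review bot: A missing `images.tags.<name>` entry does not fail rendering: `index` yields an empty value, `quote` wraps it, and the manifest ends up with an empty `image:` that is only rejected when the pod is scheduled. Making the lookup mandatory surfaces the misconfiguration at `helm template`/`helm install` time instead: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s must be set" $image) -}}`. The `abstract:` header could also state that the local-registry prefix is only applied when `images.local_registry.active` is true and the image is not listed in `images.local_registry.exclude`, which is the branch readers most often get wrong.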
@@ -0,0 +1,142 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a set of container enviorment variables, equivlant to an openrc for + use with keystone based command line clients. +values: | + secrets: + identity: + admin: example-keystone-admin +usage: | + {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }} +return: | + - name: OS_IDENTITY_API_VERSION + value: "3" + - name: OS_AUTH_URL + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_AUTH_URL + - name: OS_REGION_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_REGION_NAME + - name: OS_INTERFACE + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_INTERFACE + - name: OS_ENDPOINT_TYPE + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_INTERFACE + - name: OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PROJECT_DOMAIN_NAME + - name: OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PROJECT_NAME + - name: OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_USER_DOMAIN_NAME + - name: OS_USERNAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_USERNAME + - name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PASSWORD + - name: OS_CACERT + valueFrom: + secretKeyRef: + name: 
example-keystone-admin + key: OS_CACERT +*/}} + +{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }} +{{- $useCA := .useCA -}} +{{- $ksUserSecret := .ksUserSecret }} +- name: OS_IDENTITY_API_VERSION + value: "3" +- name: OS_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_AUTH_URL +- name: OS_REGION_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_REGION_NAME +- name: OS_INTERFACE + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_INTERFACE +- name: OS_ENDPOINT_TYPE + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_INTERFACE +- name: OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_DOMAIN_NAME +- name: OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_NAME +- name: OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USER_DOMAIN_NAME +- name: OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USERNAME +- name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PASSWORD +- name: OS_DEFAULT_DOMAIN + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_DEFAULT_DOMAIN +{{- if $useCA }} +- name: OS_CACERT + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_CACERT +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/deps/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl new file mode 100644 index 0000000..f627657 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl 
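Review bot: The `return:` block in the header comment does not match what the template emits: the body always adds `OS_DEFAULT_DOMAIN` and emits `OS_CACERT` only when `useCA` is set, whereas the comment lists `OS_CACERT` unconditionally, omits `OS_DEFAULT_DOMAIN`, and its `usage:` line never passes `useCA`. Update the usage example to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` and add the `OS_DEFAULT_DOMAIN` entry to the return example. A one-line comment that `OS_ENDPOINT_TYPE` intentionally reads the `OS_INTERFACE` secret key would stop the next reader from treating it as a copy-paste slip. `enviorment`/`equivlant` in the abstract should be `environment`/`equivalent`.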
@@ -0,0 +1,32 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.keystone_secret_openrc" }} +{{- $userClass := index . 0 -}} +{{- $identityEndpoint := index . 1 -}} +{{- $context := index . 2 -}} +{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }} +OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }} +OS_REGION_NAME: {{ $userContext.region_name | b64enc }} +OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }} +OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }} +OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }} +OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }} +OS_USERNAME: {{ $userContext.username | b64enc }} +OS_PASSWORD: {{ $userContext.password | b64enc }} +OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }} +{{- if $userContext.cacert }} +OS_CACERT: {{ $userContext.cacert | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/deps/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl new file mode 100644 index 0000000..648711b --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl 
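Review bot: This snippet carries none of the `abstract:`/`values:`/`usage:`/`return:` header that the neighbouring `_image.tpl` and `_keystone_openrc_env_vars.tpl` snippets have, so a reader must infer from the body that the tuple is `(userClass, identityEndpoint, context)`, that `$userClass` selects an entry under `endpoints.identity.auth`, and that the output is the base64-encoded data section of a Secret holding the user's credentials. A header stating those three positional arguments, that `OS_INTERFACE` and `OS_DEFAULT_DOMAIN` fall back to `internal` and `default`, and that `OS_CACERT` is emitted only when the selected auth entry has a `cacert` field would make the contract explicit. Since the rendered Secret contains `OS_PASSWORD`, the header is also the place to note that the chart-side values for this entry must come from a values override or secret, not be committed in plain `values.yaml`.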
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl 
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
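Review bot: The `{{ if eq $v "secrets" }} - secrets` branch of the Role's `resources:` list grants `list` as well as `get`, and `list` cannot be narrowed with `resourceNames`, so every pod running under this ServiceAccount can enumerate and read all Secrets in `$saNamespace`, not just the one its dependency names. If the dependency check only needs to confirm a named secret exists (I cannot tell from this hunk), `get` with `resourceNames` is the least-privilege form; otherwise add `{{/* NOTE: list on secrets is namespace-wide; every Secret in the namespace becomes readable */}}` above the branch so the breadth is deliberate. The single `apiGroups`/`verbs` block also applies `extensions`, `batch` and `apps` to `secrets`, `services` and `endpoints`, which is wider than needed though harmless today. This branch is fed by the `secret` key handled in _kubernetes_pod_rbac_serviceaccount.tpl in the next hunk.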
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}} +{{- $envAll := index . 0 -}} +{{- $component := index . 1 -}} +{{- $saName := index . 2 -}} +{{- $saNamespace := $envAll.Release.Namespace }} +{{- $randomKey := randAlphaNum 32 }} +{{- $allNamespace := dict $randomKey "" }} + +{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}} +{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}} +{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}} +{{- if eq $component "pod_dependency" -}} +{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}} +{{- else -}} +{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}} +{{- end -}} +{{- else -}} +{{- if eq $component "pod_dependency" -}} +{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}} +{{- else -}} +{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}} +{{- end -}} 
+{{- end -}} +{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $saName }} + namespace: {{ $saNamespace }} +{{- if $envAll.Values.manifests.secret_registry }} +{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }} +imagePullSecrets: + - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }} +{{- end -}} +{{- end -}} +{{- range $k, $v := $deps -}} +{{- if eq $k "services" }} +{{- range $serv := $v }} +{{- $endpointMap := index $envAll.Values.endpoints $serv.service }} +{{- $endpointNS := $endpointMap.namespace | default $saNamespace }} +{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }} +{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }} +{{- end -}} +{{- end -}} +{{- else if and (eq $k "jobs") $v }} +{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }} +{{- else if and (eq $k "daemonset") $v }} +{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }} +{{- else if and (eq $k "pod") $v }} +{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }} +{{- else if and (eq $k "secret") $v }} +{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }} +{{- end -}} +{{- end -}} +{{- $_ := unset $allNamespace $randomKey }} +{{- range $ns, $vv := $allNamespace }} +{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }} +{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }} +{{- end -}} +{{- end -}} 
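Review bot: `$endpointMap := index $envAll.Values.endpoints $serv.service` is not checked before `$endpointMap.namespace` is read, so a dependency whose service has no `endpoints.<name>` entry aborts rendering with a nil-dereference error that does not say which service was missing (as far as I can tell from Go template semantics). Fail with a named message instead: `{{- if not $endpointMap }}{{ fail (printf "no endpoints entry for dependency service %q" $serv.service) }}{{ end }}`. The `randAlphaNum 32` placeholder key used to seed `$allNamespace` and then `unset` is hard to follow; a one-line comment such as `{{/* placeholder key so the dict is non-nil; removed before use */}}` would save the next reader a detour. Note also that the `secret` branch here is what turns on namespace-wide `list` of Secrets in the Role rendered by the previous hunk.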
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders securityContext for a Kubernetes pod. + For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core +examples: + - values: | + pod: + # NOTE: The 'user' key is deprecated, and will be removed shortly. + user: + myApp: + uid: 34356 + security_context: + myApp: + pod: + runAsNonRoot: true + usage: | + {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }} + return: | + securityContext: + runAsUser: 34356 + runAsNonRoot: true + - values: | + pod: + security_context: + myApp: + pod: + runAsUser: 34356 + runAsNonRoot: true + usage: | + {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }} + return: | + securityContext: + runAsNonRoot: true + runAsUser: 34356 +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}} +{{- $envAll := index . "envAll" -}} +{{- $application := index . 
"application" -}} +securityContext: +{{- if hasKey $envAll.Values.pod "user" }} +{{- if hasKey $envAll.Values.pod.user $application }} +{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }} + runAsUser: {{ index $envAll.Values.pod.user $application "uid" }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if hasKey $envAll.Values.pod "security_context" }} +{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }} +{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_probes.tpl new file mode 100644 index 0000000..7470760 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_probes.tpl 
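Review bot: When both the deprecated `pod.user.<app>.uid` and `pod.security_context.<app>.pod.runAsUser` are set, the define emits `runAsUser` twice under `securityContext:`, once from the legacy branch and once from `toYaml`; strict YAML parsers reject duplicate keys and lenient ones silently keep the last, so which uid the pod actually runs as depends on the parser. Skip the legacy line when the new form supplies one, e.g. wrap it in `{{- if not (hasKey (index $envAll.Values.pod.security_context $application "pod" | default dict) "runAsUser") }}`. The `toYaml ( index ... $application "pod" )` line also does not check that the `pod` sub-key exists, so an application entry with only `container:` renders `null` under `securityContext:` (hedged: `index` returns the zero value for a missing key). The abstract's "seurity context" should read "security context".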
@@ -0,0 +1,55 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders kubernetes liveness and readiness probes for containers +values: | + pod: + probes: + api: + default: + readiness: + enabled: true + params: + initialDelaySeconds: 30 + timeoutSeconds: 30 +usage: | + {{- define "probeTemplate" }} + httpGet: + path: /status + port: 9090 + {{- end }} + {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }} +return: | + readinessProbe: + httpGet: + path: /status + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_probe" -}} +{{- $envAll := index . "envAll" -}} +{{- $component := index . "component" -}} +{{- $container := index . "container" -}} +{{- $type := index . "type" -}} +{{- $probeTemplate := index . "probeTemplate" -}} +{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}} +{{- if $probeOpts.enabled -}} +{{- $probeOverides := index $probeOpts "params" | default dict -}} +{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_resources.tpl new file mode 100644 index 0000000..24d30cf --- /dev/null 
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_resources.tpl @@ -0,0 +1,53 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Note: This function is deprecated and will be removed in the future. + +abstract: | + Renders kubernetes resource limits for pods +values: | + pod: + resources: + enabled: true + api: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + hugepages-1Gi: "1Gi" + +usage: | + {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }} +return: | + resources: + limits: + cpu: "2000m" + memory: "1024Mi" + hugepages-1Gi: "1Gi" + requests: + cpu: "100m" + memory: "128Mi +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_resources" -}} +{{- $envAll := index . 0 -}} +{{- $component := index . 1 -}} +{{- if $envAll.Values.pod.resources.enabled -}} +resources: +{{ toYaml $component | trim | indent 2 }} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl new file mode 100644 index 0000000..555ffb0 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl 
@@ -0,0 +1,47 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders seccomp annotations for a list of containers driven by values.yaml. +values: | + pod: + seccomp: + myPodName: + myContainerName: localhost/mySeccomp + mySecondContainerName: localhost/secondProfile # optional + myThirdContainerName: localhost/thirdProfile # optional +usage: | + {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }} +return: | + container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp + container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile + container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile +note: | + The number of container underneath is a variable arguments. It loops through + all the container names specified. +*/}} +{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}} +{{- $envAll := index . "envAll" -}} +{{- $podName := index . "podName" -}} +{{- $containerNames := index . 
"containerNames" -}} +{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}} +{{- range $name := $containerNames -}} +{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}} +{{- if $seccompProfile }} +container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl new file mode 100644 index 0000000..e4af6a6 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl @@ -0,0 +1,45 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders kubernetes tolerations for pods +values: | + pod: + tolerations: + api: + enabled: true + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + - key: node-role.kubernetes.io/node + operator: Exists + +usage: | + {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }} +return: | + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + - key: node-role.kubernetes.io/node + operator: Exists +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}} +{{- $envAll := index . 0 -}} +{{- $component := index . 1 -}} +{{- $pod := index $envAll.Values.pod.tolerations $component }} +tolerations: +{{ toYaml $pod.tolerations }} +{{- end -}} 
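Review bot: The annotation key `container.seccomp.security.alpha.kubernetes.io/{{ $name }}` written in the `range` body is the deprecated alpha form; Kubernetes deprecated these annotations in v1.19 in favour of `securityContext.seccompProfile`, and newer kubelets no longer apply them (the annotation path was removed around v1.27, if I recall correctly), so on such clusters the profile configured under `pod.seccomp` is silently not enforced while the rendered manifest looks as if it were. Since this commit vendors helm-toolkit for a MAAS upgrade on a current cluster, add `{{/* NOTE: seccomp annotations are deprecated since Kubernetes 1.19 and ignored by newer kubelets; prefer securityContext.seccompProfile */}}` at the define and consider a sibling snippet that renders `seccompProfile: {type: Localhost, localhostProfile: <profile>}` into the container securityContext.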
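Review bot: `enabled: true` appears in the documented `values:` for `pod.tolerations.<component>`, but the define never reads it: `tolerations:` and `toYaml $pod.tolerations` are emitted unconditionally. Either honour it with `{{- if $pod.enabled }}` around the output, or drop `enabled` from the values example so callers do not assume the snippet gates on it.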
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
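Review bot: `type: {{ $pod_replacement_strategy }}` is rendered before the `{{- if $pod_replacement_strategy }}` guard, so when `pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy` is unset the output is `updateStrategy:` with an empty `type:`, which the guard below suggests was meant to be avoided. Either move the `type:` line inside the `if`, or drop the outer `if` since `eq $pod_replacement_strategy "RollingUpdate"` already handles the empty case. A short header comment like `{{/* pod_replacement_strategy is read from the daemonsets map, not from the per-component entry */}}` would also make the two lookups on different keys easier to follow.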
@@ -0,0 +1,27 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}} +{{- $envAll := index . 0 -}} +{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}} +revisionHistoryLimit: {{ .revision_history }} +strategy: + type: {{ .pod_replacement_strategy }} + {{- if eq .pod_replacement_strategy "RollingUpdate" }} + rollingUpdate: + maxUnavailable: {{ .rolling_update.max_unavailable }} + maxSurge: {{ .rolling_update.max_surge }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl new file mode 100644 index 0000000..f897023 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl 
@@ -0,0 +1,51 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders upgradeStrategy configuration for Kubernetes statefulsets. + See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + Types: + - RollingUpdate (default) + - OnDelete + Partitions: + - Stage updates to a statefulset by keeping pods at current version while + allowing mutations to statefulset's .spec.template +values: | + pod: + lifecycle: + upgrades: + statefulsets: + pod_replacement_strategy: RollingUpdate + partition: 2 +usage: | + {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }} +return: | + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: 2 +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}} +{{- $envAll := index . 0 -}} +{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}} +updateStrategy: + type: {{ .pod_replacement_strategy }} + {{ if .partition -}} + rollingUpdate: + partition: {{ .partition }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/deps/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl new file mode 100644 index 0000000..fc74c6f --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl 
@@ -0,0 +1,68 @@ +{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}} +{{/* + +Inserts a bash function definition mon_host_from_k8s_ep() which can be used +to construct a mon_hosts value from the given namespaced endpoint. + +Usage (e.g. in _script.sh.tpl): + #!/bin/bash + + : "${NS:=ceph}" + : "${EP:=ceph-mon-discovery}" + + {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }} + + MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP") + + if [ -z "$MON_HOST" ]; then + # deal with failure + else + sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf + fi +*/}} +{{` +# Construct a mon_hosts value from the given namespaced endpoint +# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0] +# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0] +# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0] +# The entries for all IPs will be joined with commas +mon_host_from_k8s_ep() { + local ns=$1 + local ep=$2 + + if [ -z "$ns" ] || [ -z "$ep" ]; then + return 1 + fi + + # We don't want shell expansion for the go-template expression + # shellcheck disable=SC2016 + kubectl get endpoints -n "$ns" "$ep" -o go-template=' + {{- $sep := "" }} + {{- range $_,$s := .subsets }} + {{- $v2port := 0 }} + {{- $v1port := 0 }} + {{- range $_,$port := index $s "ports" }} + {{- if (eq $port.name "mon-msgr2") }} + {{- $v2port = $port.port }} + {{- else if (eq $port.name "mon") }} + {{- $v1port = $port.port }} + {{- end }} + {{- end }} + {{- range $_,$address := index $s "addresses" }} + {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }} + {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }} + {{- if (and $v2port $v1port) }} + {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }} + {{- $sep = "," }} + {{- else if $v2port }} + {{- printf "%s[%s]" $sep $v2endpoint }} + {{- $sep = "," }} + {{- else if $v1port }} + {{- printf "%s[%s]" $sep $v1endpoint }} + {{- $sep = "," }} + {{- end }} + {{- end 
}} + {{- end }}' +} +`}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/deps/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl new file mode 100644 index 0000000..fec41f8 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl @@ -0,0 +1,33 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# Appends annotations for configuring prometheus scrape jobs via pod +# annotations. The required annotations are: +# * `prometheus.io/scrape`: Only scrape pods that have a value of `true` +# * `prometheus.io/path`: If the metrics path is not `/metrics` override this. +# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the +# pod's declared ports (default is a port-free target if none are declared). + +{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}} +{{- $config := index . 0 -}} +{{- if $config.scrape }} +prometheus.io/scrape: {{ $config.scrape | quote }} +{{- end }} +{{- if $config.path }} +prometheus.io/path: {{ $config.path | quote }} +{{- end }} +{{- if $config.port }} +prometheus.io/port: {{ $config.port | quote }} +{{- end }} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/deps/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl new file mode 100644 index 0000000..a827c4b --- /dev/null 
+++ b/charts/deps/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl @@ -0,0 +1,35 @@ +{{/* +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# Appends annotations for configuring prometheus scrape endpoints via +# annotations. The required annotations are: +# * `prometheus.io/scrape`: Only scrape services that have a value of `true` +# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need +# to set this to `https` & most likely set the `tls_config` of the scrape config. +# * `prometheus.io/path`: If the metrics path is not `/metrics` override this. +# * `prometheus.io/port`: If the metrics are exposed on a different port to the +# service then set this appropriately. + +{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}} +{{- $config := index . 0 -}} +{{- if $config.scrape }} +prometheus.io/scrape: {{ $config.scrape | quote }} +{{- end }} +{{- if $config.scheme }} +prometheus.io/scheme: {{ $config.scheme | quote }} +{{- end }} +{{- if $config.path }} +prometheus.io/path: {{ $config.path | quote }} +{{- end }} +{{- if $config.port }} +prometheus.io/port: {{ $config.port | quote }} +{{- end }} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/deps/helm-toolkit/templates/snippets/_release_uuid.tpl new file mode 100644 index 0000000..253920b --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_release_uuid.tpl 
@@ -0,0 +1,29 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Reneders an attonation key and value for a release +values: | + release_uuid: null +usage: | + {{ tuple . | include "helm-toolkit.snippets.release_uuid" }} +return: | + "openstackhelm.openstack.org/release_uuid": "" +*/}} + +{{- define "helm-toolkit.snippets.release_uuid" -}} +{{- $envAll := index . 0 -}} +"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl new file mode 100644 index 0000000..a3169ce --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl 
@@ -0,0 +1,32 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }} +{{- $s3AdminSecret := .s3AdminSecret }} +- name: S3_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ $s3AdminSecret }} + key: S3_ADMIN_USERNAME +- name: S3_ADMIN_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ $s3AdminSecret }} + key: S3_ADMIN_ACCESS_KEY +- name: S3_ADMIN_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ $s3AdminSecret }} + key: S3_ADMIN_SECRET_KEY +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl new file mode 100644 index 0000000..a611a5e --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl 
@@ -0,0 +1,29 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }} +{{- range $client, $config := .Values.storage.s3.clients -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }} +type: Opaque +data: +{{- range $key, $value := $config.auth }} + {{ $key | upper }}: {{ $value | toString | b64enc}} +{{- end }} + +{{ end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl new file mode 100644 index 0000000..a3dd431 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl 
@@ -0,0 +1,34 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }} +{{- range $client, $user := .Values.storage.s3.clients }} +{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }} +- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3secret }} + key: USERNAME +- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3secret }} + key: ACCESS_KEY +- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3secret }} + key: SECRET_KEY +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/deps/helm-toolkit/templates/snippets/_tls_volume.tpl new file mode 100644 index 0000000..41fe3d9 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_tls_volume.tpl 
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/deps/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +abstract: | + Renders a volume mount for TLS key, cert and CA. + + Dictionary Parameters: + enabled: boolean check if you want to conditional disable this snippet (optional) + name: name that of the volume and should match the volume name (required) + path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required) + certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}. + the default is the full set. 
(optional) + +values: | + manifests: + certificates: true + +usage: | + {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}} + {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} + +return: | + - name: glance-tls-api + mountPath: /etc/glance/certs/tls.crt + subPath: tls.crt + readOnly: true + - name: glance-tls-api + mountPath: /etc/glance/certs/tls.key + subPath: tls.key + readOnly: true + - name: glance-tls-api + mountPath: /etc/glance/certs/ca.crt + subPath: ca.crt + readOnly: true + +abstract: | + This mounts a specific issuing CA only for service validation + +usage: | + {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}} + {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} + +return: | + - name: glance-tls-api + mountPath: /etc/ssl/certs/openstack-helm.crt + subPath: ca.crt + readOnly: true +*/}} +{{- define "helm-toolkit.snippets.tls_volume_mount" }} +{{- $enabled := index . "enabled" -}} +{{- $name := index . "name" -}} +{{- $path := index . "path" | default "" -}} +{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }} +{{- if $enabled }} +{{- if and (eq $path "") (ne $name "") }} +- name: {{ $name }} + mountPath: "/etc/ssl/certs/openstack-helm.crt" + subPath: ca.crt + readOnly: true +{{- else }} +{{- if ne $name "" }} +{{- range $key, $value := $certs }} +- name: {{ $name }} + mountPath: {{ printf "%s/%s" $path $value }} + subPath: {{ $value }} + readOnly: true +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/deps/helm-toolkit/templates/snippets/_values_template_renderer.tpl new file mode 100644 index 0000000..6e9d5a1 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/snippets/_values_template_renderer.tpl 
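Review bot: The second usage block documents a `"ca" true` option, but the define never reads a `ca` key — the CA-only mount at `/etc/ssl/certs/openstack-helm.crt` is selected solely by `path` being empty via `$path := index . "path" | default ""`, so a caller passing both `path` and `ca` gets the full key/cert/CA mount, not the CA-only one. Either the abstract should state that omitting `path` is what selects the CA-only mount, or the template should honour the documented key, e.g. `{{- $caOnly := index . "ca" | default false -}}` followed by `{{- if and (or $caOnly (eq $path "")) (ne $name "") }}`. Worth deciding explicitly, since the two modes differ in whether `tls.key` is exposed inside the container.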
@@ -0,0 +1,87 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders out configuration sections into a format suitable for incorporation + into a config-map. Allowing various forms of input to be rendered out as + appropriate. +values: | + conf: + inputs: + - foo + - bar + some: + config_to_render: | + #We can use all of gotpl here: eg macros, ranges etc. + {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }} + config_to_complete: + #here we can fill out params, but things need to be valid yaml as input + '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}' + static_config: + #this is just passed though as yaml to the configmap + foo: bar +usage: | + {{- $envAll := . 
}} + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: application-etc + data: + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }} +return: | + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: application-etc + data: + config_to_render.conf: | + #We can use all of gotpl here: eg macros, ranges etc. + foo,bar + + config_to_complete.yaml: | + 'RELEASE-NAME': 'default-namespace' + + static_config.yaml: | + foo: bar +*/}} + +{{- define "helm-toolkit.snippets.values_template_renderer" -}} +{{- $envAll := index . "envAll" -}} +{{- $template := index . "template" -}} +{{- $key := index . "key" -}} +{{- $format := index . "format" | default "configMap" -}} +{{- with $envAll -}} +{{- $templateRendered := tpl ( $template | toYaml ) . }} +{{- if eq $format "Secret" }} +{{- if hasPrefix "|\n" $templateRendered }} +{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }} +{{- else }} +{{ $key }}: {{ $templateRendered | b64enc }} +{{- end -}} +{{- else }} +{{- if hasPrefix "|\n" $templateRendered }} +{{ $key }}: | +{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }} +{{- else }} +{{ $key }}: | +{{ $templateRendered | indent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/deps/helm-toolkit/templates/tls/_tls_generate_certs.tpl new file mode 100644 index 0000000..6d617a1 --- /dev/null 
+++ b/charts/deps/helm-toolkit/templates/tls/_tls_generate_certs.tpl 
@@ -0,0 +1,94 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Produces a certificate from a certificate authority. If the "encode" parameter + is true, base64 encode the values for inclusion in a Kubernetes secret. +values: | + test: + hosts: + names: + - barbican.openstackhelm.example + - barbican.openstack.svc.cluster.local + ips: + - 127.0.0.1 + - 192.168.0.1 + life: 3 + # Use ca.crt and ca.key to build a customized ca, if they are provided. + # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided. + ca: + crt: | + + key: | + +usage: | + {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }} +return: | + ca: | + + crt: | + + exp: 2018-09-01T10:56:07.895392915-00:00 + key: | + +*/}} + +{{- define "helm-toolkit.utils.tls_generate_certs" -}} +{{- $params := index . "params" -}} +{{- $encode := index . 
"encode" | default false -}} +{{- $local := dict -}} + +{{- $_hosts := $params.hosts.names | default list }} +{{- if kindIs "string" $params.hosts.names }} +{{- $_ := set $local "certHosts" (list $params.hosts.names) }} +{{- else }} +{{- $_ := set $local "certHosts" $_hosts }} +{{- end }} + +{{- $_ips := $params.hosts.ips | default list }} +{{- if kindIs "string" $params.hosts.ips }} +{{- $_ := set $local "certIps" (list $params.hosts.ips) }} +{{- else }} +{{- $_ := set $local "certIps" $_ips }} +{{- end }} + +{{- if hasKey $params "ca" }} +{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }} +{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }} +{{- $_ := set $local "ca" $ca }} +{{- end }} +{{- else }} +{{- $ca := genCA (first $local.certHosts) (int $params.life) }} +{{- $_ := set $local "ca" $ca }} +{{- end }} + +{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }} +{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }} +{{- $certificate := dict -}} +{{- if $encode -}} +{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}} +{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}} +{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}} +{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}} +{{- $_ := b64enc $expDate | set $certificate "exp" -}} +{{- else -}} +{{- $_ := set $certificate "crt" $rawCert.Cert -}} +{{- $_ := set $certificate "key" $rawCert.Key -}} +{{- $_ := set $certificate "ca" $local.ca.Cert -}} +{{- $_ := set $certificate "caKey" $local.ca.Key -}} +{{- $_ := set $certificate "exp" $expDate -}} +{{- end -}} +{{- $certificate | toYaml }} +{{- end -}} 
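Review bot: When `$params.ca` exists but lacks either `crt` or `key`, the inner `if and (hasKey $params.ca "crt") (hasKey $params.ca "key")` has no else branch, so `$local.ca` is never set and the later `genSignedCert ... $local.ca` runs with a nil CA; the `genCA` fallback should cover that case too, e.g. add `{{- else }}` / `{{- $ca := genCA (first $local.certHosts) (int $params.life) }}` / `{{- $_ := set $local "ca" $ca }}` to the inner `if` (or fold both conditions into one test). Separately, both the encoded and plain branches put `caKey` — the CA private key — into the returned map, while the `return:` block in the abstract lists only `ca`, `crt`, `exp` and `key`; documenting `caKey` there tells a caller that dumping the whole map into a Secret ships the CA key alongside the leaf certificate.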
diff --git a/charts/deps/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/deps/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/deps/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/deps/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.daemonset_overrides" }} + {{- $daemonset := index . 0 }} + {{- $daemonset_yaml := index . 1 }} + {{- $configmap_include := index . 2 }} + {{- $configmap_name := index . 3 }} + {{- $context := index . 4 }} + {{- $_ := unset $context ".Files" }} + {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }} + {{- $_ := set $context.Values "__daemonset_list" list }} + {{- $_ := set $context.Values "__default" dict }} + {{- if hasKey $context.Values.conf "overrides" }} + {{- range $key, $val := $context.Values.conf.overrides }} + + {{- if eq $key $daemonset_root_name }} + {{- range $type, $type_data := . }} + + {{- if eq $type "hosts" }} + {{- range $host_data := . }} + {{/* dictionary that will contain all info needed to generate this + iteration of the daemonset */}} + {{- $current_dict := dict }} + + {{/* set daemonset name */}} + {{/* Note: long hostnames can cause the 63 char name limit to be + exceeded. 
Truncate the hostname if hostname > 20 char */}} + {{- if gt (len $host_data.name) 20 }} + {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }} + {{- else }} + {{- $_ := set $current_dict "name" $host_data.name }} + {{- end }} + + {{/* apply overrides */}} + {{- $override_conf_copy := $host_data.conf }} + {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}} + {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }} + {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }} + {{- $root_conf_copy2 := dict "conf" $merged_dict }} + {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }} + + {{/* Schedule to this host explicitly. */}} + {{- $nodeSelector_dict := dict }} + + {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $nodeSelector_dict "operator" "In" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $nodeSelector_dict "values" $values_list }} + + {{- $list_aggregate := list $nodeSelector_dict }} + {{- $_ := set $current_dict "matchExpressions" $list_aggregate }} + + {{/* store completed daemonset entry/info into global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + + {{- end }} + {{- end }} + + {{- if eq $type "labels" }} + {{- $_ := set $context.Values "__label_list" . }} + {{- range $label_data := . }} + {{/* dictionary that will contain all info needed to generate this + iteration of the daemonset. 
*/}} + {{- $_ := set $context.Values "__current_label" dict }} + + {{/* set daemonset name */}} + {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }} + + {{/* apply overrides */}} + {{- $override_conf_copy := $label_data.conf }} + {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}} + {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }} + {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }} + {{- $root_conf_copy2 := dict "conf" $merged_dict }} + {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }} + + {{/* Schedule to the provided label value(s) */}} + {{- $label_dict := omit $label_data.label "NULL" }} + {{- $_ := set $label_dict "operator" "In" }} + {{- $list_aggregate := list $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + + {{/* Do not schedule to other specified labels, with higher + precedence as the list position increases. Last defined label + is highest priority. */}} + {{- $other_labels := without $context.Values.__label_list $label_data }} + {{- range $label_data2 := $other_labels }} + {{- $label_dict := omit $label_data2.label "NULL" }} + + {{- $_ := set $label_dict "operator" "NotIn" }} + + {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + {{- end }} + {{- $_ := set $context.Values "__label_list" $other_labels }} + + {{/* Do not schedule to any other specified hosts */}} + {{- range $type, $type_data := $val }} + {{- if eq $type "hosts" }} + {{- range $host_data := . 
}} + {{- $label_dict := dict }} + + {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $label_dict "operator" "NotIn" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $label_dict "values" $values_list }} + + {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{- end }} + + {{/* store completed daemonset entry/info into global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + {{- $_ := unset $context.Values "__current_label" }} + + {{- end }} + {{- end }} + {{- end }} + + {{/* scheduler exceptions for the default daemonset */}} + {{- $_ := set $context.Values.__default "matchExpressions" list }} + + {{- range $type, $type_data := . }} + {{/* Do not schedule to other specified labels */}} + {{- if eq $type "labels" }} + {{- range $label_data := . }} + {{- $default_dict := omit $label_data.label "NULL" }} + + {{- $_ := set $default_dict "operator" "NotIn" }} + + {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }} + {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{/* Do not schedule to other specified hosts */}} + {{- if eq $type "hosts" }} + {{- range $host_data := . 
}} + {{- $default_dict := dict }} + + {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $default_dict "operator" "NotIn" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $default_dict "values" $values_list }} + + {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }} + {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + + {{/* generate the default daemonset */}} + + {{/* set name */}} + {{- $_ := set $context.Values.__default "name" "default" }} + + {{/* no overrides apply, so copy as-is */}} + {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }} + {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }} + {{- $context_values := omit $context.Values "conf" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }} + + {{/* add to global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + + {{- range $current_dict := $context.Values.__daemonset_list }} + + {{- $context_novalues := omit $context "Values" }} + {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }} + {{- $_ := set $current_dict "nodeData" $merged_dict }} + {{/* Deep copy original daemonset_yaml */}} + {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }} + + {{/* name needs to be a DNS-1123 compliant name. 
Ensure lower case */}} + {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }} + {{/* labels may contain underscores which would be invalid here, so we replace them with dashes + there may be other valid label names which would make for an invalid DNS-1123 name + but these will be easier to handle in future with sprig regex* functions + (not availabile in helm 2.5.1) */}} + {{- $name_format2 := $name_format1 | replace "_" "-" }} + {{/* To account for the case where the same label is defined multiple times in overrides + (but with different label values), we add a sha of the scheduling data to ensure + name uniqueness */}} + {{- $_ := set $current_dict "dns_1123_name" dict }} + {{- if hasKey $current_dict "matchExpressions" }} + {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }} + {{- else }} + {{- $_ := set $current_dict "dns_1123_name" $name_format2 }} + {{- end }} + + {{/* set daemonset metadata name */}} + {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }} + {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }} + + {{/* cross-reference configmap name to container volume definitions */}} + {{- $_ := set $context.Values "__volume_list" list }} + {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }} + {{- $_ := set $context.Values "__volume" $current_volume }} + {{- if hasKey $context.Values.__volume "secret" }} + {{- if eq $context.Values.__volume.secret.secretName $configmap_name }} + {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }} + {{- end }} + {{- end }} + {{- $updated_list := append 
$context.Values.__volume_list $context.Values.__volume }} + {{- $_ := set $context.Values "__volume_list" $updated_list }} + {{- end }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }} + + + {{/* populate scheduling restrictions */}} + {{- if hasKey $current_dict "matchExpressions" }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }} + {{- $match_exprs := dict }} + {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }} + {{- $appended_match_expr := list $match_exprs }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }} + {{- end }} + + {{/* input value hash for current set of values overrides */}} + {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict 
}}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }} + {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }} + {{- $values_hash := $cmap | quote | sha256sum }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }} + + {{/* generate configmap */}} +--- +{{ $cmap }} + {{/* generate daemonset yaml */}} +--- +{{ $context.Values.__daemonset_yaml | toYaml }} + {{- end }} +{{- end }} diff --git a/charts/deps/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/deps/helm-toolkit/templates/utils/_dependency_resolver.tpl new file mode 100644 index 0000000..4a88dd8 --- /dev/null +++ b/charts/deps/helm-toolkit/templates/utils/_dependency_resolver.tpl 
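Review bot: `{{- $_ := unset $context ".Files" }}` near the top of `helm-toolkit.utils.daemonset_overrides` uses the literal key `".Files"`, whereas the root context map is keyed `Files` (no leading dot), so this appears to be a no-op; if the intent is to drop the chart files before the `toYaml | fromYaml` deep copies further down, it should read `{{- $_ := unset $context "Files" }}`. I have not executed the template, so treat the key name as something to confirm. A second point in the same hunk: the `range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes` that rewrites `secretName` runs before the `if not ...spec.template.spec` guards, so a daemonset YAML with no `spec.template.spec` would fail there rather than being defaulted; moving those guards above the volume loop would make the ordering consistent.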
@@ -0,0 +1,40 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.dependency_resolver" }} +{{- $envAll := index . "envAll" -}} +{{- $dependencyMixinParam := index . "dependencyMixinParam" -}} +{{- $dependencyKey := index . "dependencyKey" -}} +{{- if $dependencyMixinParam -}} +{{- $_ := set $envAll.Values "pod_dependency" dict -}} +{{- if kindIs "string" $dependencyMixinParam }} +{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }} +{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}} +{{- else }} +{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }} +{{- end }} +{{- else if kindIs "slice" $dependencyMixinParam }} +{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }} +{{- range $k, $v := $dependencyMixinParam -}} +{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }} +{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}} +{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}} +{{- end }} +{{- end }} +{{- end }} +{{- else -}} +{{- $_ := set $envAll.Values "pod_dependency" 
( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/deps/helm-toolkit/templates/utils/_hash.tpl b/charts/deps/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_host_list.tpl b/charts/deps/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_host_list.tpl
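Review bot: In `helm-toolkit.utils.hash` the local `$wtf` holds the path of the sibling template whose rendered output is hashed; a descriptive name reads better, e.g. `{{- $templatePath := $context.Template.Name | replace $last $name -}}` and `{{- include $templatePath $context | sha256sum | quote -}}`. Also worth a one-line comment that `replace $last $name` substitutes every occurrence of the basename in `Template.Name`, not only the final path segment, so the helper relies on the basename not recurring in a directory name — that holds for the usual `templates/<file>` layout but is an assumption, not a check.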
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/deps/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/deps/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_joinListWithComma.tpl
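Review bot: The separator is emitted before the exclusion check — `{{- if not $local.first -}},{{- end -}}` sits outside `{{- if (not (has $k $imageExcludeList )) -}}` — so once one image has been printed, every excluded key that follows still produces a comma, yielding output such as `img1,,img2` or a trailing `img1,`. Moving the separator inside the exclusion branch fixes it: `{{- if (not (has $k $imageExcludeList )) -}}{{- if not $local.first -}},{{- end -}}{{- index $imageDict $k -}}`. An abstract/usage comment like the other utils in this patch carry would also help, since the meaning of `local_registry.exclude` is not obvious from the template alone.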
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/deps/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/deps/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
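Review bot: Each value is wrapped in single quotes without any escaping, so a value that itself contains `'` produces an unbalanced quoted string and whatever consumes the output (the abstract does not say what that is) will mis-parse it. Either escape for the intended consumer or state the constraint in the abstract, e.g. `Values are inserted verbatim and must not contain single quotes.`. The abstract also misspells `seperated` (`separated`).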
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/deps/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_joinListWithSpace.tpl
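Review bot: The first line of this file is `{/*` rather than `{{/*`, so the license block is not a template comment: Go templates treat everything outside `{{ }}` as literal output, and only Helm's rule that underscore-prefixed partials are never rendered as manifests keeps it from showing up. Unless this is an artefact of how the patch was captured, the first line should be `{{/*`, as in every other new utils file in this patch.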
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_merge.tpl b/charts/deps/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append
$local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_template.tpl b/charts/deps/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_to_ini.tpl b/charts/deps/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
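Review bot: `helm-toolkit.utils._merge` starts by setting `result` to `$.source`, so when a map or slice in the target meets a scalar, or a different kind of collection, in the source, the target is silently thrown away — exactly the case the TODO in the hunk raises — and in a values-override pipeline that hides a mistyped override instead of reporting it at `helm template` time. The TODO could be resolved by failing only when the target is a collection and the source is of another kind, which keeps the documented scalar-replaces-scalar behaviour: `{{- if and (or (kindIs "map" $.target) (kindIs "slice" $.target)) (ne (kindOf $.target) (kindOf $.source)) -}}{{- fail (printf "merge: cannot merge %s into %s" (kindOf $.source) (kindOf $.target)) -}}{{- end -}}`. If silent replacement is intended, the header comment should say so explicitly rather than leaving it as an open question.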
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/deps/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret- template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/deps/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
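Review bot: The usage line in the abstract calls `helm-toolkit.utils.to_k8s_env_vars` with a single argument, but the template defined here is `helm-toolkit.utils.to_k8s_env_secret_vars` and it takes a tuple — `index . 0` is the context whose `.Release.Name` is read, `index . 1` the secrets map — so the example as written would not render. Something like `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}` matches both the define and the `values` block above it. It is also worth stating in the abstract that the referenced Secret must be named `<release>-env-secret`, since that name is derived from `.Release.Name` here and nothing else in the template checks it.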
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/deps/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/deps/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/deps/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := .
-}} +{{- if kindIs "map" $values -}} +[{{ $section }}] +{{ range $key, $value := $values -}} +{{- if kindIs "slice" $value -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }} +{{ else if kindIs "map" $value -}} +{{- if eq $value.type "multistring" }} +{{- range $k, $multistringValue := $value.values -}} +{{ $key }} = {{ $multistringValue }} +{{ end -}} +{{ else if eq $value.type "csv" -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }} +{{ end -}} +{{- else -}} +{{ $key }} = {{ $value }} +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/deps/helm-toolkit/values.yaml b/charts/deps/helm-toolkit/values.yaml new file mode 100644 index 0000000..681a92b --- /dev/null +++ b/charts/deps/helm-toolkit/values.yaml @@ -0,0 +1,16 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for utils. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value diff --git a/charts/maas/Chart.yaml b/charts/maas/Chart.yaml index 675f682..0d183dd 100755 --- a/charts/maas/Chart.yaml +++ b/charts/maas/Chart.yaml @@ -16,6 +16,7 @@ apiVersion: v1 description: Chart to run Canonical MaaS name: maas version: 0.1.4 +appVersion: 3.2.7 home: https://docs.ubuntu.com/maas sources: - https://git.launchpad.net/maas diff --git a/charts/maas/requirements.lock b/charts/maas/requirements.lock new file mode 100644 index 0000000..4ea27ba --- /dev/null 
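Review bot: In the `kindIs "map" $value` branch, `{{- if eq $value.type "multistring" }}` is evaluated for every nested map, including one that has no `type` key; `$value.type` is then nil, and `eq` on a nil and a string either errors at render time or, on newer Go/Helm builds, quietly compares false, after which the `else if eq $value.type "csv"` chain has no final branch and the option is dropped from the rendered conf without a trace. A nested map whose `type` is something other than `multistring`/`csv` disappears the same way. Checking for the key and failing on an unknown shape surfaces the mistake at `helm template` time instead of as a missing option in a service's config:

```gotemplate
{{ else if kindIs "map" $value -}}
{{- if not (hasKey $value "type") -}}
{{- fail (printf "to_oslo_conf: [%s] %s is a map without a type key" $section $key) -}}
{{- end -}}
{{- if eq $value.type "multistring" }}
{{- range $k, $multistringValue := $value.values -}}
{{ $key }} = {{ $multistringValue }}
{{ end -}}
{{ else if eq $value.type "csv" -}}
{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
{{ else -}}
{{- fail (printf "to_oslo_conf: [%s] %s has unknown type %s" $section $key $value.type) -}}
{{ end -}}
{{/* … unchanged: scalar branch and closing ends … */}}
```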
+++ b/charts/maas/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../deps/helm-toolkit
+ version: 0.2.52
+digest: sha256:69d0ea8a5dd5f85d011846c3833dd78d5df86c47180b3dea36a312050e19d0e3
+generated: "2023-03-31T09:08:16.254104-04:00"
diff --git a/charts/maas/templates/bin/_enable-tls.sh.tpl b/charts/maas/templates/bin/_enable-tls.sh.tpl
new file mode 100644
index 0000000..c07f9f4
--- /dev/null
+++ b/charts/maas/templates/bin/_enable-tls.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+maas config-tls enable --yes --port 5240 --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt
diff --git a/charts/maas/templates/bin/_import-boot-resources.sh.tpl b/charts/maas/templates/bin/_import-boot-resources.sh.tpl
index 7ca5999..0227a84 100644
--- a/charts/maas/templates/bin/_import-boot-resources.sh.tpl
+++ b/charts/maas/templates/bin/_import-boot-resources.sh.tpl
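Review bot: The TLS port `5240` and the three certificate paths under `/etc/maas/ssl/` are hard-coded in the `maas config-tls enable` line, while the rest of this patch drives TLS from chart values (`.Values.conf.maas.tls.enabled`) and the login scripts trust a CA at a different path, `/usr/local/share/ca-certificates/maas-ca.crt`; a reader has to cross-check the pod spec to confirm that both mounts exist and carry the same CA. Templating the port from the chart's endpoint definitions (the `helm-toolkit.endpoints.endpoint_port_lookup` helper this patch vendors) and the mount path from a single values key keeps the two in one place. A one-line comment above the command, e.g. `# Enables native TLS on the region API; key/cert/CA are mounted from the chart's TLS secret`, would also tell the next maintainer where the files come from, since this script is a `.tpl` but contains no templating of its own.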
@@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900} RETRY_TIMER=${RETRY_TIMER:-30} function timer { - retry_wait=$1 - shift + retry_wait=$1 + shift - while [[ ${JOB_TIMEOUT} -gt 0 ]] - do - "$@" - rc=$? - if [ $rc -eq 0 ] - then - return $rc - else - JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait)) - sleep $retry_wait - fi - done + while [[ ${JOB_TIMEOUT} -gt 0 ]]; do + "$@" + rc=$? + if [ $rc -eq 0 ]; then + return $rc + else + JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait)) + sleep $retry_wait + fi + done - return 124 + return 124 } function import_resources { - check_for_download - rc=$? + check_for_download + rc=$? - if [ $rc -ne 0 ] - then - echo "Starting image import try ${import_tries}..." - maas ${ADMIN_USERNAME} boot-resources import - sleep 30 - check_for_download - rc=$? - fi + if [ $rc -ne 0 ]; then + echo "Starting image import try ${import_tries}..." + maas ${ADMIN_USERNAME} boot-resources import + sleep 30 + check_for_download + rc=$? + fi - return $rc + return $rc } function start_import { - timer "$RETRY_TIMER" import_resources + timer "$RETRY_TIMER" import_resources } function check_for_download { - if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; - then - echo -e '\nBoot resources currently importing\n' - return 1 - else - synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO) - if [[ $synced_imgs -gt 0 ]] - then - echo 'Boot resources have completed importing' - return 0 - else - echo 'Import failed!' 
- return 1 - fi - fi + if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then + echo -e '\nBoot resources currently importing\n' + return 1 + else + synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO) + if [[ $synced_imgs -gt 0 ]]; then + echo 'Boot resources have completed importing' + return 0 + else + echo 'Import failed!' + return 1 + fi + fi } function check_then_set_single { - option="$1" - value="$2" + option="$1" + value="$2" - cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') - desired_val=$(echo ${value} | tr -d '"') + cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') + desired_val=$(echo ${value} | tr -d '"') - if [[ $cur_val != $desired_val ]] - then - echo "Setting MAAS option ${option} to ${desired_val}" - maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} - return $? - else - echo "MAAS option ${option} already set to ${cur_val}" - return 0 - fi + if [[ $cur_val != $desired_val ]]; then + echo "Setting MAAS option ${option} to ${desired_val}" + maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} + return $? 
+ else + echo "MAAS option ${option} already set to ${cur_val}" + return 0 + fi } function check_then_set { - option=$1 - value=$2 + option=$1 + value=$2 - timer "$RETRY_TIMER" check_then_set_single "$option" "$value" + timer "$RETRY_TIMER" check_then_set_single "$option" "$value" } # Get rack controllers reporting a healthy rackd function get_active_rack_controllers { - maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' + maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' } function check_for_rack_sync_single { - sync_list="" + sync_list="" - rack_list=$(get_active_rack_controllers) - for rack_id in ${rack_list} - do - selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") - synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') - if [[ $synced_ctlr == "true" && ! 
-z ${selected_imgs} ]] - then - sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) - else - maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} - fi - if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]] - then - return 0 - fi - done + rack_list=$(get_active_rack_controllers) + for rack_id in ${rack_list}; do + selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") + synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') + if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then + sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) + else + maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} + fi + if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then + return 0 + fi + done - return 1 + return 1 } function check_for_rack_sync { - timer "$RETRY_TIMER" check_for_rack_sync_single + timer "$RETRY_TIMER" check_for_rack_sync_single } function configure_proxy { - check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} - check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} - check_then_set http_proxy ${MAAS_PROXY_SERVER} - check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} + check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} + check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} + check_then_set http_proxy ${MAAS_PROXY_SERVER} + check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} } function configure_ntp { - check_then_set ntp_servers ${MAAS_NTP_SERVERS} - check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} + check_then_set ntp_servers ${MAAS_NTP_SERVERS} + check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} } function configure_dns { - 
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} - check_then_set upstream_dns ${MAAS_DNS_SERVERS} + check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} + check_then_set upstream_dns ${MAAS_DNS_SERVERS} } function configure_syslog { - check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} + check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} } function configure_images { - check_for_rack_sync + check_for_rack_sync - if [[ $? -eq 124 ]] - then - echo "Timed out waiting for rack controller sync." - return 1 - fi + if [[ $? -eq 124 ]]; then + echo "Timed out waiting for rack controller sync." + return 1 + fi - check_then_set default_osystem ${MAAS_DEFAULT_OS} - check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} - check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} - check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} + check_then_set default_osystem ${MAAS_DEFAULT_OS} + check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} + check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} + check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} } function configure_boot_sources { - if [[ $USE_IMAGE_CACHE == 'true' ]] - then - maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ - fi + if [[ $USE_IMAGE_CACHE == 'true' ]]; then + maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ + fi - selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" + selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" - if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}" - then - # Need to start an import to get the availability data - maas "$ADMIN_USERNAME" boot-resources import - if ! 
maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ - release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then - return 1 - fi - fi + if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then + # Need to start an import to get the availability data + maas "$ADMIN_USERNAME" boot-resources import + if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ + release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then + return 1 + fi + fi } function create_extra_commissioning_script { @@ -215,21 +203,24 @@ EOF } function configure_extra_settings { -{{- range $k, $v := .Values.conf.maas.extra_settings }} - check_then_set {{$k}} {{$v}} -{{- else }} - : No additional MAAS config -{{- end }} + {{- range $k, $v := .Values.conf.maas.extra_settings }} + check_then_set {{$k}} {{$v}} + {{- else }} + : No additional MAAS config + {{- end }} } function maas_login { - KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) - if [ -z "$KEY" ] - then - return 1 - fi - maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY - return $? + KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) + if [ -z "$KEY" ]; then + return 1 + fi + {{- if .Values.conf.maas.tls.enabled }} + maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- else }} + maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- end }} + return $? } timer "$RETRY_TIMER" maas_login @@ -245,10 +236,9 @@ create_extra_commissioning_script timer "$RETRY_TIMER" configure_boot_sources start_import -if [[ $? -eq 0 ]] -then - configure_images +if [[ $? -eq 0 ]]; then + configure_images else - echo "Image import FAILED!" - exit 1 + echo "Image import FAILED!" + exit 1 fi diff --git a/charts/maas/templates/bin/_maas-test.sh.tpl b/charts/maas/templates/bin/_maas-test.sh.tpl index 4a36e81..debf41a 100644 
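Review bot: In `check_for_rack_sync_single`, `MAAS_DEFAULT_DISTRO` is still spliced into the jq program through shell interpolation — `jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name"` — so a value containing a double quote or backslash alters the filter rather than the string being matched; the commit already moved `check_for_download`'s filter to a fixed single-quoted program, and the same can be done here by passing the value as data: `jq --arg distro "${MAAS_DEFAULT_DISTRO}" '.images[] | select(.name | contains($distro)) | .name'`. In `check_for_download`, `grep -c $MAAS_DEFAULT_DISTRO` is still unquoted, so an empty or space-containing value changes grep's argument list; `grep -c "${MAAS_DEFAULT_DISTRO}"` keeps it a single pattern. The function bodies concerned are fully inside this hunk.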
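Review bot: `maas_login` now duplicates the full login command in both branches of the `.Values.conf.maas.tls.enabled` conditional and hard-codes the CA path `/usr/local/share/ca-certificates/maas-ca.crt`, which `establish_session` in `_maas-test.sh.tpl` repeats verbatim later in this patch; computing the option once keeps the two scripts in step, e.g. `CACERT_OPTS=({{- if .Values.conf.maas.tls.enabled }}--cacerts /usr/local/share/ca-certificates/maas-ca.crt{{- end }})` followed by `maas login "${CACERT_OPTS[@]}" ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY`, with the path itself coming from a values key rather than being repeated in each script. The API key is also passed as a command-line argument, where it is visible to any process in the pod via `/proc`; the MAAS CLI reads the key from stdin when `-` is given in its place (please confirm for the 3.2 CLI), which would keep it out of the process list. `maas_login` and `configure_extra_settings` are fully inside this hunk.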
--- a/charts/maas/templates/bin/_maas-test.sh.tpl +++ b/charts/maas/templates/bin/_maas-test.sh.tpl 
@@ -18,78 +18,74 @@ set -ex function check_boot_images { - if maas local boot-resources is-importing | grep -q 'true'; - then - echo -e '\nBoot resources currently importing\n' - return 1 - else - synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) - if [[ $synced_imgs -gt 0 ]] - then - echo 'Boot resources have completed importing' - return 0 - else - return 1 - fi - fi + if maas local boot-resources is-importing | grep -q 'true'; then + echo -e '\nBoot resources currently importing\n' + return 1 + else + synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) + if [[ $synced_imgs -gt 0 ]]; then + echo 'Boot resources have completed importing' + return 0 + else + return 1 + fi + fi } function check_rack_controllers { - rack_cnt=$(maas local rack-controllers read | grep -c hostname) - if [[ $rack_cnt -gt 0 ]] - then - echo "Found $rack_cnt rack controllers." - return 0 - else - return 1 - fi + rack_cnt=$(maas local rack-controllers read | grep -c hostname) + if [[ $rack_cnt -gt 0 ]]; then + echo "Found $rack_cnt rack controllers." + return 0 + else + return 1 + fi } function check_admin_api { - if maas local version read; - then - echo 'Admin API is responding' - return 0 - else - return 1 - fi + if maas local version read; then + echo 'Admin API is responding' + return 0 + else + return 1 + fi } function establish_session { - maas login local ${MAAS_URL} ${MAAS_API_KEY} - return $? + {{- if .Values.conf.maas.tls.enabled }} + maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt local ${MAAS_URL} ${MAAS_API_KEY} + {{- else }} + maas login local ${MAAS_URL} ${MAAS_API_KEY} + {{- end }} + return $? } establish_session -if [[ $? -ne 0 ]] -then - echo "MAAS API login FAILED!" - exit 1 +if [[ $? -ne 0 ]]; then + echo "MAAS API login FAILED!" + exit 1 fi check_boot_images -if [[ $? -eq 1 ]] -then - echo "Image import test FAILED!" 
- exit 1 +if [[ $? -eq 1 ]]; then + echo "Image import test FAILED!" + exit 1 fi check_rack_controllers -if [[ $? -eq 1 ]] -then - echo "Rack controller query FAILED!" - exit 1 +if [[ $? -eq 1 ]]; then + echo "Rack controller query FAILED!" + exit 1 fi check_admin_api -if [[ $? -eq 1 ]] -then - echo "Admin API response FAILED!" - exit 1 +if [[ $? -eq 1 ]]; then + echo "Admin API response FAILED!" + exit 1 fi echo "MAAS Validation SUCCESS!" diff --git a/charts/maas/templates/certificate-maas-ingress.yaml b/charts/maas/templates/certificate-maas-ingress.yaml new file mode 100644 index 0000000..a2b44d9 --- /dev/null +++ b/charts/maas/templates/certificate-maas-ingress.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }} +{{- $envAll := . }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.secrets.maas_ingress_cert }} +spec: + secretName: {{ .Values.secrets.maas_ingress_cert }} + commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + issuerRef: + kind: {{ .Values.cert_manager.issuer.kind }} + name: {{ .Values.cert_manager.issuer.name }} + dnsNames: + - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{ end }} 
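Review bot: The rewritten `establish_session` still passes `${MAAS_API_KEY}` as a positional argument of `maas login` while the script runs under `set -ex` (hunk context), so the `-x` trace writes the API key into the test pod's log on every run; wrap the login in `{ set +x; } 2>/dev/null` and `set -x`, or drop `-x` for this script. As written, `set -e` also means a failing `maas login` aborts the script inside the function, so the `echo "MAAS API login FAILED!"` check after `establish_session` never runs; calling it as `if ! establish_session; then` keeps the message reachable. `${MAAS_URL}` and `${MAAS_API_KEY}` should be quoted in the two new login lines.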
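Review bot: The guard on this Certificate requires `.Values.cert_manager.create`, while `certificate-maas.yaml` in the same change only checks `.Values.cert_manager.enabled`, so with `create: false` the service certificate is issued but the ingress certificate is not; if that asymmetry is intended a template comment such as `{{/* ingress cert is only issued when cert_manager.create is set; the service cert is always issued when cert-manager is enabled */}}` should record it, otherwise the two conditions should match. `$envAll := .` is assigned but never used in this template.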
diff --git a/charts/maas/templates/certificate-maas.yaml b/charts/maas/templates/certificate-maas.yaml new file mode 100644 index 0000000..ebf9a0f --- /dev/null +++ b/charts/maas/templates/certificate-maas.yaml @@ -0,0 +1,35 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }} +{{- $envAll := . }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.secrets.maas_cert }} +spec: + secretName: {{ .Values.secrets.maas_cert }} + commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + issuerRef: + kind: {{ .Values.cert_manager.issuer.kind }} + name: {{ .Values.cert_manager.issuer.name }} + dnsNames: + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }} + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local +{{ end }} 
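Review bot: The same `tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup"` is evaluated five times; assigning it once, `{{- $host := tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}`, and writing `{{ $host }}`, `{{ $host }}.{{ .Release.Namespace }}` etc. keeps the SAN list readable, and `$envAll` (unused) can go. The dnsNames cover only in-cluster service names, so clients that pass `--cacerts` against a public FQDN (the test pod now defaults `MAAS_URL` to the public endpoint elsewhere in this change) presumably rely on the ingress presenting a certificate chained to the same CA; a one-line comment stating that expectation here would help the next reader.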
diff --git a/charts/maas/templates/configmap-bin.yaml b/charts/maas/templates/configmap-bin.yaml index 43d7bd7..b2980e3 100644 --- a/charts/maas/templates/configmap-bin.yaml +++ b/charts/maas/templates/configmap-bin.yaml @@ -49,3 +49,7 @@ data: {{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} start-syslog.sh: | {{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- if .Values.conf.maas.tls.enabled }} + enable-tls.sh: | +{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{ end }} diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml index 0bd3d83..689ee68 100644 --- a/charts/maas/templates/deployment-ingress-errors.yaml +++ b/charts/maas/templates/deployment-ingress-errors.yaml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.rack_statefulset }} +{{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }} {{- $envAll := . }} {{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}} {{- $serviceAccountName := "maas-ingress-errors" }} diff --git a/charts/maas/templates/ingress-region.yaml b/charts/maas/templates/ingress-region.yaml index 939898c..1cba370 100644 --- a/charts/maas/templates/ingress-region.yaml +++ b/charts/maas/templates/ingress-region.yaml 
@@ -20,8 +20,17 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: maas-region-api + metadata: + annotations: +{{ toYaml .Values.network.region_api.ingress.annotations | indent 8 }} spec: ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }} +{{- if .Values.conf.maas.tls.enabled }} + tls: + - secretName: maas-region-api-tls + hosts: + - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{ end }} rules: - host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} http: diff --git a/charts/maas/templates/job-enable-tls.yaml b/charts/maas/templates/job-enable-tls.yaml new file mode 100644 index 0000000..8644baf --- /dev/null +++ b/charts/maas/templates/job-enable-tls.yaml 
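Review bot: The added `metadata:` key appears after `name: maas-region-api` inside the existing `metadata:` block (the collapsed diff loses indentation, but it is either a nested `metadata.metadata.annotations`, which is not a field of Ingress ObjectMeta, or a duplicate top-level key, which is invalid YAML); the annotations belong directly under the existing `metadata:`: `  annotations:` followed by `{{ toYaml .Values.network.region_api.ingress.annotations | indent 4 }}`. The new `tls` block also hard-codes `secretName: maas-region-api-tls`, which per the values.yaml hunk is `secrets.maas_cert`, the internal service certificate whose dnsNames in `certificate-maas.yaml` do not include the public FQDN, while `certificate-maas-ingress.yaml` writes its certificate to `secrets.maas_ingress_cert`; use `secretName: {{ .Values.secrets.maas_ingress_cert }}` so the ingress presents a certificate whose SAN matches the `host` line below it.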
@@ -0,0 +1,79 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.conf.maas.tls.enabled }} +{{- $envAll := . }} +{{- $serviceAccountName := "maas-enable-tls" }} +{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: maas-enable-tls + labels: +{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +spec: + template: + metadata: + labels: +{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }} + initContainers: +{{ tuple $envAll "enable_tls" list | include 
"helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: maas-enable-tls + image: {{ .Values.images.tags.enable_tls }} + imagePullPolicy: {{ .Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/enable-tls.sh + volumeMounts: + - name: maas-bin + mountPath: /tmp/enable-tls.sh + subPath: enable-tls.sh + readOnly: true + - name: maas-etc + mountPath: /etc/maas/regiond.conf + subPath: regiond.conf + readOnly: true + - name: maas-tls + mountPath: /etc/maas/ssl + readOnly: true + volumes: + - name: maas-bin + configMap: + name: maas-bin + defaultMode: 0555 + - name: maas-etc + configMap: + name: maas-etc + defaultMode: 0444 + - name: maas-tls + secret: + secretName: {{ .Values.secrets.maas_cert }} + defaultMode: 0444 +{{ end }} diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml index 467a1c2..4a3a816 100644 --- a/charts/maas/templates/job-import.yaml +++ b/charts/maas/templates/job-import.yaml @@ -120,6 +120,12 @@ spec: mountPath: /etc/maas/regiond.conf subPath: regiond.conf readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} volumes: - name: maas-bin configMap: @@ -129,3 +135,11 @@ spec: configMap: name: maas-etc defaultMode: 0444 +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} diff --git a/charts/maas/templates/secret-maas-tls.yaml b/charts/maas/templates/secret-maas-tls.yaml new file mode 100644 index 0000000..f7038c1 --- /dev/null 
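Review bot: The `maas-tls` volume mounts the secret that contains `tls.key` with `defaultMode: 0444`, so the private key is readable by every uid in the container; a secret carrying a key should use `defaultMode: 0400`, or `0440` together with an `fsGroup` in the pod security context when the process does not run as the file owner, and the `0444` that is fine for the `maas-etc` configmap should not be copied here. The job also references `pod.resources.jobs.enable_tls` and an `enable_tls` application/container key for the security-context snippets, but no `pod.*` entries for `enable_tls` appear in the values.yaml hunks of this change; if those snippets require the keys the render would fail, so either add them or confirm the snippets tolerate their absence.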
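Review bot: The `ca-cert` volumeMount/volume pair added in both hunks here is repeated verbatim in `statefulset-rack.yaml`, `statefulset-region.yaml` and `tests/test-maas-init.yaml` in this same change, each carrying the literal `/usr/local/share/ca-certificates/maas-ca.crt` that the scripts also hard-code in `--cacerts`; a chart-local named template for the mount and the volume would keep the four copies and the script path from drifting apart. The volume selects `items: - key: ca.crt` from `secrets.maas_cert`; if I recall correctly cert-manager populates `ca.crt` only for issuers that expose a CA (the `ClusterIssuer/ca-issuer` default in values does), and when the key is absent the pod waits in ContainerCreating rather than failing visibly, so a comment stating that the issuer must publish its CA would save debugging time.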
+++ b/charts/maas/templates/secret-maas-tls.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secrets.certificate }} +type: kubernetes/tls +data: + ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }} + tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }} + tls.key: {{ .Values.conf.maas.tls.key | b64enc }} +{{ end }} diff --git a/charts/maas/templates/service-ingress-headless.yaml b/charts/maas/templates/service-ingress-headless.yaml index 912ceb1..d32840b 100644 --- a/charts/maas/templates/service-ingress-headless.yaml +++ b/charts/maas/templates/service-ingress-headless.yaml @@ -24,6 +24,10 @@ spec: ports: - name: http port: 80 +{{- if .Values.conf.maas.tls.enabled }} + - name: https + port: 443 +{{- end }} selector: {{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} ... diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml index f8ce48f..d2c6e51 100644 --- a/charts/maas/templates/statefulset-rack.yaml +++ b/charts/maas/templates/statefulset-rack.yaml 
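Review bot: `type: kubernetes/tls` is not the built-in TLS secret type; the Kubernetes value that ingress controllers and cert-manager recognise is `kubernetes.io/tls`, so this should be `type: kubernetes.io/tls`. The Secret is named `{{ .Values.secrets.certificate }}`, but every consumer in this change (`job-import.yaml`, `job-enable-tls.yaml`, both statefulsets, the test pod) mounts `{{ .Values.secrets.maas_cert }}`, and `secrets.certificate` does not appear in the values.yaml hunks, so with cert-manager disabled the mounted secret would not exist; `name: {{ .Values.secrets.maas_cert }}` matches the consumers. This path also requires the private key to be supplied as a Helm value (`conf.maas.tls.key`), which is then stored in the release's values; a comment noting that an operator-managed Secret with `tls.create: false` avoids that would help operators choose.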
@@ -154,6 +154,12 @@ spec: mountPath: /etc/bind/named.conf.options subPath: named.conf.options readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }} volumes: - name: host-sys-fs-cgroup @@ -182,6 +188,14 @@ spec: configMap: name: maas-etc defaultMode: 0444 +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} {{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }} volumeClaimTemplates: - metadata: diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml index b91c50d..173d2c8 100644 --- a/charts/maas/templates/statefulset-region.yaml +++ b/charts/maas/templates/statefulset-region.yaml @@ -177,6 +177,12 @@ spec: mountPath: /etc/default/bind9 subPath: named readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }} volumes: - name: host-sys-fs-cgroup @@ -199,6 +205,14 @@ spec: - name: maas-region-secret secret: secretName: {{ .Values.secrets.maas_region.name }} +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} {{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }} {{- if .Values.manifests.maas_syslog }} volumeClaimTemplates: 
diff --git a/charts/maas/templates/tests/test-maas-init.yaml b/charts/maas/templates/tests/test-maas-init.yaml index 790c7c7..6c9e443 100644 --- a/charts/maas/templates/tests/test-maas-init.yaml +++ b/charts/maas/templates/tests/test-maas-init.yaml @@ -38,7 +38,11 @@ spec: - name: maas-api-test env: - name: 'MAAS_URL' - value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- if empty .Values.conf.maas.url.maas_url }} + value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- else }} + value: {{ .Values.conf.maas.url.maas_url }} +{{- end }} - name: 'MAAS_API_KEY' valueFrom: secretKeyRef: @@ -54,10 +58,24 @@ spec: mountPath: /tmp/maas-test.sh subPath: maas-test.sh readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} volumes: - name: maas-bin configMap: name: maas-bin defaultMode: 0555 +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} ... {{- end }} diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml index 7daec84..345640c 100644 --- a/charts/maas/values.yaml +++ b/charts/maas/values.yaml @@ -74,6 +74,12 @@ dependencies: endpoint: internal - service: maas_ingress endpoint: monitor + enable_tls: + jobs: + - maas-bootstrap-admin-user + services: + - service: maas_region + endpoint: internal network_policy: maas: 
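Review bot: In the `else` branch `value: {{ .Values.conf.maas.url.maas_url }}` is emitted unquoted while the `if` branch uses `| quote`; a URL is usually a valid plain scalar, but for consistency and to survive values containing `#` or trailing whitespace use `value: {{ .Values.conf.maas.url.maas_url | quote }}`. The default `MAAS_URL` also moves from the `internal` to the `public` endpoint, so the validation test now exercises the ingress path instead of the service, and with TLS enabled it trusts only the CA taken from `secrets.maas_cert`; the ingress certificate therefore has to chain to that CA for the test to pass, which is worth a one-line comment next to the `if empty` check.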
@@ -108,6 +114,7 @@ images: ingress_vip: docker.io/busybox:latest error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0 maas_syslog: quay.io/airshipit/maas-region-controller:latest + enable_tls: quay.io/airshipit/maas-region-controller:latest pull_policy: IfNotPresent local_registry: # TODO(portdirect): this chart does not yet support local image cacheing @@ -258,8 +265,8 @@ conf: proxy_server: null images: default_os: 'ubuntu' - default_image: 'bionic' - default_kernel: 'ga-18.04' + default_image: 'focal' + default_kernel: 'ga-20.04' credentials: secret: namespace: maas @@ -289,6 +296,12 @@ conf: # system user for console login/recovery in early phases of deployment system_user: 'root' system_passwd: 'password' + tls: + enabled: false + create: false + ca: "" + cert: "" + key: "" drivers: null #### If you populates drivers, it will replace the 3rd party driver #### info that comes with MaaS. see structure below if it is needed @@ -336,6 +349,8 @@ secrets: name: maas-region-secret value: 3858f62230ac3c915f300c664312c63f ssh_key: ssh-private-key + maas_cert: maas-region-api-tls + maas_ingress_cert: maas-region-api-ingress-tls pod: mandatory_access_control: @@ -629,7 +644,6 @@ endpoints: syslog: public: 514 podport: 514 - maas_db: auth: admin: @@ -692,3 +706,10 @@ endpoints: default: http host_fqdn_override: default: null + +cert_manager: + enabled: false + create: false + issuer: + kind: ClusterIssuer + name: ca-issuer diff --git a/images/maas-rack-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller-focal/3.2_allow_query.patch similarity index 94% rename from images/maas-rack-controller-focal/3.0_allow_query.patch rename to images/maas-rack-controller-focal/3.2_allow_query.patch index bbff6a9..60d0bef 100644 --- a/images/maas-rack-controller-focal/3.0_allow_query.patch +++ b/images/maas-rack-controller-focal/3.2_allow_query.patch @@ -1,5 +1,5 @@ 
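Review bot: `conf.maas.tls.ca`, `cert` and `key` invite the private key to be passed as a plain Helm value; anything placed there is rendered into `secret-maas-tls.yaml` and kept in the release's stored values (`helm get values`), so a comment above `tls:` should state that `create: true` is intended for development and that production deployments should set `create: false` and either use cert-manager or point `secrets.maas_cert` at an operator-managed Secret. The combination `tls.enabled: true`, `tls.create: false`, `cert_manager.enabled: false` renders no Secret at all while the `ca-cert` mounts are still added, so the pods would wait on a missing secret; documenting the supported combinations next to these keys would prevent that misconfiguration. The new `images.tags.enable_tls` uses `:latest`, which follows `maas_syslog` above it but remains a mutable tag.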
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template -index d76fcfa9a..d198e90b9 100644 +index d76fcfa..d198e90 100644 --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template @@ -13,8 +13,8 @@ empty-zones-enable no; diff --git a/images/maas-rack-controller-focal/3.0_ipmi_error.patch b/images/maas-rack-controller-focal/3.2_ipmi_error.patch similarity index 90% rename from images/maas-rack-controller-focal/3.0_ipmi_error.patch rename to images/maas-rack-controller-focal/3.2_ipmi_error.patch index ed26007..ac6ff18 100644 --- a/images/maas-rack-controller-focal/3.0_ipmi_error.patch +++ b/images/maas-rack-controller-focal/3.2_ipmi_error.patch @@ -1,5 +1,5 @@ diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py -index acf284e9d..edcaf9e41 100644 +index 70201e8..26625e2 100644 --- a/src/provisioningserver/drivers/power/ipmi.py +++ b/src/provisioningserver/drivers/power/ipmi.py @@ -155,6 +155,13 @@ IPMI_ERRORS = { @@ -16,12 +16,12 @@ index acf284e9d..edcaf9e41 100644 "could not find inband device": { "message": ( "An inband device could not be found." -@@ -283,7 +290,7 @@ class IPMIPowerDriver(PowerDriver): +@@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver): ), ] ip_extractor = make_ip_extractor("power_address") - wait_time = (4, 8, 16, 32) + wait_time = (4, 4, 8, 8, 16, 16, 32, 32) - + def detect_missing_packages(self): if not shell.has_command_available("ipmipower"): diff --git a/images/maas-rack-controller-focal/3.0_nic_filter.patch b/images/maas-rack-controller-focal/3.2_nic_filter.patch similarity index 84% rename from images/maas-rack-controller-focal/3.0_nic_filter.patch rename to images/maas-rack-controller-focal/3.2_nic_filter.patch index f3c58f5..3f98078 100644 
--- a/images/maas-rack-controller-focal/3.0_nic_filter.patch +++ b/images/maas-rack-controller-focal/3.2_nic_filter.patch @@ -1,8 +1,8 @@ diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py -index d8c781e38..3d2e6264c 100644 +index 7895227..0f665ad 100644 --- a/src/provisioningserver/utils/network.py +++ b/src/provisioningserver/utils/network.py -@@ -1129,6 +1129,8 @@ def get_all_interfaces_definition( +@@ -1128,6 +1128,8 @@ def get_all_interfaces_definition( # interfaces for guests. By themselves, they're not useful for MAAS to # manage. "tunnel", diff --git a/images/maas-rack-controller-focal/3.0_redfish_retries.patch b/images/maas-rack-controller-focal/3.2_redfish_retries.patch similarity index 82% rename from images/maas-rack-controller-focal/3.0_redfish_retries.patch rename to images/maas-rack-controller-focal/3.2_redfish_retries.patch index 1189bf7..67865ca 100644 --- a/images/maas-rack-controller-focal/3.0_redfish_retries.patch +++ b/images/maas-rack-controller-focal/3.2_redfish_retries.patch @@ -1,12 +1,12 @@ diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py -index 334ea2ca8..f38b05b8c 100644 +index 19d9ecd..0075997 100644 --- a/src/provisioningserver/drivers/power/redfish.py +++ b/src/provisioningserver/drivers/power/redfish.py -@@ -151,6 +151,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): +@@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE), ] ip_extractor = make_ip_extractor("power_address") + wait_time = (4, 8, 16, 32) - + def detect_missing_packages(self): # no required packages 
diff --git a/images/maas-rack-controller-focal/3.0_secure_headers.patch b/images/maas-rack-controller-focal/3.2_secure_headers.patch similarity index 91% rename from images/maas-rack-controller-focal/3.0_secure_headers.patch rename to images/maas-rack-controller-focal/3.2_secure_headers.patch index f751649..aeb5652 100644 --- a/images/maas-rack-controller-focal/3.0_secure_headers.patch +++ b/images/maas-rack-controller-focal/3.2_secure_headers.patch @@ -1,12 +1,12 @@ diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py -index 23e3e408e..8e3e5b772 100644 +index 23e3e40..8e3e5b7 100644 --- a/src/twisted/web/server.py +++ b/src/twisted/web/server.py @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized): self.site = self.channel.site - + # set various default headers - self.setHeader(b'server', version) self.setHeader(b'date', http.datetimeToString()) - + # Resource Identification diff --git a/images/maas-rack-controller-focal/Dockerfile b/images/maas-rack-controller-focal/Dockerfile index 4005574..d974ec9 100644 --- a/images/maas-rack-controller-focal/Dockerfile +++ b/images/maas-rack-controller-focal/Dockerfile @@ -18,7 +18,7 @@ ARG no_proxy ENV DEBIAN_FRONTEND noninteractive ENV container docker -ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 +ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1 RUN apt-get -qq update \ && apt-get install -y \ @@ -43,7 +43,7 @@ RUN apt-get -qq update \ -exec rm \{} \; \ && systemctl set-default multi-user.target \ # Install maas from the ppa - && add-apt-repository -yu ppa:maas/3.0 \ + && add-apt-repository -yu ppa:maas/3.2 \ && apt-get install -y \ maas-rack-controller=$MAAS_VERSION \ && rm -rf /var/lib/apt/lists/* 
@@ -56,20 +56,20 @@ COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack- RUN systemctl enable register-rack-controller.service # Patch so that Calico interfaces are ignored -COPY 3.0_nic_filter.patch /tmp/3.0_nic_filter.patch -COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch +COPY 3.2_nic_filter.patch /tmp/3.2_nic_filter.patch +COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch # Patch so maas knows that "BMC error" is retriable -COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch +COPY 3.2_ipmi_error.patch /tmp/3.2_ipmi_error.patch # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC -COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch +COPY 3.2_redfish_retries.patch /tmp/3.2_redfish_retries.patch # Patch to allow any recursion and cache queries -COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch +COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch -RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.2_nic_filter.patch +RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.2_ipmi_error.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < 
/tmp/3.2_redfish_retries.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch # echo journalctl logs to the container's stdout COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service diff --git a/images/maas-region-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller-jammy/3.3_allow_query.patch similarity index 94% rename from images/maas-region-controller-focal/3.0_allow_query.patch rename to images/maas-rack-controller-jammy/3.3_allow_query.patch index bbff6a9..60d0bef 100644 --- a/images/maas-region-controller-focal/3.0_allow_query.patch +++ b/images/maas-rack-controller-jammy/3.3_allow_query.patch @@ -1,5 +1,5 @@ diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template -index d76fcfa9a..d198e90b9 100644 +index d76fcfa..d198e90 100644 --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template @@ -13,8 +13,8 @@ empty-zones-enable no; diff --git a/images/maas-rack-controller-jammy/3.3_ipmi_error.patch b/images/maas-rack-controller-jammy/3.3_ipmi_error.patch new file mode 100644 index 0000000..1f9eb74 --- /dev/null +++ b/images/maas-rack-controller-jammy/3.3_ipmi_error.patch 
@@ -0,0 +1,27 @@ +diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py +index 09f3295..c17213b 100644 +--- a/src/provisioningserver/drivers/power/ipmi.py ++++ b/src/provisioningserver/drivers/power/ipmi.py +@@ -155,6 +155,13 @@ IPMI_ERRORS = { + ), + "exception": PowerConnError, + }, ++ "BMC error": { ++ "message": ( ++ "Device not responding correctly while performing power action." ++ " MAAS performed several retries. Please wait and try again." ++ ), ++ "exception": PowerConnError, ++ }, + "could not find inband device": { + "message": ( + "An inband device could not be found." +@@ -310,7 +317,7 @@ class IPMIPowerDriver(PowerDriver): + ), + ] + ip_extractor = make_ip_extractor("power_address") +- wait_time = (4, 8, 16, 32) ++ wait_time = (4, 4, 8, 8, 16, 16, 32, 32) + + def detect_missing_packages(self): + if not shell.has_command_available("ipmipower"): diff --git a/images/maas-rack-controller-jammy/3.3_nic_filter.patch b/images/maas-rack-controller-jammy/3.3_nic_filter.patch new file mode 100644 index 0000000..bf61151 --- /dev/null +++ b/images/maas-rack-controller-jammy/3.3_nic_filter.patch @@ -0,0 +1,13 @@ +diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py +index 4ac6962..5381bc4 100644 +--- a/src/provisioningserver/utils/network.py ++++ b/src/provisioningserver/utils/network.py +@@ -1134,6 +1134,8 @@ def get_all_interfaces_definition( + # interfaces for guests. By themselves, they're not useful for MAAS to + # manage. + "tunnel", ++ # Always exclude non-specific ethernet interfaces. ++ "ethernet", + ] + if not running_in_container(): + # When not running in a container, we should be able to identify diff --git a/images/maas-rack-controller-jammy/3.3_redfish_retries.patch b/images/maas-rack-controller-jammy/3.3_redfish_retries.patch new file mode 100644 index 0000000..21cdf8c --- /dev/null +++ b/images/maas-rack-controller-jammy/3.3_redfish_retries.patch 
@@ -0,0 +1,12 @@ +diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py +index f554a22..4ff0724 100644 +--- a/src/provisioningserver/drivers/power/redfish.py ++++ b/src/provisioningserver/drivers/power/redfish.py +@@ -171,6 +171,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): + make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE), + ] + ip_extractor = make_ip_extractor("power_address") ++ wait_time = (4, 8, 16, 32) + + def detect_missing_packages(self): + # no required packages diff --git a/images/maas-rack-controller-jammy/3.3_secure_headers.patch b/images/maas-rack-controller-jammy/3.3_secure_headers.patch new file mode 100644 index 0000000..ca66adf --- /dev/null +++ b/images/maas-rack-controller-jammy/3.3_secure_headers.patch @@ -0,0 +1,12 @@ +diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py +index d30156b..3a04ecb 100644 +--- a/src/twisted/web/server.py ++++ b/src/twisted/web/server.py +@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized): + self.site = self.channel.site + + # set various default headers +- self.setHeader(b"server", version) + self.setHeader(b"date", http.datetimeToString()) + + # Resource Identification diff --git a/images/maas-rack-controller-jammy/Dockerfile b/images/maas-rack-controller-jammy/Dockerfile new file mode 100644 index 0000000..b7e584a --- /dev/null +++ b/images/maas-rack-controller-jammy/Dockerfile 
@@ -0,0 +1,88 @@ +ARG FROM=ubuntu:22.04 +FROM ${FROM} + +LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' +LABEL org.opencontainers.image.url='https://airshipit.org' +LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas' +LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas' +LABEL org.opencontainers.image.vendor='The Airship Authors' +LABEL org.opencontainers.image.licenses='Apache-2.0' + +ARG HTTP_PROXY +ARG HTTPS_PROXY +ARG NO_PROXY +ARG http_proxy +ARG https_proxy +ARG no_proxy + +ENV DEBIAN_FRONTEND noninteractive +ENV container docker + +ENV MAAS_VERSION 1:3.3.4-13189-g.f88272d1e-0ubuntu1~22.04.1 + +# Remove systemd-timesyncd, which conflicts with chrony +RUN apt-get remove -y --purge systemd-timesyncd + +RUN apt-get -qq update \ + && apt-get install -y \ + avahi-daemon \ + isc-dhcp-server \ + jq \ + libvirt-clients \ + libvirt-daemon-system\ + patch \ + software-properties-common \ + sudo \ + systemd \ + ca-certificates \ +# Don't start any optional services except for the few we need. 
+# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd) + && find /etc/systemd/system \ + /lib/systemd/system \ + -path '*.wants/*' \ + -not -name '*journald*' \ + -not -name '*systemd-tmpfiles*' \ + -not -name '*systemd-user-sessions*' \ + -exec rm \{} \; \ + && systemctl set-default multi-user.target \ +# Install maas from the ppa + && add-apt-repository -yu ppa:maas/3.3 \ + && apt-get install -y \ + maas-rack-controller=$MAAS_VERSION \ + && rm -rf /var/lib/apt/lists/* + +# Preserve the directory structure, permissions, and contents of /var/lib/maas +RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas + +# register ourselves with the region controller +COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service +RUN systemctl enable register-rack-controller.service + +# Patch so that Calico interfaces are ignored +COPY 3.3_nic_filter.patch /tmp/3.3_nic_filter.patch +COPY 3.3_secure_headers.patch /tmp/3.3_secure_headers.patch +# Patch so maas knows that "BMC error" is retriable +COPY 3.3_ipmi_error.patch /tmp/3.3_ipmi_error.patch +# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC +COPY 3.3_redfish_retries.patch /tmp/3.3_redfish_retries.patch +# Patch to allow any recursion and cache queries +COPY 3.3_allow_query.patch /tmp/3.3_allow_query.patch + +RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.3_nic_filter.patch +RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.3_secure_headers.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.3_ipmi_error.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.3_redfish_retries.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.3_allow_query.patch + +# 
echo journalctl logs to the container's stdout +COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service +RUN systemctl enable journalctl-to-tty.service + +# quiet sudo for the maas user +RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log + +# avoid triggering bind9 high cpu utilization bug +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf + +# initalize systemd +CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] diff --git a/images/maas-rack-controller-jammy/README.md b/images/maas-rack-controller-jammy/README.md new file mode 100644 index 0000000..0a11659 --- /dev/null +++ b/images/maas-rack-controller-jammy/README.md @@ -0,0 +1 @@ +[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller diff --git a/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service new file mode 100644 index 0000000..2725055 --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service @@ -0,0 +1,13 @@ +[Unit] +Description=Journald console log streamer +Requires=systemd-journald.service +After=systemd-journald.service + +[Service] +Restart=always +RestartSec=0 +ExecStart=/bin/journalctl -f +StandardOutput=tty + +[Install] +WantedBy=basic.target diff --git a/images/maas-rack-controller-jammy/scripts/register-rack-controller.service b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service new file mode 100644 index 0000000..fb439d3 --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service 
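Review bot: `Defaults:maas !pam_session, !syslog` in the sudoers drop-in near the end of the hunk turns off syslog logging for every sudo invocation by the maas user, not just the PAM session-open noise the "quiet sudo" comment suggests, so privilege escalations by that account leave no audit record in the journal. If only the session messages are the problem, `Defaults:maas !pam_session` alone removes them; if syslog volume is the concern, `Defaults:maas !pam_session, !syslog, logfile=/var/log/sudo-maas.log` keeps a record. The `umask 0337` does give the drop-in the 0440 mode sudoers requires, but appending `&& visudo -cf /etc/sudoers.d/99-maas-no-log` to that RUN would make a syntax error fail the image build rather than the first sudo at runtime.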
@@ -0,0 +1,12 @@ +[Unit] +Description=Register with MaaS Region Controller +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH +ExecStart=/usr/local/bin/register-rack-controller.sh + +[Install] +WantedBy=multi-user.target diff --git a/images/maas-region-controller-focal/3.0_bios_grub_partition.patch b/images/maas-region-controller-focal/3.0_bios_grub_partition.patch deleted file mode 100644 index fc3a1c7..0000000 --- a/images/maas-region-controller-focal/3.0_bios_grub_partition.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py -index 62895f83b..832b1db4c 100644 ---- a/src/maasserver/models/partition.py -+++ b/src/maasserver/models/partition.py -@@ -248,7 +248,7 @@ class Partition(CleanSave, TimestampedModel): - return idx + 1 - elif arch == "ppc64el" and block_device.id == boot_disk.id: - return idx + 2 -- elif arch == "amd64" and bios_boot_method != "uefi": -+ elif arch == "amd64" and bios_boot_method != "uefi" and block_device.id == boot_disk.id: - if block_device.type == "physical": - # Delay the `type` check because it can cause a query. Only - # physical block devices get the bios_grub partition. diff --git a/images/maas-region-controller-focal/3.2_allow_query.patch b/images/maas-region-controller-focal/3.2_allow_query.patch new file mode 100644 index 0000000..60d0bef --- /dev/null +++ b/images/maas-region-controller-focal/3.2_allow_query.patch 
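Review bot: `PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH` in the `[Service]` section hands the region secret and API key to the unit through the PID 1 environment, so they are also readable by anything in the container that can open `/proc/1/environ` or run `systemctl show-environment`, and they inherit into every child the registration script starts. Because the image runs systemd as init (the Dockerfile CMD), `LoadCredential=` or an `EnvironmentFile=` pointing at a root-only mounted secret would keep them out of the manager environment, with the script reading `$CREDENTIALS_DIRECTORY/<name>` instead of the variables. How the chart injects these values is not visible here, so confirm the delivery path before changing the unit.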
@@ -0,0 +1,15 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index d76fcfa..d198e90 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -13,8 +13,8 @@ empty-zones-enable no; + allow-query { any; }; + {{endif}} + {{if not upstream_allow_recursion}} +-allow-recursion { trusted; }; ++allow-recursion { any; }; + {{endif}} + {{if not upstream_allow_query_cache}} +-allow-query-cache { trusted; }; ++allow-query-cache { any; }; + {{endif}} diff --git a/images/maas-region-controller-focal/3.2_bios_grub_partition.patch b/images/maas-region-controller-focal/3.2_bios_grub_partition.patch new file mode 100644 index 0000000..2e79cd0 --- /dev/null +++ b/images/maas-region-controller-focal/3.2_bios_grub_partition.patch @@ -0,0 +1,12 @@ +diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py +index 84a8fba..c62f25f 100644 +--- a/src/maasserver/models/partition.py ++++ b/src/maasserver/models/partition.py +@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel): + arch == "amd64" + and bios_boot_method != "uefi" + and block_device.type == "physical" ++ and block_device.id == boot_disk.id + ) + if need_prep_partition or need_bios_grub: + index = 2 diff --git a/images/maas-region-controller-focal/3.0_configure_ipmi_user.patch b/images/maas-region-controller-focal/3.2_configure_ipmi_user.patch similarity index 86% rename from images/maas-region-controller-focal/3.0_configure_ipmi_user.patch rename to images/maas-region-controller-focal/3.2_configure_ipmi_user.patch index 39b06ae..a417f3d 100644 --- a/images/maas-region-controller-focal/3.0_configure_ipmi_user.patch +++ b/images/maas-region-controller-focal/3.2_configure_ipmi_user.patch @@ -1,10 +1,10 @@ 
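Review bot: Changing `allow-recursion` and `allow-query-cache` from `{ trusted; }` to `{ any; }` makes the MAAS-managed BIND an open recursive resolver for every source that can reach port 53, which is the classic DNS amplification/reflection exposure; the identical change is added for the jammy region image in images/maas-region-controller-jammy/3.3_allow_query.patch. If the goal is to let clients outside MAAS's subnets resolve through it, extending the `trusted` ACL (as far as I recall MAAS builds it from its known subnets; that code is outside this hunk) or restricting UDP/TCP 53 at the NetworkPolicy or ingress layer is safer than `any`. At minimum pair it with BIND's response rate limiting, e.g. `rate-limit { responses-per-second 10; };` in the options block, so the resolver cannot be used as an amplifier.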
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py -index 42e4c79e4..11df96313 100755 +index 02e900d..411832a 100755 --- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py +++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py -@@ -396,6 +396,29 @@ class IPMI(BMCConfig): +@@ -184,6 +184,29 @@ class IPMIBase(BMCConfig): return first_unused - + def add_bmc_user(self): + """Create/configure an IPMI user, but with several tries""" + attempt = 1 @@ -32,7 +32,7 @@ index 42e4c79e4..11df96313 100755 if not self.username: self.username = "maas" user_number = self._pick_user_number(self.username) -@@ -417,7 +440,7 @@ class IPMI(BMCConfig): +@@ -205,7 +228,7 @@ class IPMIBase(BMCConfig): if self._bmc_config[user_number].get(key) != value: self._bmc_set(user_number, key, value) except Exception: @@ -41,12 +41,12 @@ index 42e4c79e4..11df96313 100755 else: self.password = password # Not all user settings are available on all BMC keys, its -@@ -432,8 +455,6 @@ class IPMI(BMCConfig): +@@ -220,8 +243,6 @@ class IPMIBase(BMCConfig): "Yes", ) return - print("ERROR: Unable to add BMC user!", file=sys.stderr) - sys.exit(1) - - def _config_ipmi_lan_channel_settings(self): - """Enable IPMI-over-Lan (Lan_Channel) if it is disabled""" + + def _bmc_get_config(self, section=None): + """Fetch and cache all BMC settings.""" diff --git a/images/maas-region-controller-focal/3.2_kernel_package.patch b/images/maas-region-controller-focal/3.2_kernel_package.patch new file mode 100644 index 0000000..2c1e67e --- /dev/null +++ b/images/maas-region-controller-focal/3.2_kernel_package.patch 
@@ -0,0 +1,31 @@ +diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py +index c692969..c20facf 100644 +--- a/src/maasserver/preseed.py ++++ b/src/maasserver/preseed.py +@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node): + if node.get_osystem() == "custom": + return [] + ++ # previous logic to retrieve kpackage parameter + kpackage = BootResource.objects.get_kpackage_for_node(node) ++ ++ # determine if thie node has kernel parameters applied by drydock ++ # and override kpackage if we discover the right properties ++ kernel_opt_tag = "%s_kp" % (node.hostname) ++ if kernel_opt_tag in node.tag_names(): ++ ++ # the tag exists, retrieve it ++ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts ++ ++ # parse the string and find our package param value ++ # e.g. kernel_package=linux-image-4.15.0-34-generic ++ kparams = kernel_opts.split() ++ kdict = dict( ++ kparam.split("=", 1) for kparam in kparams if "=" in kparam ++ ) ++ if "kernel_package" in kdict: ++ kpackage = kdict["kernel_package"] ++ + if kpackage: + kernel_config = {"kernel": {"package": kpackage, "mapping": {}}} + return [yaml.safe_dump(kernel_config)] diff --git a/images/maas-region-controller-focal/3.0_partitiontable_does_not_exist.patch b/images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch similarity index 94% rename from images/maas-region-controller-focal/3.0_partitiontable_does_not_exist.patch rename to images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch index b0f98d3..796b6db 100644 --- a/images/maas-region-controller-focal/3.0_partitiontable_does_not_exist.patch +++ b/images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch @@ -1,5 +1,5 @@ diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py -index 5a413fb3b..6a5ad8b47 100644 +index dd1b431..235c03f 100644 --- a/src/maasserver/api/partitions.py +++ b/src/maasserver/api/partitions.py 
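Review bot: `kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts` followed by `kernel_opts.split()` raises `AttributeError` for a tag that exists but carries no kernel options, if that field can be null (the Tag model is outside this patch), which would abort preseed composition for the node instead of falling back to the BootResource lookup; `kparams = (kernel_opts or "").split()` keeps the fallback. The parse also accepts an empty value (`kernel_package=`) as a package name, where `if kdict.get("kernel_package"):` would ignore it. The renamed images/maas-region-controller-jammy/3.3_kernel_package.patch carries the same block.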
@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler): diff --git a/images/maas-region-controller-focal/3.0_proxy_acl.patch b/images/maas-region-controller-focal/3.2_proxy_acl.patch similarity index 100% rename from images/maas-region-controller-focal/3.0_proxy_acl.patch rename to images/maas-region-controller-focal/3.2_proxy_acl.patch diff --git a/images/maas-region-controller-focal/3.0_regex_tags.patch b/images/maas-region-controller-focal/3.2_regex_tags.patch similarity index 81% rename from images/maas-region-controller-focal/3.0_regex_tags.patch rename to images/maas-region-controller-focal/3.2_regex_tags.patch index aa438fa..01f5778 100644 --- a/images/maas-region-controller-focal/3.0_regex_tags.patch +++ b/images/maas-region-controller-focal/3.2_regex_tags.patch @@ -1,17 +1,17 @@ diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py -index 5d26041ca..0e208f264 100644 +index 2cbaa9d..14eeb69 100644 --- a/src/maasserver/models/ownerdata.py +++ b/src/maasserver/models/ownerdata.py -@@ -18,7 +18,7 @@ from django.db.models import ( - from maasserver import DefaultMeta +@@ -17,7 +17,7 @@ from django.db.models import ( + from maasserver.models.cleansave import CleanSave - + -DATA_KEY_RE = re.compile(r"[\w.-]+$") +#DATA_KEY_RE = re.compile(r"[\w.-]+$") - - + + class OwnerDataManager(Manager): -@@ -33,8 +33,8 @@ class OwnerDataManager(Manager): +@@ -32,8 +32,8 @@ class OwnerDataManager(Manager): if value is None: to_remove.add(key) else: @@ -19,6 +19,6 @@ index 5d26041ca..0e208f264 100644 - raise ValueError("Invalid character in key name") + # if not DATA_KEY_RE.match(key): + # raise ValueError("Invalid character in key name") - + self.update_or_create( node=node, key=key, defaults={"value": value} 
diff --git a/images/maas-region-controller-focal/3.0_region_secret_rotate.patch b/images/maas-region-controller-focal/3.2_region_secret_rotate.patch similarity index 95% rename from images/maas-region-controller-focal/3.0_region_secret_rotate.patch rename to images/maas-region-controller-focal/3.2_region_secret_rotate.patch index fce4a7e..fc9bee0 100644 --- a/images/maas-region-controller-focal/3.0_region_secret_rotate.patch +++ b/images/maas-region-controller-focal/3.2_region_secret_rotate.patch @@ -1,5 +1,5 @@ diff --git a/src/maasserver/security.py b/src/maasserver/security.py -index a9420e504..61c6f00c6 100644 +index a9420e5..7973120 100644 --- a/src/maasserver/security.py +++ b/src/maasserver/security.py @@ -96,11 +96,11 @@ def get_shared_secret_txn(): @@ -16,6 +16,5 @@ index a9420e504..61c6f00c6 100644 + # secret and set it in the database (set_config function) + secret = secret_on_fs + Config.objects.set_config("rpc_shared_secret", to_hex(secret)) - + return secret - diff --git a/images/maas-region-controller-focal/3.0_route.patch b/images/maas-region-controller-focal/3.2_route.patch similarity index 66% rename from images/maas-region-controller-focal/3.0_route.patch rename to images/maas-region-controller-focal/3.2_route.patch index 391c617..d1f9efc 100644 --- a/images/maas-region-controller-focal/3.0_route.patch +++ b/images/maas-region-controller-focal/3.2_route.patch @@ -1,13 +1,17 @@ diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py -index 3851424fc..8bfa90e7d 100644 +index 7660feb..dae412d 100644 --- a/src/maasserver/preseed_network.py 
+++ b/src/maasserver/preseed_network.py -@@ -309,7 +309,7 @@ class InterfaceConfiguration: - +@@ -308,7 +308,11 @@ class InterfaceConfiguration: + def _get_matching_routes(self, source): """Return all route objects matching `source`.""" - return {route for route in self.routes if route.source == source} -+ return {route for route in self.routes if str(route.source.cidr) == str(source.cidr)} - ++ return { ++ route ++ for route in self.routes ++ if str(route.source.cidr) == str(source.cidr) ++ } + def _generate_addresses(self, version=1): """Generate the various addresses needed for this interface.""" diff --git a/images/maas-region-controller-focal/3.0_secure_headers.patch b/images/maas-region-controller-focal/3.2_secure_headers.patch similarity index 91% rename from images/maas-region-controller-focal/3.0_secure_headers.patch rename to images/maas-region-controller-focal/3.2_secure_headers.patch index f751649..aeb5652 100644 --- a/images/maas-region-controller-focal/3.0_secure_headers.patch +++ b/images/maas-region-controller-focal/3.2_secure_headers.patch @@ -1,12 +1,12 @@ diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py -index 23e3e408e..8e3e5b772 100644 +index 23e3e40..8e3e5b7 100644 --- a/src/twisted/web/server.py +++ b/src/twisted/web/server.py @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized): self.site = self.channel.site - + # set various default headers - self.setHeader(b'server', version) self.setHeader(b'date', http.datetimeToString()) - + # Resource Identification diff --git a/images/maas-region-controller-focal/Dockerfile b/images/maas-region-controller-focal/Dockerfile index 59e2284..ec08c22 100644 --- a/images/maas-region-controller-focal/Dockerfile +++ b/images/maas-region-controller-focal/Dockerfile 
@@ -18,7 +18,7 @@ ARG no_proxy ENV DEBIAN_FRONTEND noninteractive ENV container docker -ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 +ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1 RUN apt-get -qq update \ && apt-get install -y \ @@ -41,7 +41,7 @@ RUN apt-get -qq update \ -exec rm \{} \; \ && systemctl set-default multi-user.target \ # Install maas from the ppa - && add-apt-repository -yu ppa:maas/3.0 \ + && add-apt-repository -yu ppa:maas/3.2 \ && apt-get install -y \ maas-region-api=$MAAS_VERSION \ # tcpdump is required by /usr/lib/maas/beacon-monitor 
@@ -52,32 +52,32 @@ RUN apt-get -qq update \ RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas # MAAS workarounds -COPY 3.0_route.patch /tmp/3.0_route.patch -COPY 3.0_kernel_package.patch /tmp/3.0_kernel_package.patch -COPY 3.0_bios_grub_partition.patch /tmp/3.0_bios_grub_partition.patch +COPY 3.2_route.patch /tmp/3.2_route.patch +COPY 3.2_kernel_package.patch /tmp/3.2_kernel_package.patch +COPY 3.2_bios_grub_partition.patch /tmp/3.2_bios_grub_partition.patch # sh8121att: allow all requests via the proxy to allow it to work # behind ingress -COPY 3.0_proxy_acl.patch /tmp/3.0_proxy_acl.patch +COPY 3.2_proxy_acl.patch /tmp/3.2_proxy_acl.patch # Patch to add retrying to MaaS BMC user setup, and improve exception handling -COPY 3.0_configure_ipmi_user.patch /tmp/3.0_configure_ipmi_user.patch -COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch -COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch -COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch +COPY 3.2_configure_ipmi_user.patch /tmp/3.2_configure_ipmi_user.patch +COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch +COPY 3.2_region_secret_rotate.patch /tmp/3.2_region_secret_rotate.patch +COPY 3.2_partitiontable_does_not_exist.patch /tmp/3.2_partitiontable_does_not_exist.patch # Allow tags with '/' symbols -COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch +COPY 3.2_regex_tags.patch /tmp/3.2_regex_tags.patch # Patch to allow any recursion and cache queries -COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch +COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch -RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch -RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch -RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.0_bios_grub_partition.patch -RUN cd 
/usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.0_region_secret_rotate.patch -RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.0_configure_ipmi_user.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.0_proxy_acl.patch -RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch -RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch -RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch +RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.2_route.patch +RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.2_kernel_package.patch +RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.2_bios_grub_partition.patch +RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.2_region_secret_rotate.patch +RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.2_configure_ipmi_user.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.2_proxy_acl.patch +RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch +RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.2_partitiontable_does_not_exist.patch +RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.2_regex_tags.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch 
named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch # echo journalctl logs to the container's stdout COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service diff --git a/images/maas-region-controller-jammy/3.3_allow_query.patch b/images/maas-region-controller-jammy/3.3_allow_query.patch new file mode 100644 index 0000000..60d0bef --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_allow_query.patch @@ -0,0 +1,15 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index d76fcfa..d198e90 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -13,8 +13,8 @@ empty-zones-enable no; + allow-query { any; }; + {{endif}} + {{if not upstream_allow_recursion}} +-allow-recursion { trusted; }; ++allow-recursion { any; }; + {{endif}} + {{if not upstream_allow_query_cache}} +-allow-query-cache { trusted; }; ++allow-query-cache { any; }; + {{endif}} diff --git a/images/maas-region-controller-jammy/3.3_bios_grub_partition.patch b/images/maas-region-controller-jammy/3.3_bios_grub_partition.patch new file mode 100644 index 0000000..2e79cd0 --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_bios_grub_partition.patch @@ -0,0 +1,12 @@ +diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py +index 84a8fba..c62f25f 100644 +--- a/src/maasserver/models/partition.py ++++ b/src/maasserver/models/partition.py +@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel): + arch == "amd64" + and bios_boot_method != "uefi" + and block_device.type == "physical" ++ and block_device.id == boot_disk.id + ) + if need_prep_partition or need_bios_grub: + index = 2 
diff --git a/images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch b/images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch new file mode 100644 index 0000000..68b8e9f --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch @@ -0,0 +1,52 @@ +diff --git a/usr/lib/python3/dist-packages//metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/bmc_config.py +index 02e900d..ffee0f6 100755 +--- a/usr/lib/python3/dist-packages//metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py ++++ b/bmc_config.py +@@ -184,6 +184,29 @@ class IPMIBase(BMCConfig): + return first_unused + + def add_bmc_user(self): ++ """Create/configure an IPMI user, but with several tries""" ++ attempt = 1 ++ max_attempts = 5 ++ backoff_amount = 30 ++ exceptions_caught = [] ++ while attempt <= max_attempts: ++ print("INFO: Attempt to add IPMI BMC user - %s" % attempt) ++ try: ++ self._add_bmc_user() ++ except Exception as e: ++ exceptions_caught.append(e) ++ if (attempt + 1) > max_attempts: ++ # This is our last attempt, exiting ++ print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr) ++ sys.exit(1) ++ ++ if self.password is None: ++ time.sleep(attempt * backoff_amount) ++ else: ++ return ++ attempt += 1 ++ ++ def _add_bmc_user(self): + if not self.username: + self.username = "maas" + user_number = self._pick_user_number(self.username) +@@ -205,7 +228,7 @@ class IPMIBase(BMCConfig): + if self._bmc_config[user_number].get(key) != value: + self._bmc_set(user_number, key, value) + except Exception: +- pass ++ raise + else: + self.password = password + # Not all user settings are available on all BMC keys, its +@@ -220,8 +243,6 @@ class IPMIBase(BMCConfig): + "Yes", + ) + return +- print("ERROR: Unable to add BMC user!", file=sys.stderr) +- sys.exit(1) + + def _bmc_get_config(self, section=None): + """Fetch and cache all BMC settings.""" 
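Review bot: In the new `add_bmc_user` loop the last-attempt exit `if (attempt + 1) > max_attempts:` runs before the success check, so on attempt 5 the script prints the error and exits even when `_add_bmc_user()` has just succeeded and set `self.password`; only four attempts can ever succeed and the fifth, reached after a 120 s sleep, is wasted. Checking success first and sleeping only when another attempt follows fixes the ordering. Separately, `exceptions_caught` is printed verbatim to stderr; if `_bmc_set` raises with the command line it ran, that output can include the password candidate being set, so printing `type(e).__name__` and a short message per exception is safer. The renamed focal 3.2_configure_ipmi_user.patch contains the same loop, as far as its hunks show. `sys` and `time` must already be imported in bmc_config.py; the import block is not visible here.
```python
        while attempt <= max_attempts:
            print("INFO: Attempt to add IPMI BMC user - %s" % attempt)
            try:
                self._add_bmc_user()
            except Exception as e:
                exceptions_caught.append(e)
            if self.password is not None:
                # _add_bmc_user succeeded on this attempt
                return
            if attempt >= max_attempts:
                # That was the last attempt; report every failure seen and exit
                print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)
                sys.exit(1)
            time.sleep(attempt * backoff_amount)
            attempt += 1
```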
diff --git a/images/maas-region-controller-focal/3.0_kernel_package.patch b/images/maas-region-controller-jammy/3.3_kernel_package.patch similarity index 77% rename from images/maas-region-controller-focal/3.0_kernel_package.patch rename to images/maas-region-controller-jammy/3.3_kernel_package.patch index 934d1f3..c89549a 100644 --- a/images/maas-region-controller-focal/3.0_kernel_package.patch +++ b/images/maas-region-controller-jammy/3.3_kernel_package.patch @@ -1,12 +1,11 @@ diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py -index f9ba34a18..a9f41b9c2 100644 +index c692969..b92b6d5 100644 --- a/src/maasserver/preseed.py +++ b/src/maasserver/preseed.py -@@ -232,7 +232,27 @@ def compose_curtin_kernel_preseed(node): - The BootResourceFile table contains a mapping between hwe kernels and - Ubuntu package names. If this mapping is missing we fall back to letting - Curtin figure out which kernel should be installed""" -+ +@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node): + if node.get_osystem() == "custom": + return [] + + # previous logic to retrieve kpackage parameter kpackage = BootResource.objects.get_kpackage_for_node(node) + diff --git a/images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch b/images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch new file mode 100644 index 0000000..8346799 --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch 
@@ -0,0 +1,13 @@ +diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py +index 4302d8d..f0e51c8 100644 +--- a/src/maasserver/api/partitions.py ++++ b/src/maasserver/api/partitions.py +@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler): + device = BlockDevice.objects.get_block_device_or_404( + system_id, device_id, request.user, NodePermission.view + ) +- partition_table = device.partitiontable_set.get() ++ partition_table = device.get_partitiontable() + if partition_table is None: + return [] + else: diff --git a/images/maas-region-controller-jammy/3.3_proxy_acl.patch b/images/maas-region-controller-jammy/3.3_proxy_acl.patch new file mode 100644 index 0000000..0de535e --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_proxy_acl.patch @@ -0,0 +1,10 @@ +18,24c18 +< http_access allow maas_proxy_manager localhost +< http_access deny maas_proxy_manager +< http_access deny !Safe_ports +< http_access deny CONNECT !SSL_ports +< http_access allow localnet +< http_access allow localhost +< http_access deny all +--- +> http_access allow all diff --git a/images/maas-region-controller-jammy/3.3_regex_tags.patch b/images/maas-region-controller-jammy/3.3_regex_tags.patch new file mode 100644 index 0000000..14bf164 --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_regex_tags.patch 
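Review bot: The normal-format patch replaces the whole `http_access` chain (template lines 18-24) with `http_access allow all`, which also drops `deny !Safe_ports`, `deny CONNECT !SSL_ports` and the `maas_proxy_manager` restriction, so anything that can reach the proxy port can tunnel arbitrary TCP through it and query the cache manager; the Dockerfile comment only asks for requests arriving via the ingress to be allowed. Keeping the port guards ahead of the final allow preserves that: `http_access deny !Safe_ports` / `http_access deny CONNECT !SSL_ports` / `http_access allow all`, or better an `acl ingress src <ingress CIDR>` used in place of `all`. The patch has no context lines, so it depends on the template still having exactly those line numbers in the packaged MAAS version; a unified diff with context, as the other patches here use, tolerates offsets.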
@@ -0,0 +1,24 @@ +diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py +index 2cbaa9d..bb83b4b 100644 +--- a/src/maasserver/models/ownerdata.py ++++ b/src/maasserver/models/ownerdata.py +@@ -17,7 +17,7 @@ from django.db.models import ( + + from maasserver.models.cleansave import CleanSave + +-DATA_KEY_RE = re.compile(r"[\w.-]+$") ++#DATA_KEY_RE = re.compile(r"[\w.-]+$") + + + class OwnerDataManager(Manager): +@@ -32,8 +32,8 @@ class OwnerDataManager(Manager): + if value is None: + to_remove.add(key) + else: +- if not DATA_KEY_RE.match(key): +- raise ValueError("Invalid character in key name") ++ # if not DATA_KEY_RE.match(key): ++ # raise ValueError("Invalid character in key name") + + self.update_or_create( + node=node, key=key, defaults={"value": value} diff --git a/images/maas-region-controller-jammy/3.3_route.patch b/images/maas-region-controller-jammy/3.3_route.patch new file mode 100644 index 0000000..bd8a633 --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_route.patch @@ -0,0 +1,17 @@ +diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py +index 03073f7..c17444a 100644 +--- a/src/maasserver/preseed_network.py ++++ b/src/maasserver/preseed_network.py +@@ -309,7 +309,11 @@ class InterfaceConfiguration: + + def _get_matching_routes(self, source): + """Return all route objects matching `source`.""" +- return {route for route in self.routes if route.source == source} ++ return { ++ route ++ for route in self.routes ++ if str(route.source.cidr) == str(source.cidr) ++ } + + def _generate_addresses(self, version=1): + """Generate the various addresses needed for this interface.""" diff --git a/images/maas-region-controller-jammy/3.3_secure_headers.patch b/images/maas-region-controller-jammy/3.3_secure_headers.patch new file mode 100644 index 0000000..ca66adf --- /dev/null +++ b/images/maas-region-controller-jammy/3.3_secure_headers.patch 
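Review bot: Commenting out the `DATA_KEY_RE` check removes all validation of owner-data key names rather than extending it to allow `/`, so keys containing whitespace, quotes or control characters are now stored; wherever those keys are rendered (API responses, UI, preseed templates — all outside this patch) they now have to be treated as untrusted. Widening the pattern keeps the guard while meeting the stated goal ("Allow tags with '/' symbols" in the Dockerfile comment): `DATA_KEY_RE = re.compile(r"[\w./-]+$")` in place of the commented-out line, with the `if not DATA_KEY_RE.match(key):` check left as it was. The renamed focal 3.2_regex_tags.patch carries the same change.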
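Review bot: `str(route.source.cidr) == str(source.cidr)` in `_get_matching_routes` raises `AttributeError` if `route.source` (or the `source` argument) is ever `None`, where the original `route.source == source` simply evaluated to `False`; whether the source field is nullable is not visible in this patch. If it can be, `route.source is not None and str(route.source.cidr) == str(source.cidr)` keeps the old tolerance. The renamed focal 3.2_route.patch has the identical comprehension.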
@@ -0,0 +1,12 @@ +diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py +index d30156b..3a04ecb 100644 +--- a/src/twisted/web/server.py ++++ b/src/twisted/web/server.py +@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized): + self.site = self.channel.site + + # set various default headers +- self.setHeader(b"server", version) + self.setHeader(b"date", http.datetimeToString()) + + # Resource Identification diff --git a/images/maas-region-controller-jammy/Dockerfile b/images/maas-region-controller-jammy/Dockerfile new file mode 100644 index 0000000..0b47d9a --- /dev/null +++ b/images/maas-region-controller-jammy/Dockerfile 
@@ -0,0 +1,94 @@
+ARG FROM=ubuntu:22.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
+LABEL org.opencontainers.image.url='https://airshipit.org'
+LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
+LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
+LABEL org.opencontainers.image.vendor='The Airship Authors'
+LABEL org.opencontainers.image.licenses='Apache-2.0'
+
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+ARG NO_PROXY
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV container docker
+
+ENV MAAS_VERSION 1:3.3.4-13189-g.f88272d1e-0ubuntu1~22.04.1
+
+# Remove systemd-timesyncd, which conflicts with chrony
+RUN apt-get remove -y --purge systemd-timesyncd
+
+RUN apt-get -qq update \
+ && apt-get install -y \
+ avahi-daemon \
+ jq \
+ patch \
+ software-properties-common \
+ sudo \
+ systemd \
+ cron \
+ ca-certificates \
+# Don't start any optional services except for the few we need.
+# (specifically, don't start avahi-daemon)
+ && find /etc/systemd/system \
+ /lib/systemd/system \
+ -path '*.wants/*' \
+ -not -name '*journald*' \
+ -not -name '*systemd-tmpfiles*' \
+ -not -name '*systemd-user-sessions*' \
+ -exec rm \{} \; \
+ && systemctl set-default multi-user.target \
+# Install maas from the ppa
+ && add-apt-repository -yu ppa:maas/3.3 \
+ && apt-get install -y \
+ maas-region-api=$MAAS_VERSION \
+ # tcpdump is required by /usr/lib/maas/beacon-monitor
+ tcpdump \
+ && rm -rf /var/lib/apt/lists/*
+
+# Preserve the directory structure, permissions, and contents of /var/lib/maas
+RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
+
+# MAAS workarounds
+COPY 3.3_route.patch /tmp/3.3_route.patch
+COPY 3.3_kernel_package.patch /tmp/3.3_kernel_package.patch
+COPY 3.3_bios_grub_partition.patch /tmp/3.3_bios_grub_partition.patch
+# sh8121att: allow all requests via the proxy to allow it to work
+# behind ingress
+COPY 3.3_proxy_acl.patch /tmp/3.3_proxy_acl.patch
+# Patch to add retrying to MaaS BMC user setup, and improve exception handling
+COPY 3.3_configure_ipmi_user.patch /tmp/3.3_configure_ipmi_user.patch
+COPY 3.3_secure_headers.patch /tmp/3.3_secure_headers.patch
+COPY 3.3_partitiontable_does_not_exist.patch /tmp/3.3_partitiontable_does_not_exist.patch
+# Allow tags with '/' symbols
+COPY 3.3_regex_tags.patch /tmp/3.3_regex_tags.patch
+# Patch to allow any recursion and cache queries
+COPY 3.3_allow_query.patch /tmp/3.3_allow_query.patch
+
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.3_route.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.3_kernel_package.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.3_bios_grub_partition.patch
+RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.3_configure_ipmi_user.patch
+RUN cd 
/usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.3_proxy_acl.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.3_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.3_partitiontable_does_not_exist.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.3_regex_tags.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.3_allow_query.patch
+
+# echo journalctl logs to the container's stdout
+COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN systemctl enable journalctl-to-tty.service
+
+# quiet sudo for the maas user
+RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
+
+# avoid triggering bind9 high cpu utilization bug
+RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf
+
+# initalize systemd
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-region-controller-jammy/README.md b/images/maas-region-controller-jammy/README.md
new file mode 100644
index 0000000..cd33b83
--- /dev/null
+++ b/images/maas-region-controller-jammy/README.md
@@ -0,0 +1 @@
+[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller
diff --git a/images/maas-region-controller-jammy/journalctl-to-tty.service b/images/maas-region-controller-jammy/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-region-controller-jammy/journalctl-to-tty.service
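Review bot: `RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log` disables syslog logging of every sudo invocation by the maas user, so the only audit trail of privilege escalation by that account disappears; if the intent is just to cut log noise, `Defaults:maas !pam_session` alone quiets the PAM session messages without the audit gap, and appending `&& visudo -cf /etc/sudoers.d/99-maas-no-log` to the same RUN makes a malformed drop-in fail the build instead of breaking sudo at runtime. `COPY 3.3_secure_headers.patch /tmp/3.3_secure_headers.patch` is the only patch line without a purpose comment; `# Drop the Server: version banner from Twisted HTTP responses` would match the others. The base image is pulled by mutable tag (`ubuntu:22.04`) and every PPA package except `maas-region-api` is unpinned, so rebuilds are not reproducible unless the surrounding build system pins by digest elsewhere, which is not visible here. The `# Allow tags with '/' symbols` comment also overstates what `3.3_regex_tags.patch` does, since that patch removes the key check rather than widening it.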
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target
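Review bot: `ExecStart=/bin/journalctl -f` follows from the last ten journal lines by default, so anything logged before this unit starts (journald's own startup and earlier units in basic.target) never reaches the container's stdout; `ExecStart=/bin/journalctl -f --no-tail` replays the stored journal first and then follows. `Restart=always` with `RestartSec=0` respins immediately if journalctl exits, which suits a log streamer but can presumably trip systemd's default start-rate limit if journald is briefly unavailable; that interaction is inferred, not visible here. A leading `# Streams journald to the tty so the container runtime captures it as stdout` comment would state the unit's purpose for the next reader.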