diff --git a/.gitignore b/.gitignore
index 894a44cc..38075bbf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,104 +1,77 @@ -# Byte-compiled / optimized / DLL files -__pycache__/ *.py[cod] -*$py.class # C extensions *.so -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -*.egg-info/ +# Packages +*.egg* +*.egg-info +dist +build +eggs +parts +var +sdist +develop-eggs .installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec +lib +lib64 # Installer logs pip-log.txt -pip-delete-this-directory.txt # Unit test / coverage reports -htmlcov/ -.tox/ -.coverage -.coverage.* -.cache +cover/ +.coverage* +!.coveragerc +.tox nosetests.xml -coverage.xml -*.cover -.hypothesis/ -.pytest_cache/ +.testrepository +.venv # Translations *.mo -*.pot -# Django stuff: -*.log -local_settings.py -db.sqlite3 +# Mr Developer +.mr.developer.cfg +.project +.pydevproject -# Flask stuff: -instance/ -.webassets-cache +# Complexity +output/*.html +output/*/index.html -# Scrapy stuff: -.scrapy +# Sphinx +doc/build -# Sphinx documentation -docs/_build/ +# pbr generates these +AUTHORS +ChangeLog -# PyBuilder -target/ +# Editors +*~ +.*.swp +.*sw? -# Jupyter Notebook -.ipynb_checkpoints +# Files created by releasenotes build +releasenotes/build -# pyenv -.python-version +# Dev tools +.idea/ +**/.vagrant +**/*.log -# celery beat schedule file -celerybeat-schedule +# Helm internals +*.lock +*/*.lock +*.tgz +**/*.tgz +**/_partials.tpl +**/_globals.tpl -# SageMath parsed files -*.sage.py +# Gate and Check Logs +logs/ +tmp/ -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ +# Developer symlinks +helm-toolkit 
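Review bot: The rewritten ignore list drops the `.env`, `local_settings.py` and `db.sqlite3` patterns (and the `env/` and `venv/` directories) without a replacement, so a local environment file holding credentials now shows up as untracked and can be committed by a broad `git add`. If contributors keep such files in the tree, keep `.env` in the new list, for example under the `# Dev tools` group. The new `*.lock` and `*/*.lock` patterns also mean Helm's `requirements.lock` is never tracked, so chart dependency resolution is not reproducible from the repository alone; that looks intentional, but a comment such as `# requirements.lock is regenerated by "helm dep up"` would say so.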
diff --git a/Dockerfiles/ceph-utility/Dockerfile.ubuntu b/Dockerfiles/ceph-utility/Dockerfile.ubuntu
new file mode 100755
index 00000000..dcbd9db4
--- /dev/null
+++ b/Dockerfiles/ceph-utility/Dockerfile.ubuntu
@@ -0,0 +1,26 @@
+ARG UBUNTU_RELEASE=xenial
+
+FROM docker.io/ubuntu:${UBUNTU_RELEASE}
+LABEL maintainer="sreejith.punnapuzha@outlook.com"
+
+ARG CEPH_RELEASE=mimic
+ARG UBUNTU_RELEASE=xenial
+
+RUN set -xe \
+ && echo '#!/bin/sh' > /usr/sbin/policy-rc.d \
+ && echo 'exit 101' >> /usr/sbin/policy-rc.d \
+ && chmod +x /usr/sbin/policy-rc.d \
+ && sed -i '/nobody/d' /etc/passwd \
+ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
+ && dpkg-divert --local --rename --add /sbin/initctl \
+ && cp -a /usr/sbin/policy-rc.d /sbin/initctl \
+ && sed -i 's/^exit.*/exit 0/' /sbin/initctl \
+ && apt-get update && apt-get install -y wget curl apt-transport-https gnupg\
+ && wget -q -O- 'https://download.ceph.com/keys/release.asc' | apt-key add - \
+ && echo deb https://download.ceph.com/debian-${CEPH_RELEASE}/ ${UBUNTU_RELEASE} main | tee /etc/apt/sources.list.d/ceph.list \
+ && apt-get update && apt-get install -y bash python-oslo.rootwrap moreutils vim sudo screen ceph-common python-rbd radosgw rsyslog x11-apps jq \
+ && apt-get remove --purge -y wget apt-transport-https && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* \
+ && curl -sSL https://bootstrap.pypa.io/get-pip.py | python \
+ && pip --no-cache-dir install --upgrade crush
+
+CMD ["/bin/bash"]
diff --git a/Dockerfiles/ceph-utility/Makefile b/Dockerfiles/ceph-utility/Makefile
new file mode 100644
index 00000000..884d3ebe
--- /dev/null
+++ b/Dockerfiles/ceph-utility/Makefile
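Review bot: The last two steps of the `RUN` chain, `curl -sSL https://bootstrap.pypa.io/get-pip.py | python` and `pip --no-cache-dir install --upgrade crush`, run an unpinned remote script as root and install whatever `crush` release is current at build time, so two builds of the same tag can differ and nothing is verified. Prefer the distribution package (add `python-pip` to the existing `apt-get install` list) and pin the dependency, `pip --no-cache-dir install crush==<PINNED_VERSION>`, or use a hash-checked requirements file with `--require-hashes`. The same concern applies to `wget -q -O- ... release.asc | apt-key add -`: comparing the downloaded key's fingerprint with a value recorded in the Dockerfile would catch a substituted key. The image also gives `nobody` a `/bin/bash` login shell and installs `sudo`, `x11-apps`, `vim` and `screen` with no `USER` instruction, so a short comment saying which of these the utility pod actually needs would help reviewers judge the attack surface.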
@@ -0,0 +1,46 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ifndef CEPH_RELEASE
+$(error The TAG variable is missing.)
+endif
+
+ifndef UBUNTU_RELEASE
+$(error The ENV variable is missing.)
+endif
+
+SHELL := /bin/bash
+
+DOCKER_REGISTRY ?= quay.io
+IMAGE_NAME ?= ceph-utility
+IMAGE_PREFIX ?= attcomdev
+IMAGE_TAG ?= latest
+LABEL ?= mimic
+
+IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}
+
+# Build ceph-utility Docker image for this project
+.PHONY: images
+images: build_$(IMAGE_NAME)
+
+# Make targets intended for use by the primary targets above.
+.PHONY: build_$(IMAGE_NAME)
+build_$(IMAGE_NAME):
+ docker build -f Dockerfile.ubuntu \
+ --network host \
+ --build-arg CEPH_RELEASE=$(CEPH_RELEASE) \
+ --build-arg UBUNTU_RELEASE=$(UBUNTU_RELEASE) \
+ -t $(IMAGE) \
+ --label $(LABEL) --label CEPH_RELEASE=$(CEPH_RELEASE) \
+ .
diff --git a/Dockerfiles/ceph-utility/README b/Dockerfiles/ceph-utility/README
new file mode 100644
index 00000000..30a24558
--- /dev/null
+++ b/Dockerfiles/ceph-utility/README
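Review bot: Both `ifndef` guards report the wrong variable: a missing `CEPH_RELEASE` prints `The TAG variable is missing.` and a missing `UBUNTU_RELEASE` prints `The ENV variable is missing.`; they should read `$(error The CEPH_RELEASE variable is missing.)` and `$(error The UBUNTU_RELEASE variable is missing.)`. In the `build_$(IMAGE_NAME)` recipe, `--network host` gives every `RUN` step access to the build host's network namespace; because the Dockerfile runs downloaded installers, drop the flag unless the build environment needs it, and say why in a comment if it stays. `--label $(LABEL)` adds a bare key (`mimic` by default) with an empty value next to the `CEPH_RELEASE=` label and can probably go. `IMAGE_TAG ?= latest` makes the published image mutable, so a tag derived from `$(CEPH_RELEASE)` and `$(UBUNTU_RELEASE)` would be easier to trace.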
@@ -0,0 +1,26 @@
+Generic Docker Makefile
+-----------------------
+
+This is a generic make and dockerfile for ceph utility container. This can be used to create docker images using different ceph releases and ubuntu releases
+
+Usage:
+
+make CEPH_RELEASE= UBUNTU_RELEASE=
+
+eg:
+
+1. Create docker image for ceph luminous release on ubuntu xenial (16.04)
+
+ make CEPH_RELEASE=luminous UBUNTU_RELEASE=xenial
+
+2. Create docker image for ceph mimic release on ubuntu xenial (16.04)
+
+ make CEPH_RELEASE=mimic UBUNTU_RELEASE=xenial
+
+3. Create docker image for ceph luminous release on ubuntu bionic (18.04)
+
+ make CEPH_RELEASE=luminous UBUNTU_RELEASE=bionic
+
+4. Create docker image for ceph mimic release on ubuntu bionic (18.04)
+
+ make CEPH_RELEASE=mimic UBUNTU_RELEASE=bionic
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..03ead868
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,62 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+
+HELM := helm
+TASK := build
+
+EXCLUDES := helm-toolkit doc tests tools logs tmp roles playbooks releasenotes
+CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+
+.PHONY: $(EXCLUDES) $(CHARTS)
+
+all: $(CHARTS)
+
+$(CHARTS):
+ @echo
+ @echo "===== Processing [$@] chart ====="
+ @make $(TASK)-$@
+
+init-%:
+ if [ -f $*/Makefile ]; then make -C $*; fi
+ if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
+
+lint-%: init-%
+ if [ -d $* ]; then $(HELM) lint $*; fi
+
+build-%: lint-%
+ if [ -d $* ]; then $(HELM) package $*; fi
+
+clean:
+ @echo "Removed .b64, _partials.tpl, and _globals.tpl files"
+ rm -f helm-toolkit/secrets/*.b64
+ rm -f */templates/_partials.tpl
+ rm -f */templates/_globals.tpl
+ rm -f *tgz */charts/*tgz
+ rm -f */requirements.lock
+ -rm -rf */charts */tmpcharts
+
+pull-all-images:
+ @./tools/pull-images.sh
+
+pull-images:
+ @./tools/pull-images.sh $(filter-out $@,$(MAKECMDGOALS))
+
+dev-deploy:
+ @./tools/gate/devel/start.sh $(filter-out $@,$(MAKECMDGOALS))
+
+%:
+ @:
diff --git a/README b/README
new file mode 100644
index 00000000..0465e819
--- /dev/null
+++ b/README
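Review bot: The `init-%` rule calls `helm dep up $*` directly while `lint-%` and `build-%` go through `$(HELM)`, so overriding `HELM` on the command line only affects part of the pipeline; use `$(HELM) dep up $*`. The recursive calls in `$(CHARTS)` and `init-%` use a literal `make` instead of `$(MAKE)`, which breaks `-n` and jobserver (`-j`) propagation into the sub-make: `@$(MAKE) $(TASK)-$@` and `$(MAKE) -C $*`. The catch-all `%:` rule with `@:` makes any mistyped target succeed silently, so add a comment such as `# absorbs the extra goals passed to pull-images and dev-deploy` above it.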
@@ -0,0 +1,88 @@ +Utility Container +----------------- +1. Ceph utility Container + +Installation +------------ +1. Add the below to /etc/sudoers + +root ALL=(ALL) NOPASSWD: ALL +ubuntu ALL=(ALL) NOPASSWD: ALL + +2. Install the latest versions of Git, CA Certs & Make if necessary + +#!/bin/bash +set -xe + +sudo apt-get update +sudo apt-get install --no-install-recommends -y \ + ca-certificates \ + git \ + make \ + jq \ + nmap \ + curl \ + uuid-runtime + +3. Proxy Configuration + +In order to deploy OpenStack-Helm behind corporate proxy servers, add the following entries to openstack-helm-infra/tools/gate/devel/local-vars.yaml. + +proxy: + http: http://username:password@host:port + https: https://username:password@host:port + noproxy: 127.0.0.1,localhost,172.17.0.1,.svc.cluster.local + +Add the address of the Kubernetes API, 172.17.0.1, and .svc.cluster.local to your no_proxy and NO_PROXY environment variables. + +export no_proxy=${no_proxy},172.17.0.1,.svc.cluster.local +export NO_PROXY=${NO_PROXY},172.17.0.1,.svc.cluster.local + +4. Clone the OpenStack-Helm Repos + +#!/bin/bash +set -xe + +git clone https://git.openstack.org/openstack/openstack-helm-infra.git +git clone https://git.openstack.org/openstack/openstack-helm.git + +5. Deploy Kubernetes & Helm + +cd openstack-helm +./tools/deployment/developer/common/010-deploy-k8s.sh + +6. Install OpenStack-Helm + +Setup Clients on the host and assemble the charts +./tools/deployment/developer/common/020-setup-client.sh + +Deploy the ingress controller +./tools/deployment/developer/common/030-ingress.sh + +7. Deploy Ceph + +./tools/deployment/developer/ceph/040-ceph.sh + +Activate the OpenStack namespace to be able to use Ceph +./tools/deployment/developer/ceph/045-ceph-ns-activate.sh + +8. Deploy Porthole + +git clone https://github.com/att-comdev/porthole.git + +cd porthole +./install_utility.sh + +Usage +----- + +Get in to the utility pod using kubectl exec. 
To perform any operation on the ceph cluster use the below example. + +example: + nccli ceph osd tree + nccli rbd ls + nccli rados lspools + +TODO +---- +1. Customize oslo filters to restrict commands. diff --git a/ceph-utility/Chart.yaml b/ceph-utility/Chart.yaml new file mode 100644 index 00000000..b59ac251 --- /dev/null +++ b/ceph-utility/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm Ceph Client +name: ceph-utility +version: 0.1.0 diff --git a/ceph-utility/requirements.yaml b/ceph-utility/requirements.yaml new file mode 100644 index 00000000..53782e69 --- /dev/null +++ b/ceph-utility/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: helm-toolkit + repository: http://localhost:8879/charts + version: 0.1.0 
diff --git a/ceph-utility/templates/bin/_bootstrap.sh.tpl b/ceph-utility/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 00000000..49f9d5d5
--- /dev/null
+++ b/ceph-utility/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sudo ./tmp/managekey.sh
+tail -f /var/log/syslog
diff --git a/ceph-utility/templates/bin/_managekey.sh.tpl b/ceph-utility/templates/bin/_managekey.sh.tpl
new file mode 100644
index 00000000..1042d572
--- /dev/null
+++ b/ceph-utility/templates/bin/_managekey.sh.tpl
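Review bot: `sudo ./tmp/managekey.sh` uses a path relative to the working directory, which only resolves to the `/tmp/managekey.sh` entry allowed in the sudoers template while the container starts in `/`; a `WORKDIR` in the image would make the call fail or point at a different file. Use the absolute path, `sudo /tmp/managekey.sh`. The trailing `tail -f /var/log/syslog` is what keeps the container in the foreground, so the pod keeps running even if rsyslog never starts; a comment such as `# keep the container alive and surface the command audit log` would make that intent explicit.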
@@ -0,0 +1,25 @@
+#!/bin/bash
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+input="/opt/client-keyring"
+while IFS= read -r var
+do
+ echo -e "[client.admin]\nkey = $var"| tee /etc/ceph/ceph.client.admin.keyring > /dev/null
+done < "$input"
+chmod 600 /etc/ceph/ceph.client.admin.keyring
+sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
+/etc/init.d/rsyslog restart
diff --git a/ceph-utility/templates/bin/_nccli-sudo.tpl b/ceph-utility/templates/bin/_nccli-sudo.tpl
new file mode 100644
index 00000000..e2bd6c6c
--- /dev/null
+++ b/ceph-utility/templates/bin/_nccli-sudo.tpl
@@ -0,0 +1,16 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+nobody ALL=SETENV: NOPASSWD: /tmp/managekey.sh, /usr/local/bin/ceph-utility-rootwrap
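Review bot: With `set -ex` in effect, the `echo -e "[client.admin]\nkey = $var"` line in `_managekey.sh.tpl` is traced with `$var` expanded, so the Ceph admin key is written to the container's stderr and ends up in the pod log. Turn tracing off in this script (`set -e`), and set `umask 077` before the loop so `tee` creates `/etc/ceph/ceph.client.admin.keyring` with restrictive permissions instead of relying on the later `chmod 600`. The `while` loop rewrites the keyring for every line of `/opt/client-keyring`, so only the last line survives; if the secret is always a single line, `IFS= read -r var < "$input"` with a comment saying so would be clearer.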
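Review bot: The rule in `_nccli-sudo.tpl` allows `/usr/local/bin/ceph-utility-rootwrap` with any arguments, so the caller rather than the administrator decides which rootwrap configuration file, and therefore which filter directory, is applied. `SETENV:` additionally lets the caller pass environment variables into a Python entry point that runs as root, and both undercut the filters in `rootwrap.conf`. Pin the configuration path and drop the tag, in the form the oslo.rootwrap documentation uses: `nobody ALL = (root) NOPASSWD: /usr/local/bin/ceph-utility-rootwrap /etc/ceph/rootwrap.conf *`. `/tmp/managekey.sh` is a root-runnable path inside a world-writable directory and is only safe while the ConfigMap mount is present, so mounting the script under `/usr/local/bin` and updating this rule would remove that dependency.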
diff --git a/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl b/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl
new file mode 100644
index 00000000..07e21a7a
--- /dev/null
+++ b/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl
@@ -0,0 +1,22 @@
+#!/usr/bin/python
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+# PBR Generated from u'console_scripts'
+import sys
+from oslo_rootwrap.cmd import main
+
+if __name__ == "__main__":
+ sys.exit(main())
diff --git a/ceph-utility/templates/bin/utility/_nccli.tpl b/ceph-utility/templates/bin/utility/_nccli.tpl
new file mode 100644
index 00000000..aef0ccff
--- /dev/null
+++ b/ceph-utility/templates/bin/utility/_nccli.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+script -f -a -q /var/log/syslog -c "sudo /usr/local/bin/ceph-utility-rootwrap /etc/ceph/rootwrap.conf $*"
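Review bot: In `_nccli.tpl`, `$*` is expanded inside the double-quoted string handed to `script -c`, which passes it to a shell, so the arguments are parsed a second time: values containing spaces are split, and shell metacharacters in an argument are interpreted instead of reaching rootwrap as data. Quote the arguments before building the command, e.g. `printf -v args '%q ' "$@"` followed by `-c "sudo /usr/local/bin/ceph-utility-rootwrap /etc/ceph/rootwrap.conf ${args}"`. Appending the typescript to `/var/log/syslog` requires that file to be writable by the invoking user (the pod runs as `nobody`), which presumably means the audited user can also alter the audit trail. Since `rootwrap.conf` already sets `use_syslog: True`, consider logging only through syslog or to a file that user cannot modify.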
diff --git a/ceph-utility/templates/configmap-bin.yaml b/ceph-utility/templates/configmap-bin.yaml
new file mode 100644
index 00000000..baf37eee
--- /dev/null
+++ b/ceph-utility/templates/configmap-bin.yaml
@@ -0,0 +1,44 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin .Values.deployment.ceph }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+
+ managekey.sh: |
+{{ tuple "bin/_managekey.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+ ceph-utility-rootwrap: |
+{{ tuple "bin/utility/_ceph-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+ nccli: |
+{{ tuple "bin/utility/_nccli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}
diff --git a/ceph-utility/templates/configmap-etc-client.yaml b/ceph-utility/templates/configmap-etc-client.yaml
new file mode 100644
index 00000000..84ea4c36
--- /dev/null
+++ b/ceph-utility/templates/configmap-etc-client.yaml
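Review bot: `bootstrap.sh` is rendered only when `.Values.bootstrap.enabled` is true, but the deployment template in this commit always mounts `bootstrap.sh` by `subPath` and uses `/tmp/bootstrap.sh` as the container command, so `bootstrap.enabled: false` would produce a pod that cannot start. Either drop the `{{- if .Values.bootstrap.enabled }}` guard around that key or apply the same condition in the deployment. A one-line template comment above the `data:` keys naming the values that control each script would also help.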
@@ -0,0 +1,32 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if or (.Values.deployment.ceph) (.Values.deployment.client_secrets) }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+data:
+ rootwrap.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.cephrootwrap | indent 4 }}
+
+ ceph-rootwrap-filter: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.cephfilter | indent 4 }}
+
+{{- end }}
diff --git a/ceph-utility/templates/configmap-etc-sudoers.yaml b/ceph-utility/templates/configmap-etc-sudoers.yaml
new file mode 100644
index 00000000..69f7d62d
--- /dev/null
+++ b/ceph-utility/templates/configmap-etc-sudoers.yaml
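Review bot: This ConfigMap is gated on `or (.Values.deployment.ceph) (.Values.deployment.client_secrets)`, while `values.yaml` defines `manifests.configmap_etc_client: true`, which none of the templates shown reads, and `deployment.client_secrets` is not defined in the values this commit adds. The sibling templates use `and .Values.manifests.<name> .Values.deployment.ceph`; use `{{- if and .Values.manifests.configmap_etc_client .Values.deployment.ceph }}` here so the manifest toggle works. Because `rootwrap.conf` and `ceph-rootwrap-filter` are the policy that limits what runs as root in the pod, a template comment stating that edits to `conf.cephfilter` widen or narrow root access would be useful.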
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.ceph }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+data:
+ nccli-sudo: |
+{{ tuple "bin/_nccli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/ceph-utility/templates/deployment-utility.yaml b/ceph-utility/templates/deployment-utility.yaml
new file mode 100644
index 00000000..12ac4e4e
--- /dev/null
+++ b/ceph-utility/templates/deployment-utility.yaml
@@ -0,0 +1,111 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.deployment_utility ( and .Values.deployment.ceph .Values.conf.features.utility) }} +{{- $envAll := . }} + +{{- $serviceAccountName := printf "%s" $envAll.Release.Name }} +{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ printf "%s" $envAll.Release.Name }} + labels: +{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.utility }} + selector: + matchLabels: +{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + template: + metadata: + name: {{ printf "%s" $envAll.Release.Name }} + labels: +{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + securityContext: + runAsUser: 65534 + serviceAccountName: {{ $serviceAccountName }} + affinity: +{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }} + containers: + - name: {{ printf "%s" $envAll.Release.Name }} +{{ tuple $envAll "ceph_utility" | include 
"helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.ceph_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /tmp/bootstrap.sh + volumeMounts: + - name: ceph-utility-bin + mountPath: /tmp/bootstrap.sh + subPath: bootstrap.sh + readOnly: true + - name: ceph-utility-bin + mountPath: /tmp/managekey.sh + subPath: managekey.sh + readOnly: true + - name: ceph-utility-bin + mountPath: /usr/local/bin/nccli + subPath: nccli + readOnly: true + - name: ceph-utility-bin + mountPath: /usr/local/bin/ceph-utility-rootwrap + subPath: ceph-utility-rootwrap + readOnly: true + - name: ceph-utility-sudoers + mountPath: /etc/sudoers.d/nccli-sudo + subPath: nccli-sudo + readOnly: true + - name: ceph-etc + mountPath: /etc/ceph/ceph.conf + subPath: ceph.conf + readOnly: true + - name: ceph-client-admin-keyring + mountPath: /opt/client-keyring + subPath: key + - name: ceph-utility-etc + mountPath: /etc/ceph/rootwrap.d/ceph-rootwrap-filter + subPath: ceph-rootwrap-filter + readOnly: true + - name: ceph-utility-etc + mountPath: /etc/ceph/rootwrap.conf + subPath: rootwrap.conf + readOnly: true + + volumes: + - name: ceph-utility-sudoers + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }} + defaultMode: 0644 + - name: ceph-utility-bin + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "bin" }} + defaultMode: 0555 + - name: ceph-utility-etc + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "etc" }} + defaultMode: 0555 + - name: ceph-etc + configMap: + name: {{ .Values.conf.cephconf.etc }} + defaultMode: 0600 + - name: ceph-client-admin-keyring + secret: + secretName: {{ .Values.secrets.keyrings.admin | quote }} + defaultMode: 0600 +{{- end }} diff --git a/ceph-utility/values.yaml b/ceph-utility/values.yaml new file mode 100644 index 00000000..476c5e7e --- /dev/null +++ b/ceph-utility/values.yaml 
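Review bot: The resources snippet is fed `$envAll.Values.pod.resources.ceph_utility`, but `values.yaml` in this commit defines that block as `pod.resources.utility`, so the requests and limits there are presumably never applied once `pod.resources.enabled` is turned on; reference `$envAll.Values.pod.resources.utility` or rename the values key. On the security side, the pod mounts the secret named by `.Values.secrets.keyrings.admin` and the scripts turn it into a `client.admin` keyring, so everyone who can `kubectl exec` into the pod works with full cluster-admin Ceph credentials. A dedicated cephx user with reduced caps would fit the stated goal of restricting commands better. The `ceph-client-admin-keyring` mount is the only one without `readOnly: true`, and `ceph-utility-etc` uses `defaultMode: 0555` for two configuration files that do not need the execute bit (`0444`).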
@@ -0,0 +1,178 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for ceph-client. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +deployment: + ceph: true + +release_group: null + +images: + pull_policy: IfNotPresent + tags: + ceph_utility: 'docker.io/sreejithpunnapuzha/ceph-utility:v0.0.2' + image_repo_sync: docker.io/docker:17.07.0 + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + +labels: + utility: + node_selector_key: openstack-helm-node-class + node_selector_value: primary + +pod: + dns_policy: "ClusterFirstWithHostNet" + replicas: + utility: 1 + affinity: + anti: + type: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname + resources: + enabled: false + utility: + requests: + memory: "100Mi" + cpu: "250m" + limits: + memory: "250Mi" + cpu: "500m" + jobs: + bootstrap: + limits: + memory: "1024Mi" + cpu: "2000m" + requests: + memory: "128Mi" + cpu: "500m" + image_repo_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + +secrets: + keyrings: + admin: pvc-ceph-client-key + +conf: + features: + utility: true + cephconf: + etc: ceph-etc + cephfilter: + Filters: + # ceph-rootwrap command filters for ceph utility container + # This file should be owned by (and only-writeable by) the root user + # Below are 
example command filters. access to ceph cluster can be restricted by creating a user with less privilages + ceph: CommandFilter, ceph, root + rados: CommandFilter, rados, root + radosgw-admin: CommandFilter, radosgw-admin, root + rbd: CommandFilter, rbd, root + # Below are examples of RegExpFilter. This will restict access to ceph cluster even with admin user + #rbd00: RegExpFilter, rbd, root, rbd, (^((?!clone|copy|cp|create|export|export-diff|flatten|import|import-diff|map|merge-diff|pool|remove|rm|rename|mv|resize|unmap).)*$) + #rbd01: RegExpFilter, rbd, root, rbd, image-meta, (^((?!get|remove|set).)*$) + #rbd02: RegExpFilter, rbd, root, rbd, journal, (^((?!client|export|import|reset).)*$) + #rbd03: RegExpFilter, rbd, root, rbd, lock, (^((?!add|remove).)*$) + #rbd04: RegExpFilter, rbd, root, rbd, mirror, image, (^((?!demote|disable|enable|promote).)*$) + #rbd05: RegExpFilter, rbd, root, rbd, mirror, pool, (^((?!demote|disable|enable|peer|promote).)*$) + #rbd06: RegExpFilter, rbd, root, rbd, nbd, (^((?!map|unmap).)*$) + #rbd07: RegExpFilter, rbd, root, rbd, object-map, (^((?!rm|del).)*$) + #rbd08: RegExpFilter, rbd, root, rbd, snap, (^((?!create|limit|protect|purge|remove|rm|rename|mv|rollback|revert|unprotect).)*$) + #rbd09: RegExpFilter, rbd, root, rbd, trash, (^((?!move|mv|remove|rm|restore).)*$) + cephrootwrap: + DEFAULT: + # Configuration for ceph-rootwrap + # This file should be owned by (and only-writeable by) the root user + # List of directories to load filter definitions from (separated by ','). + # These directories MUST all be only writeable by root ! + filters_path: /etc/ceph/rootwrap.d + # List of directories to search executables in, in case filters do not + # explicitely specify a full path (separated by ',') + # If not specified, defaults to system PATH environment variable. + # These directories MUST all be only writeable by root ! 
+ exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin + # Enable logging to syslog + # Default value is False + use_syslog: True + # Which syslog facility to use. + # Valid values include auth, authpriv, syslog, local0, local1... + # Default value is 'syslog' + syslog_log_facility: syslog + # Which messages to log. + # INFO means log all usage + # ERROR means only log unsuccessful attempts + syslog_log_level: INFO + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - ceph-utility-image-repo-sync + services: + - endpoint: node + service: local_image_registry + static: + bootstrap: + jobs: null + cephfs_client_key_generator: + jobs: null + namespace_client_key_cleaner: + jobs: null + namespace_client_key_generator: + jobs: null + image_repo_sync: + services: + - endpoint: internal + service: local_image_registry + +bootstrap: + enabled: true + +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + +monitoring: + prometheus: + enabled: true + +manifests: + configmap_bin: true + configmap_etc_client: true + configmap_etc_sudoers: true + deployment_utility: true diff --git a/install_ceph_utility.sh b/install_ceph_utility.sh new file mode 100755 index 00000000..b78322ff --- /dev/null +++ b/install_ceph_utility.sh @@ -0,0 +1,54 @@ +#!/bin/bash +set -xe + +#NOTE: Lint and package chart +: ${OSH_INFRA_PATH:="../openstack-helm-infra"} +#: ${PORTHOLE_PATH}:="" +make -C ${OSH_INFRA_PATH} ceph-provisioners + +#NOTE: Deploy command +: ${OSH_EXTRA_HELM_ARGS:=""} +tee /tmp/ceph-utility-config.yaml <
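Review bot: In `values.yaml`, the default `images.tags.ceph_utility` points at `docker.io/sreejithpunnapuzha/ceph-utility:v0.0.2`, a tag in a personal registry namespace that is not pinned by digest, so the content that runs with the Ceph admin key can change without any chart change; reference the project's registry and pin it, e.g. `<REGISTRY>/ceph-utility@sha256:<DIGEST>`. The active `conf.cephfilter` entries are plain `CommandFilter` lines for `ceph`, `rados`, `radosgw-admin` and `rbd`, which allow every subcommand as root, while the restrictive `RegExpFilter` examples are commented out. Shipping the restrictive set as the default and documenting how to relax it would make the safe configuration the one users get. The comments in that block also contain typos worth fixing (`privilages`, `restict`, `explicitely`).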