Commit Graph

835 Commits

Author SHA1 Message Date
Zuul
05e3597cfa Merge "Check that used Ansible can see Kolla Ansible" 2020-05-24 13:39:58 +00:00
Zuul
9b8b7bf9b4 Merge "Remove post_config from the Kibana role" 2020-05-23 13:38:19 +00:00
Zuul
a24840a491 Merge "Update master for stable/ussuri" 2020-05-23 09:07:07 +00:00
xiaojueguan
fbc47e60e1 Remove post_config from the Kibana role
Since at least Stein, there is no visible effect from these tasks.
The Kibana dashboard seems to be working exactly the same,
greeting user on the first use with "please configure my index".
I tested on both Ubuntu and CentOS.
In new E*K stack (Ussuri+, CentOS8+) it even causes play errors.

Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: Iafc6986cce9cbaa0ea9e219ca85d7d01a61308cf
Closes-Bug: #1799689
2020-05-23 09:47:31 +02:00
Zuul
012c0b8e6a Merge "enable prometheus-openstack-exporter to use ca cert" 2020-05-22 19:15:10 +00:00
869fed3737 Update master for stable/ussuri
Add file to the reno documentation build to show release notes for
stable/ussuri.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.

Change-Id: Ic22d1f86c4527bb7153b18bf395d82a36f149d68
Sem-Ver: feature
2020-05-22 18:31:00 +00:00
xiaojueguan
964ede7171 enable prometheus-openstack-exporter to use ca cert
you might refer to:
b0167b9412/openstack/clientconfig/results.go (L41)

Change-Id: Ia326360c412aad9ca4d1735cc6486aa2fce22c1a
Closes-Bug: #1850812
2020-05-21 12:58:15 +00:00
Zuul
d15bf7d62f Merge "Add ussuri prelude to release notes" 2020-05-20 09:28:48 +00:00
Mark Goddard
63d96af45e Add ussuri prelude to release notes
Change-Id: I64d0f5e58058f3d39551e578b79027abded31174
2020-05-20 07:37:25 +00:00
Radosław Piliszek
96a5730a42 Fix pygments style
New theme of docs (Victoria+) respects pygments_style.
Since Kolla starts using Victoria reqs while being on Ussuri,
this patch ensures proper rendering both in Ussuri and Victoria.
Thanks @AJaeger for suggestion.

Change-Id: Iaf3c70b24685ab962f29007deec10b9d53c663bc
2020-05-19 20:08:46 +02:00
Zuul
4996570ee8 Merge "Tidy up release notes for Ussuri" 2020-05-19 17:10:59 +00:00
Zuul
7aef93a07a Merge "Fix cyborg api failed to load api-paste.ini file" 2020-05-19 12:06:20 +00:00
Mark Goddard
84f10f2b33 Tidy up release notes for Ussuri
Change-Id: If3129b569248eb548fcb987f30d318f59144faa7
2020-05-19 11:55:23 +01:00
Zuul
f942e93d12 Merge "Deprecate rabbitmq_hipe_compile" 2020-05-17 12:47:35 +00:00
Zuul
c07ee9af4f Merge "Configure RabbitMQ user tags in nova-cell role" 2020-05-17 12:26:56 +00:00
Zuul
50359204b4 Merge "Improve fernet_token_expiry precheck" 2020-05-16 09:34:45 +00:00
Will Szumski
810acea6b1 Improve fernet_token_expiry precheck
The pre-check was broken, see bug report for details.

Change-Id: I089f1e288bae6c093be66181c81a4373a6ef3de4
Closes-Bug: #1856021
2020-05-15 16:50:35 +00:00
Jeffrey Zhang
869e3f21c2 Configure RabbitMQ user tags in nova-cell role
The RabbitMQ 'openstack' user has the 'administrator' tag assigned via
the RabbitMQ definitions.json file.

Since the Train release, the nova-cell role also configures the RabbitMQ
user, but omits the tag. This causes the tag to be removed from the
user, which prevents it from accessing the management UI and API.

This change adds support for configuring user tags to the
service-rabbitmq role, and sets the administrator tag by default.

Change-Id: I7a5d6fe324dd133e0929804d431583e5b5c1853d
Closes-Bug: #1875786
2020-05-15 16:02:46 +01:00
Zuul
9540f22e24 Merge "Add support for encrypting Barbican API" 2020-05-13 16:36:27 +00:00
Zuul
43469d6fdb Merge "Add extras directory to prometheus config" 2020-05-13 14:31:51 +00:00
Zuul
e17cf01f82 Merge "Support customizing prometheus.cfg files" 2020-05-13 14:31:49 +00:00
James Kirsch
2e08ffd6d3 Add support for encrypting Barbican API
This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network
2020-05-13 10:26:09 +00:00
Will Szumski
d05578f59f Add extras directory to prometheus config
This provides a generic mechanism to include extra files
that you can reference in prometheus.yml, for example:

scrape_targets:
  - job_name: ipmi
    params:
      module: default
    scrape_interval: 1m
    scrape_timeout: 30s
    metrics_path: /ipmi
    scheme: http
    file_sd_configs:
    - files:
      - /etc/prometheus/extras/file_sd/ipmi-exporter-targets.yml
      refresh_interval: 5m

Change-Id: Ie2f085204b71725b901a179ee51541f1f383c6fa
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Will Szumski
956a29f83a Support customizing prometheus.cfg files
This provides a mechanism to scrape targets defined outside of kolla-ansible.

Depends-On: https://review.opendev.org/#/c/685671/
Change-Id: I0950341b147bb374b4128f09f807ef5a756f5dfa
Related: blueprint custom-prometheus-targets
2020-05-11 13:47:12 +01:00
Pierre Riteau
4503bf2419 Add release note for CloudKitty configuration fixes
This note refers to configuration changes done in
I626dc7afe9eabfbeb6c08137a3e6bbeebde2b332.

Change-Id: I75a37b9d3b28964f353977baa3a9f49fc424d866
Closes-Bug: #1876985
2020-05-05 22:53:30 +02:00
Zuul
bc22925906 Merge "Add support for encrypting Horizon and Placement API" 2020-05-01 09:05:56 +00:00
Zuul
76b6cf9f6d Merge "Add support for encrypting Glance api" 2020-04-30 21:16:13 +00:00
James Kirsch
e3d5a91a90 Add support for encrypting Horizon and Placement API
This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communication will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 20:55:07 +01:00
James Kirsch
f87814f794 Add support for encrypting Glance api
Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network
2020-04-30 17:31:58 +01:00
Hongbin Lu
91678f67af Zun: Add zun-cni-daemon to compute node
Zun has a new component "zun-cni-daemon" which should be
deployed on every compute node. It is basically an implementation
of CNI (Container Network Interface) that performs the neutron
port binding.

If users are using the capsule (pod) API, the recommended deployment
option is using "cri" as capsule driver. This is basically to use
a CRI runtime (i.e. CRI plugin for containerd) for supporting
capsules (pods). A CRI runtime needs a CNI plugin which is what
the "zun-cni-daemon" provides.

The configuration is based on the Zun installation guide [1].
It consists of the following steps:
* Configure the containerd daemon in the host. The "zun-compute"
  container will use grpc to communicate with this service.
* Install the "zun-cni" binary on the host. The containerd process
  will invoke this binary to call the CNI plugin.
* Run a "zun-cni-daemon" container. The "zun-cni" binary will
  communicate with this container via HTTP.

Relevant patches:
Blueprint: https://blueprints.launchpad.net/zun/+spec/add-support-cri-runtime
Install guide: https://review.opendev.org/#/c/707948/
Devstack plugin: https://review.opendev.org/#/c/705338/
Kolla image: https://review.opendev.org/#/c/708273/

[1] https://docs.openstack.org/zun/latest/install/index.html

Depends-On: https://review.opendev.org/#/c/721044/
Change-Id: I9c361a99b355af27907cf80f5c88d97191193495
2020-04-30 02:22:20 +00:00
Zuul
70e7b1b0d8 Merge "Add feature to support managing dynamic pollsters" 2020-04-29 17:45:34 +00:00
Zuul
059fee1ea3 Merge "Add support for encrypting heat api" 2020-04-29 17:19:51 +00:00
Zuul
8d4157a510 Merge "Adapt to Octavia Certificate Configuration Guide." 2020-04-29 11:46:54 +00:00
Noboru Iwamatsu
e84c968ed2 Adapt to Octavia Certificate Configuration Guide.
This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133
2020-04-29 08:30:12 +03:00
Zuul
2f77670f7d Merge "ironic: handle Swift object storage" 2020-04-29 00:53:48 +00:00
Marcin Juszkiewicz
fee9ff9c9d ironic: handle Swift object storage
Change-Id: I18f8855a758703968aba032add68add24b31f673
Closes-bug: #1875588
2020-04-28 13:00:16 +02:00
Xing Zhang
01ae01ec26 Make sure octavia uses internal endpoint to barbican
The octavia service communicates to the barbican service with
public endpoint_type by default [1]; it should use internal
like other services.

[1] 0056b5175f/octavia/common/config.py (L533-L537)

Closes-Bug: #1875618
Change-Id: I90d2b0aeac090a3e2366341e260232fc1f0d6492
2020-04-28 18:55:32 +08:00
Zuul
0747ebf1c9 Merge "Add docs and release note for CentOS 8" 2020-04-27 15:58:13 +00:00
Radosław Piliszek
32fc2599a6 Check that used Ansible can see Kolla Ansible
Fix-feature following up on the original check [1] to make it
test the correct interpreter.

Additionally, this change removes last, unneeded call to
random python - getting script directory is perfectly
doable in bash.

All checks are done from Python, not Ansible, due to its
performance. Python version feels snappy (0.2 s to check),
compared to sluggish Ansible (2.0 s to check).
What is more, relying on Ansible would require hacky solutions
to e.g. prevent custom config from interfering with it.
We might be willing to steer Ansible from Python in the future
anyhow.

[1] Icf0399d21b3fde8d530d73e6e7ee4a57665da276

Change-Id: Ib8f2e6b6672e7c06aa94bc226c4d72640d25d8c2
Closes-Bug: #1856346
2020-04-27 17:18:31 +02:00
Zuul
1939c3ce68 Merge "[octavia] Adds region_name if enable_barbican" 2020-04-27 13:51:12 +00:00
Christian Berendt
19564b1533 Deprecate rabbitmq_hipe_compile
Erlang 22.x dropped support for HiPE so use of "rabbitmq_hipe_compile"
is deprecated.

Change-Id: I8e0173c7aa6204e5b4c60dafbb8b464482cae90b
2020-04-27 10:46:00 +00:00
ramboman
6c372312ad [octavia] Adds region_name if enable_barbican
Adds necessary "region_name" to octavia.conf when
"enable_barbican" is set to "true".

Closes-Bug: #1867926

Change-Id: Ida61cef4b9c9622a5e925bac4583fba281469a39
2020-04-27 09:53:57 +03:00
Radosław Piliszek
04effaa903 Fix haproxy restarting twice per Ansible run
Since haproxy is orchestrated via site.yml in a single play,
it does not need flushing handlers as handlers run will
happen at the end of this play.

Change-Id: Ia3743575da707325be93c39b4a2bcae9211cacb2
Related-Bug: #1864810
Closes-Bug: #1875228
2020-04-26 21:51:20 +02:00
Zuul
b1db4f5c3b Merge "[skydive] fix: Use Keystone backend to authenticate API users" 2020-04-25 11:37:10 +00:00
Nick Jones
7e5aa63728 [skydive] fix: Use Keystone backend to authenticate API users
Update Skydive Analyzer's configuration to use Keystone as its backend
for authenticating users.  Any user with a role in the project defined
by the variable skydive_admin_tenant_name will be able to access
Skydive.

Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
Closes-Bug: 1870903
2020-04-24 19:31:57 +00:00
Mark Goddard
8cf8ab4e54 Add docs and release note for CentOS 8
Adds a support matrix page to documentation.

Change-Id: Ia783f7c42219617cde2accd3f1db013c9bda7679
2020-04-24 14:52:18 +00:00
James Kirsch
ff84292269 Add support for encrypting heat api
This patch introduces an optional backend encryption for Heat
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Heat service.

Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/722028/
2020-04-24 12:23:48 +01:00
Zuul
3f4103faed Merge "Fix that cyborg agent failed to start privsep daemon." 2020-04-22 15:44:33 +00:00
ya.wang
953edb870e Fix that cyborg agent failed to start privsep daemon.
Add privileged capability to cyborg agent.

Change-Id: Id237df1acb1b44c4e6442b39838058be1a95fcc6
Closes-bug: #1873715
2020-04-22 07:35:39 +00:00
Zuul
5079fa240d Merge "Manage nova scheduler workers count" 2020-04-21 19:36:44 +00:00