Commit Graph

99 Commits

Author SHA1 Message Date
jasvinder singh kwatra
f361feb69a [helm-toolkit] Update toolkit to support fqdn alias
This change adds the ability to add an fqdn alias to namespace and cluster ingress resources. This change is specifically required for keystone so HA of the backup solution can be implemented. This change allows the user to specify alias_fqdn in the endpoints section, and the user can have an alias configured. This change is backward compatible, so without specifying this option in charts it gives one fqdn ingress rule without a cname alias as the default behaviour.

Change-Id: Ib1c60524e2f247bb057318b1143bfbc3bde5b73a
2024-09-26 15:27:23 -05:00
Vasyl Saienko
ef54c62fd4 Add snippet configmap_oslo_policy
OpenStack policies can be applied without a service restart;
keep all policies in a single configmap to have the ability to
not restart services on policy changes.

This patch adds a snippet of configmap that will later be used
in other helm charts.

Change-Id: I41d06df2fedb7f6cf0274c886dc9b94134507aca
2024-09-17 06:29:53 +00:00
Tadas Sutkaitis
1e5ca80385 helm-toolkit: Enable custom secret annotations
Enable custom annotations for secrets [registry, tls]

Change-Id: I811d5553f51ad2b26ea9d73db945c043ee2e7a10
2024-04-09 02:08:18 +03:00
Doug Goldstein
929ebf5200 add custom job annotations snippet and use it
Add the ability for charts that use helm-toolkit to allow the users to
set custom annotations on jobs. Use the snippet in a generic way in the
job templates provided by helm-toolkit.

Change-Id: I5d60fe849e172c19d865b614c3c44ea618f92f20
Depends-On: I3991d6984563813d5a3a776eabd52e2e89933bd8
Signed-off-by: Doug Goldstein <doug.goldstein@rackspace.com>
2024-04-05 18:52:53 -05:00
Ritchie, Frank (fr801x)
5b72041fd9 Change default ingress path type to prefix
Due to CVE-2022-4886 the default pathType for an ingress should be
either "Exact" or "Prefix". This allows for more strict path validation by
the admission controller. This PS changes the default pathType to Prefix.
This value can be overridden.

In a separate PS I will add the pathType parameter to the ingressOpts
for all helm charts that create an ingress.

See:

https://github.com/kubernetes/ingress-nginx/issues/10570

Change-Id: I8f1df594f0c86f2de6cdd7cf2ee56637bd508565
2024-01-17 13:18:25 -05:00
Anselme, Schubert
51c70e48df Deprecating the Ingress Class Annotation
This PS replaces the deprecated kubernetes.io/ingress.class annotation with the
spec.ingressClassName field that is a reference to an IngressClass
resource that contains additional Ingress configuration, including the
name of the Ingress controller.

https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#deprecating-the-ingress-class-annotation

Change-Id: I9953d966b4f9f7b1692b39f36f434f5055317025
Co-authored-by: Sergiy Markin <smarkin@mirantis.com>
Co-authored-by: Leointii Istomin <listomin@mirantis.com>
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
2023-08-26 00:39:34 +00:00
Cedric Hnyda
6c903f6092 [helm-toolkit]: Allow tls for external ingress without specifying key and crt
It will allow using letsencrypt for a specific endpoint.
For example:

  network:
    use_external_ingress_controller: true
    api:
      ingress:
        classes:
          namespace: "nginx"
          cluster: "nginx-cluster"
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: /
          cert-manager.io/cluster-issuer: "letsencrypt"
  endpoints:
    cluster_domain_suffix: cluster.local
    image:
      port:
        api:
          public: 443
      scheme:
        public: https
      hosts:
        default: glance
        public: glance-public
      host_fqdn_override:
        public:
          host: glance.example.com
          tls:
            dnsNames:
              - glance.example.com
          issuerRef:
            name: letsencrypt
            kind: ClusterIssuer

Signed-off-by: Cedric Hnyda <ced.hnyda@gmail.com>
Change-Id: I5065213bbc25464bef596003c9967258489db455
2023-01-03 10:58:25 +01:00
Terekhin, Alexey (at4945)
54055938e6 Adjust getting of kibana ingress value parameters.
This change fixed getting network kibana ingress parameters.

Change-Id: I0d6609e6785566a4b6f341be0113ea80b184f7ae
2022-08-29 15:28:26 -07:00
Terekhin, Alexey (at4945)
a10c1b0c6c Fix for getting kibana ingress parameters.
This change fixed getting network kibana ingress parameters
from override value files.

Change-Id: If9931267edad2c1196e395168c562ef0d0d380d6
2022-08-15 13:36:37 -07:00
Yanos Angelopoulos
a4a2b5803b Modify use_external_ingress_controller place in openstack-helm
Having the "use_external_ingress_controller" field in
"network.server.ingress" yaml path is not a good choice as there are
services such as neutron that use this path to define backend service,
named "server", options. We propose moving it to the root of the
path "network".

Change-Id: If98d6555a9c012872d3fb1a38b370a3195ea49ab
2022-07-29 16:43:19 +03:00
Brian Haley
f31cfb2ef9 support image registries with authentication
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00
Yanos Angelopoulos
772198f15d Support having a single external ingress controller
This change allows creating a single ingress resource using the
public fqdn of the service, instead of two (cluster and namespace)
that is currently the case. Every openstack-helm chart can have a
network.server.ingress.use_external_ingress_controller boolean
field to choose the creation of a single ingress resource
(ingressName-namespace-fqdn).

Signed-off-by: Yanos Angelopoulos <yanos@admin.grnet.gr>
Change-Id: I46da850fccc3fee76595a2e6c49d51197a282c3e
2022-07-05 22:32:50 +00:00
Thiago Brito
0d5b16cabb Enable taint toleration for helm-toolkit
This adds taint toleration support for openstack jobs

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I168837f962465d1c89acc511b7bf4064ac4b546c
2022-03-23 10:30:59 -03:00
Marlin Cremers
9d7baa9aa8 feat(helm-toolkit): add support for image pull secrets
At the moment it is very difficult to pull images from a private
registry that hasn't been configured on Kubernetes nodes as there
is no way to specify imagePullSecrets on pods.

This change introduces a snippet that can return a set of image
pull secrets using either a default or a per pod value. It also
adds this new snippet to the manifests for standard job types.

Change-Id: I710e1feffdf837627b80bc14320751f743e048cb
2021-12-21 09:03:08 +01:00
PRIYA, FNU (fp048v)
fddbb0a059 Set Security Context to ks-user job
We need flexibility to add securityContext to ks-user job at pod and container level,
so that it can be executed without elevated privileges.

Change-Id: Ibd8abdc10906ca4648bfcaa91d0f122e56690606
2021-11-08 09:45:11 -06:00
Gupta, Sangeet (sg774j)
186155c296 Correct private key size input for Certificates and remove minor version support
In cert-manager v1 API, the private key size "keySize" was updated to "size"
under "privateKey".
Support of minor (less than v1) API version is also removed for certificates.

Change-Id: If3fa0e296b8a1c2ab473e67b24d4465fe42a5268
2021-11-03 14:27:23 +00:00
Gage Hugo
55e7706f7e Revert "Set Security Context to ks-user job"
This reverts commit 5407b547bb.

Reason for revert: This outputs duplicate securityContext entries,
breaking the yamllinter in osh. This needs a slight rework.

Change-Id: I0c892be5aba7ccd6e3c378e4e45a79d2df03c06a
2021-11-01 22:35:00 +00:00
PRIYA, FNU (fp048v)
5407b547bb Set Security Context to ks-user job
We need flexibility to add securityContext to ks-user job, so that it can be executed without elevated privileges.

Change-Id: I24544015816d57d86c1e69f44b90b6b0271e76a4
2021-11-01 01:59:25 +00:00
Phil Sphicas
f4972121bc Migrate Ingress resources to networking.k8s.io/v1
This change updates the helm-toolkit and ingress charts to migrate
Ingress resources to the networking.k8s.io/v1 API version, available
since v1.19. [0]

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122

Change-Id: Ic6bd6d158b1294da26c165797c90107831dcb508
2021-10-15 04:47:00 +00:00
Sean Eagan
b1a247e7f5 Helm 3 - Fix Job labels
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies

Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.

[0]: https://github.com/helm/helm/pull/7649

Change-Id: I3b6b25fcc6a1af4d56f3e2b335615074e2f04b6d
2021-09-30 16:01:31 -05:00
Haider, Nafiz (nh532m)
adab36be22 Helm-Toolkit: Make Rabbit-init job more robust
Change-Id: I36ef7b2cdcf747ed2503ca5d27bc7803349f287d
2021-07-27 20:19:56 +00:00
Haider, Nafiz (nh532m)
2dc83fdde7 feat(tls): Enable TLS for OpenStack RabbitMQ
Enable TLS for Openstack RabbitMQ upstream

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I7c08d41b212bc5095facf5f5823521fbfa4d3c47
2021-05-21 12:36:23 +00:00
Lo, Chi (cl566n)
f7fde88b6e Remove env variable from s3 bucket job
Remove the TLS_OPTION env from helm-toolkit s3-bucket job. There
can be different option for tls connection, depending on whether
the rgw server is local or remote. This change allows the
create-s3-bucket script to customize its connection argument
which can be pulled from values.yaml.

Change-Id: I2a34c1698e02cd71905bc6ef66f4aefcd5e25e44
2021-05-14 15:12:15 -07:00
Lo, Chi (cl566n)
fd4bf57211 Enable TLS for Elasticsearch
The change enables:

(1) TLS for the Elasticsearch transport networking layer. The
    transport networking layer is used for internal communication
    between nodes in a cluster.

(2) TLS path between Elasticsearch and Ceph-rgw host.

Change-Id: Ifb6cb5db19bc5db2c8cb914f6a5887cf3d0f9434
2021-05-03 19:39:32 -07:00
Gage Hugo
4ed2a6fe53 Remove hook-delete-policy default settings from HTK
These hooks were added as part of a previous change, however tiller
does not handle these correctly, and jobs get deleted without being
recreated. This change removes the hook from default htk annotations.

Change-Id: I2aa7bb241ebbb7b54c5dc9cf21cd5ba290b7e5fd
2021-04-23 21:39:17 +00:00
Steven Fitzpatrick
6de864110e Elasticsearch S3 Update
This change updates how the Elasticsearch chart handles
S3 configuration and snapshot repository registration.

This allows for
  - Multiple snapshot destinations to be configured
  - Repositories to use a specific placement target
  - Management of multiple account credentials

Change-Id: I12de918adc5964a4ded46f6f6cd3fa94c7235112
2021-04-06 15:12:34 +00:00
Chris Wedgwood
20cf2db961 [htk] Jobs; put labels only in the template spec
This is an update to address a behavior change introduced with
0ae8f4d21a.

Job labels if empty/unspecified are taken from the template.  If (any)
labels are specified on the job we do not get this behavior.

Specifically if we *apply*:

    apiVersion: batch/v1
    kind: Job
    metadata:
      # no "labels:" here
      name: placement-db-init
      namespace: openstack
    spec:
      template:
        metadata:
          labels:
            application: placement
            component: db-init
            release_group: placement
        spec:
          containers:
          # do stuffs

then *query* we see:

    apiVersion: batch/v1
    kind: Job
    metadata:
      # k8s did this for us!
      labels:
        application: placement
        component: db-init
        job-name: placement-db-init
        release_group: placement
      name: placement-db-init
      namespace: openstack
    spec:
      template:
        metadata:
          labels:
            application: placement
            component: db-init
            release_group: placement
        spec:
          containers:
          # do stuffs

The aforementioned change causes objects we apply and query to look
like:

    apiVersion: batch/v1
    kind: Job
    metadata:
      # k8s did this for us!
      labels:
        application: placement
        # nothing else!
      name: placement-db-init
      namespace: openstack
    spec:
      template:
        metadata:
          labels:
            application: placement
            component: db-init
            release_group: placement
        spec:
          containers:
          # do stuffs

Current users rely on this behavior and deployment systems use job
labels for synchronization, those labels being only specified in the
template and propagating to the job.

This change preserves functionality added recently and restores the
previous behavior.

The explicit "application" label is no longer needed as the
helm-toolkit.snippets.kubernetes_metadata_labels macro provides it.

Change-Id: I1582d008217b8848103579b826fae065c538aaf0
2021-04-02 16:54:03 -05:00
Gupta, Sangeet (sg774j)
f4ce1c8681 HTK: Override the expiry of Ingress TLS certificate
v1.2.0 of cert-manager now supports overriding the default value
of ingress certificate expiry via annotations. This PS adds the
required annotation.

Change-Id: Ic81e47f24d4e488eb4fc09688c36a6cea324e9e2
2021-03-25 22:18:57 +00:00
okozachenko
0ae8f4d21a Add metadata in job templates
- Add application label using service name
- Add before-hook-creation delete policy as a default
  (It is a default one in helmv3)
- Add custom metadata by passing params

Change-Id: Ie09f8491800031b9ff051a63feb3e018cb283342
2021-03-01 17:31:21 +02:00
Nafiz Haider
6ee06562c8 Re-enable "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit 8a79d7c51b.

Reason for revert: resolved bug with cluster issuer versioning

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I047cbfaa5aa9e7285a23e603074429180495557d
2021-02-24 20:50:24 +00:00
Travis Neely
8a79d7c51b Revert "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit f60c94fc16.

Reason for revert: This introduced a bug:
https://cert-manager.io/docs/installation/upgrading/upgrading-0.15-0.16/#issue-with-older-versions-of-kubectl

Older versions of kubectl will have issues with the nested CRDs.

Change-Id: I322fc1382fe3d0a4517e4c7c5982ea50a721a1f7
2021-01-27 16:59:01 -06:00
sgupta
f60c94fc16 feat(tls): Change Issuer to ClusterIssuer
ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, same
ClusterIssuer can be used instead of one Issuer per namespace.

Change-Id: I1576f486f30d693c4bc6b15e25c238d8004b4568
2021-01-15 18:46:09 +00:00
jh629g
67618474ce Update default Kubernetes API for use with Helm v3
Updated Kubernetes api from extensions/v1beta1 to
networking.k8s.io/v1beta1 per docs[0] for kubernetes
1.16 deprecations as helm v3 linting will fail
when it parses extensions/v1beta1 seen here[1]

[0] https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
[1] https://zuul.opendev.org/t/openstack/build/82f92508fb31418aa377f91d62e0d42e

Change-Id: I0439272587a2afbccc4d7c49ef6ad053c8b305e7
2021-01-05 16:43:38 +00:00
okozachenko
63b7a0cd0f Update ingress tpl in helmtoolkit
- Check issuer type to distinguish the annotation between
clusterissuer and issuer
- Add one more annotation "certmanager.k8s.io/xx" for old version

Change-Id: I320c1fe894c84ac38a2878af33e41706fb067422
2020-10-28 07:06:51 +00:00
Phil Sphicas
f7ed96c701 Add extra DNS names to Ingress (helm-toolkit 0.1.1)
The existing helm-toolkit function "helm-toolkit.manifests.ingress"
will create namespace-fqdn and cluster-fqdn Ingress objects when the
host_fqdn_override parameter is used, but only for a single hostname.

This change allows additional FQDNs to be associated with the same
Ingress, including the names defined in the list:

    endpoints.$service.host_fqdn_override.$endpoint.tls.dnsNames

For example:

    endpoints:
      grafana:
        host_fqdn_override:
          public:
            host: grafana.openstackhelm.example
            tls:
              dnsNames:
                - grafana-alt.openstackhelm.example

Will produce the following:

      spec:
        tls:
          - secretName: grafana-tls-public
            hosts:
              - grafana.openstackhelm.example
              - grafana-alt.openstackhelm.example
        rules:
          - host: grafana.openstackhelm.example
            http:
              # ...
          - host: grafana-alt.openstackhelm.example
            http:
              # ...

Change-Id: I9b068f10d25923bf61220112da98d6fbfdf7ef8a
2020-09-24 23:16:32 +00:00
Oleh Hryhorov
19ade859c2 Un-hardcode restartPolicy for ks-* jobs
The patch makes it possible to pass restartPolicy for jobs
which create different keystone resources.
However default behaviour is still the same and if restartPolicy
is undefined then it will be OnFailure as it was before.

Change-Id: I0e355cfd6947db72f77d76a0f6696e9bcef175e9
2020-08-25 08:36:27 +03:00
Gupta, Sangeet (sg774j)
fef64e266e HTK: Change formatting of TLS Secret
Changed TLS secret to include CA in tls.crt if present

Change-Id: Ieb3e182f48823e6b25ec427900b372b72f9a3b1e
2020-07-21 17:12:18 +00:00
sgupta
6e13d74c87 feat(tls): add tls to mariadb chart
This patch set makes changes for mariadb certs to be used
by all users when connecting to MariaDB.

Change-Id: Id38c9fb0b18dd8ba164a69f179d940192efc3247
2020-07-14 19:32:57 +00:00
Gage Hugo
c86526cfbc feat(tls): add tls to mariadb chart
This patch set provides capability to enable TLS termination for the
MariaDB chart. This will be used by the follow on patches in OSH
services patches.

Co-authored-by: Tin Lam <tin@irrational.io>
Co-authored-by: sgupta <sg774j@att.com>
Change-Id: I5ebc8db58c0aa7b4e9eb0b5c671b280250d3cd1f
2020-07-13 19:30:34 +00:00
Andrii Ostapenko
824f168efc Undo octal-values restriction together with corresponding code
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.

Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.

Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-07 15:42:53 +00:00
Tin Lam
7cb3ef69ae feat(tls): add tls support to helm-toolkit
This patch set:

- allows options in the bootstrap job to load the proper TLS secret into
  the  proper envvar so the openstack client can connect properly to
  perform bootstrap;
- adds in certificates to make rally work properly with TLS endpoints;
- adds methods to handle TLS secret volume and volumeMount;
- updates ingress to handle secure backends.

Change-Id: I322cda393f18bfeed0b9f8b1827d101f60d6bdeb
Signed-off-by: Tin Lam <tin@irrational.io>
2020-06-26 00:32:57 +00:00
Andrii Ostapenko
83e27e600c Enable key-duplicates and octal-values yamllint checks
With corresponding code changes.

Change-Id: I11cde8971b3effbb6eb2b69a7d31ecf12140434e
2020-06-17 13:14:30 -05:00
Tin Lam
03a5ae7210 feat(tls): add certificate tooling
This patch set adds in a manifest method in helm toolkit to generate
certificates and places them into a secret.

Change-Id: I50300afb0fc0ab92169ad9dd9ba66a56454fbc46
Signed-off-by: Tin Lam <tin@irrational.io>
2020-06-02 16:31:08 +00:00
Gage Hugo
d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00
Kabanov, Dmitrii
13f54b0e03 [Ceph] Add msgr1 port for ceph-provisioners
Change-Id: Ifa9b44074d927006f47dfcc449361cf3f6aa9413
2020-03-27 08:28:58 -07:00
Chinasubbareddy Mallavarapu
7425e3e5c0 [CEPH] update all ceph daemons startup scripts to support msgr2
This is to update all ceph daemons startup scripts as per msgr2 protocol and
also to update v2 port for mon_host config.
This also removes setting mon_addr config since we already have mon_host config.

v1 default port: 6789
V2 default port: 3300

Change-Id: I3d95edbd89f5ac8b40a34f41c1099311cee4f875
2020-03-04 23:22:02 -06:00
Chris Wedgwood
578511cd39 [htk] Increase job default backoffLimit to 1000
Sometimes jobs fail, the default of 6 retries is far too brief to get
logs (which are purged after the final failure); as we need the jobs
to succeed always, having a much higher default here seems prudent.

Change-Id: I7f20a3eb9a98669ae4af657d36a776830b82dfca
2020-01-30 19:52:54 +00:00
Tin Lam
3121fc24c5 Update egress HTK method
This patch set places logic to generate kubernetes egress network policy
rule based on the dependencies specified in values.yaml. This also sets
up the necessary default network policy for the OSH gate.

Change-Id: I1ac649cc9debb5d1f4ea0a32f506dcda4d8b8536
Signed-off-by: Tin Lam <tin@irrational.io>
2019-11-21 20:05:34 +00:00
Steve Wilkerson
74f3eb5824 Ingress: Move ingress objects back to the extensions api
This updates the ingress objects to move them back to the
extensions API.  While 1.16 moves them under the networking
api, they're still rendered and deployed as extensions/ objects.
This move prevents issues from arising where older versions of
kubernetes might still be deployed during an upgrade, as the
move to the networking API is nonfunctional at this time

Change-Id: I814bbc833b5b9f79f34aefc60b9c1f9890bca826
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-28 21:31:06 +00:00
Zuul
a0315caffa Merge "Update Kubernetes version to 1.16.2" 2019-10-17 16:21:23 +00:00