From e75f443f0530e1e20ea8dba2daec94bffb27d0da Mon Sep 17 00:00:00 2001 From: portdirect Date: Thu, 28 Dec 2017 20:35:24 -0500 Subject: [PATCH] Gnocchi: many chart fixes This PS fixes ceph pool creation and secret management, RBAC and Image naming conventions for the Gnocchi chart. Change-Id: I8ad569f9420e3575d6c26c5933f23048096161f5 --- ceph/templates/templates/_admin.keyring.tpl | 1 + gnocchi/templates/bin/_clean-secrets.sh.tpl | 24 +++++ gnocchi/templates/bin/_storage-init.sh.tpl | 4 +- gnocchi/templates/configmap-bin.yaml | 2 + gnocchi/templates/daemonset-metricd.yaml | 4 +- gnocchi/templates/daemonset-statsd.yaml | 4 +- gnocchi/templates/deployment-api.yaml | 4 +- gnocchi/templates/job-clean.yaml | 99 +++++++++++++++++++ ...db-init-keystone.yaml => job-db-init.yaml} | 12 +-- gnocchi/templates/job-db-sync.yaml | 4 +- gnocchi/templates/job-storage-init.yaml | 8 +- gnocchi/templates/pod-gnocchi-test.yaml | 35 ++----- gnocchi/values.yaml | 33 ++++--- 13 files changed, 173 insertions(+), 61 deletions(-) create mode 100644 gnocchi/templates/bin/_clean-secrets.sh.tpl create mode 100644 gnocchi/templates/job-clean.yaml rename gnocchi/templates/{job-db-init-keystone.yaml => job-db-init.yaml} (86%) diff --git a/ceph/templates/templates/_admin.keyring.tpl b/ceph/templates/templates/_admin.keyring.tpl index 7c5de607b6..e012ebe858 100644 --- a/ceph/templates/templates/_admin.keyring.tpl +++ b/ceph/templates/templates/_admin.keyring.tpl @@ -4,3 +4,4 @@ caps mds = "allow" caps mon = "allow *" caps osd = "allow *" + caps mgr = "allow *" diff --git a/gnocchi/templates/bin/_clean-secrets.sh.tpl b/gnocchi/templates/bin/_clean-secrets.sh.tpl new file mode 100644 index 0000000000..d133adb517 --- /dev/null +++ b/gnocchi/templates/bin/_clean-secrets.sh.tpl 
@@ -0,0 +1,24 @@ +#!/bin/bash + +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex + +exec kubectl delete secret \ + --namespace ${NAMESPACE} \ + --ignore-not-found=true \ + ${RBD_POOL_SECRET} diff --git a/gnocchi/templates/bin/_storage-init.sh.tpl b/gnocchi/templates/bin/_storage-init.sh.tpl index 975ea7f232..ec40b867c9 100644 --- a/gnocchi/templates/bin/_storage-init.sh.tpl +++ b/gnocchi/templates/bin/_storage-init.sh.tpl @@ -28,8 +28,9 @@ set -ex ceph -s function ensure_pool () { ceph osd pool stats $1 || ceph osd pool create $1 $2 + ceph osd pool application enable $1 $3 } -ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} +ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "gnocchi-metrics" if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/') @@ -39,6 +40,7 @@ else ceph auth get-or-create client.${RBD_POOL_USER} \ mon "allow *" \ osd "allow *" \ + mgr "allow *" \ -o ${KEYRING} fi diff --git a/gnocchi/templates/configmap-bin.yaml b/gnocchi/templates/configmap-bin.yaml index a9ab8260dd..7600f1ff01 100644 --- a/gnocchi/templates/configmap-bin.yaml +++ b/gnocchi/templates/configmap-bin.yaml 
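Review bot: `${NAMESPACE}` and `${RBD_POOL_SECRET}` are expanded unquoted in the `kubectl delete secret` call of `_clean-secrets.sh.tpl`, so a value containing whitespace is split into several secret names and an empty value leaves the command without a name. Quoting both and failing early on an unset name keeps the pre-delete job limited to the one secret it is meant to remove: add `: "${RBD_POOL_SECRET:?}"` before the `exec`, then pass `--namespace "${NAMESPACE}" \` and `"${RBD_POOL_SECRET}"`.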
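Review bot: The `KEYSTR=$(echo $USERINFO | sed ...)` context line at the end of the first `_storage-init.sh.tpl` hunk captures everything between ` key = ` and ` caps mon`, and the next hunk gives the client an mgr cap. If `ceph auth get` prints `caps mgr` ahead of `caps mon`, KEYSTR on a re-run would carry the cap text along with the key. Anchoring the capture to the key token, e.g. `sed 's/.*\( key = [^ ]*\).*/\1/'`, removes the dependence on cap order. The same lines run under `set -ex`, so xtrace writes the keyring text into the job log; a `set +x` before the `if` and a `set -x` after the `fi` would keep it out. The if/else block continues past this hunk.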
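Review bot: The added `mgr "allow *"` in the second `_storage-init.sh.tpl` hunk sits next to `mon "allow *"` and `osd "allow *"`, so the dedicated `client.${RBD_POOL_USER}` ends up with cluster-wide capabilities comparable to the admin key it replaces in values.yaml. Scoping the grant to what the metrics pool needs keeps the new user meaningful as a boundary, for example `mon "allow r" \` and `osd "allow rwx pool=${RBD_POOL_NAME}" \`, with the mgr cap dropped or narrowed if Gnocchi works without it (needs confirming against the Ceph storage driver). The `if`/`else` this call belongs to starts before the hunk.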
@@ -24,6 +24,8 @@ metadata: data: storage-init.sh: |+ {{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + clean-secrets.sh: |+ +{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} db-init.sh: |+ {{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} db-init.py: |+ diff --git a/gnocchi/templates/daemonset-metricd.yaml b/gnocchi/templates/daemonset-metricd.yaml index f85137ac99..a71d206430 100644 --- a/gnocchi/templates/daemonset-metricd.yaml +++ b/gnocchi/templates/daemonset-metricd.yaml @@ -44,7 +44,7 @@ spec: initContainers: {{ tuple $envAll $dependencies $mounts_gnocchi_metricd_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - /tmp/ceph-keyring.sh @@ -61,7 +61,7 @@ spec: readOnly: true containers: - name: gnocchi-metricd - image: {{ .Values.images.tags.metricd }} + image: {{ .Values.images.tags.gnocchi_metricd }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.metricd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: diff --git a/gnocchi/templates/daemonset-statsd.yaml b/gnocchi/templates/daemonset-statsd.yaml index 791b3e0363..167ffcd3ce 100644 --- a/gnocchi/templates/daemonset-statsd.yaml +++ b/gnocchi/templates/daemonset-statsd.yaml @@ -43,7 +43,7 @@ spec: initContainers: {{ tuple $envAll $dependencies $mounts_gnocchi_statsd_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - /tmp/ceph-keyring.sh 
@@ -60,7 +60,7 @@ spec: readOnly: true containers: - name: gnocchi-statsd - image: {{ .Values.images.tags.statsd }} + image: {{ .Values.images.tags.gnocchi_statsd }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.statsd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: diff --git a/gnocchi/templates/deployment-api.yaml b/gnocchi/templates/deployment-api.yaml index 1179091a8e..b20fcc786d 100644 --- a/gnocchi/templates/deployment-api.yaml +++ b/gnocchi/templates/deployment-api.yaml @@ -48,7 +48,7 @@ spec: initContainers: {{ tuple $envAll $dependencies $mounts_gnocchi_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - /tmp/ceph-keyring.sh @@ -65,7 +65,7 @@ spec: readOnly: true containers: - name: gnocchi-api - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: diff --git a/gnocchi/templates/job-clean.yaml b/gnocchi/templates/job-clean.yaml new file mode 100644 index 0000000000..c50d6f6bb8 --- /dev/null +++ b/gnocchi/templates/job-clean.yaml 
@@ -0,0 +1,99 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_clean }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.clean }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print "gnocchi-clean-" $randStringSuffix }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ print "gnocchi-clean-" $randStringSuffix }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "gnocchi" "clean" | include
"helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ initContainers:
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: gnocchi-rbd-secret-clean
+ image: {{ .Values.images.tags.gnocchi_storage_init }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.clean | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RBD_POOL_SECRET
+ value: {{ .Values.secrets.rbd | quote }}
+ command:
+ - /tmp/clean-secrets.sh
+ volumeMounts:
+ - name: gnocchi-bin
+ mountPath: /tmp/clean-secrets.sh
+ subPath: clean-secrets.sh
+ readOnly: true
+ volumes:
+ - name: gnocchi-bin
+ configMap:
+ name: gnocchi-bin
+ defaultMode: 0555
+{{- end }}
diff --git a/gnocchi/templates/job-db-init-keystone.yaml b/gnocchi/templates/job-db-init.yaml
similarity index 86%
rename from gnocchi/templates/job-db-init-keystone.yaml
rename to gnocchi/templates/job-db-init.yaml
index cc041be362..87d65c3110 100644
--- a/gnocchi/templates/job-db-init-keystone.yaml
+++ b/gnocchi/templates/job-db-init.yaml
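Review bot: The Role's `secrets` rule in `job-clean.yaml` grants `get` and `delete` on every secret in the release namespace, although the job only removes the one named by `.Values.secrets.rbd`. Adding `resourceNames:` with the single entry `- {{ .Values.secrets.rbd | quote }}` under that rule limits the hook's service account to that secret. The ServiceAccount itself is rendered by the helm-toolkit snippet, which is not visible here, so it is worth confirming that it exists when the pre-delete hook runs and is cleaned up afterwards like the Role and RoleBinding.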
@@ -14,22 +14,22 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.job_db_init_keystone }} +{{- if .Values.manifests.job_db_init }} {{- $envAll := . }} -{{- $dependencies := .Values.dependencies.db_init_keystone }} +{{- $dependencies := .Values.dependencies.db_init }} -{{- $serviceAccountName := "gnocchi-db-init-keystone" }} +{{- $serviceAccountName := "gnocchi-db-init" }} {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: gnocchi-db-init-keystone + name: gnocchi-db-init spec: template: metadata: labels: -{{ tuple $envAll "gnocchi" "db-init-keystone" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{ tuple $envAll "gnocchi" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure @@ -39,7 +39,7 @@ spec: {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: keystone-db-init - image: {{ .Values.images.tags.db_init_keystone | quote }} + image: {{ .Values.images.tags.db_init | quote }} imagePullPolicy: {{ .Values.images.pull_policy | quote }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: diff --git a/gnocchi/templates/job-db-sync.yaml b/gnocchi/templates/job-db-sync.yaml index 219ec6e6b5..7811799bfe 100644 --- a/gnocchi/templates/job-db-sync.yaml +++ b/gnocchi/templates/job-db-sync.yaml 
@@ -38,7 +38,7 @@ spec: initContainers: {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - /tmp/ceph-keyring.sh @@ -93,5 +93,5 @@ spec: name: ceph-etc - name: ceph-keyring secret: - secretName: pvc-ceph-client-key + secretName: {{ .Values.secrets.rbd | quote }} {{- end }} diff --git a/gnocchi/templates/job-storage-init.yaml b/gnocchi/templates/job-storage-init.yaml index 7dcabb151c..e4744f5800 100644 --- a/gnocchi/templates/job-storage-init.yaml +++ b/gnocchi/templates/job-storage-init.yaml @@ -25,8 +25,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: {{ $serviceAccountName }} - annotations: - "helm.sh/hook": pre-delete rules: - apiGroups: - "" @@ -41,8 +39,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: {{ $serviceAccountName }} - annotations: - "helm.sh/hook": pre-delete roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -69,7 +65,7 @@ spec: initContainers: {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} securityContext: runAsUser: {{ .Values.pod.user.gnocchi.uid }} @@ -88,7 +84,7 @@ spec: readOnly: true containers: - name: gnocchi-storage-init - image: {{ .Values.images.tags.storage_init }} + image: {{ .Values.images.tags.gnocchi_storage_init }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: 
diff --git a/gnocchi/templates/pod-gnocchi-test.yaml b/gnocchi/templates/pod-gnocchi-test.yaml index 5aea8eaba3..4a44230fba 100644 --- a/gnocchi/templates/pod-gnocchi-test.yaml +++ b/gnocchi/templates/pod-gnocchi-test.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.pod_gnocchi_test }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.tests }} + {{- $mounts_gnocchi_tests := .Values.pod.mounts.gnocchi_tests.gnocchi_tests }} {{- $mounts_gnocchi_tests_init := .Values.pod.mounts.gnocchi_tests.init_container }} + +{{- $serviceAccountName := print .Release.Name "-test" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: v1 kind: Pod @@ -27,28 +31,13 @@ metadata: annotations: "helm.sh/hook": test-success spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: Never initContainers: {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }} - - name: ceph-keyring-placement - image: {{ .Values.images.tags.api }} - imagePullPolicy: {{ .Values.images.pull_policy }} - command: - - /tmp/ceph-keyring.sh - volumeMounts: - - name: etcceph - mountPath: /etc/ceph - - name: gnocchi-bin - mountPath: /tmp/ceph-keyring.sh - subPath: ceph-keyring.sh - readOnly: true - - name: ceph-keyring - mountPath: /tmp/client-keyring - subPath: key - readOnly: true containers: - name: {{.Release.Name}}-helm-tests - image: {{ .Values.images.tags.api }} + image: {{ .Values.images.tags.gnocchi_api }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} env: 
@@ -72,10 +61,6 @@ spec: mountPath: /etc/gnocchi/gnocchi.conf subPath: gnocchi.conf readOnly: true - - name: ceph-etc - mountPath: /etc/ceph/ceph.conf - subPath: ceph.conf - readOnly: true - name: gnocchi-bin mountPath: /tmp/gnocchi-test.sh subPath: gnocchi-test.sh @@ -90,13 +75,5 @@ spec: configMap: name: gnocchi-bin defaultMode: 0555 - - name: ceph-etc - configMap: - name: ceph-etc - - name: ceph-keyring - secret: - secretName: pvc-ceph-client-key - - name: etcceph - emptyDir: {} {{ if $mounts_gnocchi_tests.volumes }}{{ toYaml $mounts_gnocchi_tests.volumes | indent 4 }}{{ end }} {{- end }} diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml index 7c0eadbd61..137150dc90 100644 --- a/gnocchi/values.yaml +++ b/gnocchi/values.yaml @@ -9,18 +9,18 @@ labels: images: tags: dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 - storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04 + gnocchi_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04 db_init_indexer: docker.io/postgres:9.5 # using non-kolla images until kolla supports postgres as # an indexer - db_init_keystone: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3 + db_init: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3 db_sync: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3 ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 - api: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3 - statsd: quay.io/attcomdev/ubuntu-source-gnocchi-statsd:3.0.3 - metricd: quay.io/attcomdev/ubuntu-source-gnocchi-metricd:3.0.3 + gnocchi_api: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3 + gnocchi_statsd: quay.io/attcomdev/ubuntu-source-gnocchi-statsd:3.0.3 + gnocchi_metricd: quay.io/attcomdev/ubuntu-source-gnocchi-metricd:3.0.3 pull_policy: "IfNotPresent" network: 
@@ -37,9 +37,11 @@ network: port: 8125 dependencies: + clean: + services: storage_init: services: - db_init_keystone: + db_init: services: - service: oslo_db endpoint: internal @@ -50,7 +52,8 @@ dependencies: endpoint: internal db_sync: jobs: - - gnocchi-db-init-keystone + - gnocchi-storage-init + - gnocchi-db-init - gnocchi-db-init-indexer services: - service: oslo_db_postgresql @@ -190,6 +193,13 @@ pod: memory: "1024Mi" cpu: "2000m" jobs: + clean: + requests: + memory: "124Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" db_init: requests: memory: "124Mi" @@ -313,9 +323,9 @@ conf: max_retries: -1 storage: driver: ceph - ceph_pool: metrics - ceph_username: admin - ceph_keyring: /etc/ceph/ceph.client.admin.keyring + ceph_pool: gnocchi.metrics + ceph_username: gnocchi + ceph_keyring: /etc/ceph/ceph.client.gnocchi.keyring ceph_conffile: /etc/ceph/ceph.conf file_basepath: /var/lib/gnocchi provided_keyring: null @@ -441,8 +451,9 @@ manifests: daemonset_statsd: true deployment_api: true ingress_api: true + job_clean: true job_db_init_indexer: true - job_db_init_keystone: true + job_db_init: true job_db_sync: true job_ks_endpoints: true job_ks_service: true