From cf34a995ac88f63605b4e76e0595ef6251b157a4 Mon Sep 17 00:00:00 2001 From: portdirect Date: Sat, 17 Feb 2018 14:55:13 -0500 Subject: [PATCH] Keystone: break domain management out of generic bootstrap This PS breaks domain management out of the generic bootstrap job. Change-Id: I9d26b58cffee0cd13f75113b2dbdf4eac16a6cf7 --- keystone/templates/bin/_bootstrap.sh.tpl | 5 +- .../templates/bin/_domain-manage-init.sh.tpl | 22 ++++ keystone/templates/bin/_domain-manage.sh.tpl | 22 ++++ keystone/templates/configmap-bin.yaml | 4 + keystone/templates/job-bootstrap.yaml | 2 +- keystone/templates/job-domain-manage.yaml | 117 ++++++++++++++++++ keystone/values.yaml | 20 ++- .../armada/multinode/armada-osh.yaml | 13 +- tools/overrides/releases/newton/kolla.yaml | 14 +-- 9 files changed, 200 insertions(+), 19 deletions(-) create mode 100644 keystone/templates/bin/_domain-manage-init.sh.tpl create mode 100644 keystone/templates/bin/_domain-manage.sh.tpl create mode 100644 keystone/templates/job-domain-manage.yaml diff --git a/keystone/templates/bin/_bootstrap.sh.tpl b/keystone/templates/bin/_bootstrap.sh.tpl index ba021d4ad1..9dc8181e67 100644 --- a/keystone/templates/bin/_bootstrap.sh.tpl +++ b/keystone/templates/bin/_bootstrap.sh.tpl @@ -17,8 +17,5 @@ limitations under the License. */}} set -ex -{{- range $k, $v := .Values.conf.ks_domains }} -openstack --debug domain create --or-show {{ $k }} -keystone-manage domain_config_upload --domain-name {{ $k }} || true -{{- end }} + {{ .Values.bootstrap.script | default "echo 'Not Enabled'" }} diff --git a/keystone/templates/bin/_domain-manage-init.sh.tpl b/keystone/templates/bin/_domain-manage-init.sh.tpl new file mode 100644 index 0000000000..a8b17e992f --- /dev/null +++ b/keystone/templates/bin/_domain-manage-init.sh.tpl 
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- range $k, $v := .Values.conf.ks_domains }}
+openstack --debug domain create --or-show {{ $k }}
+{{- end }}
diff --git a/keystone/templates/bin/_domain-manage.sh.tpl b/keystone/templates/bin/_domain-manage.sh.tpl
new file mode 100644
index 0000000000..01a23ff792
--- /dev/null
+++ b/keystone/templates/bin/_domain-manage.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- range $k, $v := .Values.conf.ks_domains }}
+keystone-manage domain_config_upload --domain-name {{ $k }} || true
+{{- end }}
diff --git a/keystone/templates/configmap-bin.yaml b/keystone/templates/configmap-bin.yaml
index e7be23aa68..0586d49d2f 100644
--- a/keystone/templates/configmap-bin.yaml
+++ b/keystone/templates/configmap-bin.yaml
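Review bot: In `_domain-manage-init.sh.tpl`, `{{ $k }}` is rendered unquoted into `openstack --debug domain create --or-show {{ $k }}`, so a `.Values.conf.ks_domains` key containing whitespace or shell metacharacters would be split or interpreted by bash instead of being passed as one domain name. Rendering it as a single-quoted argument, e.g. `openstack --debug domain create --or-show {{ $k | squote }}`, keeps it one literal word as long as the key itself contains no single quote. The same applies to the `--domain-name {{ $k }}` line in `_domain-manage.sh.tpl`. Separately, `set -ex` together with `--debug` sends verbose client traces to the job log from a container that carries the admin openrc environment, so it is worth confirming what those traces contain or dropping `--debug`.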
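Review bot: In `_domain-manage.sh.tpl`, the `|| true` on `keystone-manage domain_config_upload --domain-name {{ $k }}` lets the job report success even when a domain's configuration was not uploaded, so a domain can be left without its intended identity-backend settings and nothing flags it. The suffix is presumably there to tolerate re-runs where the config is already stored; if so, the failure should at least be made visible, e.g. `keystone-manage domain_config_upload --domain-name {{ $k }} || echo "domain_config_upload failed for {{ $k }}" >&2`. A comment above the loop stating which failure is expected and why it is safe to ignore would also help.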
@@ -41,4 +41,8 @@ data: {{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} fernet-manage.py: | {{ tuple "bin/_fernet-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + domain-manage-init.sh: | +{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + domain-manage.sh: | +{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index d2e375e7e0..852b47dd1d 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -43,7 +43,7 @@ spec: {{ tuple $envAll $dependencies $mounts_keystone_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: keystone-bootstrap - image: {{ .Values.images.tags.keystone_bootstrap }} + image: {{ .Values.images.tags.bootstrap }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml new file mode 100644 index 0000000000..e868a3a5d6 --- /dev/null +++ b/keystone/templates/job-domain-manage.yaml 
@@ -0,0 +1,117 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.job_domain_manage }} +{{- $envAll := . }} +{{- $dependencies := .Values.dependencies.domain_manage }} + +{{- $mounts_keystone_domain_manage := .Values.pod.mounts.keystone_domain_manage.keystone_domain_manage }} +{{- $mounts_keystone_domain_manage_init := .Values.pod.mounts.keystone_domain_manage.init_container }} + +{{- $serviceAccountName := "keystone-domain-manage" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: keystone-domain-manage +spec: + template: + metadata: + labels: +{{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies $mounts_keystone_domain_manage_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: keystone-domain-manage-init + image: {{ .Values.images.tags.bootstrap }} + imagePullPolicy: {{ .Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + 
env: +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + command: + - /tmp/domain-manage-init.sh + volumeMounts: + - name: keystone-bin + mountPath: /tmp/domain-manage-init.sh + subPath: domain-manage-init.sh + readOnly: true + containers: + - name: keystone-domain-manage + image: {{ .Values.images.tags.keystone_domain_manage }} + imagePullPolicy: {{ .Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + command: + - /tmp/domain-manage.sh + volumeMounts: + - name: etckeystonedomains + mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }} + - name: etckeystone + mountPath: /etc/keystone + - name: keystone-bin + mountPath: /tmp/domain-manage.sh + subPath: domain-manage.sh + readOnly: true + - name: keystone-etc + mountPath: /etc/keystone/keystone.conf + subPath: keystone.conf + readOnly: true +{{- range $k, $v := .Values.conf.ks_domains }} + - name: keystone-etc + mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf + subPath: keystone.{{ $k }}.conf + readOnly: true +{{- end }} +{{- if eq .Values.conf.keystone.token.provider "fernet" }} + - name: keystone-fernet-keys + mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }} +{{- end }} + - name: keystone-credential-keys + mountPath: {{ .Values.conf.keystone.credential.key_repository }} +{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: etckeystone + emptyDir: {} + - name: etckeystonedomains + 
emptyDir: {} + - name: keystone-etc + configMap: + name: keystone-etc + defaultMode: 0444 + - name: keystone-bin + configMap: + name: keystone-bin + defaultMode: 0555 +{{- if eq .Values.conf.keystone.token.provider "fernet" }} + - name: keystone-fernet-keys + secret: + secretName: keystone-fernet-keys +{{- end }} + - name: keystone-credential-keys + secret: + secretName: keystone-credential-keys +{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }} +{{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 107a16807e..c6f4b49179 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -25,7 +25,7 @@ release_group: null images: tags: - keystone_bootstrap: docker.io/openstackhelm/heat:newton + bootstrap: docker.io/openstackhelm/heat:newton test: docker.io/kolla/ubuntu-source-rally:4.0.0 db_init: docker.io/openstackhelm/heat:newton keystone_db_sync: docker.io/openstackhelm/keystone:newton @@ -36,6 +36,7 @@ images: keystone_credential_setup: docker.io/openstackhelm/keystone:newton keystone_credential_rotate: docker.io/openstackhelm/keystone:newton keystone_api: docker.io/openstackhelm/keystone:newton + keystone_domain_manage: docker.io/openstackhelm/keystone:newton dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: "IfNotPresent" @@ -112,6 +113,12 @@ dependencies: services: - service: identity endpoint: internal + jobs: + - keystone-domain-manage + domain_manage: + services: + - service: identity + endpoint: internal pod: affinity: @@ -148,6 +155,9 @@ pod: keystone_credential_rotate: init_container: null keystone_credential_rotate: + keystone_domain_manage: + init_container: null + keystone_domain_manage: replicas: api: 1 lifecycle: @@ -181,6 +191,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + domain_manage: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" db_init: requests: memory: "128Mi" 
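Review bot: In `job-domain-manage.yaml`, the `keystone-domain-manage` container receives the admin openrc environment through `helm-toolkit.snippets.keystone_openrc_env_vars`, although `domain-manage.sh` only calls `keystone-manage`, which presumably works from the mounted `keystone.conf` rather than the API. If that holds, the `env:` block on that container can be dropped so the admin password is exposed only to the init container that runs the `openstack` client. The `keystone-fernet-keys` and `keystone-credential-keys` mounts also lack the `readOnly: true` that the ConfigMap-backed mounts carry. Adding it, and confirming the upload step needs both key repositories at all, would keep key exposure in this job to a minimum.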
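Review bot: In `keystone/values.yaml`, the new `keystone_domain_manage: docker.io/openstackhelm/keystone:newton` entry references a mutable tag, and with `pull_policy: "IfNotPresent"` nodes can keep running whatever build they cached under that name. The pod this image runs in mounts the fernet and credential key secrets, so it is a good candidate for a digest-pinned reference of the form `docker.io/openstackhelm/keystone@sha256:<digest>` in deployment overrides. The other tags in this block follow the same pattern, so a comment above `tags:` noting that production overrides should pin by digest would cover them all.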
@@ -807,6 +824,7 @@ manifests: job_db_init: true job_db_sync: true job_db_drop: false + job_domain_manage: true job_fernet_setup: true pdb_api: true pod_rally_test: true diff --git a/tools/deployment/armada/multinode/armada-osh.yaml b/tools/deployment/armada/multinode/armada-osh.yaml index a1fa2413d0..fc06a91b2b 100644 --- a/tools/deployment/armada/multinode/armada-osh.yaml +++ b/tools/deployment/armada/multinode/armada-osh.yaml @@ -242,21 +242,22 @@ data: labels: application: keystone component: credential-setup - - name: keystone-db-init - type: job + - type: job labels: application: keystone component: db-init - - name: keystone-db-sync - type: job + - type: job labels: application: keystone component: db-sync - - name: keystone-fernet-setup - type: job + - type: job labels: application: keystone component: fernet-setup + - type: job + labels: + application: keystone + component: domain-manage values: endpoints: identity: diff --git a/tools/overrides/releases/newton/kolla.yaml b/tools/overrides/releases/newton/kolla.yaml index 345981b332..da99ceb489 100644 --- a/tools/overrides/releases/newton/kolla.yaml +++ b/tools/overrides/releases/newton/kolla.yaml 
@@ -35,11 +35,17 @@ images: heat_engine: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3' horizon: 'docker.io/kolla/ubuntu-source-horizon:ocata' horizon_db_sync: 'docker.io/kolla/ubuntu-source-horizon:ocata' + ironic_api: 'docker.io/kolla/ubuntu-source-ironic-api:3.0.3' + ironic_bootstrap: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3' + ironic_conductor: 'docker.io/kolla/ubuntu-source-ironic-conductor:3.0.3' + ironic_db_sync: 'docker.io/kolla/ubuntu-source-ironic-api:3.0.3' + ironic_pxe: 'docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3' + ironic_pxe_init: 'docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3' keystone_api: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' - keystone_bootstrap: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_credential_rotate: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_credential_setup: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_db_sync: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' + keystone_domain_manage: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_fernet_rotate: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_fernet_setup: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' ks_endpoints: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3' @@ -74,12 +80,6 @@ images: senlin_db_sync: 'docker.io/kolla/ubuntu-source-senlin-api:3.0.3' senlin_engine: 'docker.io/kolla/ubuntu-source-senlin-engine:3.0.3' test: 'docker.io/kolla/ubuntu-source-rally:4.0.0' - ironic_bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 - ironic_db_sync: docker.io/kolla/ubuntu-source-ironic-api:3.0.3 - ironic_api: docker.io/kolla/ubuntu-source-ironic-api:3.0.3 - ironic_conductor: docker.io/kolla/ubuntu-source-ironic-conductor:3.0.3 - ironic_pxe: docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3 - ironic_pxe_init: docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3 pod: user: barbican: