254 Commits

Author SHA1 Message Date
Tin Lam
2ec17153c6 Revert "feat(tls): Change Issuer to ClusterIssuer"
This reverts commit 43e75eaa83cc6958fa0a6af55783cbe2645cfde7.

Reason for revert: Doing this as part of the revert here - https://review.opendev.org/c/openstack/openstack-helm-infra/+/772733

Change-Id: I9c04a35c179d23ec1b7612b4f87d9d16352985cc
2021-01-27 17:09:42 -06:00
sgupta
43e75eaa83 feat(tls): Change Issuer to ClusterIssuer
ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, same
ClusterIssuer can be used instead of one Issuer per namespace.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359

Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
2021-01-19 13:47:09 +00:00
Haider, Nafiz (nh532m)
68f0791f56 [HEAT] Remove tls override for clients_heat
Enable public endpoint for Heat Client for WaitCondition Functionality
by removing tls override for clients_heat section in heat.conf

Change-Id: I94e339a01e6dd4f82d4348805f02676190082a5d
2020-10-07 21:04:32 +00:00
Andrii Ostapenko
20b6b9a236
Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: If537f69dec7e3360f6bffcc4424f10c248919ece
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-24 12:20:13 -05:00
Zuul
28669f8854 Merge "Sync logging values with upstream repos" 2020-09-17 04:08:40 +00:00
Mohammed Naser
89969ade3a Add chart-testing linter
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.

Change-Id: I7e4b191fb9e355ab5d5a233e8ed121346519df62
2020-09-16 21:12:17 +03:00
okozachenko
a8fc28696d Sync logging values with upstream repos
Some OSH charts have diffferent values for logger_root
handler from upsgream repo config defaul values.
Exactly, logger_root handler values.
This leads double logging finally.
To fix this, set logger_root as null like upstream repos.

Change-Id: I20e4f48efe29ae59c56f74e0ed9a4085283de6ad
2020-09-15 19:15:05 +03:00
Andrii Ostapenko
e5d600fdee [tls] Add missing mysql certs to heat-purge-deleted cj
Change-Id: Id434ddcb28f10a5d95550236a892676626c14123
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-10 02:04:51 +00:00
Gage Hugo
44882d60e2 Update xrally version to 2.0.0
This change updates the xrally image from 1.3.0 to 2.0.0
in order to better match the current versions of openstack
we are running in the gate.

Change-Id: I3f417a20e0f6d34b9e7ed569207a3df90c6ddfd2
2020-07-31 20:00:24 +00:00
Gupta, Sangeet (sg774j)
7b720184e3 feat(tls): Make openstack services compatible with mariadb with TLS
Change database scerets.

Change-Id: I068dfcb23d596d4b9bcde1944fb4def010490452
2020-07-24 23:02:09 +00:00
Zuul
eafe48a136 Merge "Add missing security context to Heat pods/containers" 2020-07-17 16:18:05 +00:00
DODDA, PRATEEK REDDY (PD2839)
2e752d180a Add missing security context to Heat pods/containers
This updates the heat chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: I7ba17382059dfc23ab125a49b2b302166915c350
2020-07-17 06:01:39 +00:00
sgupta
702c17eb78 feat(tls): Make openstack services compatible with mariadb with TLS
Depends-on: https://review.opendev.org/#/c/741037/
Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410
2020-07-14 23:32:03 +00:00
Andrii Ostapenko
44d263b2bf Enable templates linting
- braces
- brackets
- colons
- commas
- comments
- hyphens
- indentation
- key-duplicates

with corresponding code changes.

Also disable enforcement for document-(start|end) rules and
disables warnings to increase readability.

* Unrestrict octal values rule since benefits of file modes readability
  exceed possible issues with yaml 1.2 adoption in future k8s versions.
  These issues will be addressed when/if they occur.

Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-11 00:52:51 +00:00
Tin Lam
918a307427 feat(tls): add tls support to openstack services
This patch set enables TLS for the following OpenStack services: keystone,
horizon, glance, cinder, heat, nova, placement and neutron for s- (stein)
and t- (train) release. This serves as a consolidation and clean up patch
for the following patches:

[0] https://review.opendev.org/#/c/733291
[1] https://review.opendev.org/#/c/735202
[2] https://review.opendev.org/#/c/733962
[3] https://review.opendev.org/#/c/733404
[4] https://review.opendev.org/#/c/734896

This also addresses comments mentioned in previous patches.

Co-authored-by: Gage Hugo <gagehugo@gmail.com>
Co-authored-by: sgupta <sg774j@att.com>

Depends-on: https://review.opendev.org/#/c/737194/

Change-Id: Id34ace54298660b4b151522916e929a29f5731be
Signed-off-by: Tin Lam <tin@irrational.io>
2020-07-10 09:36:31 -05:00
diwakar thyagaraj
0d536c5ef5 Fix Apparmor for Heat cron Job pods.
Change-Id: I7495cc0b4422615ac9527f8f6087145fc3c36c6a
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-06-02 20:21:46 +00:00
Zuul
6db57c36de Merge "fix(yaml): correct bad annotations" 2020-06-02 18:05:34 +00:00
Andrii Ostapenko
8cfa2aa390 Enable yamllint checks
- brackets
- braces
- colon
- commas
- comments
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- new-line-at-end-of-file
- new-lines
- octal-values
- trailing-spaces

with corresponding code adjustment.

Also add yamllint.conf under the check.

Change-Id: Ie6251c9063c9c99ebe7c6db54c65d45d6ee7a1d4
2020-05-27 19:16:34 -05:00
Tin Lam
d239c70152 fix(yaml): correct bad annotations
In a recent apparmor security patch [0], additional annotations were
added to the cronjobs that were incorrectly indented. While helm v2
seems fairly tolerant and ignores these errors, running this usig helm
v3 seems to cause rendering problems as we are placing incorrect key
and value pair into the spec: field. This patch set corrects this.

[0] https://review.opendev.org/#/c/725727/8

Change-Id: I9aae94bc0a68318b2c16fedbc973f7a0a2a3729e
Signed-off-by: Tin Lam <tin@irrational.io>
2020-05-26 11:18:59 +00:00
diwakar thyagaraj
a61050c2b3 Enable Apparmor to init containers for Heat Components
Also added Ingress apparmor Fix.

Change-Id: I6f4a1e6778b16c855072c0d6583e61af86f252a6
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-05-07 08:30:28 -05:00
Gage Hugo
db79e79788 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
2020-04-03 20:53:32 +00:00
sg774j
f76a3f5e0a Heat: Add ingress network policy overrides
This patch set adds in default heat ingress overrides.

Change-Id: I4e1f2b6687a05f2bf3ca91c941c2cf11abe68f07
2020-03-19 09:08:14 +00:00
dt241s@att.com
bcb6f71894 Enable Apparmor to Heat Components
Change-Id: I706b7503520b80bf5a4f0f34cb1be3298e2ad4ca
2020-03-02 22:59:19 +00:00
Tin Lam
2aa32665b4 Add train release support
This patch set adds in job to test the OpenStack train releases.

Depends-On: https://review.opendev.org/#/c/706456/
Change-Id: I89fef1264f68dab7e921a9e5503c29d6a051f342
Signed-off-by: Tin Lam <tin@irrational.io>
2020-02-28 20:19:58 +00:00
Gage Hugo
f9dbba7043 Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set""
This reverts commit 90d070390db08abf9da42a2bac54397112bbcd48.

Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f
2020-02-21 11:16:55 -06:00
Vasyl Saienko
90d070390d Revert "Keystone Authtoken Cache: allow universal secret key to be set"
This reverts commit 1c85fdc390e05eb578874e77fad9d4ec942da791.

Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also previous behaviour didn't allow to use cache during rolling upgrade
as new pods were spawned with new key.

Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
2020-02-12 11:18:06 +00:00
Tin Lam
12bee1bb97 Migrate default release to Stein
This patch set updates the default job to use OpenStack Stein release.
The previously default Ocata release will be place in separate job.

Change-Id: I489324f762a179a2cab5499a6d8e57e97c81297f
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-09 10:00:31 -06:00
Tin Lam
5057052c70 Fix feature gate envvar overriding
Currently using envsubst to perform substitution of value overrides in
the feature gate caused conflicts as gotpl gets templated into those
overrides. This adds in '%%%REPLACE_${var}%%%' and uses sed to perform
the substitution instead to address the issue.

This is to achieve parity with OSH-infra patch in [0].

[0] https://review.opendev.org/#/c/697749/

Depends-On: https://review.opendev.org/#/c/697749

Change-Id: I3ed504c65900e7b84728019f3acdf706a40c0427
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
2019-12-17 09:49:38 +00:00
Tin Lam
a25eccb7cb Implements egress network policy
This patch set adds in the egress policy for core OpenStack Services.

Depends-On: https://review.opendev.org/#/c/679853/

Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
2019-11-22 01:16:49 +00:00
Steve Wilkerson
9736f5f544 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy

Depends-On: https://review.opendev.org/688435

Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-21 13:58:22 +00:00
Gage Hugo
c3e085b800 Add network policy nonvoting checks
This change adds two network policy zuul checks, one for the compute-kit,
and one for cinder/ceph, to test network policy for each OpenStack
service. These checks will be non-voting initially.

The network policy rules for each service will initially allow all
traffic. These ingress/egress rules will be defined in future changes
to only explicitly allow traffic between services that are explicitly
allowed to communicate, other traffic will be denied.

Depends-On: https://review.opendev.org/#/c/685130/

Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
2019-09-26 11:57:15 -05:00
Pavlo Shchelokovskyy
688ded096d Depend on identity service in heat boostrap job
this job is actually trying to create a role in Keystone,
and thus needs it running to complete.
Without such dependency depending on cluster performance it may fail
by exhausting retry attempts.

Also depend on this bootstrap job in all Heat services so that they
are actually able to work and create arbitrary stacks once finished deploying.

Change-Id: I94ce96591b1f02d64d15c38686e9bc8bae31ddbb
2019-09-03 11:23:07 +03:00
Pete Birley
59a017d834 RabbitMQ: Dont mirror reply queues
This PS updates the default RMQ policy to not mirror reply queues
as they cause signifigant blocking when resorting a rabbit node to
a cluster, with no advantage.

Change-Id: I6f8d4eaa482fcdf3e877bd38caa9b24358ea5be0
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-30 09:54:16 -05:00
Pete Birley
74e4474ec6 OpenStack: Check Stein release on Ubuntu Bionic
This PS adds checks for the Stein Release of OpenStack in Ubuntu Bionic
containers.

Depends-On: https://review.opendev.org/667726

Change-Id: Icfad3434ca496a841993b95adaf5d853728d920f
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-03 00:26:30 +00:00
Pete Birley
e5f8fcf728 Container Distro: Add checks for OS (rocky) in Ubuntu Bionic
This PS adds checks for running the Rocky release of Openstack under
Python3 in Ubuntu Bionic containers.

Change-Id: I269cef9f8f157e22f6b857822df9a8960dac6ea8
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-26 10:36:26 -05:00
Pete Birley
6606c8bc2e OpenStack: Check Rocky release on Ubuntu Xenial
This PS adds checks for the Rocky Release of OpenStack in Ubuntu Xenial
containers.

Change-Id: Ieed4a6a3afa6e3ebd9b2f72ba227aac891d65214
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-25 21:14:28 +00:00
Pete Birley
ffb24e337c OpenStack: Check Queens release on Ubuntu Xenial
This PS adds checks for the Queens Release of OpenStack in Ubuntu Xenial
containers.

Change-Id: I0d4d427e43f06fa955dfd275859939d0adca113c
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-25 21:10:26 +00:00
Pete Birley
184b3e4326 OpenStack: Check Pike release on Ubuntu Xenial
This PS adds checks for the Pike Release of OpenStack in Ubuntu Xenial
containers.

Change-Id: I402584bbcdd53a4a6bc21f370586b3498142bf81
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-22 11:20:55 +00:00
Pete Birley
9bcf0df94c Messaging: use htk function to directly hit RabbitMQ servers
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.

Depends-On: I5150a64bd29fa062e30496c1f2127de138322863

Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-18 21:47:45 +00:00
Zuul
cd460f12c2 Merge "Rafactoring volume mount variables in db sync job" 2019-06-18 18:24:18 +00:00
Pete Birley
d0b135cd77 AMPQ: update ha policy regex
Change-Id: I2f023c2e41a52b5753cdb77e93c9e876bc60a87d
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-11 12:17:22 -05:00
Gage Hugo
976cab856c Create separate users for helm test
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.

This change makes it so that each service defines its own test user
in the form of [service]-test.

Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
2019-06-03 11:26:18 -05:00
John Haan
0ea9be7ade Rafactoring volume mount variables in db sync job
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.

Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
2019-05-22 17:47:03 +09:00
Zuul
f8adab245b Merge "Point to OSH-images images" 2019-05-18 19:12:58 +00:00
Jean-Philippe Evrard
1d335146fa Point to OSH-images images
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.

Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.

This should fix it.

Change-Id: I672b8755bf9e182b15eff067479b662529a13477
2019-05-13 10:58:02 +02:00
Roy Tang (rt7380)
5df6fa3789 Expose Anti-Affinity Weight Setting.
Add weight default setting to anti-affinity.

Depends-on: Id8eb303674764ef8b0664f62040723aaf77e0a54
Change-Id: I09f96522cddf3a77dae73daca4557877eda5df50
2019-05-10 22:05:24 -05:00
Pete Birley
4550ea9376 Heat: Fix cadf values key
This PS fixes the heat cadf values key, to use the correct value.

Change-Id: I3efeccc2ba9bbebd7dc4b175244f00173c39d1ef
Signed-off-by: Pete Birley <pete@port.direct>
2019-05-10 14:11:28 -05:00
Zuul
7f95467e3d Merge "Replace git.openstack.org URLs with opendev.org URLs" 2019-05-01 16:11:28 +00:00
Zuul
5361c3282a Merge "Add OpenSUSE Leap15 testing" 2019-04-26 16:44:16 +00:00
caoyuan
cb77d3adff Replace git.openstack.org URLs with opendev.org URLs
Change-Id: I9a7bcee8727cb127d57ccb4dce1183895a4130cd
2019-04-25 00:37:57 +08:00