86 Commits

Author SHA1 Message Date
ricolin
a2fe5e1f0e Glance: Support uWSGI for API server
Currently Glance API server still using eventlet-based HTTP servers,
it is generally considered more performant and flexible to run them
using a generic HTTP server that supports WSGI.

Change-Id: I7caec5d17f33d35843b4537965bafbb9b73d62ea
2024-04-18 21:15:30 +08:00
Lucas de Ataides
6cebb49da6 Add readiness probe initial delay to some charts
In some environments, the readiness probe for the cinder-api, glance-api
and heat-api are failing, but the liveness probes are not. This change
adds a initialDelaySeconds value to the readiness probes of these
deployments.

Change-Id: Id3859cee9a2827f9c1fda9dcdca0a23879eb45d4
Signed-off-by: Lucas de Ataides <lucas.deataidesbarreto@windriver.com>
2024-04-11 14:35:13 -05:00
Tadas Sutkaitis
ccfffccbbc
Glance: Enable custom annotations
Enable custom annotations for pods [deployments, daemonsets]

Change-Id: I7f48eebec0050a614d393054ac2ac0b26c40a4ee
2024-03-26 21:38:09 +02:00
Vladimir Kozhukalov
9843d53ad7 Glance liveness/readiness params to values.yaml
Change-Id: I8d3312280374d37852680db7afbd5078d0f386c9
2023-08-12 21:22:54 +03:00
Ritchie, Frank (fr801x)
c394080738 Add exec probe timeouts
As of kubernetes 1.20 exec liveness and readiness probes default to 1
second. See the note here:

https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/

This PS adds exec probe timeouts where necessary.

Change-Id: If1de652f0b2bef8dac2e9b306e645930320c67eb
2023-08-11 12:58:56 -04:00
Mohammed Naser
8348cb0d99 feat(glance): add support for cinder
This patch adds support for using Cinder as a backend
inside Glance.

Change-Id: Ic06749b2c54fee39bd56f2d88857bf7b9614e284
2022-09-08 21:39:01 -04:00
okozachenko
f3ed56cc18 Use HTTP probe instead of TCP probe
Strictly speaking, open socket doesn't mean working API.
We experienced API stopped responding and the socket was still
open so API was unhealthy actually but kubernetes did not restart.

HTTP probe will fix this issue.

Change-Id: I95bb3ad3123d8a4a784d260477f037fa5506d290
2022-09-01 15:54:07 +10:00
josebb
3a91a50470 Distinguish between port number of internal endpoint and binding
port number in glance

Now binding ports of service and pod spec are configured using
internal endpoint values.
To support reverse proxy for internalUrl, need to distinguish
between binding ports and internal endpoint ports.

I added `service` section in endpoint items apart from admin,
public, internal and default.

Change-Id: I8fc8ea4e81648f3b98006491a7cb2aa9c0f479b6
2022-08-17 09:12:03 +03:00
josebb
1a2e660bc8 Support TLS endpoints in glance
This allows glance to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And glance itself interact with other openstack services via
endpoints.

Change-Id: I35ab5d1bbaa20bfc73d0dc7af2710ca1d14b0627
2022-08-12 21:25:16 +03:00
Arthur Luz de Avila
3b780510be Decrease terminationGracePeriodSeconds on glance-api
The glance-api pod has a terminationGracePeriodSeconds
of 600s(10min) and the others services has 30s. This high
terminationGracePeriodSeconds may cause timeout in some
cases and there is no reason for this high
terminationGracePeriodSeconds.
The terminationGracePeriodSeconds has been introduced on
https://review.opendev.org/c/openstack/openstack-helm/+/469974
but there is no explanation why it is too high.

Story: 2009959
Task: 44926

Signed-off-by: Arthur Luz de Avila <arthur.luzdeavila@windriver.com>
Change-Id: I9f9092e48c4f4ecf5a145dc42dbafe4f96cfa91c
2022-04-04 12:18:54 -03:00
Thiago Brito
df95eaa63a Enable taint toleration for glance
This changes use the helm-toolkit template for toleration
in openstack services

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: Ifa05d9adb69ed46177ba2e7e1707d2e46eff62e4
2022-03-22 18:47:11 +00:00
Thiago Brito
8ab6013409 Changing all policies to yaml format
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
2021-05-26 18:15:41 -03:00
Haider, Nafiz (nh532m)
c900712f30 feat(tls): Make openstack services compatible with rabbitmq TLS
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/770678

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I11e9ad3f4079b0e12e498f9ed57e5b87ae9dc66a
2021-05-21 01:27:18 +00:00
PrateekDodda
16b2c8dcc4 Implement missing security context for nginx container
This change adds security context template at pod/container level

Change-Id: I2fbff7b3325f4b6dd98d9299b0daf9e230ece9ae
2020-09-09 19:38:50 +00:00
diwakar thyagaraj
9c39f2e328 Add Apparmor for Missing containers for glance and neutron pods
1)Fixed nginx container in glance.
2)Fixed rpc server in neutron.
3)Enabled Certificates for creating pods.

Change-Id: Ida510ee22808b818e256f93b11d2e1ed36f63a19
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-08-27 21:27:36 +00:00
sgupta
702c17eb78 feat(tls): Make openstack services compatible with mariadb with TLS
Depends-on: https://review.opendev.org/#/c/741037/
Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410
2020-07-14 23:32:03 +00:00
Tin Lam
918a307427 feat(tls): add tls support to openstack services
This patch set enables TLS for the following OpenStack services: keystone,
horizon, glance, cinder, heat, nova, placement and neutron for s- (stein)
and t- (train) release. This serves as a consolidation and clean up patch
for the following patches:

[0] https://review.opendev.org/#/c/733291
[1] https://review.opendev.org/#/c/735202
[2] https://review.opendev.org/#/c/733962
[3] https://review.opendev.org/#/c/733404
[4] https://review.opendev.org/#/c/734896

This also addresses comments mentioned in previous patches.

Co-authored-by: Gage Hugo <gagehugo@gmail.com>
Co-authored-by: sgupta <sg774j@att.com>

Depends-on: https://review.opendev.org/#/c/737194/

Change-Id: Id34ace54298660b4b151522916e929a29f5731be
Signed-off-by: Tin Lam <tin@irrational.io>
2020-07-10 09:36:31 -05:00
Gage Hugo
db79e79788 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
2020-04-03 20:53:32 +00:00
dt241s@att.com
6e9cd82dc4 Enable Apparmor to Glance
Uncommented glance_registry apparmor

Change-Id: I5efaab70178a12c84bf63774aa31181746f7345c
2020-02-22 08:06:16 +00:00
pd2839
9d72b805d0 Using htk for glance security policies
Overriding the values in values.yaml

Change-Id: I52dd8b5513062242ad4f2c89bb4cc998dc5ef9c5
2019-07-02 13:10:52 -05:00
Pete Birley
31bd9c832d Logs: Make it optional to use log_config_append option
This PS enables the use of simple logging options if desired.

Change-Id: If6ea420c6ed595b3b6b6eedf99a0bf26a20b6abf
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-17 13:51:21 -05:00
Pete Birley
623c131292 OSH: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 08:55:44 -05:00
Gage Hugo
4e4a4c389c Enable audit pipeline for glance
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the glance-api and glance-registry services.
This provides the ability to audit API requests for glance.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: I3b42717dbc11257c21b27e7c68dedc3283e1bd34
2019-04-11 10:38:33 -05:00
pd2839
1d0e21e370 Implement Security Context for Glance
Implement container security context for the following Glance resources:
 - Glance server deployment

Change-Id: I32b63226f5f2bcfff09f0b6760f5475ef7d1b5b5
2019-03-22 21:32:57 +00:00
Cliff Parsons
d0a93d3370 Fix placement of privilege escalation in Glance.
In a previous patch set (https://review.openstack.org/#/c/629300/),
the "allowPrivilegeEscalation" flag was set to false for one of the
init containers, but it was intended to be used for the glance-api
container.

Change-Id: If2d83d82a720d7a1a39729bbf3bddc226af3ba20
2019-03-15 04:52:50 +00:00
Steve Wilkerson
f4c01d2461 Add release-uuid annotation to pod spec
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts

Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
2019-02-12 12:31:59 -06:00
Rahul Khiyani
1e85edddfc Fix for adding allowPrivilegeEscalation flag in container
securityContext in the charts whereever needed

Change-Id: I97f17ce0631051be33038449a21efee26c572613
2019-01-09 02:39:54 +00:00
Tin Lam
a60cdbf310 Enable runAsUser in pod level
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.

Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
2018-12-25 05:33:54 +00:00
Huang,Sophie(sh879n)
3061ae3896 Implemented livenessProbe for different OpenStack api containers
LivenessProbe is added to the below deployments:
  glance-api
  glance-registry
  heat-api
  heat-cfn
  horizon
  keystone-api
  nova-api-metadata
  nova-api-osapi
  nova-placement-api

Change-Id: I76b8cafa437855eeb42b77e88da6e3c514a3ac90
Signed-off-by: Huang,Sophie(sh879n) <sh879n@att.com>
2018-12-14 09:52:50 -06:00
Pete Birley
3ae745a10e Add release uuid to pods and rc objects
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.

Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-13 06:29:14 -05:00
Chinasubbareddy M
b2714cb111 Ceph-storage-init : make configmap and secret names to be driven via chart values
This is make ceph configmap and admin keyring secret names using
in storage init scripts to be read  from chart values as we may
have two ceph clusters  gets activated in one namespace and
each ceph clsuter will have its own configmap and admin secret names.

Change-Id: I84d94f3ac21e602c50619e456ff327ae1da53622
2018-09-05 14:56:00 +00:00
Jean-Philippe Evrard
05d0e2b4b8 Revert "Update OSH Author copyrights to OSF"
This reverts commit b1755c399341388627a668ab9fd6f43b7416f65a.

Change-Id: I215a172f2ff4220340292b95f5323847944baeb7
2018-08-28 17:25:13 +00:00
Matt McEuen
b1755c3993 Update OSH Author copyrights to OSF
This PS updates the "Openstack-Helm Authors" copyright attribution
to be the "OpenStack Foundation", as decided in the 2018-03-20
team meeting:
http://eavesdrop.openstack.org/meetings/openstack_helm/2018/openstack_helm.2018-03-20-15.00.log.html

No other copyright attributions were changed.

Change-Id: I167ceedab8fadee28c19514fad6f125d0a521caf
2018-08-26 17:17:41 -05:00
Pete Birley
83b91e6e1b Openstack: Use k8s secret to store config
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.

Depends-On: https://review.openstack.org/#/c/593732

Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-22 20:39:52 -05:00
Steve Wilkerson
da7bc575ec Add logging.conf files to enabled loggers/handlers/formatters
This introduces a mechanism for generating the logging.conf
file for the openstack services via the values. This allows us to
define loggers, handlers, and formatters for the services and the
modules they're composed of.

This also allows us to take advantage of the oslo fluent handler
and formatter. The fluent handler and formatter give us the
following benefits: sending logs directly to fluentd instead of
routed to stdout/stderr and then through fluentbit to fluentd,
project specific tags on the logged events (enables us to define
more robust filters in fluentd for aggregation if required),
full traceback support, and additional metadata (modules that
created logged event, etc)

Depends-On: https://review.openstack.org/577796

Change-Id: I63340ce6b03191d93a74d9ac6947f0b49b8a1a39
2018-06-26 09:51:14 -05:00
Pete Birley
67aed694c4 Deployments: Use current kubernetes deployment version
This PS moves to use the current ga version for kubernetes deployments.

Story: 2002205
Task: 21735
Depends-On: Icb4e7aa2392da6867427a58926be2da6f424bd56

Change-Id: I062a8a29dff70427ee9bcf09f595011b3611b0b1
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-13 21:29:59 -05:00
Pete Birley
460675bf7f Add image management function to manifests
When removing helm-toolkit from OSH and swithcing to use the
toolkit from OSH-Infra, the image declaration function was missed.

Depends-On: I2f2012590d81ffcb159d49d8a76eedd4441744cd
Change-Id: I0f1118bb748f3fe1b6bb73acfc00e77c5cca9c7d
Signed-off-by: Pete Birley <pete@port.direct>
2018-05-20 10:10:16 -05:00
Steve Wilkerson
354b311ec5 Add local-registry image managment to OSH from OSH-Infra
This PS adds the local registry image managment to OSH from OSH-Infra.
With this the delta between helm-toolkits in the Repo's is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be depreciated.

Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
2018-05-12 14:35:48 +00:00
Pete Birley
b696c25d5d Glance: use endpoints section and lookups to set port
This PS moves glance to use the endpoints section and lookups to
set the port it serves on.

Change-Id: Ic22e5d59b0821b8482bcbfab1a72180f0b7375a8
2018-03-06 11:31:50 +00:00
Pete Birley
f57972b5b6 dependencies: move static dependencies under a 'static' key
This PS moves static dependencies under a 'static' key to allow
expansion to cover dynamic dependencies.

Change-Id: I38990b93aa79fa1f70af6f2c78e5e5c61c63f32c
2018-02-23 12:31:15 -08:00
Pete Birley
b311f86193 Node Labels: update nodelabels to allow targeting of pods to nodes
This PS updates the node labels to allow pods to be targeted to nodes
on a per type basis.

Change-Id: I45d5383d04fcd1d98740a18d86c1cfc2cb8ec409
2018-02-19 11:51:09 -05:00
portdirect
fa2620d54b RBAC for OSH
This PS applys RBAC rules to OSH, based off the work
done in https://review.openstack.org/#/c/526464/

Change-Id: I541b0ac1a3972566ef2b66571ae32744dab70c17
2017-12-26 10:24:19 -05:00
portdirect
8a92b6f1a5 Images: Glance service specific explicit image names
This PS makes the service-specific images for Glance have
explicit names, allowing simple over-riding of images for an
entire site.

Change-Id: Ib6a5e626dd85bb04ee8599ac9b53b3d5fbaf496b
2017-11-29 04:05:42 +00:00
intlabs
fe6107cf76 Images: Update values to allow simple parse of images being used
This PS updates the values file layout for images to allow simple
parsing of the images in use by charts, allowing them to be queried
and modified much more simply. By moving the image tags to a 'tags'
key, we can extend the options used simply to accomodate extra
options simply (eg prefixing the tag for use with an internal
registry) or pre-pulling the images to reduce chart deploy failure.

Change-Id: I9ec1dbb00d997ab6cb021bf0b698f7aae740e95d
2017-10-23 10:05:20 -05:00
Pete Birley
a27e42b762 Glance: remove oslo-genconfig
This PS removes the modified oslo-genconfig from glance.

Partially implements: blueprint remove-pregenerated-config-templates

Change-Id: Ie4d5dd9e4b03ba360c62f508e98e206f6f894b63
2017-09-21 13:50:23 +00:00
Pete Birley
b3f8b812ca Glance: Backend support and auth improvements
This PS enables the following backends for glance:
 * PVC
 * RBD
 * RadosGW (direct)
 * Swift

It also moves the creation of the RBD pool when required to a storage
init job. This job also creates credentials as required for glance to
use when accessing the required backend, rather than using the admin
keyring.

Change-Id: I90fead961ff73a9263826acc794128fa73ead2e1
2017-09-09 02:13:01 +00:00
Pete Birley
27864cec04 Security: Container user for support openstack services
This PS adds user control for the service user for support openstack
services.

Change-Id: I132511bfc09d20a2f155bb9498a7fe8eeee8b6f9
2017-08-26 22:03:15 +00:00
Mateusz Blaszkowski
fc9677f718 Fix for appending custom volumes
Before this change, there was no ability to append custom volume for
any of the services. The reason was a missing new line character, so
the templates were formatted like this:
- name: pod-shared
  mountPath: /tmp/pod-shared - mountPath: /tmp/test2
  name: test2

Apart from that, for some of the services (mostly job-bootstrap) invalid
indentation for custom volumes (and their mounts) was set.

Closes-Bug: 1712745
Change-Id: Ib57c76a34c0e28ad9e67ea47d1fc250b17711a42
Signed-off-by: Mateusz Blaszkowski <mateusz.blaszkowski@intel.com>
2017-08-24 06:24:47 -04:00
Pete Birley
ff8744a9b9 Licence: Remove licence header from rendered files
This PS removes the licence header from rendered output from tiller,
significantly reducing the configmap size of charts deployed to the
cluster.

Change-Id: I5d1b246f2068f3b83bf59ba79fe8b88bbc9a6161
2017-08-07 17:16:13 -05:00
Pete Birley
35601e2bd3 Charts: make manifests optional for all OpenStack elements
This PS allows the rendering of manifests to be controlled. It enables
both increased control over deployment when required but also makes
development of a feature easier to target.

Change-Id: I1716e8ee23fe5c53f935bd739ea283bc4a2a9963
2017-08-07 14:59:48 -05:00