openstack/openstack-helm
Code Issues Proposed changes
5549a3bf9b
openstack-helm/glance/templates/job-storage-init.yaml
Vladimir Kozhukalov c4c80371f9 Do not attach PVC to glance-storage-init job 
When PVC is used as glance storage backend we
don't need to attach it to the storage init pod
because anyway the init script does nothing with the PVC.

On the other hand when PVC is used as the backend
there is a race condition when this PVC is attached to
the API pod and to the storage init pod. It breaks the
deployment because storage init pod never starts
and API pod waits for the storage init job to finish.

Also this PR adds the test job that deploys compute-kit
with Ceph as storageclass backend. In this job Mariadb, Rabbit,
Glance, Cinder all use Ceph while usually we test charts
with in-memory volumes. This job is heavy and we run it
periodically.

Change-Id: I7fd1a4a47472bd81cda43cb50b1e3dc448619598
2024-06-21 01:20:49 -05:00

190 lines
7.8 KiB
YAML
Raw Blame History

{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_storage_init }}
{{- $envAll := . }}
{{- $serviceAccountName := "glance-storage-init" }}
{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: glance-storage-init
labels:
{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{- if .Values.helm3_hook }}
helm.sh/hook: post-install,post-upgrade
{{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "glance-storage-init" "containerNames" (list "init" "glance-storage-init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
restartPolicy: OnFailure
{{ if $envAll.Values.pod.tolerations.glance.enabled }}
{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{ end }}
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
initContainers:
{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
- name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "storage_init" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/ceph-admin-keyring.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
- name: glance-bin
mountPath: /tmp/ceph-admin-keyring.sh
subPath: ceph-admin-keyring.sh
readOnly: true
{{- if empty .Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
{{ end }}
containers:
- name: glance-storage-init
{{ tuple $envAll "glance_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "storage_init" "container" "glance_storage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: STORAGE_BACKEND
value: {{ .Values.storage | quote }}
{{- if eq .Values.storage "rbd" }}
- name: RBD_POOL_NAME
value: {{ .Values.conf.glance.glance_store.rbd_store_pool | quote }}
- name: RBD_POOL_APP_NAME
value: {{ .Values.conf.software.rbd.rbd_store_pool_app_name | quote }}
- name: RBD_POOL_USER
value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
- name: RBD_POOL_REPLICATION
value: {{ .Values.conf.glance.glance_store.rbd_store_replication | quote }}
- name: RBD_POOL_CRUSH_RULE
value: {{ .Values.conf.glance.glance_store.rbd_store_crush_rule | quote }}
- name: RBD_POOL_CHUNK_SIZE
value: {{ .Values.conf.glance.glance_store.rbd_store_chunk_size | quote }}
- name: RBD_POOL_SECRET
value: {{ .Values.secrets.rbd | quote }}
{{ end }}
{{- if eq .Values.storage "radosgw" }}
- name: RADOSGW_USERNAME
value: {{ .Values.endpoints.ceph_object_store.auth.glance.username | quote }}
- name: RADOSGW_PASSWORD
value: {{ .Values.endpoints.ceph_object_store.auth.glance.password | quote }}
- name: RADOSGW_TMPURL_KEY
value: {{ .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote }}
{{ end }}
{{- if eq .Values.storage "swift" }}
- name: SWIFT_TMPURL_KEY
value: {{ .Values.endpoints.object_store.auth.glance.tmpurlkey | quote }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.glance "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
{{ end }}
command:
- /tmp/storage-init.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: glance-bin
mountPath: /tmp/storage-init.sh
subPath: storage-init.sh
readOnly: true
{{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
- name: etcceph
mountPath: /etc/ceph
- name: ceph-etc
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
{{- if empty .Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
{{ end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: glance-bin
configMap:
name: glance-bin
defaultMode: 0555
{{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
- name: etcceph
emptyDir: {}
- name: ceph-etc
configMap:
name: {{ .Values.ceph_client.configmap }}
defaultMode: 0444
{{- if empty .Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
secret:
secretName: {{ .Values.ceph_client.user_secret_name }}
{{ end }}
{{ end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
View Git Blame Copy Permalink