17 Commits

Author SHA1 Message Date
Hiromu Asahina
5d59833b20 Terraform Infra-Driver
This patch provides terraform infra-driver with several unit and
functional tests and builds an environment for terraform. The
supported version of terraform is v1.4.0 or later.

To build the terraform environment, the following components need to
be installed:

 - awscli
 - docker
 - localstack or moto server
 - terraform

Implements: blueprint terraform-infra-driver
Change-Id: I14414c42229dcdb8e0083d7c51d6be6b5f2fc841
2023-09-15 21:16:24 +09:00
kexuesheng
05fe9fa42c Enhancement of Tacker API resource access control
For fine-grained access control based on user and VNF information
for API resources, this patch does the following things:
1. Add three comparison attributes of area, vendor, and tenant
   for the enhanced Tacker policy.
2. Convert special roles to API attributes in context.
3. Modify the API process to support Tacker policy authorize.
4. Add the Tacker policy filter to the list API processes.

Implements: blueprint enhance-api-policy
Change-Id: I5b4c39387860133a3bcf4544f18a6353c80773f6
2023-03-14 18:01:41 +09:00
Yusuke Niimi
aac03ceffc Enhancement of HTTP Client
Provide the option to verify the SSL certificate when accessing an
external server from Tacker. Several parameters have been added to
config to allow verification of SSL certificates when accessing
external NFVO servers, heat servers, and notification endpoints from
Tacker.

Implements: blueprint enhance-http-client
Change-Id: I55b2b53cfe0dc794040d0e46ac13a20524b1d9f0
2023-03-02 20:04:48 +09:00
Ken Fujimoto
25459c2571 Placement enhancement enables to AZ reselection
This patch enables availability zone reselection by stack retry
when "instantiate", "scale" and "heal" operations in the v2 API fail
because the availability zone is unavailable.

Note that precondition of using these functions is to use
StandardUserData as UserData class.

Implements: blueprint enhance-placement
Change-Id: Icc9eb7a8fffbf35d2e005a9703dcefe66f097584
2023-02-16 04:23:54 +00:00
Ai Hamano
3a1ccca97d Update k8s v1.25.2 and helm 3.10.1
This patch updates the k8s version to 1.25.2 and helm version to 3.10.1.

The following changes have been made in kubernetes 1.24, so this patch
supports them.
  - Dockershim Removed from kubelet
    -> Changed from Dockershim to CRIO
  - Service account tokens are no longer auto-generated
    for every ServiceAccount
    -> Changed secrets to be created manually

Also fixes the following API versions that have already been removed
in kubernetes 1.25.
  - autoscaling/v2beta1
  - extensions/v1beta1

Implements: blueprint update-k8s-helm-prometheus
Change-Id: Ic9c2f66251c5d11a652184be5908d91e0ee3fb7d
2022-11-16 13:39:41 +09:00
Koji Shimizu
d1a23a3c28 Add support cnf auto heal and scale
Support container based VNF AutoHeal and AutoScale operation with
External Monitoring Tools.

Add the Fault Management interfaces and CLI to support AutoHeal.
Add the Performance Management interfaces and CLI to support
AutoScale. The Fault Management and Performance Management
interfaces are based on ETSI NFV-SOL 002 v3.3.1 and ETSI NFV-SOL
003 v3.3.1, which are Version "2.0.0" API of Tacker. Add the
Prometheus Plugin that has an interface between tacker and Prometheus
as a sample of External Monitoring Tool.

Implements: blueprint support-auto-lcm
Change-Id: Ib74305f0b1da4eb8d996ebae400e75902aaa1321
2022-09-15 18:59:28 +00:00
Qibin Yao
57902730d6 Add OpenID Connect Token Auth for k8s
This patch adds openid token auth support when calling k8s APIs.

Openid token auth of k8s relies on an external openid provider,
and Keycloak acts as the openid provider in this implementation.

Implements: blueprint support-openid-k8s-vim
Change-Id: Ie5e080a20cba3ba0ed514ede7955eb16729d797c
2022-09-12 01:26:53 +00:00
Tsukasa Inoue
e71fd7667c Apply Robot Framework for testing
Support ETSI NFV compliant automated testing by using
the Robot Framework and ETSI NFV-TST API test codes.

Implements: blueprint use-robot-api-tests
Spec: https://specs.openstack.org/openstack/tacker-specs/specs/victoria/use_robot_api_tests.html
Change-Id: Ic2fe5e3eb8b279f9a9d193a00e0cf9ac97fe75a2
2022-03-18 04:30:45 +00:00
Ghanshyam Mann
b4ee7d64b7 Setup multi tenants for multi-tenant job only
setup-multi-tenant-vim role is needed for only multi tenant
jobs and for existing jobs we do not need to run this role.

The current way runs it for all the jobs; this commit makes it
configurable and multi tenant job will configure it to true.

Change-Id: I6ab577232b93bbb6ab8a21fe7ad5876b5a7ab7bc
2022-03-14 16:39:45 +05:30
Manpreet Kaur
724e679e93 FT Setup to test multi-tenant policy in LCM
To validate functional test cases in Zuul environment this
patch adds a new Ansible playbook. This playbook helps in
creating two different OpenStack projects, users to
validate multi tenant policy in Lifecycle Management.

In current design, tacker uses an administrator role user
"nfv_user" to execute functional test cases. Whereas this
patch adds member role (non administrator user) to newly
created users.

Generates OpenStack VIM config files using helper script and
register default VIMs to respective tenants.
Additionally copies newly generated VIM config files to
"tacker/tacker/tests/etc/samples" folder as these are required
in functional test cases.

Partial Implement: blueprint multi-tenant-policy

Change-Id: I20491eb294e5653bcdc2864885f55d04b21696a1
2022-02-17 14:02:19 +00:00
Ayumu Ueha
d7a13ce18a Update zuul environment to support helm chart
This patch changes the following to support helm chart spec and
to test instantiate/terminate cnf with helm chart.
* Add `extra` field to vims db.
* Add `setup-helm` task to ansible-playbook roles.
  [On controller-k8s node]
  * Create and setup helm user for executing helm command.
  * Install helm.
  * Create folder for putting local helm chart.
  * Enable password authentication in sshd_config and restart sshd.

  [On controller node]
  * Update Vims DB of vim-kubernetes to modify extra field that include
    helm access information.

Implements: blueprint helmchart-k8s-vim
Change-Id: Iaf7c11c5bedb77e9cd21074be2b4f73528aa2ce7
2021-09-06 02:36:06 +00:00
Toshiaki Takahashi
53b5d03f7e Restore Ceilometer installation
This reverts [1], with some complementary bits and pieces.
Historically it'd been deactivated twice on master branch.
See also [3], which was reverted in [2]. Note this reverts
[4] as well.

[1] https://review.opendev.org/c/openstack/tacker/+/757537
[2] https://review.opendev.org/c/openstack/tacker/+/754882
[3] https://review.opendev.org/c/openstack/tacker/+/751965
[4] https://review.opendev.org/c/openstack/tacker/+/760275

Change-Id: I9c9cc65772b2f88c5ed7ef8178b79aa5c7011f29
2021-01-14 15:05:24 +09:00
Koichiro Den
578b12e989 Add a separate controller subnode to subdivide the memory load
The number of required plugins has increased to the extent that
controller on Zuul FT infrastructure almost runs out of memory [1].
This potentially induces various problems such as FT failure noises
or POST_FAILURE at the ansible task 'export-devstack-journal'.
To request expanded images such as ubuntu-focal-expanded (16GB) or
ubuntu-focal-32GB would be an option, but it turns out that would
lead us to another problematic situation. [2]

This patch, instead, addresses the issue by subdividing the memory
load. As a first step, introduce a new subnode 'tacker-controller',
on which both tacker-server and tacker-conductor are located.

Note:
* when we re-locate some other components to this new subnode, it might
  be better to rename it.
* `devstack_local_conf: {}` in .zuul.yaml is to cancel out the global
  job.vars devstack_local_conf.post-config.$NEUTRON_DHCP_CONF, which
  is not present on 'tacker-controller' in the first place.
* TACKER_MODE is set to 'standalone'. 'all-in-one' supposes core
  services like nova, neutron, keystone, etc. api servers are located
  on the same host as tacker-server.
* in devstack/lib/tacker:create_tacker_accounts, SERVICE_HOST should
  have been TACKER_HOST. this minor fix is included.
* in roles/setup-default-vim/tasks/main.yaml, the same where conditions
  were scattered but all tasks in it just needed to run on 'controller'
  only. so let us wrap them all in a block.
* renamed devstack/plugin.sh:tacker_register_default_vim for clarity.
* policy file modification for Heat is now done by an ansible task.
  it frees us from the co-location requirements for Tacker and Heat.
* drop devstack/lib/tacker:is_tacker_enabled as it's no longer needed.

[1]: we investigated how severe the memory load on 'controller' was
     on Zuul FT infrastructure:
     * The highest memory-consuming processes in desc order:
       808.70MB (9.87%) 828112 /usr/sbin/mysqld
       179.81MB (2.19%) 184124 ... /usr/local/bin/tacker-server ...
       152.57MB (1.86%) 156232 ... /usr/local/bin/tacker-conductor .
       146.67MB (1.79%) 150188 ... /usr/local/bin/neutron-server ...
       132.96MB (1.62%) 136148 ... /usr/local/bin/neutron-server ...
       129.08MB (1.58%) 132180 ... /usr/local/bin/heat-engine ...
       127.48MB (1.56%) 130544 ... /usr/local/bin/heat-engine ...
       122.16MB (1.49%) 125092 nova-apiuWSGI worker 1
       121.00MB (1.48%) 123900 neutron-openvswitch-agent ...
       119.50MB (1.46%) 122368 cinder-apiuWSGI worker 1
       ---(snip)---
     * `free -m` output
               total   used   free   shared   buff/cache   available
       Mem:     7955   7427    196       16          331         219
       Swap:    1022   1019      3

[2]: http://eavesdrop.openstack.org/irclogs/%23openstack-infra/
     %23openstack-infra.2020-11-25.log.html

Change-Id: I030ffd5fd11b7ca9abca56e85e449ed4c4d709bd
2020-12-15 06:08:08 +00:00
Eduardo Gonzalez
b20812678b Add multinode jobs
Add devstack multinode job.

This job installs nova in a single cell as "late anti-affinity"
[1] doesn't work in multi-cells environment.

[1] : https://docs.openstack.org/nova/latest/user/cellsv2-layout.html#operations-requiring-upcalls

Co-Author: tpatil <tushar.vitthal.patil@gmail.com>
Co-Author: yong sheng gong <gong.yongsheng@99cloud.net>

Change-Id: I56a9cf4bb553c8026eec73212a3742d5eab17420
2018-07-26 11:48:24 +08:00
Andreas Jaeger
7af0b90634 Use Zuul v3 fetch-subunit-output
We have consolidated the fetch output roles into one
fetch-subunit-output, replace usage of old roles with new one.

Depends-On: I0cdfc66ee8b046affeb0b071fef38c21cb7a4948
Change-Id: Ia86360456c5c301cee11c8d9dd515e364aad2c82
2018-01-16 08:24:02 +01:00
Monty Taylor
9e635bc0c0 Remove use of tox-siblings role
Its functionality has been merged into the tox role, so is no longer
needed.

Depends-On: Id61ae52d48b28cfc2221cb556a1c1f7c6dfd60dd
Change-Id: Iec14ffd5d6bf7bd3faefd250b0cf2f1563ec3521
2017-11-29 15:41:16 -06:00
yong sheng gong
9af2b71e07 Move to zuul3 jobs
https://docs.openstack.org/infra/manual/zuulv3.html#legacy-job-migration-details

Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Co-Authored-By: yong sheng gong <gong.yongsheng@99cloud.net>

Closes-bug: #1729632
Change-Id: I2d1c4795b1a591831a12535d2f048a13258f4913
2017-11-04 22:09:42 +11:00