This chart is added as a part of "stx-openstack" application,
in the same chart group as openstack-ingress chart, so that
when "nginx-ingress-controller" starts working, http and https
ports are allowed for nginx which accepts http/https requests
and forwards to internal services accordingly.
In the following LP#1827246, the http request of opening console
of VM instance is sent to nginx 80 first, and then nginx forwards
the request to "nova-novncproxy" at port 6080 internally.
Closes-Bug: 1827246
Change-Id: I183f7edc92f1a9e0bdedad0afe35e3d03e20e7d5
Signed-off-by: yhu6 <yong.hu@intel.com>
This change allows deploying the placement helm
chart with armada system and removes placement deployment within
nova.
The tests below pass on both AIO and multi setup
1) Openstack Application apply and reapply
2) VM creation and delete
3) Active controller switch and create vm after that
Story: 2005750
Task: 33418
Depends-On: https://review.opendev.org/662371/
Change-Id: I32dc127dcbc0319e3a20703ed66c9e8119fabcba
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
This reverts commit 248d3b3921024bc4cb6ad5234b34a9c2edf11599.
Change-Id: I06931b7f5ae047ec93eaa0ee553e35577ceb433b
Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>
To properly enable Cinder volume backup, the following configuration
changes are required:
- For Cinder, enable 'CephBackupDriver' as the Cinder backup_driver and
'cinder' as the rbd_user for each Cinder backend
- For libvirt, enable Ceph and use 'cinder-volume-rbd-keyring' for the
Ceph client user secret. This will create a libvirt secret that will
be used with the 'cinder' user.
- For nova, enable the rbd_secret_uuid shared with libvirt and set the
'rbd_user' to cinder.
- Update the chart group initialization sequence, so that
'openstack-cinder' is initialized prior to 'openstack-compute-kit'.
This is done because 'cinder-volume-rbd-keyring' is created by Cinder
and is required by libvirt to successfully initialize.
With these configuration changes:
- Cinder volumes were created
- Cinder volumes were backed up
- Instances were booted by volume (from Cinder)
- Instances were booted by image (from Ceph ephemeral disks)
Change-Id: I29c7d3ed118f4a6726f2ea887a165f256bc32fd5
Depends-On: https://review.opendev.org/#/c/664619/
Story: 2004520
Task: 28266
Signed-off-by: Robert Church <robert.church@windriver.com>
Add a helm chart for configuring and starting openstack
clients pods. The pod is configured with admin credentials
and launched on a controller node.
Change-Id: I4dea49301fd778db9a9ddf900a752831bd455fda
Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>
Story: 2005312
Task: 30557
Add ironic chart to stx-openstack manifest. Ironic services are
enabled when label openstack-ironic=enabled is set. A nova service
nova-compute-ironic within nova chart is referring to this label as
well. Nova-compute-ironic is configured to use ironic driver for
creating/scheduling instance to ironic node through nova service/CLI.
Ironic chart group enablement will be added by ironic meta overrides.
Story: 2004760
Task: 28869
Depends-On: https://review.opendev.org/#/c/653914/
Change-Id: I5728586c69689e32afc948009c2b8c9e2bff84e0
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
http://fm.openstack.svc.cluster.local:80 can not be accessed
The ingress service is missing in helm chart
Closes-Bug: 1832155
Change-Id: I61ea514d3092e1e3fedcd8ca8001a178d65282a3
Signed-off-by: Sun Austin <austin.sun@intel.com>
A new command "system application-update" is introduced in this
commit to support updating an applied application to a new version
with a new versioned app tarfile.
The application update leverages the existing application upload
workflow to first validate/upload the new app tarfile, then
invokes Armada apply or rollback to deploy the charts for the new
versioned application. If the version has ever been applied before,
Armada rollback will be performed, otherwise, Armada apply will be
performed.
After apply/rollback to the new version is done, the files for the
old application version will be cleaned up as well as the releases
which are not in the new application version. Once the update is
completed successfully, the status will be set to "applied" so that
user can continue applying app with user overrides.
If there is any failure during updating, application recover will be
triggered to recover the app to the old version. If application recover
fails, the application status will be populated to "apply-failed" so
that user can re-apply app.
In order to use Armada rollback, a new sysinv table "kube_app_releases"
is created to record deployed helm releases versions. After each app
apply, if any helm release version changed, the corresponding release
needs to be updated in sysinv db as well.
The application overrides have been changed to tie to a specific
application in commit https://review.opendev.org/#/c/660498/. Therefore,
the user overrides are preserved when updating.
Note: On the AIO-SX, always use Armada apply even it was applied issue
on AIO-SX(replicas is 1) to leverage rollback, Armada/helm
rollback --wait does not wait for pods to be ready before it
returns.
Related helm issue,
https://github.com/helm/helm/issues/4210
https://github.com/helm/helm/issues/2006
Tests conducted (AIO-SX, DX, Standard):
- functional tests (both stx-openstack and simple custom app)
  - upload stx-openstack-1.0-13-centos-stable-latest tarfile
    which uses latest docker images
  - apply stx-openstack
  - update to stx-openstack-1.0-13-centos-stable-versioned
    which uses versioned docker images
  - update back to stx-openstack-1.0-13-centos-stable-latest
  - update to a version that has less/more charts compared to
    the old version
  - remove stx-openstack
  - delete stx-openstack
- failure tests
  - application-update rejected
    (app not found, update to a same version,
    operation not permitted etc...)
  - application-update fails that trigger recover
  - upload failure
    i.e. invalid tarfile, manifest file validation failed ...
  - apply/rollback failure
    i.e. download images failure, Armada apply/rollback fails
Change-Id: I4e094427e673639e2bdafd8c476b897b7b4327a3
Story: 2005350
Task: 33568
Signed-off-by: Angie Wang <angie.wang@windriver.com>
The version of existing OVS docker image is 2.8.1. StarlingX
builds its own OVS docker image with latest version
2.11.0. This patch overrides the old docker images.
Change-Id: Iec56dc89cdb7a02f9b1beed459eab230c06707ec
Story: #2004649
Task: #30281
Depends-On: https://review.opendev.org/#/c/662195
Co-Authored-By: Cheng Li <cheng1.li@intel.com>
Signed-off-by: Chenjie Xu <chenjie.xu@intel.com>
In order to get swift working on containerized openstack,
changes were needed both on platform and application side.
From platform side, settings from ceph.conf file were replaced.
A runtime manifest was added to update ceph.conf after a successful
application apply:
1. Keystone auth url was updated with keystone openstack url
2. 'rgw_keystone_admin_domain' and 'rgw_keystone_project' settings
were updated with 'service'.
From application side the following changes have been implemented:
1. Ceph-rgw chart from openstack-helm-infra repo was included
in stx-openstack
2. A chart schema for ceph-rgw was added
3. An override file was generated
Signed-off-by: Elena Taivan <elena.taivan@windriver.com>
Story: 2003909
Task: 30606
Change-Id: I01f7cf412264394f4f9bfb31f3c5a5ebd73f49dc
1) add '---' in Deployment yaml to support multi resources types.
2) change Deployment apiVersion to 'apps/v1'.
3) set serviceaccount name to 'fm' to be same as db-init etc jobs.
4) add job ks_service and ks_user dependencies.
Change-Id: I3b15da621dd5a5cc1f20e9e963abbeba54827592
Closes-Bug: 1831163
Signed-off-by: Sun Austin <austin.sun@intel.com>
Ceph audit role is to set the replication for Ceph pools to the
value configured for them in system inventory. This should happen
even if openstack application is not running. Currently the job
remains in 'pending' till openstack application is started.
Closes-Bug: #1831475
Change-Id: Ie767f69c633656f39662cd2b3be4daf3541e35d3
Signed-off-by: Ovidiu Poncea <ovidiu.poncea@windriver.com>
Override nginx "worker-processes" setting in mariadb ingress
controller. Default value is changed from auto to 4 to reduce
memory consumption by nginx worker processes. 4 workers can
give 2 per platform CPU (in AIO) to avoid blocking all users
in case that part of workers are blocked.
The static override is done in the Armada manifest.
Closes-Bug: #1823803
Depends-On: https://review.opendev.org/#/c/659464/
Change-Id: If0e6d2b2ac45dedbd9e67b4f866702d9de1db15c
Signed-off-by: Yi Wang <yi.c.wang@intel.com>
Murano is no longer installed and running on bare metal.
- Removed the system parameters related to murano.
- Removed the upgrade code for murano databases.
- Removed the murano certificate installation code from CLI
- Removed the murano puppet code
- Remove murano keystone user special handling
- Remove armada/helm code to support enabling murano in horizon
- Cleaned up comments in the code referencing murano.
Story: 2004764
Task: 30667
Change-Id: I4d9f82414043a8cad22220556181b5454572d42d
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
Addresses several issues with deploying IPv6 based network deployments:
- kubelet node IP assignment for IP version detection
- calico upversion to fix router ID generation from hash
- calico configuration specific to IPv6
- multus configuration specific to IPv6
- ansible bootstrap playbook updates to wrap IPv6 addresses
- ansible bootstrap updated to use Jinja2 templates
- puppet configuration for platform services with IPv6 addresses
- IPv4 and IPv6 IP forwarding sysctl setup
- docker registry does not support URL encoded IPv6
- armada does not support IPv6 address binding
NOTE:
The Puppet ERB templates were updated to maintain config_controller
functionality, but the files moved to Jinja2 templates should be removed
once config_controller is completely removed.
Change-Id: I815035c679e61250099c74b1239f19bcc72733a0
Depends-On: https://review.opendev.org/662292
Closes-Bug: #1830779
Signed-off-by: Matt Peters <matt.peters@windriver.com>
Openstack-helm upstream removed this flag by default. Since we
have had requests from users, we need to enable it again.
Closes-Bug: #1824412
Change-Id: Ib8a07d41405f838fd79a3b16f3dac9923514a06d
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Override nginx "worker-processes" setting in ingress controller.
Default value is changed from auto to 4 to reduce memory
consumption by nginx worker processes. 4 workers can give 2 per
platform CPU (in AIO) to avoid blocking all users in case that
part of workers are blocked.
The static override is done in the Armada manifest.
Closes-Bug: #1823803
Change-Id: I1f92cf0c3fdfde41364abe65e4747d2091c4c3ea
Signed-off-by: Yi Wang <yi.c.wang@intel.com>
Currently the number of rbd-provisioner replicas is driven by the
stx-openstack application's 'openstack-control-plane' labels.
On systems where this label has not been applied to the controllers,
this will result in zero provisioners being installed.
Break the dependency on the stx-openstack app and set the number of
replicas based on the number of installed controllers as the
rbd-provisioner node selector will install in k8s masters (i.e.
controllers).
Also update the provisioner's storage-init pod to align with the same
node selection criteria as the rbd-provisioner pod.
Change-Id: Ida180fd12a4923c8cdd5bccf25a1a1e2af4f8a90
Closes-Bug: #1830290
Signed-off-by: Robert Church <robert.church@windriver.com>
This config will enable log output to host
/var/log/containers/fm-rest-api-xxx.log
Story: 2004008
Task: 33499
Change-Id: I5b4b76af59fd8d87e6874a31fbb43f576c81a526
Signed-off-by: Sun Austin <austin.sun@intel.com>
For the case vswitch_type!='none', ovs doesn't run in container. So ovs
pod/container should not run. We controlled ovs container by label, but
a patch[1] broke it.
This patch is to change the method in which we control ovs container.
With this patch, we remove openvswitch chart from compute-kit chart
group so that no ovs container is created. If we need to run ovs in
container, we add the openvswitch chart.
[1]
https://review.opendev.org/#/c/651380/2/kubernetes/applications/stx-openstack/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
Change-Id: I3ba8a3ab45a6e6c1a67b78d335656ed5c0d654a7
Closes-bug: #1824829
Signed-off-by: chengli3 <cheng1.li@intel.com>
container fm-rest-api endpoint service type should be same as
platform fm-rest-api endpoint service type.
Story: 2004008
Task: 33501
Change-Id: Iccb0f0544f388ca51f015c6b11e49f8058db4829
Signed-off-by: Sun Austin <austin.sun@intel.com>
Update the chart to get the 'crush_rule' for various pools instead of
the Jewel compliant 'crush_ruleset'.
Further chart clean up is done to be bashate compliant and also provide
cleaner logging.
Change-Id: I37186fa3e78ebc63f27fd43b373f9e82004199de
Closes-Bug: #1828760
Signed-off-by: Robert Church <robert.church@windriver.com>
This commit will provide more predictable behavior with regards to the
platform-integ-apps app and specifically the rbd-provisioner that it
installs.
- Add an additional apply check for the platform-integ-apps app. The
check will require a healthy ceph cluster before applying (and
installing the rbd-provisioner).
- Add an application apply check to define and check for inter-app
dependencies. For the stx-openstack app, reject the application apply
if the platform-integ-apps has not been successfully applied. This
locks out the app from being applied since the rbd provisioner is not
available.
- Update the rbd provisioner pre-install checks to add a timeout when
attempting to access the pool. This check will block if OSDs are not
installed in the cluster and will eventually cause the job exec
deadline to be reached. This should not be a failure as the
provisioner has been setup correctly at the point of the check and
will perform correctly once OSDs are added.
Change-Id: I1e11358fc613b3d1e58a749897ac25f199c8aad4
Story: 2005424
Task: 33456
Signed-off-by: Robert Church <robert.church@windriver.com>
This commit adds the required files to deploy
fm rest api service with helm.
Story: 2004008
Task: 26955
Depends-On: https://review.opendev.org/634540/
Depends-On: https://review.opendev.org/656388/
Depends-On: https://review.opendev.org/656655/
Change-Id: I566f2191914a49403c1947f3b767fae7807c43d0
Co-authored-by: Sun Austin <austin.sun@intel.com>
Signed-off-by: Mario Alfredo Carrillo Arevalo <mario.alfredo.c.arevalo@intel.com>
This makes changes in two areas: the rbd-provisioner chart to allow
successful upgrades/rollbacks and the sysinv API for helm overrides so
that charts from all supported applications are displayed by the
helm-override-list command.
Additional updates to the rbd-provisioner chart allow the storage class
to be patched to overcome an armada error on upgrade and extending the
retry and active deadline to allow more tolerance if there are ceph
client related delays on install/upgrade/rollback.
Change-Id: Ib3e0169a52f86130ae32fc31c75cea01c4c67579
Story: 2005424
Task: 31066
Signed-off-by: Robert Church <robert.church@windriver.com>
Add rbd-provisioner chart support for specifying a specific storage
class as the default system storage class.
This allows chart releases to make persistent volume claims without
specifying a specific StorageClass.
Change-Id: I74d4f39432734df7cdaba22590ed0e4b6949839f
Story: 2005424
Task: 31009
Signed-off-by: Robert Church <robert.church@windriver.com>
This functionality is no longer supported with vanilla
horizon so this config file is being removed.
Depends-On: https://review.opendev.org/#/c/659326/
Change-Id: I61e2fa1d3da3fdc303fd35da8d7e0edbfd33e9d5
Story: 2004520
Task: 30987
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
This will remove the rbd-provisioner and ceph-pools-audit charts from
the stx-openstack application and enable it to use the default platform
storage provisioner.
Changes include:
- Update the rbd-provisioner and ceph-pools-audit helm plugin to provide
overrides for the namespace defined by
HELM_NS_STORAGE_PROVISIONER (currently: kube-system).
- Update the cinder, glance, gnocchi, and nova helm plugins to use the
existing ceph-pool-kube-rbd secret for Ceph client access. This
allows removing the pvc-ceph-client-key generation from the
rbd-provisioner chart.
- Add functions to kube_app.py to create/delete the required Ceph user
secret for all namespaces of a supported application. This provides
support for PVCs within the application's namespace(s). In the case
of stx-openstack, this covers any claims made from the 'openstack'
namespace.
- Add functions to kube_app.py to support creating and deleting app
specific resources that are not handled by the application charts.
Using this enables copying the 'ceph-etc' configmap from the
provisioner namespace to the openstack namespace for application use.
- Add support through the kubernetes API to copy a secret from one
namespace to another.
- Add support through the kubernetes API to get, create, delete, and
copy configmaps.
- Remove the rbd-provisioner and ceph-pools-audit stevedore plugins
from the stx-openstack application. Also, re-number the plugins.
- Update the RBD provisioner to support creating namespaces and Ceph
user secrets for additional namespaces other than that which the
provisioner is installed. Also, enable PVCs for default
namespaces (default and kube-public) against the 'general'
storageclass.
Change-Id: I387e315545d2c99a1b6baa90d30bdb2a4e08f315
Depends-On: I67dba3f1a3a6e7c8169719ee622ddd533c69be31
Story: 2005424
Task: 30679
Signed-off-by: Robert Church <robert.church@windriver.com>
This commit enables a new application tarball by:
- adding existence through the stevedore plugin framework
- register it as a system app so that system overrides can be generated
- provide initial overrides for the rbd-provisioner and
ceph_pools_audit charts
- updates the rbd-provisioner to support installation of multiple
provisioners in the same cluster.
Change-Id: I34ad8789768bfd081ab2dcd45d110d9cd8349875
Depends-On: I0caaa878a6c6781d038b48b8caa2aa507ee9568a
Story: 2005424
Task: 30646
Signed-off-by: Robert Church <robert.church@windriver.com>