Change-Id: I2881f4ac6f659672a7c25c3ecb7cea32ec55f70f
Signed-off-by: Scott Little <scott.little@windriver.com>
Scott Little
2026-02-04 15:15:43 -05:00
202 changed files with 6863 additions and 7491 deletions
+1
@@ -2,3 +2,4 @@
host=review.opendev.org
port=29418
project=starlingx/openstack-armada-app.git
defaultbranch=master
+21 -18
@@ -14,10 +14,10 @@ This repository is divided into the following sections:
- Service clients
- Docker images
- Helm charts (openstack-helm, openstack-helm-infra and stx-openstack-helm-fluxcd)
- Helm charts (upstream/helm-charts/openstack-helm, upstream/helm-charts/ingress-nginx-helm and stx-openstack-helm-fluxcd)
- Openstack Helm (openstack-helm)
- Openstack Helm Infra (openstack-helm-infra)
- NGINX Ingress Helm chart (ingress-nginx-helm)
- STX-Openstack specific helm charts (stx-openstack-helm-fluxcd)
- FluxCD manifests (stx-openstack-helm-fluxcd)
@@ -130,14 +130,13 @@ Example stx-openstackclients_:
Helm Charts
-----------
The OpenStack community provides two upstream repositories delivering helm-charts
for its services (openstack-helm_) and for its required infrastructure
(openstack-helm-infra_).
The OpenStack community provides an upstream repository delivering Helm charts
for OpenStack services and their required infrastructure (openstack-helm_).
Both repositories are used by STX-Openstack. Since it might be needed to control
the version of Helm charts we are using and/or apply specific patches to the Helm
charts source, both repositories points to a fixed base commit SHA and are
delivered as any other StarlignX Debian package.
This repository is used by STX-Openstack. Since it might be necessary to control
the version of Helm charts being used and/or apply specific patches to the Helm
chart sources, the repository points to a fixed base commit SHA and is delivered
as any other StarlingX Debian package.
The common approach when developing a patch for such Helm charts is to first
understand if it is a StarlingX specific patch (i.e., for STX-Openstack use case
@@ -146,19 +145,23 @@ patch is described on the `StarlingX Debian package build structure docs. <BUILD
Whenever it is a generic code enhancement, the approach is to create the patch to
quickly fix the STX-Openstack issue/feature but also propose it upstream to the
openstack-helm and/or openstack-helm-infra community. If the change is accepted,
later it will be available on a newest base commit SHA, and when STX-Openstack
uprevs its base version for such packages, the patch can be deleted.
openstack-helm community. If the change is accepted, later it will be available
on a newest base commit SHA, and when STX-Openstack uprevs its base version for
the package, the patch can be deleted.
There are also cases when the issue can be solved by simply changing the Helm
override values for the chart, in that case, you can go for the static overrides
route described in the "FluxCD Manifests" section below.
Additionally, not all the Helm charts used by STX-Openstack are delivered by the
OpenStack community as part of openstack-helm and openstack-helm-infra repositories.
Some charts are custom to the application and are therefore developed/maintained
by the StarlingX community itself.
Such helm-charts can be found under `the stx-openstack-helm-fluxcd folder <STX-CHARTS>`__.
In addition to the OpenStack Helm charts, STX-Openstack also consumes the NGINX
Ingress Controller Helm chart from its upstream community. This chart follows
the same general principles regarding version pinning, patching, and override
management when used within STX-Openstack.
Additionally, not all Helm charts used by STX-Openstack are delivered by upstream
communities. Some charts are custom to the application and are therefore
developed/maintained by the StarlingX community itself. Such helm-charts can be
found under `the stx-openstack-helm-fluxcd folder <STX-CHARTS>`__.
Currently the list contains the following charts:
- Clients
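Review bot: The new NGINX Ingress paragraph in this hunk says the chart "follows the same general principles regarding version pinning, patching, and override management" but, unlike the openstack-helm paragraph before it, never says what the chart is pinned to. This chart comes from a different upstream, so state explicitly that it is built from a fixed base commit SHA (or whatever the pin is) and where its local patches live, so a reader can verify which version is actually shipped.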
@@ -266,7 +269,7 @@ This directory contains a series of examples for YAML overrides in order to cust
.. _BUILD: https://wiki.openstack.org/wiki/StarlingX/DebianBuildStructure
.. _SALSA: https://salsa.debian.org/openstack-team
.. _openstack-helm: https://opendev.org/openstack/openstack-helm
.. _openstack-helm-infra: https://opendev.org/openstack/openstack-helm-infra
.. _ingress-nginx-helm: https://github.com/kubernetes/ingress-nginx
.. _STX-CHARTS: https://opendev.org/starlingx/openstack-armada-app/src/branch/master/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/helm-charts
.. _STX-O-APP-METADATA: https://opendev.org/starlingx/openstack-armada-app/src/branch/master/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/files/metadata.yaml
.. _STX-O-APP-KUSTOMIZATION: https://opendev.org/starlingx/openstack-armada-app/src/branch/master/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/kustomization.yaml
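Review bot: The `ingress-nginx-helm` link target defined here is not referenced by any README text visible in this change; the new NGINX Ingress paragraph carries no link, while the OpenStack paragraph uses `openstack-helm_`. Reference it from that paragraph as `ingress-nginx-helm_`, or drop the target so the link list only holds names the document uses.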
+1 -2
@@ -1,7 +1,6 @@
openstack-helm
openstack-helm-infra
python3-k8sapp-openstack
stx-openstack-helm-fluxcd
upstream/helm-charts/openstack-helm
upstream/helm-charts/ingress-nginx-helm
upstream/openstack/openstack-pkg-tools
upstream/openstack/python-cinderclient
-8
@@ -1,8 +0,0 @@
This repo is for https://github.com/openstack/openstack-helm-infra
Changes to this repo are needed for StarlingX and those changes are
not yet merged.
Rather than clone and diverge the repo, the repo is extracted at a particular
git SHA, and patches are applied on top.
As those patches are merged, the SHA can be updated and the local patches removed.
@@ -1,11 +0,0 @@
openstack-helm-infra (1.1-0) unstable; urgency=medium
* Upversion to Caracal release.
-- Daniel Caires <DanielMarques.Caires@windriver.com> Wed, 29 Jan 2025 08:50:31 +0000
openstack-helm-infra (1.0-1) unstable; urgency=medium
* Initial release.
-- Tracey Bogue <tracey.bogue@windriver.com> Wed, 27 Oct 2021 13:42:42 +0000
@@ -1,17 +0,0 @@
Source: openstack-helm-infra
Section: libs
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
helm,
procps
Standards-Version: 4.5.1
Homepage: https://www.starlingx.io
Package: openstack-helm-infra
Section: libs
Architecture: all
Depends: ${misc:Depends}
Description: StarlingX Openstack Helm Infrastructure
This package contains a patched version of the openstack-helm-infra
repo.
@@ -1,41 +0,0 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: openstack-helm-infra
Source: https://opendev.org/starlingx/openstack-armada-app/
Files: *
Copyright: (c) 2013-2025 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.
# If you want to use GPL v2 or later for the /debian/* files use
# the following clauses, or change it to suit. Delete these two lines
Files: debian/*
Copyright: 2021-2025 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.
@@ -1 +0,0 @@
usr/lib/helm/*
@@ -1,192 +0,0 @@
From 6fa2814271b7806aece4fb44f6d8eabe8c5ab6aa Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Tue, 8 Feb 2022 09:18:02 -0300
Subject: Remove mariadb tls
Change-Id: I37405da8faab3495ebe55c81389e0d769aaeb1d1
[ Upversioned openstack-helm-infra base commit to Caracal ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
---
.../templates/manifests/_job-db-drop-mysql.tpl | 7 -------
.../templates/manifests/_job-db-init-mysql.tpl | 7 -------
helm-toolkit/templates/manifests/_job-db-sync.tpl | 3 ---
helm-toolkit/templates/scripts/_db-drop.py.tpl | 11 ++---------
helm-toolkit/templates/scripts/_db-init.py.tpl | 14 ++++----------
5 files changed, 6 insertions(+), 36 deletions(-)
diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
index 2b7ff2cd..5e31a04d 100644
--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -37,7 +37,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -135,9 +134,6 @@ spec:
subPath: {{ base $dbToDrop.logConfigFile | quote }}
readOnly: true
{{- end }}
-{{- if $envAll.Values.manifests.certificates }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
{{- end }}
volumes:
- name: pod-tmp
@@ -152,9 +148,6 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
-{{- if $envAll.Values.manifests.certificates }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
{{- $local := dict "configMapBinFirst" true -}}
{{- range $key1, $dbToDrop := $dbsToDrop }}
{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
index b8a1dce3..ff5d54ba 100644
--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -37,7 +37,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -134,9 +133,6 @@ spec:
subPath: {{ base $dbToInit.logConfigFile | quote }}
readOnly: true
{{- end }}
-{{- if $envAll.Values.manifests.certificates }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
{{- end }}
volumes:
- name: pod-tmp
@@ -151,9 +147,6 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
-{{- if $envAll.Values.manifests.certificates }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
{{- $local := dict "configMapBinFirst" true -}}
{{- range $key1, $dbToInit := $dbsToInit }}
{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl
index 4696c88f..364a7fe8 100644
--- a/helm-toolkit/templates/manifests/_job-db-sync.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -34,7 +34,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -108,7 +107,6 @@ spec:
mountPath: {{ $dbToSync.logConfigFile | quote }}
subPath: {{ base $dbToSync.logConfigFile | quote }}
readOnly: true
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
{{- end }}
@@ -131,7 +129,6 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/scripts/_db-drop.py.tpl b/helm-toolkit/templates/scripts/_db-drop.py.tpl
index 1e28da9c..86464714 100644
--- a/helm-toolkit/templates/scripts/_db-drop.py.tpl
+++ b/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -54,13 +54,6 @@ else:
logger.critical('environment variable ROOT_DB_CONNECTION not set')
sys.exit(1)
-mysql_x509 = os.getenv('MARIADB_X509', "")
-ssl_args = {}
-if mysql_x509:
- ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
- 'key': '/etc/mysql/certs/tls.key',
- 'cert': '/etc/mysql/certs/tls.crt'}}
-
# Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ:
os_conf = os.environ['OPENSTACK_CONFIG_FILE']
@@ -101,7 +94,7 @@ try:
host = root_engine_full.url.host
port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
- root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ root_engine = create_engine(root_engine_url)
connection = root_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@@ -112,7 +105,7 @@ except:
# User DB engine
try:
- user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ user_engine = create_engine(user_db_conn)
# Get our user data out of the user_engine
database = user_engine.url.database
user = user_engine.url.username
diff --git a/helm-toolkit/templates/scripts/_db-init.py.tpl b/helm-toolkit/templates/scripts/_db-init.py.tpl
index 110cd98e..60b1c5a3 100644
--- a/helm-toolkit/templates/scripts/_db-init.py.tpl
+++ b/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -54,12 +54,6 @@ else:
logger.critical('environment variable ROOT_DB_CONNECTION not set')
sys.exit(1)
-mysql_x509 = os.getenv('MARIADB_X509', "")
-ssl_args = {}
-if mysql_x509:
- ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
- 'key': '/etc/mysql/certs/tls.key',
- 'cert': '/etc/mysql/certs/tls.crt'}}
# Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ:
@@ -101,7 +95,7 @@ try:
host = root_engine_full.url.host
port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
- root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ root_engine = create_engine(root_engine_url)
connection = root_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@@ -112,7 +106,7 @@ except:
# User DB engine
try:
- user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ user_engine = create_engine(user_db_conn)
# Get our user data out of the user_engine
database = user_engine.url.database
user = user_engine.url.username
@@ -139,8 +133,8 @@ except:
try:
with root_engine.connect() as connection:
connection.execute(
- "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format(
- user, password, mysql_x509))
+ "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\'".format(
+ user, password))
connection.execute(
"GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user))
try:
--
2.34.1
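Review bot: Deleting this local patch changes what the db-init, db-drop and db-sync jobs do unless an equivalent is carried with upstream/helm-charts/openstack-helm, and the commit message (only a Change-Id and a sign-off) does not say which. The patch is what removed the `dbAdminTlsSecret` volume mounts, the `connect_args=ssl_args` argument to `create_engine(...)`, and the `{2}` / `mysql_x509` clause on `CREATE USER`. Record in the commit message whether MariaDB connections from these jobs are expected to use TLS after this change, or name the location of the replacement patch.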
@@ -1,91 +0,0 @@
From 4b2cc6a3c4b9af9dd2688d52b493828cef97cdb6 Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Tue, 8 Feb 2022 09:20:36 -0300
Subject: [PATCH] Remove rabbit tls
Change-Id: I04c4c25c72b10b87e71c2f286e21526e5e062b67
---
.../templates/manifests/_job-rabbit-init.yaml.tpl | 15 ---------------
.../templates/scripts/_rabbit-init.sh.tpl | 15 ---------------
2 files changed, 30 deletions(-)
diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
index 69820642..1501563e 100644
--- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -25,9 +25,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
-{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
-{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
-{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -86,9 +83,6 @@ spec:
mountPath: /tmp/rabbit-init.sh
subPath: rabbit-init.sh
readOnly: true
-{{- if $envAll.Values.manifests.certificates }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
env:
- name: RABBITMQ_ADMIN_CONNECTION
valueFrom:
@@ -103,12 +97,6 @@ spec:
{{- if $envAll.Values.conf.rabbitmq }}
- name: RABBITMQ_AUXILIARY_CONFIGURATION
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
-{{- end }}
-{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
- - name: RABBITMQ_X509
- value: "REQUIRE X509"
- - name: USER_CERT_PATH
- value: {{ $tlsPath | quote }}
{{- end }}
volumes:
- name: pod-tmp
@@ -123,7 +111,4 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
-{{- if $envAll.Values.manifests.certificates }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
{{- end -}}
diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 3739f955..75be73fe 100644
--- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -47,27 +47,12 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
function rabbitmqadmin_cli () {
- if [ -n "$RABBITMQ_X509" ]
- then
rabbitmqadmin \
- --ssl \
- --ssl-disable-hostname-verification \
- --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
- --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
- --ssl-key-file="${USER_CERT_PATH}/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
- else
- rabbitmqadmin \
- --host="${RABBIT_HOSTNAME}" \
- --port="${RABBIT_PORT}" \
- --username="${RABBITMQ_ADMIN_USERNAME}" \
- --password="${RABBITMQ_ADMIN_PASSWORD}" \
- ${@}
- fi
}
echo "Managing: User: ${RABBITMQ_USERNAME}"
--
2.25.1
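Review bot: With this patch file deleted, `rabbitmqadmin_cli` goes back to the form shown in the patch's removed lines unless the patch is re-applied elsewhere, and that form passes `--ssl-disable-hostname-verification` whenever `RABBITMQ_X509` is set. State in the commit message whether RabbitMQ TLS is meant to be active after this change. If it is, the disabled hostname check means the init job validates the CA chain but not which broker it is talking to, which deserves a follow-up item.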
@@ -1,56 +0,0 @@
From 04ef9a7ff789aeda4e2e80ae6bc70beb80507d6b Mon Sep 17 00:00:00 2001
From: Rafael Falcao <rafael.vieirafalcao@windriver.com>
Date: Mon, 18 Jul 2022 09:42:01 -0300
Subject: [PATCH] Update openstack Ingress for networking api v1
This change patches the correct apiVersion for Ingress resources created
by the openstack ingress chart to work correctly when stx-openstack is
applied on stx with kubernetes 1.22+ running, fixing the problem
described in [1].
Same applies to spec changes that need to be done according to
io.k8s.api.networking.v1.IngressBackend documentation.
It could be done by upversioning openstack-helm-infra to its latest
commit (currently 1147988b8eba6ab7d1e7af262843f641be6657ff) but this
upversion has a different series of complications that are being
discussed in [2]
[1] https://bugs.launchpad.net/starlingx/+bug/1980397
[2] https://review.opendev.org/c/starlingx/openstack-armada-app/+/848336
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Co-authored-by: Rafael Falcao <rafael.vieirafalcao@windriver.com>
[ upversioned openstack-helm-infra base commit ]
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
[ Upversioned openstack-helm-infra base commit to Caracal ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
Change-Id: I0bbecc097fdafdf5ebbc3a164b80ba903b5623f2
---
mariadb/templates/deployment-ingress.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mariadb/templates/deployment-ingress.yaml b/mariadb/templates/deployment-ingress.yaml
index 6fbf3389..ba0d64c9 100644
--- a/mariadb/templates/deployment-ingress.yaml
+++ b/mariadb/templates/deployment-ingress.yaml
@@ -21,7 +21,7 @@ limitations under the License.
{{- if .Values.manifests.deployment_ingress }}
{{- $envAll := . }}
-{{- $ingressClass := printf "%s-%s" .deployment_name "mariadb-ingress" }}
+{{- $ingressClass := printf "%s" "mariadb-ingress" }}
{{- $serviceAccountName := printf "%s-%s" .deployment_name "ingress" }}
{{ tuple $envAll "ingress" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -171,7 +171,7 @@ rules:
- apiGroups:
- ""
resourceNames:
- - {{ printf "%s-%s" .deployment_name $ingressClass | quote }}
+ - {{ printf "%s" .Release.Name | quote }}
resources:
- configmaps
verbs:
--
2.34.1
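Review bot: The subject and message of this deleted patch describe an Ingress apiVersion fix, but its two hunks only change `$ingressClass` and the configmap `resourceNames` entry in the RBAC rule of mariadb/templates/deployment-ingress.yaml. That rule scopes which ConfigMap the ingress service account may act on, so before dropping the patch confirm that the name it granted (`.Release.Name`) is no longer needed, for example because this template is no longer rendered, and say so in the commit message.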
@@ -1,846 +0,0 @@
From de4f807376a58fa6b04163bc04cdbdad14777540 Mon Sep 17 00:00:00 2001
From: dbarbosa <david.barbosabastos@windriver.com>
Date: Wed, 20 Dec 2023 06:51:59 -0300
Subject: [PATCH] Add app.starlingx.io/component label to pods
Add the label app.starlingx.io/component to the pods and allow the
value to be updated via "system helm-override-update". This change
also ensures that when changing the label value and reapplying the
app, the pod is restarted.
The value of the label can only be “platform” or “application”, if
the variable "label.isApplication" in the values.yaml file is
different from true or false, the label will not change.
By default, all pods start with the value platform.
Signed-off-by: David Bastos <david.barbosabastos@windriver.com>
[ Updated "isApplication" labels values to "true" ]
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
[ Added labels to helm-toolkit job manifests ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
[ Add labels to helm charts and change isApplication to false ]
Signed-off-by: Giulia Melao <giulia.depaulamelao@windriver.com>
[ Upversioned openstack-helm-infra base commit to Caracal ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
---
ceph-rgw/templates/deployment-rgw.yaml | 2 ++
ceph-rgw/templates/job-bootstrap.yaml | 2 ++
ceph-rgw/templates/job-rgw-placement-targets.yaml | 2 ++
ceph-rgw/templates/job-rgw-restart.yaml | 2 ++
ceph-rgw/templates/job-rgw-storage-init.yaml | 2 ++
ceph-rgw/templates/job-s3-admin.yaml | 2 ++
ceph-rgw/templates/pod-helm-tests.yaml | 2 ++
ceph-rgw/values.yaml | 1 +
gnocchi/templates/cron-job-resources-cleaner.yaml | 3 +++
gnocchi/templates/daemonset-metricd.yaml | 2 ++
gnocchi/templates/daemonset-statsd.yaml | 2 ++
gnocchi/templates/deployment-api.yaml | 2 ++
gnocchi/templates/job-clean.yaml | 3 +++
gnocchi/templates/job-db-init-indexer.yaml | 3 +++
gnocchi/templates/job-db-sync.yaml | 3 +++
gnocchi/templates/job-storage-init.yaml | 3 +++
gnocchi/templates/pod-gnocchi-test.yaml | 2 ++
gnocchi/values.yaml | 1 +
helm-toolkit/templates/manifests/_job-bootstrap.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl | 5 +++++
helm-toolkit/templates/manifests/_job-db-init-mysql.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-db-sync.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-ks-endpoints.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-ks-service.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl | 4 ++++
helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl | 5 +++++
helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl | 5 +++++
helm-toolkit/templates/manifests/_job_image_repo_sync.tpl | 5 +++++
libvirt/templates/daemonset-libvirt.yaml | 2 ++
libvirt/values.yaml | 1 +
mariadb/templates/cron-job-backup-mariadb.yaml | 3 +++
mariadb/templates/deployment-error.yaml | 2 ++
mariadb/templates/deployment-ingress.yaml | 2 ++
mariadb/templates/pod-test.yaml | 2 ++
mariadb/templates/statefulset.yaml | 2 ++
mariadb/values.yaml | 1 +
memcached/templates/deployment.yaml | 2 ++
memcached/values.yaml | 1 +
mongodb/templates/statefulset.yaml | 2 ++
mongodb/values.yaml | 1 +
openvswitch/templates/daemonset.yaml | 2 ++
openvswitch/values.yaml | 1 +
rabbitmq/templates/job-cluster-wait.yaml | 2 ++
rabbitmq/templates/pod-test.yaml | 2 ++
rabbitmq/templates/statefulset.yaml | 2 ++
rabbitmq/values.yaml | 1 +
47 files changed, 118 insertions(+)
diff --git a/ceph-rgw/templates/deployment-rgw.yaml b/ceph-rgw/templates/deployment-rgw.yaml
index 1fde8afe..a62f2757 100644
--- a/ceph-rgw/templates/deployment-rgw.yaml
+++ b/ceph-rgw/templates/deployment-rgw.yaml
@@ -123,11 +123,13 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "rgw" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
secret-keystone-rgw-hash: {{ tuple "secret-keystone-rgw.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rgw" "containerNames" (list "init" "ceph-rgw" "ceph-init-dirs" "ceph-rgw-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/ceph-rgw/templates/job-bootstrap.yaml b/ceph-rgw/templates/job-bootstrap.yaml
index 63689691..f75e5a43 100644
--- a/ceph-rgw/templates/job-bootstrap.yaml
+++ b/ceph-rgw/templates/job-bootstrap.yaml
@@ -58,8 +58,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rgw-bootstrap" "containerNames" (list "ceph-keyring-placement" "init" "ceph-rgw-bootstrap") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/ceph-rgw/templates/job-rgw-placement-targets.yaml b/ceph-rgw/templates/job-rgw-placement-targets.yaml
index 45b9486a..d092069b 100644
--- a/ceph-rgw/templates/job-rgw-placement-targets.yaml
+++ b/ceph-rgw/templates/job-rgw-placement-targets.yaml
@@ -59,8 +59,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "rgw-placement-targets" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rgw-placement-targets" "containerNames" (list "ceph-keyring-placement" "init" "create-rgw-placement-targets") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/ceph-rgw/templates/job-rgw-restart.yaml b/ceph-rgw/templates/job-rgw-restart.yaml
index fdbec8f9..080b5df2 100644
--- a/ceph-rgw/templates/job-rgw-restart.yaml
+++ b/ceph-rgw/templates/job-rgw-restart.yaml
@@ -59,8 +59,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "rgw-restart" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rgw-restart" "containerNames" (list "init" "ceph-rgw-restart") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/ceph-rgw/templates/job-rgw-storage-init.yaml b/ceph-rgw/templates/job-rgw-storage-init.yaml
index 4c3a6ed3..a2c30130 100644
--- a/ceph-rgw/templates/job-rgw-storage-init.yaml
+++ b/ceph-rgw/templates/job-rgw-storage-init.yaml
@@ -56,8 +56,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "rgw-storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rgw-storage-init" "containerNames" (list "ceph-keyring-placement" "init" "ceph-rgw-storage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/ceph-rgw/templates/job-s3-admin.yaml b/ceph-rgw/templates/job-s3-admin.yaml
index d796395b..94a831a9 100644
--- a/ceph-rgw/templates/job-s3-admin.yaml
+++ b/ceph-rgw/templates/job-s3-admin.yaml
@@ -60,8 +60,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "rgw-s3-admin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rgw-s3-admin" "containerNames" (list "ceph-keyring-placement" "init" "create-s3-admin") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/ceph-rgw/templates/pod-helm-tests.yaml b/ceph-rgw/templates/pod-helm-tests.yaml
index 54a0f870..01c3325b 100644
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@@ -22,8 +22,10 @@ kind: Pod
metadata:
name: {{ $serviceAccountName }}
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "ceph" "rgw-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
"helm.sh/hook": test-success
{{ dict "envAll" $envAll "podName" "ceph-rgw-test" "containerNames" (list "ceph-rgw-ks-validation" "ceph-rgw-s3-validation") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index c8ee0a22..a0befdf0 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -42,6 +42,7 @@ images:
- image_repo_sync
labels:
+ isApplication: false
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
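Review bot: `isApplication: false` is added under `labels:` with no comment, next to keys such as `job:` that hold node selector settings, so its purpose and allowed values are not discoverable from the values file. Add a short comment saying it selects between the `application` and `platform` values of `app.starlingx.io/component`, and that it must be a YAML boolean, since the templates pass it straight to `ternary`.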
diff --git a/gnocchi/templates/cron-job-resources-cleaner.yaml b/gnocchi/templates/cron-job-resources-cleaner.yaml
index 608bab5f..6de846f6 100644
--- a/gnocchi/templates/cron-job-resources-cleaner.yaml
+++ b/gnocchi/templates/cron-job-resources-cleaner.yaml
@@ -42,7 +42,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "gnocchi" "resources-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ annotation:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
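Review bot: The added key is `annotation:` (singular) in the CronJob pod template metadata, while every other template in this patch uses `annotations:`. Kubernetes object metadata has no `annotation` field, so the `configchecksum` entry will not be stored as an annotation. Rename the key to `annotations:`.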
diff --git a/gnocchi/templates/daemonset-metricd.yaml b/gnocchi/templates/daemonset-metricd.yaml
index 6fe77593..5d94ce26 100644
--- a/gnocchi/templates/daemonset-metricd.yaml
+++ b/gnocchi/templates/daemonset-metricd.yaml
@@ -35,11 +35,13 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "gnocchi" "metricd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
diff --git a/gnocchi/templates/daemonset-statsd.yaml b/gnocchi/templates/daemonset-statsd.yaml
index 316265bc..371448ee 100644
--- a/gnocchi/templates/daemonset-statsd.yaml
+++ b/gnocchi/templates/daemonset-statsd.yaml
@@ -34,11 +34,13 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "gnocchi" "metricd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
diff --git a/gnocchi/templates/deployment-api.yaml b/gnocchi/templates/deployment-api.yaml
index 68555b18..d34f7639 100644
--- a/gnocchi/templates/deployment-api.yaml
+++ b/gnocchi/templates/deployment-api.yaml
@@ -36,11 +36,13 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "gnocchi" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:
diff --git a/gnocchi/templates/job-clean.yaml b/gnocchi/templates/job-clean.yaml
index e1023aa3..e2635fac 100644
--- a/gnocchi/templates/job-clean.yaml
+++ b/gnocchi/templates/job-clean.yaml
@@ -57,6 +57,9 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll "gnocchi" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
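Review bot: The `annotations:` key and its `configchecksum` entry are inserted between `labels:` and the `helm-toolkit.snippets.kubernetes_metadata_labels` include, so as ordered here the include output renders after `configchecksum` and no longer directly under `labels:`. The standard labels would then be emitted as annotations, and anything that selects these pods by those labels stops matching. Move the two added annotation lines below the include line. The same ordering appears in the `job-db-init-indexer.yaml`, `job-db-sync.yaml` and `job-storage-init.yaml` hunks of this patch.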
diff --git a/gnocchi/templates/job-db-init-indexer.yaml b/gnocchi/templates/job-db-init-indexer.yaml
index 397dbee2..d1c796ac 100644
--- a/gnocchi/templates/job-db-init-indexer.yaml
+++ b/gnocchi/templates/job-db-init-indexer.yaml
@@ -28,6 +28,9 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll "gnocchi" "db-init-indexer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/gnocchi/templates/job-db-sync.yaml b/gnocchi/templates/job-db-sync.yaml
index 123a5e16..d4a33034 100644
--- a/gnocchi/templates/job-db-sync.yaml
+++ b/gnocchi/templates/job-db-sync.yaml
@@ -28,6 +28,9 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll "gnocchi" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/gnocchi/templates/job-storage-init.yaml b/gnocchi/templates/job-storage-init.yaml
index 9aaae9a5..621008cd 100644
--- a/gnocchi/templates/job-storage-init.yaml
+++ b/gnocchi/templates/job-storage-init.yaml
@@ -56,6 +56,9 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll "gnocchi" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/gnocchi/templates/pod-gnocchi-test.yaml b/gnocchi/templates/pod-gnocchi-test.yaml
index c3cbe67b..961f8a2c 100644
--- a/gnocchi/templates/pod-gnocchi-test.yaml
+++ b/gnocchi/templates/pod-gnocchi-test.yaml
@@ -26,8 +26,10 @@ kind: Pod
metadata:
name: "{{.Release.Name}}-test"
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "gnocchi" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
"helm.sh/hook": test-success
spec:
nodeSelector:
diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml
index 3cc684fc..bbfd4335 100644
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@@ -16,6 +16,7 @@
---
labels:
+ isApplication: false
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
index 6b77004f..d061fc75 100644
--- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl
+++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -63,11 +63,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
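Review bot: In the added label line the `ternary` call sits inside `{{ if $envAll.Values.labels.isApplication }}`, so its condition is always true in that branch and it can only return `application`; the expression reduces to `{{ if $envAll.Values.labels.isApplication }}application{{ else }}platform{{ end }}`. The `if` also does not protect a consuming chart that defines no `labels` map at all, because evaluating `.isApplication` on a missing `labels` fails at render time. Checking `$envAll.Values.labels` before the lookup would make this shared helper safe for such charts.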
diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
index 5e31a04d..404c3d49 100644
--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -65,10 +65,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
+ {{- if $envAll.Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end}}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
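Review bot: The closing action is written `{{- end}}` here, while the bootstrap, db-init and db-sync helpers in the same patch use `{{- end }}`; please settle on one spelling. This helper also makes the whole `annotations:` key conditional, so the pod template carries no annotations block when `isApplication` is false, unlike the helpers that always emit `annotations:` with the release UUID. A short template comment explaining that difference would help the next reader.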
diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
index ff5d54ba..84b8e1a9 100644
--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -63,11 +63,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl
index 364a7fe8..c033cf39 100644
--- a/helm-toolkit/templates/manifests/_job-db-sync.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -60,11 +60,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
index e4b0e45d..387716c4 100644
--- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -64,11 +64,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl
index 9604c637..8111d37b 100644
--- a/helm-toolkit/templates/manifests/_job-ks-service.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -64,11 +64,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
index 58dcdc5c..f768e68e 100644
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -86,11 +86,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
index f3ff145f..4fda90de 100644
--- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -51,11 +51,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
+ {{- if $envAll.Values.labels.isApplication }}
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
diff --git a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
index b5fdc09c..7c4b605f 100644
--- a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -61,10 +61,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
+ {{- if $envAll.Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end}}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
restartPolicy: OnFailure
diff --git a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
index 77d1a71e..e07549c6 100644
--- a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -59,10 +59,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
+ {{- if $envAll.Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end}}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
restartPolicy: OnFailure
diff --git a/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
index 0906df4c..bc135c64 100644
--- a/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
+++ b/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -57,10 +57,15 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
+ {{- if $envAll.Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end}}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml
index 4a0b128a..050aefc0 100644
--- a/libvirt/templates/daemonset-libvirt.yaml
+++ b/libvirt/templates/daemonset-libvirt.yaml
@@ -58,12 +58,14 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{- dict "envAll" $envAll "podName" "libvirt-libvirt-default" "containerNames" (list "libvirt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
{{ dict "envAll" $envAll "application" "libvirt" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index ba35a3f5..22ff231c 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -19,6 +19,7 @@
release_group: null
labels:
+ isApplication: false
agent:
libvirt:
node_selector_key: openstack-compute-node
diff --git a/mariadb/templates/cron-job-backup-mariadb.yaml b/mariadb/templates/cron-job-backup-mariadb.yaml
index cb838125..9222a086 100644
--- a/mariadb/templates/cron-job-backup-mariadb.yaml
+++ b/mariadb/templates/cron-job-backup-mariadb.yaml
@@ -47,7 +47,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mariadb-backup" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
{{ dict "envAll" $envAll "application" "mariadb_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
serviceAccountName: {{ $serviceAccountName }}
diff --git a/mariadb/templates/deployment-error.yaml b/mariadb/templates/deployment-error.yaml
index 4f3b68bd..eaa228bc 100644
--- a/mariadb/templates/deployment-error.yaml
+++ b/mariadb/templates/deployment-error.yaml
@@ -35,8 +35,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-ingress-etc.yaml" . | include "helm-toolkit.utils.hash" }}
diff --git a/mariadb/templates/deployment-ingress.yaml b/mariadb/templates/deployment-ingress.yaml
index ba0d64c9..cf964061 100644
--- a/mariadb/templates/deployment-ingress.yaml
+++ b/mariadb/templates/deployment-ingress.yaml
@@ -238,6 +238,7 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
app.kubernetes.io/instance: {{ $serviceAccountName }}
app.kubernetes.io/name: "mariadb"
@@ -247,6 +248,7 @@ spec:
app.kubernetes.io/version: {{ $envAll.Chart.AppVersion | quote }}
{{- end }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-ingress-etc.yaml" . | include "helm-toolkit.utils.hash" }}
diff --git a/mariadb/templates/pod-test.yaml b/mariadb/templates/pod-test.yaml
index c8b3c29c..2f4ef851 100644
--- a/mariadb/templates/pod-test.yaml
+++ b/mariadb/templates/pod-test.yaml
@@ -30,8 +30,10 @@ kind: Pod
metadata:
name: "{{.deployment_name}}-test"
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mariadb" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
"helm.sh/hook": test-success
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "mariadb-test" "containerNames" (list "init" "mariadb-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 5be9ab46..b8d3f193 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -125,8 +125,10 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 53789ba1..61d2d3e7 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -39,6 +39,7 @@ images:
- image_repo_sync
labels:
+ isApplication: false
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
diff --git a/memcached/templates/deployment.yaml b/memcached/templates/deployment.yaml
index b3d12eaf..a2f0d912 100644
--- a/memcached/templates/deployment.yaml
+++ b/memcached/templates/deployment.yaml
@@ -43,10 +43,12 @@ spec:
template:
metadata:
annotations:
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ dict "envAll" $envAll "podName" "memcached" "containerNames" (list "init" "memcached") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/memcached/values.yaml b/memcached/values.yaml
index c1a4cd0c..dd2bf3c6 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@@ -130,6 +130,7 @@ images:
- image_repo_sync
labels:
+ isApplication: false
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
diff --git a/mongodb/templates/statefulset.yaml b/mongodb/templates/statefulset.yaml
index 7456a077..6c4c5148 100644
--- a/mongodb/templates/statefulset.yaml
+++ b/mongodb/templates/statefulset.yaml
@@ -35,10 +35,12 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mongodb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:
diff --git a/mongodb/values.yaml b/mongodb/values.yaml
index e0d353e5..00afdcfe 100644
--- a/mongodb/values.yaml
+++ b/mongodb/values.yaml
@@ -70,6 +70,7 @@ volume:
host_path: /var/lib/openstack-helm/mongodb
labels:
+ isApplication: false
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
diff --git a/openvswitch/templates/daemonset.yaml b/openvswitch/templates/daemonset.yaml
index 3a66fa51..c7aa9a05 100644
--- a/openvswitch/templates/daemonset.yaml
+++ b/openvswitch/templates/daemonset.yaml
@@ -76,9 +76,11 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "openvswitch" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index b350f03e..49006ea9 100644
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@@ -32,6 +32,7 @@ images:
- image_repo_sync
labels:
+ isApplication: false
ovs:
node_selector_key: openvswitch
node_selector_value: enabled
diff --git a/rabbitmq/templates/job-cluster-wait.yaml b/rabbitmq/templates/job-cluster-wait.yaml
index 1c4378c7..223291e4 100644
--- a/rabbitmq/templates/job-cluster-wait.yaml
+++ b/rabbitmq/templates/job-cluster-wait.yaml
@@ -46,11 +46,13 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "rabbitmq" "cluster-wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ dict "envAll" $envAll "podName" "rabbitmq-cluster-wait" "containerNames" (list "init" "rabbitmq-cookie" "rabbitmq-rabbitmq-cluster-wait" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/rabbitmq/templates/pod-test.yaml b/rabbitmq/templates/pod-test.yaml
index 37d8af36..2cdc047d 100644
--- a/rabbitmq/templates/pod-test.yaml
+++ b/rabbitmq/templates/pod-test.yaml
@@ -40,10 +40,12 @@ kind: Pod
metadata:
name: "{{.deployment_name}}-test"
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "rabbitmq" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
"helm.sh/hook": test-success
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ dict "envAll" $envAll "podName" "rabbitmq-rabbitmq-test" "containerNames" (list "init" "rabbitmq-rabbitmq-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml
index 68fbac71..0bbe2a8c 100644
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
@@ -107,6 +107,7 @@ spec:
template:
metadata:
labels:
+ app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
@@ -114,6 +115,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
+ configchecksum: {{ toYaml .Values.labels.isApplication | sha256sum | trunc 63 }}
{{ dict "envAll" $envAll "podName" "rabbitmq" "containerNames" (list "init" "rabbitmq-password" "rabbitmq-cookie" "rabbitmq-perms" "rabbitmq") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index ca1f2036..68a963a1 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -17,6 +17,7 @@
---
labels:
+ isApplication: false
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
--
2.34.1
@@ -1,465 +0,0 @@
From a378cbea96985e35c3b8d6bc6df1551e0cf9435b Mon Sep 17 00:00:00 2001
From: Daniel Caires <DanielMarques.Caires@windriver.com>
Date: Tue, 19 Aug 2024 14:28:05 -0300
Subject: [PATCH] Add pre-apply cleanup Job to STX-O Helm charts
After verification, it was noted that it is not possible
to reapply STX-Openstack after a helm-override that changes
a job template since the template section of job is
immutable or not updatable
Due to the use of kubernetes-entrypoint DEPENDENCY_JOBS it was
also noted that deleting the jobs after the application is applied
it is not an option. If this happened, the application would not
come back after a host reboot.
This patch creates a Job template that runs right before the Helm
chart is installed ou updated. This Job deletes all jobs that have
its status as completed.
[ Upversioned openstack-helm-infra base commit to Caracal ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
---
ceph-rgw/templates/job-pre-apply-cleanup.yaml | 18 ++++
ceph-rgw/values.yaml | 2 +
gnocchi/templates/job-pre-apply-cleanup.yaml | 18 ++++
gnocchi/values.yaml | 2 +
.../manifests/_job-pre-apply-cleanup.tpl | 93 +++++++++++++++++++
libvirt/templates/job-pre-apply-cleanup.yaml | 18 ++++
libvirt/values.yaml | 2 +
mariadb/templates/job-pre-apply-cleanup.yaml | 18 ++++
mariadb/values.yaml | 2 +
.../templates/job-pre-apply-cleanup.yaml | 18 ++++
memcached/values.yaml | 2 +
.../templates/job-pre-apply-cleanup.yaml | 18 ++++
openvswitch/values.yaml | 2 +
rabbitmq/templates/job-pre-apply-cleanup.yaml | 18 ++++
rabbitmq/values.yaml | 2 +
15 files changed, 233 insertions(+)
create mode 100644 ceph-rgw/templates/job-pre-apply-cleanup.yaml
create mode 100644 gnocchi/templates/job-pre-apply-cleanup.yaml
create mode 100644 helm-toolkit/templates/manifests/_job-pre-apply-cleanup.tpl
create mode 100644 libvirt/templates/job-pre-apply-cleanup.yaml
create mode 100644 mariadb/templates/job-pre-apply-cleanup.yaml
create mode 100644 memcached/templates/job-pre-apply-cleanup.yaml
create mode 100644 openvswitch/templates/job-pre-apply-cleanup.yaml
create mode 100644 rabbitmq/templates/job-pre-apply-cleanup.yaml
diff --git a/ceph-rgw/templates/job-pre-apply-cleanup.yaml b/ceph-rgw/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..2a1d6d91
--- /dev/null
+++ b/ceph-rgw/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "ceph-rgw" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index a0befdf0..d8e52d28 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -35,6 +35,7 @@ images:
ks_endpoints: 'docker.io/openstackhelm/heat:2024.1-ubuntu_jammy'
ks_service: 'docker.io/openstackhelm/heat:2024.1-ubuntu_jammy'
ks_user: 'docker.io/openstackhelm/heat:2024.1-ubuntu_jammy'
+ pre_apply_cleanup: 'docker.io/starlingx/stx-vault-manager:master-debian-stable-latest'
local_registry:
active: false
exclude:
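Review bot: `pre_apply_cleanup` is set to `docker.io/starlingx/stx-vault-manager:master-debian-stable-latest`, a mutable tag, and the Job that runs this image is given a service account allowed to delete Jobs in the namespace. Pin it to a fixed version tag or a digest so that the image content cannot change between applies, and add a comment saying why the vault-manager image is used here (presumably only for its `kubectl` binary). The same value is repeated in the gnocchi, libvirt, mariadb, memcached, openvswitch and rabbitmq values hunks.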
@@ -724,6 +725,7 @@ manifests:
configmap_etc: true
deployment_rgw: true
ingress_rgw: true
+ job_pre_apply_cleanup: true
job_bootstrap: false
job_rgw_restart: false
job_ceph_rgw_storage_init: true
diff --git a/gnocchi/templates/job-pre-apply-cleanup.yaml b/gnocchi/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..0e4424da
--- /dev/null
+++ b/gnocchi/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "gnocchi" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml
index bbfd4335..dfab7413 100644
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@@ -52,6 +52,7 @@ images:
gnocchi_metricd: quay.io/attcomdev/ubuntu-source-gnocchi-metricd:3.0.3
gnocchi_resources_cleaner: quay.io/attcomdev/ubuntu-source-gnocchi-base:3.0.3
image_repo_sync: docker.io/library/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -639,6 +640,7 @@ manifests:
daemonset_statsd: true
deployment_api: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_clean: true
job_db_drop: false
diff --git a/helm-toolkit/templates/manifests/_job-pre-apply-cleanup.tpl b/helm-toolkit/templates/manifests/_job-pre-apply-cleanup.tpl
new file mode 100644
index 00000000..84f88bfc
--- /dev/null
+++ b/helm-toolkit/templates/manifests/_job-pre-apply-cleanup.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+
+{{- define "helm-toolkit.manifests.job_pre_apply_cleanup" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "pre-apply-cleanup" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-8"
+imagePullSecrets:
+ - name: default-registry-key
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "pre-apply-cleanup" | quote }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-7"
+spec:
+ ttlSecondsAfterFinished: 200
+ template:
+ metadata:
+ labels:
+ app.starlingx.io/component: {{ if $envAll.Values.labels.isApplication }}{{ ternary "application" "platform" $envAll.Values.labels.isApplication }}{{ else }}platform{{ end }}
+ {{- if $envAll.Values.labels.isApplication }}
+ annotations:
+ configchecksum: {{ toYaml $envAll.Values.labels.isApplication | sha256sum | trunc 63 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ containers:
+ - name: cleanup
+ image: {{ $envAll.Values.images.tags.pre_apply_cleanup }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command: ["sh", "-c", "
+ for job in $(kubectl get jobs -n openstack -l 'release_group=osh-openstack-{{ $serviceNamePretty }}' -o jsonpath='{.items[?(@.status.succeeded==1)].metadata.name}'); do
+ kubectl delete job $job -n openstack;
+ done"]
+ restartPolicy: OnFailure
+{{- end }}
\ No newline at end of file
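Review bot: the Role grants `verbs: "*"` on `batch` `jobs`, while the cleanup command only runs `kubectl get jobs` and `kubectl delete job`, so `get`, `list` and `delete` are enough. The Role and RoleBinding also carry no `helm.sh/hook` annotations, whereas the ServiceAccount is a `pre-install` hook (weight -8) and the Job is `pre-install,pre-upgrade` (weight -7); on a first install the Job therefore runs before its RBAC objects exist, so give all four matching hooks and ordered weights. The command hard-codes `-n openstack` and the `osh-openstack-` release prefix although the ServiceAccount uses `$envAll.Release.Namespace`, `$job` is unquoted in the loop, and the header comment still describes `helm-toolkit.manifests.job_ks_user` rather than this template.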
diff --git a/libvirt/templates/job-pre-apply-cleanup.yaml b/libvirt/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..7c44fd2b
--- /dev/null
+++ b/libvirt/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "libvirt" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index 22ff231c..b3a4373b 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -33,6 +33,7 @@ images:
dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
image_repo_sync: docker.io/library/docker:17.07.0
kubectl: docker.io/bitnami/kubectl:latest
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -317,6 +318,7 @@ manifests:
configmap_bin: true
configmap_etc: true
daemonset_libvirt: true
+ job_pre_apply_cleanup: true
job_image_repo_sync: true
network_policy: false
role_cert_manager: false
diff --git a/mariadb/templates/job-pre-apply-cleanup.yaml b/mariadb/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..4c2cef3b
--- /dev/null
+++ b/mariadb/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "mariadb" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 61d2d3e7..d348f587 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -31,6 +31,7 @@ images:
mariadb_backup: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_focal
ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
scripted_test: docker.io/openstackhelm/mariadb:ubuntu_focal-20210415
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -710,6 +711,7 @@ manifests:
configmap_services_tcp: true
deployment_error: false
deployment_ingress: false
+ job_pre_apply_cleanup: true
job_image_repo_sync: true
cron_job_mariadb_backup: false
job_ks_user: false
diff --git a/memcached/templates/job-pre-apply-cleanup.yaml b/memcached/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..f2d12578
--- /dev/null
+++ b/memcached/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "memcached" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/memcached/values.yaml b/memcached/values.yaml
index dd2bf3c6..26875d38 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@@ -123,6 +123,7 @@ images:
memcached: 'docker.io/library/memcached:1.5.5'
prometheus_memcached_exporter: docker.io/prom/memcached-exporter:v0.4.1
image_repo_sync: docker.io/library/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
local_registry:
active: false
exclude:
@@ -138,6 +139,7 @@ labels:
manifests:
configmap_bin: true
deployment: true
+ job_pre_apply_cleanup: true
job_image_repo_sync: true
network_policy: false
service: true
diff --git a/openvswitch/templates/job-pre-apply-cleanup.yaml b/openvswitch/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..3a29b239
--- /dev/null
+++ b/openvswitch/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "openvswitch" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index 49006ea9..0e5a2f75 100644
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@@ -24,6 +24,7 @@ images:
openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_focal
dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
image_repo_sync: docker.io/library/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -206,6 +207,7 @@ manifests:
configmap_bin: true
daemonset: true
daemonset_ovs_vswitchd: true
+ job_pre_apply_cleanup: true
job_image_repo_sync: true
network_policy: false
secret_registry: true
diff --git a/rabbitmq/templates/job-pre-apply-cleanup.yaml b/rabbitmq/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..428d7c01
--- /dev/null
+++ b/rabbitmq/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "rabbitmq" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index 68a963a1..fbb98414 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -40,6 +40,7 @@ images:
dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
scripted_test: docker.io/library/rabbitmq:3.13.0-management
image_repo_sync: docker.io/library/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -446,6 +447,7 @@ manifests:
configmap_etc: true
config_ipv6: false
ingress_management: true
+ job_pre_apply_cleanup: true
job_cluster_wait: true
job_image_repo_sync: true
monitoring:
--
2.34.1
@@ -1,50 +0,0 @@
From 3e3f00e6f9616cbe285d649966c59a392d553ad6 Mon Sep 17 00:00:00 2001
From: jchialun <johnny.chialung@windriver.com>
Date: Fri, 20 Sep 2024 11:25:24 -0500
Subject: [PATCH] Add Kubernetes name label to helm toolkit template
This change allows the application framework status to correctly
represent the pods statuses by adding the correct label to every pod.
Signed-off-by: Johnny Chia <johnny.chialung@windriver.com>
[ Upversioned openstack-helm-infra base commit to Caracal ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
---
helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl | 1 +
mariadb/templates/deployment-ingress.yaml | 2 --
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
index 48b53fa1..37482ebc 100644
--- a/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -40,6 +40,7 @@ return: |
release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
application: {{ $application }}
component: {{ $component }}
+app.kubernetes.io/name: {{ $application }}
{{- if ($envAll.Values.pod).labels }}
{{- if hasKey $envAll.Values.pod.labels $component }}
{{ index $envAll.Values.pod "labels" $component | toYaml }}
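Review bot: adding `app.kubernetes.io/name: {{ $application }}` inside the shared `kubernetes_metadata_labels` snippet changes every template that includes it, not only pod metadata. Any template that already sets this key next to the include will now render a duplicate key (the two `mariadb/templates/deployment-ingress.yaml` hunks below remove exactly that case), and if any chart renders the snippet under `spec.selector.matchLabels`, the selector of an already deployed workload changes on upgrade. Please check the other charts for both cases, and add the new label to the `return:` example in the snippet's doc comment, which this one-line change leaves untouched.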
diff --git a/mariadb/templates/deployment-ingress.yaml b/mariadb/templates/deployment-ingress.yaml
index cf964061..91f496cb 100644
--- a/mariadb/templates/deployment-ingress.yaml
+++ b/mariadb/templates/deployment-ingress.yaml
@@ -223,7 +223,6 @@ metadata:
labels:
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
app.kubernetes.io/instance: {{ $serviceAccountName }}
- app.kubernetes.io/name: "mariadb"
app.kubernetes.io/component: "ingress"
app.kubernetes.io/managed-by: {{ $envAll.Release.Service }}
{{- if $envAll.Chart.AppVersion }}
@@ -241,7 +240,6 @@ spec:
app.starlingx.io/component: {{ ternary "application" "platform" .Values.labels.isApplication }}
{{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
app.kubernetes.io/instance: {{ $serviceAccountName }}
- app.kubernetes.io/name: "mariadb"
app.kubernetes.io/component: "ingress"
app.kubernetes.io/managed-by: {{ $envAll.Release.Service }}
{{- if $envAll.Chart.AppVersion }}
--
2.34.1
@@ -1,796 +0,0 @@
From 820f3770b4134e58c59d10eb667bd84229d82e6d Mon Sep 17 00:00:00 2001
From: Daniel Caires <DanielMarques.Caires@windriver.com>
Date: Wed, 12 Mar 2025 07:57:44 -0300
Subject: [PATCH] Bring necessary upstream commits
MariaDB Helm-chart was creating a service that had no clear
definition and had no labels. This patch brings 3 commits
from upstream OSH-I in which they changed the location
where the service is created and added the proper labels.
Commits:
https://opendev.org/openstack/openstack-helm-infra/commit/954e338d17e2dc8394dcd076cceca1e7777c8968
https://opendev.org/openstack/openstack-helm-infra/commit/475a0c4b44b9c815fbbafaf1b1d485c9d2973878
https://opendev.org/openstack/openstack-helm-infra/commit/d27ea2474504653383d005adcbc043b34d62eccd
[ Add tolerations to mariadb-controller pod definition ]
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
---
.../templates/snippets/_service_params.tpl | 61 ++++++++
.../templates/bin/_mariadb_controller.py.tpl | 112 ++++++++++++++
mariadb/templates/bin/_start.py.tpl | 143 +-----------------
mariadb/templates/configmap-bin.yaml | 4 +
mariadb/templates/deployment-controller.yaml | 122 +++++++++++++++
mariadb/templates/service-discovery.yaml | 5 +
mariadb/templates/service-master.yaml | 33 ++++
mariadb/templates/service.yaml | 1 +
mariadb/templates/statefulset.yaml | 37 +----
mariadb/values.yaml | 34 ++++-
10 files changed, 379 insertions(+), 173 deletions(-)
create mode 100644 helm-toolkit/templates/snippets/_service_params.tpl
create mode 100644 mariadb/templates/bin/_mariadb_controller.py.tpl
create mode 100644 mariadb/templates/deployment-controller.yaml
create mode 100644 mariadb/templates/service-master.yaml
diff --git a/helm-toolkit/templates/snippets/_service_params.tpl b/helm-toolkit/templates/snippets/_service_params.tpl
new file mode 100644
index 00000000..6233a935
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_service_params.tpl
@@ -0,0 +1,61 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Inserts kubernetes service parameters from values as is.
+values: |
+ network:
+ serviceExample:
+ service:
+ type: loadBalancer
+ loadBalancerIP: 1.1.1.1
+usage: |
+ ---
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: 'serviceExample'
+ spec:
+ ports:
+ - name: s-example
+ port: 1111
+ {{ .Values.network.serviceExample | include "helm-toolkit.snippets.service_params" | indent 2 }}
+return: |
+ type: loadBalancer
+ loadBalancerIP: 1.1.1.1
+*/}}
+
+{{- define "helm-toolkit.snippets.service_params" }}
+{{- $serviceParams := dict }}
+{{- if hasKey . "service" }}
+{{- $serviceParams = .service }}
+{{- end }}
+{{- if hasKey . "node_port" }}
+{{- if hasKey .node_port "enabled" }}
+{{- if .node_port.enabled }}
+{{- $_ := set $serviceParams "type" "NodePort" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if hasKey . "external_policy_local" }}
+{{- if .external_policy_local }}
+{{- $_ := set $serviceParams "externalTrafficPolicy" "Local" }}
+{{- end }}
+{{- end }}
+{{- if $serviceParams }}
+{{- $serviceParams | toYaml }}
+{{- end }}
+{{- end }}
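Review bot: `$serviceParams = .service` aliases the map taken from values instead of copying it, so the later `set $serviceParams "type" "NodePort"` and `set $serviceParams "externalTrafficPolicy" "Local"` write into the caller's values and persist for any later use of the same map in the render. Copy first, for example `$serviceParams = deepCopy .service`. In the doc comment, `type: loadBalancer` should read `LoadBalancer`: the snippet emits the value as is, and the Service type is case-sensitive. Since arbitrary keys under `service` are passed straight into the Service spec, a sentence in the abstract saying so would help chart authors.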
diff --git a/mariadb/templates/bin/_mariadb_controller.py.tpl b/mariadb/templates/bin/_mariadb_controller.py.tpl
new file mode 100644
index 00000000..faf5195a
--- /dev/null
+++ b/mariadb/templates/bin/_mariadb_controller.py.tpl
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+
+"""
+Mariadb controller
+
+The script is responsible for set mariadb_role: primary to first
+active pod in mariadb deployment.
+
+Env variables:
+MARIADB_CONTROLLER_DEBUG: Flag to enable debug when set to 1.
+MARIADB_CONTROLLER_CHECK_PODS_DELAY: The delay between check pod attempts.
+MARIADB_CONTROLLER_PYKUBE_REQUEST_TIMEOUT: The timeout for kubernetes http session
+MARIADB_CONTROLLER_PODS_NAMESPACE: The namespace to look for mariadb pods.
+MARIADB_MASTER_SERVICE_NAME: The name of master service for mariadb.
+
+Changelog:
+0.1.0: Initial varsion
+"""
+
+
+import logging
+import os
+import sys
+import time
+
+import pykube
+
+MARIADB_CONTROLLER_DEBUG = os.getenv("MARIADB_CONTROLLER_DEBUG")
+MARIADB_CONTROLLER_CHECK_PODS_DELAY = int(
+ os.getenv("MARIADB_CONTROLLER_CHECK_PODS_DELAY", 10)
+)
+MARIADB_CONTROLLER_PYKUBE_REQUEST_TIMEOUT = int(
+ os.getenv("MARIADB_CONTROLLER_PYKUBE_REQUEST_TIMEOUT", 60)
+)
+MARIADB_CONTROLLER_PODS_NAMESPACE = os.getenv(
+ "MARIADB_CONTROLLER_PODS_NAMESPACE", "openstack"
+)
+MARIADB_MASTER_SERVICE_NAME = os.getenv(
+ "MARIADB_MASTER_SERVICE_NAME", "mariadb"
+)
+
+log_level = "DEBUG" if MARIADB_CONTROLLER_DEBUG else "INFO"
+logging.basicConfig(
+ stream=sys.stdout,
+ format="%(asctime)s %(levelname)s %(name)s %(message)s",
+ datefmt="%Y-%m-%d %H:%M:%S",
+)
+LOG = logging.getLogger("mariadb-controller")
+
+LOG.setLevel(log_level)
+
+
+def login():
+ config = pykube.KubeConfig.from_env()
+ client = pykube.HTTPClient(
+ config=config, timeout=MARIADB_CONTROLLER_PYKUBE_REQUEST_TIMEOUT
+ )
+ LOG.info(f"Created k8s api client from context {config.current_context}")
+ return client
+
+
+api = login()
+
+
+def resource_list(klass, selector, namespace=None):
+ return klass.objects(api).filter(namespace=namespace, selector=selector)
+
+
+def get_mariadb_pods():
+ sorted_pods = sorted(
+ resource_list(
+ pykube.Pod,
+ {"application": "mariadb", "component": "server"},
+ MARIADB_CONTROLLER_PODS_NAMESPACE,
+ ).iterator(),
+ key=lambda i: i.name,
+ )
+ return sorted_pods
+
+
+def get_mariadb_master_service(namespace):
+ return pykube.Service.objects(api).filter(namespace=namespace).get(name=MARIADB_MASTER_SERVICE_NAME)
+
+
+def link_master_service(pod):
+ svc = get_mariadb_master_service(MARIADB_CONTROLLER_PODS_NAMESPACE)
+ svc.reload()
+ if svc.obj['spec']['selector'].get('statefulset.kubernetes.io/pod-name') == pod.name:
+ LOG.debug(f"Nothing to do, master service points to {pod.name}")
+ else:
+ svc.obj['spec']['selector']['statefulset.kubernetes.io/pod-name'] = pod.name
+ svc.update()
+ LOG.info(f"Link master service with {pod.name}")
+
+
+def is_ready(pod):
+ if pod.ready and "deletionTimestamp" not in pod.metadata:
+ return True
+
+
+def main():
+ while True:
+ for pod in get_mariadb_pods():
+ pod.reload()
+ if is_ready(pod):
+ link_master_service(pod)
+ break
+ LOG.debug(f"Sleeping for {MARIADB_CONTROLLER_CHECK_PODS_DELAY}")
+ time.sleep(MARIADB_CONTROLLER_CHECK_PODS_DELAY)
+
+
+main()
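Review bot: the `while True` loop in `main()` has no exception handling, so a single failed API call (`pod.reload()`, the `.get(name=MARIADB_MASTER_SERVICE_NAME)` lookup, or `svc.update()`) ends the controller process; catch and log inside the loop and retry after `MARIADB_CONTROLLER_CHECK_PODS_DELAY`. `link_master_service()` indexes `svc.obj['spec']['selector']` directly and raises `KeyError` if the Service has no selector. `is_ready()` falls through to an implicit `None` instead of `return False`, and both `api = login()` and `main()` run at import time; an `if __name__ == "__main__":` guard would make the module testable. The changelog line has a typo ("varsion").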
diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl
index aae1294c..edf166ed 100644
--- a/mariadb/templates/bin/_start.py.tpl
+++ b/mariadb/templates/bin/_start.py.tpl
@@ -80,10 +80,6 @@ if check_env_var("STATE_CONFIGMAP"):
state_configmap_name = os.environ['STATE_CONFIGMAP']
logger.info("Will use \"{0}\" configmap for cluster state info".format(
state_configmap_name))
-if check_env_var("PRIMARY_SERVICE_NAME"):
- primary_service_name = os.environ['PRIMARY_SERVICE_NAME']
- logger.info("Will use \"{0}\" service as primary".format(
- primary_service_name))
if check_env_var("POD_NAMESPACE"):
pod_namespace = os.environ['POD_NAMESPACE']
if check_env_var("DIRECT_SVC_NAME"):
@@ -96,8 +92,6 @@ if check_env_var("DISCOVERY_DOMAIN"):
discovery_domain = os.environ['DISCOVERY_DOMAIN']
if check_env_var("WSREP_PORT"):
wsrep_port = os.environ['WSREP_PORT']
-if check_env_var("MARIADB_PORT"):
- mariadb_port = int(os.environ['MARIADB_PORT'])
if check_env_var("MYSQL_DBADMIN_USERNAME"):
mysql_dbadmin_username = os.environ['MYSQL_DBADMIN_USERNAME']
if check_env_var("MYSQL_DBADMIN_PASSWORD"):
@@ -121,8 +115,7 @@ if mysql_dbadmin_username == mysql_dbsst_username:
sys.exit(1)
# Set some variables for tuneables
-if check_env_var("CLUSTER_LEADER_TTL"):
- cluster_leader_ttl = int(os.environ['CLUSTER_LEADER_TTL'])
+cluster_leader_ttl = int(os.environ['CLUSTER_LEADER_TTL'])
state_configmap_update_period = 10
default_sleep = 20
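Review bot: `cluster_leader_ttl = int(os.environ['CLUSTER_LEADER_TTL'])` now reads the variable without the `check_env_var("CLUSTER_LEADER_TTL")` guard that the other settings in this file still use, so an unset variable surfaces as a bare `KeyError` and a non-numeric value as a `ValueError`, with no log line naming the setting. Either keep the guard and fail with an explicit message, or use `os.environ.get` with a documented default.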
@@ -145,25 +138,6 @@ def ensure_state_configmap(pod_namespace, configmap_name, configmap_body):
return False
-def ensure_primary_service(pod_namespace, service_name, service_body):
- """Ensure the primary service exists.
-
- Keyword arguments:
- pod_namespace -- the namespace to house the service
- service_name -- the service name
- service_body -- the service body
- """
- try:
- k8s_api_instance.read_namespaced_service(
- name=service_name, namespace=pod_namespace)
- return True
- except:
- k8s_api_instance.create_namespaced_service(
- namespace=pod_namespace, body=service_body)
-
- return False
-
-
def run_cmd_with_logging(popenargs,
logger,
@@ -414,60 +388,6 @@ def set_configmap_data(key, value):
return safe_update_configmap(
configmap_dict=configmap_dict, configmap_patch=configmap_patch)
-def safe_update_service(service_dict, service_patch):
- """Update a service with locking.
-
- Keyword arguments:
- service_dict -- a dict representing the service to be patched
- service_patch -- a dict containign the patch
- """
- logger.debug("Safe Patching service")
- # NOTE(portdirect): Explictly set the resource version we are patching to
- # ensure nothing else has modified the service since we read it.
- service_patch['metadata']['resourceVersion'] = service_dict[
- 'metadata']['resource_version']
-
- # Retry up to 8 times in case of 409 only. Each retry has a ~1 second
- # sleep in between so do not want to exceed the roughly 10 second
- # write interval per cm update.
- for i in range(8):
- try:
- api_response = k8s_api_instance.patch_namespaced_service(
- name=primary_service_name,
- namespace=pod_namespace,
- body=service_patch)
- return True
- except kubernetes.client.rest.ApiException as error:
- if error.status == 409:
- # This status code indicates a collision trying to write to the
- # service while another instance is also trying the same.
- logger.warning("Collision writing service: {0}".format(error))
- # This often happens when the replicas were started at the same
- # time, and tends to be persistent. Sleep with some random
- # jitter value briefly to break the synchronization.
- naptime = secretsGen.uniform(0.8,1.2)
- time.sleep(naptime)
- else:
- logger.error("Failed to set service: {0}".format(error))
- return error
- logger.info("Retry writing service attempt={0} sleep={1}".format(
- i+1, naptime))
- return True
-
-def set_primary_service_spec(key, value):
- """Update a service's endpoint via patching.
-
- Keyword arguments:
- key -- the key to be patched
- value -- the value to give the key
- """
- logger.debug("Setting service spec.selector key={0} to value={1}".format(key, value))
- service_dict = k8s_api_instance.read_namespaced_service(
- name=primary_service_name, namespace=pod_namespace).to_dict()
- service_patch = {'spec': {'selector': {}}, 'metadata': {}}
- service_patch['spec']['selector'][key] = value
- return safe_update_service(
- service_dict=service_dict, service_patch=service_patch)
def get_configmap_value(key, type='data'):
"""Get a configmap's key's value.
@@ -549,35 +469,6 @@ def get_cluster_state():
pod_namespace=pod_namespace,
configmap_name=state_configmap_name,
configmap_body=initial_configmap_body)
-
-
- initial_primary_service_body = {
- "apiVersion": "v1",
- "kind": "Service",
- "metadata": {
- "name": primary_service_name,
- },
- "spec": {
- "ports": [
- {
- "name": "mysql",
- "port": mariadb_port
- }
- ],
- "selector": {
- "application": "mariadb",
- "component": "server",
- "statefulset.kubernetes.io/pod-name": leader
- }
- }
- }
- if ensure_primary_service(
- pod_namespace=pod_namespace,
- service_name=primary_service_name,
- service_body=initial_primary_service_body):
- logger.info("Service {0} already exists".format(primary_service_name))
- else:
- logger.info("Service {0} has been successfully created".format(primary_service_name))
return state
@@ -589,38 +480,6 @@ def declare_myself_cluster_leader():
leader_expiry = "{0}Z".format(leader_expiry_raw.isoformat("T"))
set_configmap_annotation(
key='openstackhelm.openstack.org/leader.node', value=local_hostname)
- logger.info("Setting primary_service's spec.selector to {0}".format(local_hostname))
- try:
- set_primary_service_spec(
- key='statefulset.kubernetes.io/pod-name', value=local_hostname)
- except:
- initial_primary_service_body = {
- "apiVersion": "v1",
- "kind": "Service",
- "metadata": {
- "name": primary_service_name,
- },
- "spec": {
- "ports": [
- {
- "name": "mysql",
- "port": mariadb_port
- }
- ],
- "selector": {
- "application": "mariadb",
- "component": "server",
- "statefulset.kubernetes.io/pod-name": local_hostname
- }
- }
- }
- if ensure_primary_service(
- pod_namespace=pod_namespace,
- service_name=primary_service_name,
- service_body=initial_primary_service_body):
- logger.info("Service {0} already exists".format(primary_service_name))
- else:
- logger.info("Service {0} has been successfully created".format(primary_service_name))
set_configmap_annotation(
key='openstackhelm.openstack.org/leader.expiry', value=leader_expiry)
diff --git a/mariadb/templates/configmap-bin.yaml b/mariadb/templates/configmap-bin.yaml
index cc92eb69..7b6e18ab 100644
--- a/mariadb/templates/configmap-bin.yaml
+++ b/mariadb/templates/configmap-bin.yaml
@@ -53,4 +53,8 @@ data:
ks-user.sh: |
{{ include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
{{- end }}
+{{- if .Values.manifests.deployment_controller }}
+ mariadb_controller.py: |
+{{ tuple "bin/_mariadb_controller.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
{{- end }}
diff --git a/mariadb/templates/deployment-controller.yaml b/mariadb/templates/deployment-controller.yaml
new file mode 100644
index 00000000..39ec8627
--- /dev/null
+++ b/mariadb/templates/deployment-controller.yaml
@@ -0,0 +1,122 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_controller }}
+{{- if .Values.manifests.deployment_ingress }}
+{{- fail ".Values.manifests.deployment_ingress and .Values.manifests.deployment_controlle are mutually exclusive" }}
+{{- end }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "mariadb-controller" }}
+{{ tuple $envAll "controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}-pod
+ namespace: {{ $envAll.Release.Namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - update
+ - patch
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}-pod
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}-pod
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mariadb-controller
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "mariadb" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.controller }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "mariadb" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "mariadb" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "controller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "mariadb" "controller" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.mariadb.enabled }}
+{{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.controller.node_selector_key }}: {{ .Values.labels.controller.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "controller" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: controller
+{{ tuple $envAll "mariadb_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/mariadb_controller.py
+ env:
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.mariadb_controller | indent 12 }}
+ - name: MARIADB_CONTROLLER_PODS_NAMESPACE
+ value: {{ $envAll.Release.Namespace }}
+ - name: MARIADB_MASTER_SERVICE_NAME
+ value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - mountPath: /tmp/mariadb_controller.py
+ name: mariadb-bin
+ readOnly: true
+ subPath: mariadb_controller.py
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: mariadb-bin
+ configMap:
+ name: mariadb-bin
+ defaultMode: 365
+{{- end }}
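Review bot: The `services` rule in the new Role (verbs update, patch, get, list) carries no `resourceNames`, so the mariadb-controller service account can rewrite the selector of every Service in the release namespace, not only the master one. The rules removed from statefulset.yaml scoped get/patch to a single service name; do the same here using the `oslo_db` `internal` hostname that feeds MARIADB_MASTER_SERVICE_NAME, and keep an unscoped rule only for `list` if the controller really needs it. Separately, the `fail` message near the top misspells the key as `deployment_controlle`.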
diff --git a/mariadb/templates/service-discovery.yaml b/mariadb/templates/service-discovery.yaml
index dec979ef..378878c0 100644
--- a/mariadb/templates/service-discovery.yaml
+++ b/mariadb/templates/service-discovery.yaml
@@ -25,8 +25,13 @@ spec:
port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: wsrep
port: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: ist
+ port: {{ tuple "oslo_db" "direct" "ist" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: sst
+ port: {{ tuple "oslo_db" "direct" "sst" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
clusterIP: None
publishNotReadyAddresses: true
selector:
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ .Values.network.mariadb_discovery | include "helm-toolkit.snippets.service_params" | indent 2 }}
{{- end }}
diff --git a/mariadb/templates/service-master.yaml b/mariadb/templates/service-master.yaml
new file mode 100644
index 00000000..1472e6a3
--- /dev/null
+++ b/mariadb/templates/service-master.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_master }}
+{{- if .Values.manifests.service_ingress }}
+{{- fail ".Values.manifests.service_ingress and .Values.manifests.service_master are mutually exclusive" }}
+{{- end }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: mysql
+ port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ .Values.network.mariadb_master | include "helm-toolkit.snippets.service_params" | indent 2 }}
+{{- end }}
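Review bot: The selector in this new Service is the generic mariadb/server label set, the same one service.yaml uses, so as rendered it balances across every Galera member until something narrows it. If the controller Deployment is what patches the selector down to a single pod, state that in a template comment and describe what clients see while the controller is not running (`pod.replicas.controller` defaults to 1); otherwise a Service named "master" that fans out to all nodes is misleading.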
diff --git a/mariadb/templates/service.yaml b/mariadb/templates/service.yaml
index 3f7a7190..e68cbc49 100644
--- a/mariadb/templates/service.yaml
+++ b/mariadb/templates/service.yaml
@@ -25,4 +25,5 @@ spec:
port: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
selector:
{{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ .Values.network.mariadb | include "helm-toolkit.snippets.service_params" | indent 2 }}
{{- end }}
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index b8d3f193..b35d2d01 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -47,29 +47,6 @@ rules:
- configmaps
verbs:
- create
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - create
- - apiGroups:
- - ""
- resourceNames:
- - {{ tuple "oslo_db" "primary" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- resources:
- - services
- verbs:
- - get
- - patch
- - apiGroups:
- - ""
- resourceNames:
- - {{ tuple "oslo_db" "primary" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- resources:
- - endpoints
- verbs:
- - get
- apiGroups:
- ""
resourceNames:
@@ -190,12 +167,6 @@ spec:
value: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: STATE_CONFIGMAP
value: {{ printf "%s-%s" .deployment_name "mariadb-state" | quote }}
- - name: PRIMARY_SERVICE_NAME
- value: {{ tuple "oslo_db" "primary" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- - name: CLUSTER_LEADER_TTL
- value: {{ .Values.conf.galera.cluster_leader_ttl | quote }}
- - name: MARIADB_PORT
- value: {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: MYSQL_DBADMIN_USERNAME
value: {{ .Values.endpoints.oslo_db.auth.admin.username }}
- name: MYSQL_DBADMIN_PASSWORD
@@ -221,6 +192,8 @@ spec:
{{- end }}
- name: MYSQL_HISTFILE
value: {{ .Values.conf.database.mysql_histfile }}
+ - name: CLUSTER_LEADER_TTL
+ value: {{ .Values.conf.galera.cluster_leader_ttl | quote }}
ports:
- name: mysql
protocol: TCP
@@ -228,6 +201,12 @@ spec:
- name: wsrep
protocol: TCP
containerPort: {{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: ist
+ protocol: TCP
+ containerPort: {{ tuple "oslo_db" "direct" "ist" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: sst
+ protocol: TCP
+ containerPort: {{ tuple "oslo_db" "direct" "sst" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/start.py
lifecycle:
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index d348f587..4ec66f25 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -32,6 +32,7 @@ images:
ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
scripted_test: docker.io/openstackhelm/mariadb:ubuntu_focal-20210415
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
+ mariadb_controller: docker.io/openstackhelm/mariadb:latest-ubuntu_focal
pull_policy: "IfNotPresent"
local_registry:
active: false
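Review bot: `mariadb_controller` points at `latest-ubuntu_focal`, a moving tag, and with `pull_policy: "IfNotPresent"` different nodes can end up running different builds of a component that holds patch rights on Services. Pin it to a dated tag as `scripted_test` does (`ubuntu_focal-20210415`), or to a digest.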
@@ -59,8 +60,16 @@ labels:
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
+ controller:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
pod:
+ env:
+ mariadb_controller:
+ MARIADB_CONTROLLER_DEBUG: 0
+ MARIADB_CONTROLLER_CHECK_PODS_DELAY: 10
+ MARIADB_CONTROLLER_PYKUBE_REQUEST_TIMEOUT: 60
probes:
server:
mariadb:
@@ -146,6 +155,13 @@ pod:
test:
runAsUser: 999
readOnlyRootFilesystem: true
+ controller:
+ pod:
+ runAsUser: 65534
+ container:
+ controller:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
affinity:
anti:
type:
@@ -169,6 +185,7 @@ pod:
ingress: 2
error_page: 1
prometheus_mysql_exporter: 1
+ controller: 1
lifecycle:
upgrades:
deployments:
@@ -292,7 +309,8 @@ dependencies:
services:
- endpoint: internal
service: oslo_db
-
+ controller:
+ services: null
volume:
# this value is used for single pod deployments of mariadb to prevent losing all data
# if the pod is restarted
@@ -621,7 +639,6 @@ endpoints:
direct: mariadb-server
discovery: mariadb-discovery
error_pages: mariadb-ingress-error-pages
- primary: mariadb
host_fqdn_override:
default: null
path: null
@@ -631,6 +648,10 @@ endpoints:
default: 3306
wsrep:
default: 4567
+ ist:
+ default: 4568
+ sst:
+ default: 4444
kube_dns:
namespace: kube-system
name: kubernetes-dns
@@ -686,6 +707,13 @@ endpoints:
default: 80
internal: 5000
+network:
+ mariadb: {}
+ mariadb_discovery: {}
+ mariadb_ingress: {}
+ mariadb_ingress_error_pages: {}
+ mariadb_master: {}
+
network_policy:
mariadb:
ingress:
@@ -739,4 +767,6 @@ manifests:
service: true
statefulset: true
config_ipv6: false
+ deployment_controller: true
+ service_master: true
...
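Review bot: `deployment_controller: true` and `service_master: true` become defaults here, while deployment-controller.yaml and service-master.yaml call `fail` when `deployment_ingress` or `service_ingress` is also set. This hunk does not show those two keys; if they still default to true, a plain render of the chart fails, so set them to false in the same change or document the required override.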
--
2.34.1
@@ -1,162 +0,0 @@
From 809afdbc5bada6acbe0e16fcd650b0fed8d4824e Mon Sep 17 00:00:00 2001
From: Daniel Caires <DanielMarques.Caires@windriver.com>
Date: Fri, 26 Sep 2025 07:07:05 -0300
Subject: [PATCH] Update libvirt cgroup controllers initialization
The libvirt cgroup initialization in the caracal version
uses a hard-coded list of controllers, that are set
in the libvirt bash file. This patch updates the .sh
to it's latest version [1], where it compares a list of
controllers set in the values file with the controllers
available in the host, and use that list to initialize
the controllers in the libvirt process. This patch also
removes a hugepage that existed in the bash file, as
it was removed from the upstream repo as well [2].
Commit's SHA that added the change in this patch, on the
upstream repository:
[1] - https://opendev.org/openstack/openstack-helm/commit/3903f54d0c1701f86f92da9023b67b7b453c4760
[2] - https://opendev.org/openstack/openstack-helm/commit/ea3c04a7d9e39d63402751353e00d21762d988e5
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
---
libvirt/templates/bin/_libvirt.sh.tpl | 76 +++++----------------------
libvirt/values.yaml | 14 +++++
2 files changed, 26 insertions(+), 64 deletions(-)
diff --git a/libvirt/templates/bin/_libvirt.sh.tpl b/libvirt/templates/bin/_libvirt.sh.tpl
index d16cdca3..af1b4f5e 100644
--- a/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/libvirt/templates/bin/_libvirt.sh.tpl
@@ -24,13 +24,6 @@ if [ -f /tmp/vnc.crt ]; then
mv /tmp/vnc-ca.crt /etc/pki/libvirt-vnc/ca-cert.pem
fi
-# TODO: We disable cgroup functionality for cgroup v2, we should fix this in the future
-if $(stat -fc %T /sys/fs/cgroup/ | grep -q cgroup2fs); then
- CGROUP_VERSION=v2
-else
- CGROUP_VERSION=v1
-fi
-
if [ -n "$(cat /proc/*/comm 2>/dev/null | grep -w libvirtd)" ]; then
set +x
for proc in $(ls /proc/*/comm 2>/dev/null); do
@@ -55,16 +48,14 @@ if [ "$(cat /etc/os-release | grep -w NAME= | grep -w CentOS)" ]; then
fi
fi
-if [ $CGROUP_VERSION != "v2" ]; then
- #Setup Cgroups to use when breaking out of Kubernetes defined groups
- CGROUPS=""
- for CGROUP in cpu rdma hugetlb; do
- if [ -d /sys/fs/cgroup/${CGROUP} ]; then
- CGROUPS+="${CGROUP},"
- fi
- done
- cgcreate -g ${CGROUPS%,}:/osh-libvirt
-fi
+#Setup Cgroups to use when breaking out of Kubernetes defined groups
+CGROUPS=""
+for CGROUP in {{ .Values.conf.kubernetes.cgroup_controllers | include "helm-toolkit.utils.joinListWithSpace" }}; do
+ if [ -d /sys/fs/cgroup/${CGROUP} ] || grep -w $CGROUP /sys/fs/cgroup/cgroup.controllers; then
+ CGROUPS+="${CGROUP},"
+ fi
+done
+cgcreate -g ${CGROUPS%,}:/osh-libvirt
# We assume that if hugepage count > 0, then hugepages should be exposed to libvirt/qemu
hp_count="$(cat /proc/meminfo | grep HugePages_Total | tr -cd '[:digit:]')"
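Review bot: In the new controller loop, `grep -w $CGROUP /sys/fs/cgroup/cgroup.controllers` runs without `-q` and with `$CGROUP` unquoted, so every match is echoed into the container output, and on a host without `cgroup.controllers` each controller whose v1 directory is absent produces a grep file-not-found error. Use `grep -qw "$CGROUP" /sys/fs/cgroup/cgroup.controllers 2>/dev/null`. Also, when none of the listed controllers is found, `CGROUPS` stays empty and `cgcreate -g :/osh-libvirt` is called with an empty controller list; fail early with a clear message in that case, since the later `cgexec` calls are now unconditional.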
@@ -86,50 +77,11 @@ if [ 0"$hp_count" -gt 0 ]; then
echo "ERROR: Hugepages configured in kernel, but libvirtd container cannot access /dev/hugepages"
exit 1
fi
-
- if [ $CGROUP_VERSION != "v2" ]; then
- # Kubernetes 1.10.x introduced cgroup changes that caused the container's
- # hugepage byte limit quota to zero out. This workaround sets that pod limit
- # back to the total number of hugepage bytes available to the baremetal host.
- if [ -d /sys/fs/cgroup/hugetlb ]; then
- limits="$(ls /sys/fs/cgroup/hugetlb/{{ .Values.conf.kubernetes.cgroup }}/hugetlb.*.limit_in_bytes)" || \
- (echo "ERROR: Failed to locate any hugetable limits. Did you set the correct cgroup in your values used for this chart?"
- exit 1)
- for limit in $limits; do
- target="/sys/fs/cgroup/hugetlb/$(dirname $(awk -F: '($2~/hugetlb/){print $3}' /proc/self/cgroup))/$(basename $limit)"
- # Ensure the write target for the hugepage limit for the pod exists
- if [ ! -f "$target" ]; then
- echo "ERROR: Could not find write target for hugepage limit: $target"
- fi
-
- # Write hugetable limit for pod
- echo "$(cat $limit)" > "$target"
- done
- fi
-
- # Determine OS default hugepage size to use for the hugepage write test
- default_hp_kb="$(cat /proc/meminfo | grep Hugepagesize | tr -cd '[:digit:]')"
-
- # Attempt to write to the hugepage mount to ensure it is operational, but only
- # if we have at least 1 free page.
- num_free_pages="$(cat /sys/kernel/mm/hugepages/hugepages-${default_hp_kb}kB/free_hugepages | tr -cd '[:digit:]')"
- echo "INFO: '$num_free_pages' free hugepages of size ${default_hp_kb}kB"
- if [ 0"$num_free_pages" -gt 0 ]; then
- (fallocate -o0 -l "$default_hp_kb" /dev/hugepages/foo && rm /dev/hugepages/foo) || \
- (echo "ERROR: fallocate failed test at /dev/hugepages with size ${default_hp_kb}kB"
- rm /dev/hugepages/foo
- exit 1)
- fi
- fi
fi
if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] || [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
- if [ $CGROUP_VERSION != "v2" ]; then
- #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
- cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
- else
- systemd-run --scope --slice=system libvirtd --listen &
- fi
+
+ cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
tmpsecret=$(mktemp --suffix .xml)
if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
@@ -205,9 +157,5 @@ EOF
fi
-if [ $CGROUP_VERSION != "v2" ]; then
- #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
- cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen
-else
- systemd-run --scope --slice=system libvirtd --listen
-fi
+# NOTE(vsaienko): changing CGROUP is required as restart of the pod will cause domains restarts
+cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index b3a4373b..7f41ae60 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -125,6 +125,20 @@ conf:
group: "kvm"
kubernetes:
cgroup: "kubepods.slice"
+ # List of cgroup controller we want to use when breaking out of
+ # Kubernetes defined groups
+ cgroup_controllers:
+ - blkio
+ - cpu
+ - devices
+ - freezer
+ - hugetlb
+ - memory
+ - net_cls
+ - perf_event
+ - rdma
+ - misc
+ - pids
vencrypt:
# Issuer to use for the vencrypt certs.
issuer:
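Review bot: The default `cgroup_controllers` list uses cgroup v1 names: on a cgroup v2 host the block I/O controller appears in `cgroup.controllers` as `io`, not `blkio`, and v1-only names such as `net_cls` never appear there, so the script silently drops them. If that is intended, say so in the comment above the list; if block I/O control is wanted on v2 hosts, add `io`. The comment should also read "controllers" rather than "controller".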
--
2.34.1
@@ -1,25 +0,0 @@
0001-Add-imagePullSecrets-in-service-account.patch
0002-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch
0003-Fix-pod-restarts-on-all-workers-when-worker-added.patch
0004-Add-io_thread_pool-for-rabbitmq.patch
0005-Enable-override-of-mariadb-server-probe-parameters.patch
0006-Add-mariadb-database-config-override-to-support-ipv6.patch
0007-Allow-set-public-endpoint-url-for-all-openstack-types.patch
0008-Add-GaleraDB-Secure-Replica-Traffic.patch
0009-Fix-tls-in-openstack-helm-infra.patch
0010-Remove-mariadb-tls.patch
0011-Remove-rabbitmq-tls.patch
0012-Update-openstack-Ingress-for-networking-api-v1.patch
0013-Update-libvirt-configuration-script-for-Debian.patch
0014-Add-app.starlingx.io-component-label-to-pods.patch
0015-Add-pre-apply-cleanup-Job-to-STX-O-Helm-charts.patch
0016-Add-Kubernetes-name-label-to-helm-toolkit-template.patch
0017-Add-support-for-multiple-hosts-in-a-daemonset.patch
0018-Fix-upversion-breaking-changes.patch
0019-removed-section-to-add-default-daemonset-to-global-l.patch
0020-Bring-necessary-upstream-commits.patch
0021-Add-custom-pod-annotations-to-libvirt.patch
0022-Update-ipFamilyPolicy-to-support-DualStack.patch
0023-Update-libvirt-cgroup-controllers-initiation.patch
0024-Add-cluster-host-ip-env-var-to-libvirt.patch
0025-Add-volume-storage-class-priorities.patch
@@ -1,29 +0,0 @@
#!/usr/bin/make -f
export DH_VERBOSE = 1
export ROOT = debian/tmp
export HELM_FOLDER = $(ROOT)/usr/lib/helm
%:
dh $@
override_dh_auto_build:
# Create the chart TGZ files.
make helm-toolkit
make gnocchi
make libvirt
make mariadb
make memcached
make openvswitch
make rabbitmq
make ceph-rgw
make prometheus-openstack-exporter
override_dh_auto_install:
# Install the chart tar files.
install -d -m 755 $(HELM_FOLDER)
install -p -D -m 755 *.tgz $(HELM_FOLDER)
override_dh_auto_test:
override_dh_usrlocal:
@@ -1,16 +0,0 @@
---
debname: openstack-helm-infra
debver: 1.1-0
dl_path:
name: openstack-helm-infra-05f2f45971abcf483189358d663e2b46c3fc2fe8.tar.gz
url: https://github.com/openstack/openstack-helm-infra/archive/05f2f45971abcf483189358d663e2b46c3fc2fe8.tar.gz
md5sum: 7750b4bcf5bf77ee3285cb3325a2844f
sha256sum: 27cc39582e2c78126ded05e5de43359012868be32d226cdf53b43ee2813f5d16
src_files:
- files/repositories.yaml
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true
GITREVCOUNT:
BASE_SRCREV: fbf8dd7772c43978d1b5a79c1358d64adf857c9e
SRC_DIR: ${MY_REPO}/stx/openstack-armada-app/openstack-helm-infra/files
@@ -1,12 +0,0 @@
---
apiVersion: v1
generated: 2019-01-02T15:19:36.215111369-06:00
repositories:
- caFile: ""
cache: /builddir/.helm/repository/cache/local-index.yaml
certFile: ""
keyFile: ""
name: local
password: ""
url: http://127.0.0.1:8879/charts
username: ""
@@ -1,11 +0,0 @@
openstack-helm (1.1-0) unstable; urgency=medium
* Upversion to Caracal release.
-- Daniel Caires <DanielMarques.Caires@windriver.com> Wed, 29 Jan 2025 15:31:20 +0000
openstack-helm (1.0-1) unstable; urgency=medium
* Initial release.
-- Tracey Bogue <tracey.bogue@windriver.com> Mon, 1 Nov 2021 12:22:42 +0000
@@ -1,19 +0,0 @@
Source: openstack-helm
Section: libs
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
chartmuseum,
helm,
openstack-helm-infra,
procps
Standards-Version: 4.5.1
Homepage: https://www.starlingx.io
Package: openstack-helm
Section: libs
Architecture: all
Depends: ${misc:Depends}, openstack-helm-infra
Description: StarlingX Openstack Helm
This package contains a patched version of the openstack-helm
repo.
@@ -1,41 +0,0 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: openstack-helm
Source: https://opendev.org/starlingx/openstack-armada-app/
Files: *
Copyright: (c) 2013-2025 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.
# If you want to use GPL v2 or later for the /debian/* files use
# the following clauses, or change it to suit. Delete these two lines
Files: debian/*
Copyright: 2021-2025 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.
@@ -1 +0,0 @@
usr/lib/helm/*
@@ -1,73 +0,0 @@
From e3cbbd16118349eb67b13800af1904bda4dbdb35 Mon Sep 17 00:00:00 2001
From: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Date: Wed, 21 Sep 2022 16:48:54 -0300
Subject: [PATCH] Fixing cinder helm release hooks weights (helmv3)
The relation of dependency for cinder release resources is not working
with helmv3 since several jobs have post-install hooks and are
dependencies of other jobs and deployments that have no hooks.
The jobs/deployments without hooks are deployed during an installation
phase that is never complete since the dependency jobs are hooked to be
deployed on post-install phase.
This change includes helm-hooks for the boostrap job and the api,
scheduler and volume deployments. The weights will define the order each
one will be deployed.
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: I74dd271d065a7b4668845accae7476d5cbd7d363
---
cinder/templates/deployment-api.yaml | 4 ++++
cinder/templates/deployment-scheduler.yaml | 4 ++++
cinder/templates/deployment-volume.yaml | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index 59d8a53c..e5ba5137 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -27,6 +27,10 @@ metadata:
name: cinder-api
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "1"
+{{- end }}
labels:
{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
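Review bot: Annotating the cinder-api Deployment with `helm.sh/hook: post-install,post-upgrade` takes it out of normal release management: Helm does not track hook resources, so an uninstall leaves the Deployment behind, and with no `helm.sh/hook-delete-policy` set the default `before-hook-creation` deletes and recreates it on every upgrade instead of rolling it. If ordering is the only goal, set an explicit delete policy and describe the upgrade behaviour in the commit message. The message also mentions the bootstrap job, but the diffstat lists only the three deployment templates.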
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index 17f379e3..9a3d4764 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -27,6 +27,10 @@ metadata:
name: cinder-scheduler
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "2"
+{{- end }}
labels:
{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 9b06e892..e1295a55 100755
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -29,6 +29,10 @@ metadata:
name: cinder-volume
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "2"
+{{- end }}
labels:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
--
2.25.1
@@ -1,57 +0,0 @@
From 63ffa8ad9c1e212383190aa4a21bd5999a233b12 Mon Sep 17 00:00:00 2001
From: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Date: Wed, 21 Sep 2022 16:43:01 -0300
Subject: [PATCH] Fixing nova helm release hooks and weights
The relation of dependency for nova resources is not working
with helmv3 since several jobs have post-install hooks and are
dependencies of other jobs that have no hooks.
The jobs without hooks are deployed during an installation phase
that is never complete since the dependency jobs are hooked to be
deployed on post-install phase.
This change includes helm-hooks for the boostrap and cell-setup jobs.
The weights will define the order each one will be deployed.
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: I924302b6fd41d4fe6fe7bae5577de7d6d590abb2
---
nova/templates/job-bootstrap.yaml | 5 +++++
nova/templates/job-cell-setup.yaml | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index 7de7444a..3e2bfafd 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -31,6 +31,11 @@ metadata:
name: {{ $serviceAccountName | quote }}
labels:
{{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "2"
+{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
template:
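Review bot: The `annotations:` key is added outside the `{{- if .Values.helm3_hook }}` guard, so with `helm3_hook` unset this Job renders an empty `annotations:` key. Move the key inside the guard so the manifest is unchanged when the hook is disabled.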
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
index 8d027718..2833ecae 100644
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@@ -25,6 +25,10 @@ metadata:
labels:
{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "1"
+{{- end }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
--
2.25.1
@@ -1,42 +0,0 @@
From a381ce34a6d16cb6df7497503d7b7ae2ee8de316 Mon Sep 17 00:00:00 2001
From: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Date: Tue, 20 Dec 2022 14:07:19 -0300
Subject: [PATCH] Fixing keystone helm release hooks and weights
Change-Id: I2131b82c2ffdaec9931b63c98422dbdceb615475
---
keystone/templates/secret-credential-keys.yaml | 3 ++-
keystone/templates/secret-fernet-keys.yaml | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/keystone/templates/secret-credential-keys.yaml b/keystone/templates/secret-credential-keys.yaml
index 8a2c5eb5..307bb72b 100644
--- a/keystone/templates/secret-credential-keys.yaml
+++ b/keystone/templates/secret-credential-keys.yaml
@@ -21,7 +21,8 @@ metadata:
name: keystone-credential-keys
{{- if .Values.helm3_hook }}
annotations:
- "helm.sh/hook": pre-install
+ "helm.sh/hook": pre-install,post-upgrade
+ "helm.sh/hook-weight": "-6"
{{- end }}
type: Opaque
data:
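Review bot: Adding `post-upgrade` to the hook on `keystone-credential-keys` (and on `keystone-fernet-keys` in the next file) means Helm recreates these Secrets from the template on every upgrade, because the default hook delete policy is `before-hook-creation`. Confirm that this cannot discard key material written into the Secret after install, and put the reason for weight "-6" in the commit message, which currently has no body.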
diff --git a/keystone/templates/secret-fernet-keys.yaml b/keystone/templates/secret-fernet-keys.yaml
index 8af09730..a7eddd14 100644
--- a/keystone/templates/secret-fernet-keys.yaml
+++ b/keystone/templates/secret-fernet-keys.yaml
@@ -22,7 +22,8 @@ metadata:
name: keystone-fernet-keys
{{- if .Values.helm3_hook }}
annotations:
- "helm.sh/hook": pre-install
+ "helm.sh/hook": pre-install,post-upgrade
+ "helm.sh/hook-weight": "-6"
{{- end }}
type: Opaque
data:
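Review bot: The hook weight "-6" on keystone-fernet-keys carries no comment on which hooks it has to precede, and the commit message gives no rationale. Add a one-line template comment naming the jobs that need this Secret to exist first, so a later weight change elsewhere does not silently reorder them. Also confirm that running this hook on post-upgrade leaves existing fernet keys in place, since replacing them invalidates tokens already issued.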
--
2.25.1
@@ -1,188 +0,0 @@
From 03cddb8c1dd8912e15b27e5a5c1cb8edcc9350b9 Mon Sep 17 00:00:00 2001
From: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Date: Fri, 7 Jul 2023 09:28:49 -0300
Subject: [PATCH] Update charts requirements to use local server
This change reverts openstack/openstack-helm commit [1] for charts that
the StarlingX OpenStack application is currently building.
That change was removing the helm-toolkit chart dependency from a local
server, since Helm v3 no longer supports "helm serve" [2], and pointing
it to a given openstack-helm-infra directory in which the helm-toolkit
chart should be placed.
The stx-openstack application does not require this change while it is
relying on chartmuseum for serving charts locally [3].
Instead of changing our build instructions and our custom charts,
including charts for other repositories [4], we simply reverts
openstack-helm requirements to use local server again.
[1] c20c1e4400f5935adf0afd0c65bef2bb12af598b
[2] https://helm.sh/docs/topics/v2_v3_migration/
[3] https://opendev.org/starlingx/openstack-armada-app/src/branch/r/
stx.8.0/stx-openstack-helm-fluxcd/debian/deb_folder/control#L6
[4] https://opendev.org/starlingx/openstack-armada-app/src/branch/r/
stx.8.0/stx-openstack-helm-fluxcd/debian/meta_data.yaml#L7
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: Id2ab4adabb21201da229e4242fe06c1ba1bfd463
---
aodh/requirements.yaml | 2 +-
barbican/requirements.yaml | 2 +-
ceilometer/requirements.yaml | 2 +-
cinder/requirements.yaml | 2 +-
glance/requirements.yaml | 2 +-
heat/requirements.yaml | 2 +-
horizon/requirements.yaml | 2 +-
ironic/requirements.yaml | 2 +-
keystone/requirements.yaml | 2 +-
magnum/requirements.yaml | 2 +-
neutron/requirements.yaml | 2 +-
nova/requirements.yaml | 2 +-
placement/requirements.yaml | 2 +-
13 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/aodh/requirements.yaml b/aodh/requirements.yaml
index 36f1a6e0..fbba94ae 100644
--- a/aodh/requirements.yaml
+++ b/aodh/requirements.yaml
@@ -14,5 +14,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
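Review bot: The helm-toolkit dependency now resolves over plain HTTP from localhost:8879 with the open range ">= 0.1.0", so the build accepts whatever helm-toolkit version the local server offers and this file carries no integrity pin. Pin helm-toolkit to the exact version built alongside these charts, and note in the build instructions that the chartmuseum instance must listen on loopback only. The same applies to the identical change in the other twelve requirements.yaml files.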
diff --git a/barbican/requirements.yaml b/barbican/requirements.yaml
index 4124d014..432e28c1 100644
--- a/barbican/requirements.yaml
+++ b/barbican/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/ceilometer/requirements.yaml b/ceilometer/requirements.yaml
index 4124d014..432e28c1 100644
--- a/ceilometer/requirements.yaml
+++ b/ceilometer/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/cinder/requirements.yaml b/cinder/requirements.yaml
index 4124d014..432e28c1 100644
--- a/cinder/requirements.yaml
+++ b/cinder/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/glance/requirements.yaml b/glance/requirements.yaml
index 4124d014..432e28c1 100644
--- a/glance/requirements.yaml
+++ b/glance/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/heat/requirements.yaml b/heat/requirements.yaml
index 4124d014..432e28c1 100644
--- a/heat/requirements.yaml
+++ b/heat/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/horizon/requirements.yaml b/horizon/requirements.yaml
index 4124d014..432e28c1 100644
--- a/horizon/requirements.yaml
+++ b/horizon/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/ironic/requirements.yaml b/ironic/requirements.yaml
index 4124d014..432e28c1 100644
--- a/ironic/requirements.yaml
+++ b/ironic/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/keystone/requirements.yaml b/keystone/requirements.yaml
index 4124d014..432e28c1 100644
--- a/keystone/requirements.yaml
+++ b/keystone/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/magnum/requirements.yaml b/magnum/requirements.yaml
index 4124d014..432e28c1 100644
--- a/magnum/requirements.yaml
+++ b/magnum/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/neutron/requirements.yaml b/neutron/requirements.yaml
index 4124d014..432e28c1 100644
--- a/neutron/requirements.yaml
+++ b/neutron/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/nova/requirements.yaml b/nova/requirements.yaml
index 4124d014..432e28c1 100644
--- a/nova/requirements.yaml
+++ b/nova/requirements.yaml
@@ -12,5 +12,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
diff --git a/placement/requirements.yaml b/placement/requirements.yaml
index 639dab0a..7efb17a3 100644
--- a/placement/requirements.yaml
+++ b/placement/requirements.yaml
@@ -14,5 +14,5 @@
dependencies:
- name: helm-toolkit
- repository: file://../../openstack-helm-infra/helm-toolkit
+ repository: http://localhost:8879/charts
version: ">= 0.1.0"
--
2.25.1
@@ -1,600 +0,0 @@
From 0553e51fee8b2c57d17ab0900f31ae12eea67347 Mon Sep 17 00:00:00 2001
From: Daniel Caires <DanielMarques.Caires@windriver.com>
Date: Wed, 19 Aug 2024 08:15:57 -0300
Subject: [PATCH] Add pre-apply cleanup Job to STX-O Helm charts
After verification, it was noted that it is not possible
to reapply STX-Openstack after a helm-override that changes
a job template since the template section of job is
immutable or not updatable
Due to the use of kubernetes-entrypoint DEPENDENCY_JOBS it was
also noted that deleting the jobs after the application is applied
it is not an option. If this happened, the application would not
come back after a host reboot.
This patch creates a Job template that runs right before the Helm
chart is installed ou updated. This Job deletes all jobs that have
its status as completed.
---
aodh/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
aodh/values.yaml | 2 ++
barbican/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
barbican/values.yaml | 2 ++
.../templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
ceilometer/values.yaml | 2 ++
cinder/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
cinder/values.yaml | 2 ++
glance/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
glance/values.yaml | 2 ++
heat/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
heat/values.yaml | 2 ++
horizon/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
horizon/values.yaml | 2 ++
ironic/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
ironic/values.yaml | 2 ++
keystone/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
keystone/values.yaml | 2 ++
neutron/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
neutron/values.yaml | 2 ++
nova/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
nova/values.yaml | 2 ++
placement/templates/job-pre-apply-cleanup.yaml | 18 ++++++++++++++++++
placement/values.yaml | 2 ++
24 files changed, 240 insertions(+)
create mode 100644 aodh/templates/job-pre-apply-cleanup.yaml
create mode 100644 barbican/templates/job-pre-apply-cleanup.yaml
create mode 100644 ceilometer/templates/job-pre-apply-cleanup.yaml
create mode 100644 cinder/templates/job-pre-apply-cleanup.yaml
create mode 100644 glance/templates/job-pre-apply-cleanup.yaml
create mode 100644 heat/templates/job-pre-apply-cleanup.yaml
create mode 100644 horizon/templates/job-pre-apply-cleanup.yaml
create mode 100644 ironic/templates/job-pre-apply-cleanup.yaml
create mode 100644 keystone/templates/job-pre-apply-cleanup.yaml
create mode 100644 neutron/templates/job-pre-apply-cleanup.yaml
create mode 100644 nova/templates/job-pre-apply-cleanup.yaml
create mode 100644 placement/templates/job-pre-apply-cleanup.yaml
diff --git a/aodh/templates/job-pre-apply-cleanup.yaml b/aodh/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..ba0f0df3
--- /dev/null
+++ b/aodh/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "aodh" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
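Review bot: The include of helm-toolkit.manifests.job_pre_apply_cleanup refers to a definition this patch does not add, so rendering fails unless the helm-toolkit in use already ships it; the ">= 0.1.0" range in requirements.yaml does not guarantee that. Name the required helm-toolkit version or companion patch in the commit message. The permissions the cleanup Job needs to delete Jobs live in that helper and cannot be reviewed from here; they should be limited to the jobs resource in the release namespace. The file also ends without a trailing newline.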
diff --git a/aodh/values.yaml b/aodh/values.yaml
index c33795e2..9661d734 100644
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@@ -59,6 +59,7 @@ images:
aodh_alarms_cleaner: docker.io/kolla/ubuntu-source-aodh-base:ocata
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
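Review bot: pre_apply_cleanup points at a mutable tag, master-debian-stable-latest, and the context line below it sets pull_policy to "IfNotPresent", so nodes can hold different image contents under the same tag and never refresh them. Pin the image to a versioned tag or a digest. The image is stx-vault-manager; add a comment saying why it is the right base for a Job-cleanup task, or use a smaller image that contains only the client the Job needs. The same applies to the identical line in the other charts' values.yaml.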
@@ -727,6 +728,7 @@ manifests:
deployment_listener: true
deployment_notifier: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_db_drop: false
job_db_init: true
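Review bot: job_pre_apply_cleanup is switched on by default and is inserted ahead of job_bootstrap, out of the alphabetical order the surrounding job_ keys follow. Move it to its alphabetical position and add a short comment stating that this Job deletes completed Jobs before install and upgrade, so an operator reading values.yaml knows what the flag enables.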
diff --git a/barbican/templates/job-pre-apply-cleanup.yaml b/barbican/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..5755d4ec
--- /dev/null
+++ b/barbican/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "barbican" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/barbican/values.yaml b/barbican/values.yaml
index b3ed693c..aa9df4f0 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -48,6 +48,7 @@ images:
barbican_api: docker.io/openstackhelm/barbican:2024.1-ubuntu_jammy
rabbit_init: docker.io/rabbitmq:3.13-management
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -703,6 +704,7 @@ manifests:
configmap_etc: true
deployment_api: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
diff --git a/ceilometer/templates/job-pre-apply-cleanup.yaml b/ceilometer/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..1900b9d8
--- /dev/null
+++ b/ceilometer/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "ceilometer" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index d50722cf..9f55de78 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -63,6 +63,7 @@ images:
ceilometer_notification: docker.io/kolla/ubuntu-source-ceilometer-notification:wallaby
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -2128,6 +2129,7 @@ manifests:
daemonset_ipmi: false
deployment_notification: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_db_drop: false
job_db_init: true
diff --git a/cinder/templates/job-pre-apply-cleanup.yaml b/cinder/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..db570af6
--- /dev/null
+++ b/cinder/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "cinder" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 16516491..ef0d9615 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -61,6 +61,7 @@ images:
cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -1477,6 +1478,7 @@ manifests:
deployment_scheduler: true
deployment_volume: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_backup_storage_init: true
job_bootstrap: true
job_clean: true
diff --git a/glance/templates/job-pre-apply-cleanup.yaml b/glance/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..2e4f2e11
--- /dev/null
+++ b/glance/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "glance" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/glance/values.yaml b/glance/values.yaml
index 3a6a14f9..c902bcab 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -50,6 +50,7 @@ images:
bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -1019,6 +1020,7 @@ manifests:
configmap_etc: true
deployment_api: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_clean: true
job_db_init: true
diff --git a/heat/templates/job-pre-apply-cleanup.yaml b/heat/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..be97d27d
--- /dev/null
+++ b/heat/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "heat" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/heat/values.yaml b/heat/values.yaml
index 24dc69d5..933d6763 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -58,6 +58,7 @@ images:
heat_purge_deleted: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -1293,6 +1294,7 @@ manifests:
ingress_api: true
ingress_cfn: true
ingress_cloudwatch: false
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
diff --git a/horizon/templates/job-pre-apply-cleanup.yaml b/horizon/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..258ad6f3
--- /dev/null
+++ b/horizon/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "horizon" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 3a722c6a..98f8ede2 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -25,6 +25,7 @@ images:
test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -1393,6 +1394,7 @@ manifests:
configmap_logo: false
deployment: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_db_init: true
job_db_sync: true
job_db_drop: false
diff --git a/ironic/templates/job-pre-apply-cleanup.yaml b/ironic/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..34c6af54
--- /dev/null
+++ b/ironic/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "ironic" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/ironic/values.yaml b/ironic/values.yaml
index 6a857bb9..d21ad6c7 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -53,6 +53,7 @@ images:
ironic_pxe_http: docker.io/nginx:1.13.3
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -790,6 +791,7 @@ manifests:
configmap_etc: true
deployment_api: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_db_drop: false
job_db_init: true
diff --git a/keystone/templates/job-pre-apply-cleanup.yaml b/keystone/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..259ef91f
--- /dev/null
+++ b/keystone/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "keystone" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/keystone/values.yaml b/keystone/values.yaml
index d0a7a901..7e262d5f 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -52,6 +52,7 @@ images:
keystone_domain_manage: docker.io/openstackhelm/keystone:2024.1-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -1122,6 +1123,7 @@ manifests:
cron_fernet_rotate: true
deployment_api: true
ingress_api: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_credential_cleanup: true
job_credential_setup: true
diff --git a/neutron/templates/job-pre-apply-cleanup.yaml b/neutron/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..6fd7c757
--- /dev/null
+++ b/neutron/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "neutron" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 2c7d8233..b7a5560d 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -49,6 +49,7 @@ images:
neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pull_policy: "IfNotPresent"
local_registry:
active: false
@@ -2655,6 +2656,7 @@ manifests:
deployment_server: true
deployment_rpc_server: true
ingress_server: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_db_init: true
job_db_sync: true
diff --git a/nova/templates/job-pre-apply-cleanup.yaml b/nova/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..0eb2fbaa
--- /dev/null
+++ b/nova/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "nova" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/nova/values.yaml b/nova/values.yaml
index 44bd9a74..2e748db9 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -85,6 +85,7 @@ images:
test: docker.io/xrally/xrally-openstack:2.0.0
image_repo_sync: docker.io/docker:17.07.0
nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
local_registry:
active: false
exclude:
@@ -2586,6 +2587,7 @@ manifests:
ingress_novncproxy: true
ingress_spiceproxy: true
ingress_osapi: true
+ job_pre_apply_cleanup: true
job_bootstrap: true
job_storage_init: true
job_db_init: true
diff --git a/placement/templates/job-pre-apply-cleanup.yaml b/placement/templates/job-pre-apply-cleanup.yaml
new file mode 100644
index 00000000..6cbf5c84
--- /dev/null
+++ b/placement/templates/job-pre-apply-cleanup.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_pre_apply_cleanup }}
+{{- $preApplyCleanupJob := dict "envAll" . "serviceName" "placement" -}}
+{{ $preApplyCleanupJob | include "helm-toolkit.manifests.job_pre_apply_cleanup" }}
+{{- end }}
\ No newline at end of file
diff --git a/placement/values.yaml b/placement/values.yaml
index 9d2dddfd..adf7cc98 100644
--- a/placement/values.yaml
+++ b/placement/values.yaml
@@ -40,6 +40,7 @@ images:
placement_db_sync: docker.io/openstackhelm/placement:2024.1-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
+ pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
local_registry:
active: false
exclude:
@@ -476,6 +477,7 @@ manifests:
configmap_bin: true
configmap_etc: true
deployment: true
+ job_pre_apply_cleanup: true
job_image_repo_sync: true
job_db_init: true
job_db_sync: true
--
2.34.1
@@ -1,32 +0,0 @@
From 5daa31fc86b59e2dbbad43f4b57caa93fd622454 Mon Sep 17 00:00:00 2001
From: vrochalo <vinicius.rochalobo@windriver.com>
Date: Fri, 7 Mar 2025 11:42:17 -0300
Subject: [PATCH] Add service role to neutron policy
Temporary openstack-helm patch bringing the code fix [1] for the reported launchpad [2].
Since OpenStack 2023.2, Neutron user needs to be migrated to service accounts.
[1] https://github.com/openstack/openstack-helm/commit/5708319cd8acf4edbe31d8416da52b89e8a97fd5
[2] https://bugs.launchpad.net/openstack-helm/+bug/2078002
Signed-off-by: vrochalo <vinicius.rochalobo@windriver.com>
---
neutron/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/neutron/values.yaml b/neutron/values.yaml
index b7a5560d..8a40e41b 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -2448,7 +2448,7 @@ endpoints:
user_domain_name: default
project_domain_name: default
neutron:
- role: admin
+ role: admin,service
region_name: RegionOne
username: neutron
password: password
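Review bot: The neutron user gains the service role but keeps admin, so the change widens the role set rather than migrating it; if the referenced fix only needs service, the commit message should say why admin stays. The role value also changes from a single name to a comma-separated string: confirm that whatever consumes endpoints.identity.auth.neutron.role splits on commas instead of looking up a role literally named "admin,service".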
--
2.34.1
@@ -1,42 +0,0 @@
From 776b29a26da2fae6f2aa575f401f3f4da873ab1c Mon Sep 17 00:00:00 2001
From: Nicholas Kuechler <nkuechler@gmail.com>
Date: Tue, 25 Jun 2024 11:53:09 -0500
Subject: [PATCH 21/22] horizon: Allows setting Django's CSRF_TRUSTED_ORIGINS
in helm values file
Change-Id: I8930b8df7c068c63ee19a7f3a29c66ef2b3ee820
[ Cherry-picked to stx-openstack caracal ]
Test Plan:
[PASS] build stx-openstack tarball
Related-Bug: #2103799
Signed-off-by: Alex Figueiredo <alex.fernandesfigueiredo@windriver.com>
---
horizon/values.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 98f8ede2..6362ad87 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -217,6 +217,7 @@ conf:
show_openrc_file: "True"
csrf_cookie_secure: "False"
csrf_cookie_httponly: "False"
+ csrf_trusted_origins: []
enforce_password_check: "True"
# Set enable_pwd_validator to true to enforce password validator settings.
enable_pwd_validator: false
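Review bot: csrf_trusted_origins is introduced as a YAML list while the neighbouring csrf_ settings are quoted strings, and nothing documents the expected entry format. Add a comment above it with an example entry; Django 4.0 and later require each trusted origin to include its scheme.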
@@ -312,6 +313,9 @@ conf:
SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
+ # https://docs.djangoproject.com/en/dev/ref/settings/#csrf-trusted-origins
+ CSRF_TRUSTED_ORIGINS = {{ .Values.conf.horizon.local_settings.config.csrf_trusted_origins }}
+
# Overrides for OpenStack API versions. Use this setting to force the
# OpenStack dashboard to use a specific API version for a given service API.
# Versions specified here should be integers or floats, not strings.
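Review bot: The CSRF_TRUSTED_ORIGINS line prints the values list with a bare template action, which emits Go's list formatting (items separated by spaces, unquoted), so the generated setting is valid Python only for the default empty list. Quote each item and join with commas in the template, and add a non-empty list to the test plan.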
--
2.34.1
@@ -1,35 +0,0 @@
From b49bc7619031cd35eb3b90484b7f8716eba91887 Mon Sep 17 00:00:00 2001
From: Nicholas Kuechler <nkuechler@gmail.com>
Date: Thu, 27 Jun 2024 13:57:29 -0500
Subject: [PATCH 22/22] horizon: fix templating of list of strings for
CSRF_TRUSTED_ORIGINS
Change-Id: I740cd48103950e1599e77db46c7e4d9e65677177
[ Cherry-picked to stx-openstack caracal ]
Test Plan:
[PASS] build stx-openstack tarball
[PASS] install openstack with certificate and domain_name setup, enabling HTTPs
[PASS] Access horizon via fqdn (ex: https://horizon-<domain>.com/)
Related-Bug: #2103799
Signed-off-by: Alex Figueiredo <alex.fernandesfigueiredo@windriver.com>
---
horizon/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 6362ad87..fbf465f5 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -314,7 +314,7 @@ conf:
SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-trusted-origins
- CSRF_TRUSTED_ORIGINS = {{ .Values.conf.horizon.local_settings.config.csrf_trusted_origins }}
+ CSRF_TRUSTED_ORIGINS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.csrf_trusted_origins }}]
# Overrides for OpenStack API versions. Use this setting to force the
# OpenStack dashboard to use a specific API version for a given service API.
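Review bot: The replacement line builds a Python list by wrapping each entry in single quotes via `helm-toolkit.utils.joinListWithCommaAndSingleQuotes`, and as the helper's name suggests it only quotes and joins, so an entry containing `'` or a backslash would end the string literal early inside local_settings. The values are operator-supplied, so the exposure is limited, but `toJson` would give escaping for free. The hunk also leaves the expected entry format undocumented; a comment beside `csrf_trusted_origins` saying that entries are full origins, as in the `https://horizon-<domain>.com/` form from the test plan, would save a failed login round trip.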
--
2.34.1
@@ -1,33 +0,0 @@
0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch
0002-Support-ingress-creation-for-keystone-admin-endpoint.patch
0003-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
0004-Wrong-usage-of-rbd_store_chunk_size.patch
0005-Add-stx_admin-account.patch
0006-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
0007-Remove-TLS-from-openstack-services.patch
0008-Remove-mariadb-and-rabbit-tls.patch
0009-Fixing-cinder-helm-release-hooks-weights-helmv3.patch
0010-Fixing-nova-helm-release-hooks-and-weights.patch
0011-Fixing-keystone-helm-release-hooks-and-weights.patch
0012-Update-user-in-cinder-related-pods.patch
0013-Support-ceph-dev-version-during-pool-creation.patch
0014-Update-charts-requirements-to-use-local-server.patch
0015-Add-service-tokens-for-Cinder-auth.patch
0016-Add-app.starlingx.io-component-label-to-pods.patch
0017-Add-pre-apply-cleanup-Job-to-STX-O-Helm-charts.patch
0018-Define-values-for-NetApp-volume-backend.patch
0019-Add-cluster-host-ip-env-var-to-nova.patch
0020-Add-service-role-to-neutron-policy.patch
0021-horizon-Allows-setting-Django-s-CSRF_TRUSTED_ORIGINS.patch
0022-horizon-fix-templating-of-list-of-strings-for-CSRF_T.patch
0023-Change-uWSGI-socket-to-allow-IPv6-binding.patch
0024-Enable-ceph-pool-creation-for-AIO-systems.patch
0025-Add-IPv6-compatibility-to-neutron-openvswitch-agent.patch
0026-Copy-host-UUID-into-Nova-s-config-dir.patch
0027-Add-retry-to-hostname-reading-by-neutron-agents.patch
0028-Allow-rook-ceph-auto-estimation.patch
0029-Add-DEX-integration.patch
0030-Add-Netapp-backend-support-to-Cinder.patch
0031-Update-glance-store-config.patch
0032-Add-backend-checks-to-skip-Ceph-init-for-NetApp-stor.patch
0033-Remove-cinder-default-rbd1-backend.patch
@@ -1,46 +0,0 @@
#!/usr/bin/make -f
# export DH_VERBOSE = 1
export ROOT = debian/tmp
export APP_FOLDER = $(ROOT)/usr/lib/helm
export HELM_FOLDER=/usr/lib/helm
export TOOLKIT_VERSION = 0.2.69
%:
dh $@
override_dh_auto_build:
# Stage helm-toolkit in the local repo.
cp $(HELM_FOLDER)/helm-toolkit-$(TOOLKIT_VERSION).tgz .
# Host a server for the helm charts.
chartmuseum --debug --port=8879 --context-path='/charts' \
--storage="local" --storage-local-rootdir="." &
sleep 2
helm repo add local http://localhost:8879/charts
# Create the chart TGZ files.
make aodh
make barbican
make ceilometer
make cinder
make glance
make heat
make horizon
make ironic
make keystone
make neutron
make nova
make placement
# Terminate the helm chart server.
pkill chartmuseum
# Remove the helm-toolkit tarball
rm helm-toolkit-$(TOOLKIT_VERSION).tgz
override_dh_auto_install:
# Install the chart tar files.
install -d -m 755 $(APP_FOLDER)
install -p -D -m 755 *.tgz $(APP_FOLDER)
override_dh_auto_test:
override_dh_usrlocal:
@@ -1 +0,0 @@
3.0 (quilt)
@@ -1,17 +0,0 @@
---
debname: openstack-helm
debver: 1.1-0
dl_path:
name: openstack-helm-3013cbc94a201b48bf5b3e0bced9297ae924a133.tar.gz
url: https://github.com/openstack/openstack-helm/archive/3013cbc94a201b48bf5b3e0bced9297ae924a133.tar.gz
md5sum: dc1e3b4a42007c5c2c3a0c305a6f684e
sha256sum: 91ad30be701bcf7388c0b763635bfecfd39b771a771af779bb1864daf9175891
src_files:
- files/index.yaml
- files/repositories.yaml
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true
GITREVCOUNT:
BASE_SRCREV: 0a50ff4f895fb2d20122c23019f76d08d885a12f
SRC_DIR: ${MY_REPO}/stx/openstack-armada-app/openstack-helm/files
@@ -1,4 +0,0 @@
---
apiVersion: v1
entries: {}
generated: 2019-01-07T12:33:46.098166523-06:00
@@ -1,12 +0,0 @@
---
apiVersion: v1
generated: 2019-01-02T15:19:36.215111369-06:00
repositories:
- caFile: ""
cache: /builddir/.helm/repository/cache/local-index.yaml
certFile: ""
keyFile: ""
name: local
password: ""
url: http://127.0.0.1:8879/charts
username: ""
@@ -5,7 +5,6 @@ Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
chartmuseum,
helm,
openstack-helm-infra,
openstack-helm,
procps,
python3-k8sapp-openstack-wheels,
@@ -17,7 +16,6 @@ Package: stx-openstack-helm-fluxcd
Section: libs
Architecture: all
Depends: ${misc:Depends},
openstack-helm-infra,
openstack-helm,
python3-k8sapp-openstack-wheels,
ingress-nginx-helm
@@ -5,7 +5,7 @@ export ROOT = debian/tmp
export APP_FOLDER = $(ROOT)/usr/lib/application
export FLUXCD_FOLDER = $(ROOT)/usr/lib/fluxcd
export HELM_FOLDER = /usr/lib/helm
export TOOLKIT_VERSION = 0.2.69
export TOOLKIT_VERSION = 2025.1.0
%:
dh $@
@@ -1 +1 @@
3.0 (quilt)
3.0 (quilt)
@@ -7,5 +7,5 @@ src_files:
revision:
dist: $STX_DIST
GITREVCOUNT:
BASE_SRCREV: daef54697f354ca8fda128c46e50771f8ee7eb45
BASE_SRCREV: 10ebb85a976fe7c81c6cb75d3b0e60145d927e4d
SRC_DIR: ${MY_REPO}/stx/openstack-armada-app/stx-openstack-helm-fluxcd
@@ -16,4 +16,4 @@ apiVersion: v1
appVersion: "1.0"
description: Helm chart for stx-openstack containerized openstack-clients
name: clients
version: 0.2.0
version: 2025.1.0
@@ -16,4 +16,4 @@ apiVersion: v1
appVersion: "1.0"
description: StarlingX-Helm dcdbsync
name: dcdbsync
version: 0.2.0
version: 2025.1.0
@@ -15,4 +15,4 @@
apiVersion: v1
description: OpenStack-Helm Garbd
name: garbd
version: 0.2.0
version: 2025.1.0
@@ -16,4 +16,4 @@ apiVersion: v1
appVersion: "1.0"
description: StarlingX-Helm keystone-api-proxy
name: keystone-api-proxy
version: 0.2.0
version: 2025.1.0
@@ -7,4 +7,4 @@
apiVersion: v1
description: Nginx Ports Control
name: nginx-ports-control
version: 0.2.0
version: 2025.1.0
@@ -16,4 +16,4 @@ apiVersion: v1
appVersion: "1.0"
description: StarlingX-Helm nova-api-proxy
name: nova-api-proxy
version: 0.2.0
version: 2025.1.0
@@ -15,4 +15,4 @@
apiVersion: v1
description: PCI IRQ Affinity Agent
name: pci-irq-affinity-agent
version: 0.2.0
version: 2025.1.0
@@ -23,7 +23,7 @@ images:
image_repo_sync: null
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
pod:
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: aodh
version: 0.2.11
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -25,7 +25,7 @@ images:
image_repo_sync: null
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
scripted_test: docker.io/starlingx/stx-heat:master-debian-stable-latest
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: barbican
version: 0.3.13
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -23,7 +23,7 @@ images:
image_repo_sync: null
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
test: null
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: ceilometer
version: 0.2.11
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -32,7 +32,7 @@ images:
ceph_bootstrap: null
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
rgw_placement_targets: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
rgw_s3_admin: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: ceph-rgw
version: 0.1.37
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -34,8 +34,9 @@ images:
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
cinder_db_sync: docker.io/starlingx/stx-cinder:master-debian-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/rabbitmq:3.13-management
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
cinder_api: docker.io/starlingx/stx-cinder:master-debian-stable-latest
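Review bot: `rabbit_init` moves from the patch-level tag `docker.io/library/rabbitmq:3.9.29-management` to the floating minor tag `docker.io/rabbitmq:3.13-management`, so the image content can change between two builds of the same application version. The repository path also changes form, while the aodh, barbican and ironic values in this same change keep `docker.io/library/rabbitmq:3.9.29-management`, leaving two different RabbitMQ tool images in one release. Pin a full patch tag (or a digest) and use one path spelling across all charts.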
@@ -43,9 +44,9 @@ images:
cinder_scheduler: docker.io/starlingx/stx-cinder:master-debian-stable-latest
cinder_volume: docker.io/starlingx/stx-cinder:master-debian-stable-latest
cinder_volume_usage_audit: docker.io/starlingx/stx-cinder:master-debian-stable-latest
cinder_storage_init: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
cinder_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
cinder_backup: docker.io/starlingx/stx-cinder:master-debian-stable-latest
cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
dep_check: quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy
image_repo_sync: null
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
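Review bot: `cinder_storage_init` and `cinder_backup_storage_init` replace the dated tag `ubuntu_bionic-20201223` with `latest-ubuntu_jammy`, a mutable tag that makes the storage-init jobs non-reproducible and hard to audit after the fact. The libvirt values in this same change pin `ceph-config-helper:ubuntu_jammy_19.2.2-1-20250414`; use that same dated tag here so every chart runs one known Ceph client version.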
@@ -55,6 +56,7 @@ images:
exclude:
- dep_check
- image_repo_sync
jobs:
volume_usage_audit:
cron: "5 * * * *"
@@ -62,6 +64,7 @@ jobs:
history:
success: 3
failed: 1
pod:
security_context:
volume_usage_audit:
@@ -356,6 +359,7 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
bootstrap:
enabled: true
ks_user: admin
@@ -389,6 +393,7 @@ bootstrap:
# associates:
# - volume_type_1
# - volume_type_2
network:
api:
ingress:
@@ -402,6 +407,7 @@ network:
node_port:
enabled: false
port: 30877
ceph_client:
# enable this when there is a need to create second ceph backed pointing
# to external ceph cluster
@@ -986,6 +992,8 @@ conf:
- name
- volume_type
volume_type: []
enable_conversion_tmpfs: false
conversion_tmpfs_size: "10Gi"
cinder_api_uwsgi:
uwsgi:
add-header: "Connection: close"
@@ -1002,6 +1010,7 @@ conf:
thunder-lock: true
worker-reload-mercy: 80
wsgi-file: /var/lib/openstack/bin/cinder-wsgi
backup:
external_ceph_rbd:
enabled: false
@@ -1014,6 +1023,7 @@ backup:
volume:
class_name: general
size: 10Gi
dependencies:
dynamic:
common:
@@ -1148,6 +1158,7 @@ dependencies:
services:
- endpoint: internal
service: identity
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
@@ -1165,12 +1176,13 @@ secrets:
admin: cinder-rabbitmq-admin
cinder: cinder-rabbitmq-user
tls:
volume:
volumev3:
api:
public: cinder-tls-public
internal: cinder-tls-api
oci_image_registry:
cinder: cinder-oci-image-registry
# We use a different layout of the endpoints here to account for versioning
# this swaps the service name and type, and should be rolled out to other
# services.
@@ -1421,15 +1433,18 @@ endpoints:
port:
ingress:
default: 80
network_policy:
cinder:
ingress:
- {}
egress:
- {}
# NOTE(helm_hook): helm_hook might break for helm2 binary.
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
tls:
identity: false
oslo_messaging: false
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: cinder
version: 0.3.22
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: clients
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: dcdbsync
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -49,7 +49,7 @@ labels:
images:
tags:
fm_rest_api: docker.io/starlingx/stx-fm-rest-api:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
fm_db_sync: docker.io/starlingx/stx-fm-rest-api:master-debian-stable-latest
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: fm-rest-api
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: garbd
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -7,6 +7,7 @@
---
release_group: osh-openstack-glance
storage: swift
labels:
isApplication: false
api:
@@ -24,15 +25,13 @@ labels:
images:
tags:
test: null
glance_storage_init: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
glance_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
glance_metadefs_load: docker.io/starlingx/stx-glance:master-debian-stable-latest
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
glance_db_sync: docker.io/starlingx/stx-glance:master-debian-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
rabbit_init: docker.io/rabbitmq:3.13-management
glance_api: docker.io/starlingx/stx-glance:master-debian-stable-latest
# Bootstrap image requires curl
bootstrap: docker.io/starlingx/stx-heat:master-debian-stable-latest
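Review bot: Going by the hunk header (15 old lines, 13 new), the `ks_service` and `ks_endpoints` overrides are dropped from the glance image tags, while the cinder and heat values in this change keep both pointing at `stx-heat`. If the removal is intentional, the glance jobs fall back to whatever image the upstream chart defaults to, which may not be mirrored into the StarlingX registry; if it is not, restore the two lines. Either way, say so in the commit message. The floating `latest-ubuntu_jammy` and `3.13-management` tags in this hunk have the same reproducibility problem as in the cinder values.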
@@ -45,6 +44,7 @@ images:
exclude:
- dep_check
- image_repo_sync
bootstrap:
enabled: true
ks_user: admin
@@ -65,15 +65,18 @@ bootstrap:
# uncomment this and write specific hypervisor type.
# hypervisor_type: "qemu"
os_distro: "cirros"
ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
network_policy:
glance:
ingress:
- {}
egress:
- {}
conf:
software:
rbd:
@@ -165,8 +168,8 @@ conf:
paste.filter_factory: glance.api.middleware.gzip:GzipMiddleware.factory
filter:osprofiler:
paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
hmac_keys: SECRET_KEY # DEPRECATED
enabled: yes # DEPRECATED
hmac_keys: SECRET_KEY # DEPRECATED
enabled: yes # DEPRECATED
filter:cors:
paste.filter_factory: oslo_middleware.cors:filter_factory
oslo_config_project: glance
@@ -272,6 +275,10 @@ conf:
auth_uri: http://keystone.openstack.svc.cluster.local:80/v3
auth_url: http://keystone.openstack.svc.cluster.local:80/v3
glance_store:
# Since 2024.1 this section must contain the only key 'default_backend'.
# Other keys should be defined in the corresponding per-backend sections.
# This is for backward compatibility.
filesystem_store_datadir: /var/lib/glance/images
cinder_catalog_info: volumev3::internalURL
chunk_size: 8
rbd_store_replication: 3
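Review bot: The comment added under `glance_store:` says the section must contain only `default_backend` since 2024.1, yet the same hunk adds `filesystem_store_datadir` to that section and no `default_backend` key appears in the visible lines. The trailing "This is for backward compatibility." does not say which keys it refers to. Reword the comment to name the legacy keys that are kept on purpose and until when, so that a later cleanup does not remove the wrong ones or leave two diverging copies of the same setting.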
@@ -279,7 +286,28 @@ conf:
rbd_store_pool: glance.images
rbd_store_user: glance
rbd_store_ceph_conf: /etc/ceph/ceph.conf
default_swift_reference: ref1
swift_store_container: glance
swift_store_create_container_on_put: true
swift_store_config_file: /etc/glance/swift-store.conf
swift_store_endpoint_type: internalURL
file:
filesystem_store_datadir: /var/lib/glance/images
# These two sections os_glance_tasks_store and os_glance_staging_store
# are mandatory. Glance will be unable to delete images from if these
# two are not properly configured.
os_glance_tasks_store:
filesystem_store_datadir: /var/lib/glance/tmp/os_glance_tasks_store
os_glance_staging_store:
filesystem_store_datadir: /var/lib/glance/tmp/os_glance_staging_store
rbd:
rbd_store_chunk_size: 8
rbd_store_replication: 3
rbd_store_crush_rule: replicated_rule
rbd_store_pool: glance.images
rbd_store_user: glance
rbd_store_ceph_conf: /etc/ceph/ceph.conf
swift:
default_swift_reference: ref1
swift_store_container: glance
swift_store_create_container_on_put: true
@@ -435,9 +463,13 @@ network:
node_port:
enabled: false
port: 30092
volume:
class_name: general
size: 2Gi
accessModes:
- ReadWriteOnce
dependencies:
dynamic:
common:
@@ -523,6 +555,7 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
@@ -543,6 +576,7 @@ secrets:
internal: glance-tls-api
oci_image_registry:
glance: glance-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -631,6 +665,7 @@ endpoints:
# key: null
path:
default: null
healthcheck: /healthcheck
scheme:
default: http
service: http
@@ -800,6 +835,7 @@ endpoints:
port:
ingress:
default: 80
pod:
security_context:
glance:
@@ -1016,9 +1052,11 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
# NOTE(helm_hook): helm_hook might break for helm2 binary.
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
tls:
identity: false
oslo_messaging: false
@@ -1062,6 +1100,7 @@ manifests:
secret_registry: true
service_ingress_api: true
service_api: true
# NOTE: This is for enable helm resource-policy to keep glance-images PVC.
# set keep_pvc: true when allow helm resource-policy to keep for PVC.
# This will requires mannual delete for PVC.
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: glance
version: 0.5.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -22,7 +22,7 @@ images:
image_repo_sync: null
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
conf:
gnocchi:
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: gnocchi
version: 0.1.16
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -26,6 +26,7 @@ labels:
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
tags:
test: null
@@ -33,8 +34,8 @@ images:
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
heat_db_sync: docker.io/starlingx/stx-heat:master-debian-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/rabbitmq:3.13-management
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
heat_api: docker.io/starlingx/stx-heat:master-debian-stable-latest
@@ -52,6 +53,7 @@ images:
exclude:
- dep_check
- image_repo_sync
jobs:
engine_cleaner:
cron: "*/5 * * * *"
@@ -59,12 +61,14 @@ jobs:
history:
success: 3
failed: 1
purge_deleted:
cron: "20 */24 * * *"
purge_age: 60
history:
success: 3
failed: 1
conf:
rally_tests:
run_tempest: false
@@ -469,6 +473,7 @@ conf:
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
rabbitmq:
# NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
policies:
@@ -515,6 +520,7 @@ conf:
thunder-lock: true
worker-reload-mercy: 80
wsgi-file: /var/lib/openstack/bin/heat-wsgi-api-cfn
network:
api:
ingress:
@@ -550,6 +556,7 @@ network:
node_port:
enabled: false
port: 30003
bootstrap:
enabled: true
ks_user: admin
@@ -559,6 +566,7 @@ bootstrap:
# By default, this role restricts API operations. To avoid conflicts, do
# not add this role to actual users.
openstack role create --or-show heat_stack_user
dependencies:
dynamic:
common:
@@ -715,6 +723,7 @@ dependencies:
service: identity
- endpoint: internal
service: orchestration
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
@@ -740,6 +749,7 @@ secrets:
internal: heat-tls-cfn
oci_image_registry:
heat: heat-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -992,6 +1002,7 @@ endpoints:
port:
ingress:
default: 80
pod:
security_context:
heat:
@@ -1253,19 +1264,23 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
network_policy:
heat:
ingress:
- {}
egress:
- {}
# NOTE(helm_hook): helm_hook might break for helm2 binary.
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
tls:
identity: false
oslo_messaging: false
oslo_db: false
manifests:
certificates: false
configmap_bin: true
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: heat
version: 0.3.14
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: horizon
version: 0.3.22
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -22,6 +22,7 @@ images:
exclude:
- dep_check
- image_repo_sync
# Use selenium v4 syntax
selenium_v4: true
labels:
@@ -35,6 +36,7 @@ labels:
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
dashboard:
ingress:
@@ -49,6 +51,7 @@ network:
node_port:
enabled: 'true'
port: 31000
conf:
software:
apache2:
@@ -64,6 +67,8 @@ conf:
- status || sed -i 's/LoadModule status_module/#LoadModule status_module/' /etc/httpd/conf.modules.d/00-base.conf
horizon:
branding:
# favicon must be a base64 encoded .ico string
# logo and logo_splash must be base64 encoded .svg string
logo:
logo_splash:
favicon:
@@ -173,20 +178,20 @@ conf:
# Requires mod_headers to be enabled.
#
custom_panels: {}
## For example, _5000_disable_project_vg_snapshots.py
# _5000_disable_project_vg_snapshots: |
# PANEL = 'vg_snapshots'
# PANEL_DASHBOARD = 'project'
# PANEL_GROUP = 'volumes'
# REMOVE_PANEL = True
## https://docs.openstack.org/horizon/latest/configuration/pluggable_panels.html#id2
## For example, _5000_disable_project_vg_snapshots.py
# _5000_disable_project_vg_snapshots: |
# PANEL = 'vg_snapshots'
# PANEL_DASHBOARD = 'project'
# PANEL_GROUP = 'volumes'
# REMOVE_PANEL = True
## https://docs.openstack.org/horizon/latest/configuration/pluggable_panels.html#id2
local_settings_d: {}
## For example, _50_monasca_ui_settings.py
# _50_monasca_ui_settings: |
# from django.conf import settings
# # Grafana button titles/file names (global across all projects):
# GRAFANA_LINKS = []
# DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)
## For example, _50_monasca_ui_settings.py
# _50_monasca_ui_settings: |
# from django.conf import settings
# # Grafana button titles/file names (global across all projects):
# GRAFANA_LINKS = []
# DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)
local_settings:
config:
@@ -201,7 +206,7 @@ conf:
keystone_default_domain: Default
disable_password_reveal: "True"
show_openrc_file: "True"
csrf_cookie_secure: "False"
csrf_cookie_secure: "True"
csrf_cookie_httponly: "False"
# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-trusted-origins
csrf_trusted_origins: []
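Review bot: Flipping `csrf_cookie_secure` to `"True"` by default means browsers will not send the CSRF cookie over plain HTTP, while this same values file still enables the dashboard `node_port` on 31000 and keeps `csrf_trusted_origins: []`. A deployment that reaches Horizon over HTTP will fail every POST with a CSRF error after this change. Either derive the default from whether TLS is enabled for the dashboard endpoint, or document next to the key that HTTPS is now required and what to override for HTTP-only labs.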
@@ -210,7 +215,7 @@ conf:
enable_pwd_validator: false
pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
session_cookie_secure: "False"
session_cookie_secure: "True"
session_cookie_httponly: "False"
secure_proxy_ssl_header: false
password_autocomplete: "False"
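Review bot: `session_cookie_secure` becomes `"True"`, but the neighbouring `session_cookie_httponly: "False"` is left untouched, so the session cookie stays readable from JavaScript. If the intent of this change is to harden cookie handling, set `session_cookie_httponly` to `"True"` in the same hunk. Also check `secure_proxy_ssl_header: false`: when TLS terminates at the ingress, Django needs that header configured to recognise the request as secure.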
@@ -344,7 +349,7 @@ conf:
'fade_duration': 1500,
'types': ['alert-success', 'alert-info']
},
'help_url': '{{ .Values.conf.horizon.local_settings.config.help_url }}',
'help_url': "http://docs.openstack.org",
'exceptions': {'recoverable': exceptions.RECOVERABLE,
'not_found': exceptions.NOT_FOUND,
'unauthorized': exceptions.UNAUTHORIZED},
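Review bot: `'help_url'` goes from the templated `.Values.conf.horizon.local_settings.config.help_url` to the literal `"http://docs.openstack.org"`, so any operator override of `help_url` is now silently ignored, and the hard-coded link is plain `http`. Keep the template reference and set the default in the config block, using an `https://` URL.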
@@ -432,6 +437,11 @@ conf:
# Determines which authentication choice to show as default.
WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}"
{{- if .Values.conf.horizon.local_settings.config.auth.sso.websso_keystone_url }}
# The full auth URL for the Keystone endpoint used for web single-sign-on authentication.
WEBSSO_KEYSTONE_URL = "{{ .Values.conf.horizon.local_settings.config.auth.sso.websso_keystone_url }}"
{{- end }}
# The list of authentication mechanisms
# which include keystone federation protocols.
# Current supported protocol IDs are 'saml2' and 'oidc'
@@ -485,7 +495,7 @@ conf:
# in a future release, but is available as a temporary backup setting to ensure
# compatibility with existing deployments. Further development will not be
# done on the legacy experience. Please report any problems with the new
# experience via the Launchpad tracking system.
# experience via the StoryBoard tracking system.
#
# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
# determine the experience to enable. Set them both to true to enable
@@ -1104,6 +1114,7 @@ conf:
extra_panels:
- heat_dashboard
- neutron_taas_dashboard
dependencies:
dynamic:
common:
@@ -1146,6 +1157,7 @@ dependencies:
services:
- endpoint: internal
service: dashboard
pod:
security_context:
horizon:
@@ -1282,6 +1294,7 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
@@ -1296,8 +1309,10 @@ secrets:
internal: horizon-tls-web
oci_image_registry:
horizon: horizon-oci-image-registry
tls:
identity: false
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -1426,15 +1441,18 @@ endpoints:
port:
ingress:
default: 80
network_policy:
horizon:
ingress:
- {}
egress:
- {}
# NOTE(helm_hook): helm_hook might break for helm2 binary.
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
manifests:
certificates: false
configmap_bin: true
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: ironic
version: 0.2.15
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -65,7 +65,7 @@ images:
ironic_retrive_swift_config: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
conf:
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: keystone-api-proxy
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: keystone
version: 0.3.13
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -20,6 +20,7 @@ labels:
# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
# Set to false to upgrade using helm2
helm3_hook: true
images:
tags:
bootstrap: docker.io/starlingx/stx-heat:master-debian-stable-latest
@@ -27,8 +28,8 @@ images:
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
keystone_db_sync: docker.io/starlingx/stx-keystone:master-debian-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
rabbit_init: docker.io/rabbitmq:3.13-management
keystone_fernet_setup: docker.io/starlingx/stx-keystone:master-debian-stable-latest
keystone_fernet_rotate: docker.io/starlingx/stx-keystone:master-debian-stable-latest
keystone_credential_setup: docker.io/starlingx/stx-keystone:master-debian-stable-latest
@@ -45,6 +46,7 @@ images:
exclude:
- dep_check
- image_repo_sync
bootstrap:
enabled: true
ks_user: admin
@@ -86,6 +88,7 @@ network:
node_port:
enabled: false
port: 30357
dependencies:
dynamic:
common:
@@ -160,6 +163,7 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
pod:
security_context:
keystone:
@@ -425,9 +429,10 @@ jobs:
user: keystone
group: keystone
fernet_rotate:
# NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
# max_active_keys = (token_expiration / rotation_frequency) + 2
# as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
# NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
# max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
# As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
# rotation_frequency need to be adjusted
# 12 hours
cron: "0 */12 * * *"
user: keystone
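Review bot: The rewritten comment above `cron: "0 */12 * * *"` gives the formula but leaves the reader to do the arithmetic, and its three inputs live in different places: the cron schedule here, `max_active_keys` under `conf.keystone.fernet_tokens`, and `allow_expired_window`, which is not set in the visible lines and is therefore taken from the Keystone default. Spell out the worked case, (12h + 48h) / 12h + 2 = 7, and add a cross-reference beside `max_active_keys` so that changing the schedule or the window does not quietly invalidate tokens that should still verify. "statisfy" and "need to be adjusted" could be fixed while the comment is being edited.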
@@ -447,12 +452,14 @@ jobs:
history:
success: 3
failed: 1
network_policy:
keystone:
ingress:
- {}
egress:
- {}
conf:
security: |
#
@@ -544,6 +551,7 @@ conf:
domain_config_dir: /etc/keystone/domains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
max_active_keys: 7
credential:
key_repository: /etc/keystone/credential-keys/
database:
@@ -576,6 +584,11 @@ conf:
OIDCEnableMemcached: true
# Delimiter for multi-valued claims (Keystone expects semicolon for groups)
OIDCClaimDelimiter: ";"
dex_conf:
verify: False
retries: 1
timeout: 5
probe_endpoint: "/healthz"
dex_idp:
# Enable DEX integration
enabled: false
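Review bot: The new `dex_conf` block defaults to `verify: False`. If this flag controls TLS certificate verification for the probe against the Dex `/healthz` endpoint, the chart ships with verification off for an identity-provider connection, and deployments that enable `dex_idp` inherit that unless they override it. Default to `True`, or accept a CA bundle path, and add a comment stating what `verify`, `retries` and `timeout` apply to, including the unit of `timeout`.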
@@ -1039,6 +1052,7 @@ conf:
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
@@ -1060,6 +1074,7 @@ secrets:
internal: keystone-tls-api
oci_image_registry:
keystone: keystone-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -1138,6 +1153,7 @@ endpoints:
# key: null
path:
default: /v3
healthcheck: /healthcheck
scheme:
default: http
service: http
@@ -1257,10 +1273,12 @@ endpoints:
port:
ingress:
default: 80
tls:
identity: false
oslo_messaging: false
oslo_db: false
manifests:
certificates: false
configmap_bin: true
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: libvirt
version: 0.1.31
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -12,11 +12,12 @@ labels:
libvirt:
node_selector_key: openstack-compute-node
node_selector_value: enabled
images:
tags:
libvirt: docker.io/starlingx/stx-libvirt:master-debian-stable-latest
libvirt_exporter: null
ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223'
ceph_config_helper: docker.io/openstackhelm/ceph-config-helper:ubuntu_jammy_19.2.2-1-20250414
dep_check: quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy
image_repo_sync: null
kubectl: null
@@ -27,11 +28,13 @@ images:
exclude:
- dep_check
- image_repo_sync
network:
# provide what type of network wiring will be used
# possible options: openvswitch, linuxbridge, sriov
backend:
- openvswitch
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
@@ -65,12 +68,14 @@ endpoints:
port:
metrics:
default: 9474
network_policy:
libvirt:
ingress:
- {}
egress:
- {}
ceph_client:
configmap: ceph-etc
user_secret_name: cinder-volume-rbd-keyring
@@ -96,9 +101,37 @@ conf:
cert_file: "/etc/pki/libvirt/servercert.pem"
key_file: "/etc/pki/libvirt/private/serverkey.pem"
auth_unix_rw: "none"
listen_addr: 127.0.0.1
listen_addr: "${LISTEN_IP_ADDRESS}"
log_level: "3"
log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
# Modifies the config in which value is specified as the name of a variable
# that is computed in the script.
dynamic_options:
libvirt:
listen_interface: null
listen_address: 127.0.0.1
script: |
#!/bin/bash
set -ex
LIBVIRT_CONF_PATH=/tmp/pod-shared/libvirtd.conf
{{- if .Values.conf.dynamic_options.libvirt.listen_interface }}
LISTEN_INTERFACE="{{ .Values.conf.dynamic_options.libvirt.listen_interface }}"
LISTEN_IP_ADDRESS=$(ip address show $LISTEN_INTERFACE | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}')
{{- else if .Values.conf.dynamic_options.libvirt.listen_address }}
LISTEN_IP_ADDRESS={{ .Values.conf.dynamic_options.libvirt.listen_address }}
{{- end }}
if [[ -z $LISTEN_IP_ADDRESS ]]; then
echo "LISTEN_IP_ADDRESS is not set."
exit 1
fi
tee > ${LIBVIRT_CONF_PATH} << EOF
{{ include "libvirt.utils.to_libvirt_conf" .Values.conf.libvirt }}
EOF
qemu:
vnc_tls: "0"
vnc_tls_x509_verify: "0"
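Review bot: In the dynamic_options script, LISTEN_IP_ADDRESS is taken from every 'inet ' line of `ip address show $LISTEN_INTERFACE`, so an interface with more than one IPv4 address yields a multi-line value that is written straight into listen_addr, and an IPv6-only interface only fails later at the -z check. Suggest selecting exactly one address (or failing when the count is not one), quoting "$LISTEN_INTERFACE" and the listen_address assignment, and validating the result before writing the file. The heredoc is unquoted, so any `$` or backtick in a value rendered by libvirt.utils.to_libvirt_conf is expanded by the shell as well; that deserves a comment stating that only ${...} placeholders defined in this script are supported. `tee > ${LIBVIRT_CONF_PATH}` can be a plain `cat >`, since tee's argument list is empty.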
@@ -121,6 +154,34 @@ conf:
- rdma
- misc
- pids
init_modules:
enabled: false
script: |
#!/bin/bash
set -ex
export HOME=/tmp
KVM_QEMU_CONF_HOST="/etc/modprobe.d_host/qemu-system-x86.conf"
if [[ ! -f "${KVM_QEMU_CONF_HOST}" ]]; then
if grep vmx /proc/cpuinfo; then
cat << EOF > ${KVM_QEMU_CONF_HOST}
options kvm_intel nested=1
options kvm_intel enable_apicv=1
options kvm_intel ept=1
EOF
modprobe -r kvm_intel || true
modprobe kvm_intel nested=1
elif grep svm /proc/cpuinfo; then
cat << EOF > ${KVM_QEMU_CONF_HOST}
options kvm_amd nested=1
EOF
modprobe -r kvm_amd || true
modprobe kvm_amd nested=1
else
echo "Nested virtualization is not supported"
fi
fi
vencrypt:
# Issuer to use for the vencrypt certs.
issuer:
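Review bot: The init_modules script treats `modprobe -r kvm_intel || true` followed by `modprobe kvm_intel nested=1` as success even when the module could not be unloaded (for example while guests are running), in which case the already-loaded module keeps its old parameters and the job still exits 0. Suggest reading back /sys/module/kvm_intel/parameters/nested (and the kvm_amd equivalent) and failing or logging clearly when it does not match. The file written to /etc/modprobe.d_host/ is a persistent host change that outlives the chart, which should be stated in the values comment next to enabled: false. `grep vmx /proc/cpuinfo` and `grep svm /proc/cpuinfo` should be `grep -q`, and the else branch should say whether continuing without nested virtualization is intended.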
@@ -204,8 +265,23 @@ pod:
readOnlyRootFilesystem: false
libvirt_exporter:
privileged: true
libvirt_init_modules:
readOnlyRootFilesystem: true
privileged: true
capabilities:
drop:
- ALL
init_dynamic_options:
runAsUser: 65534
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
sidecars:
libvirt_exporter: false
affinity:
anti:
type:
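Review bot: libvirt_init_modules sets privileged: true together with capabilities.drop: ALL, and the two contradict each other: container runtimes generally grant a privileged container the full capability set, so the drop list gives a hardened appearance without the effect. If the container only needs to load kernel modules and write the host modprobe.d file, suggest privileged: false with SYS_MODULE added and the host path mounted, or else remove the drop list and add a comment explaining why full privilege is required. The init_dynamic_options context below it (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop ALL) is the pattern to follow.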
@@ -264,6 +340,7 @@ pod:
limits:
memory: "256Mi"
cpu: "500m"
dependencies:
dynamic:
common:
@@ -309,6 +386,7 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
manifests:
configmap_bin: true
configmap_etc: true
@@ -318,6 +396,7 @@ manifests:
network_policy: false
role_cert_manager: false
secret_registry: true
secrets:
oci_image_registry:
libvirt: libvirt-oci-image-registry-key
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: mariadb
version: 0.2.43
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -8,39 +8,32 @@
release_group: osh-openstack-mariadb
images:
tags:
mariadb: docker.io/openstackhelm/mariadb:ubuntu_focal-20250809
ingress: null
error_pages: null
mariadb: docker.io/openstackhelm/mariadb:latest-ubuntu_jammy
prometheus_create_mysql_user: null
prometheus_mysql_exporter: null
prometheus_mysql_exporter_helm_tests: null
dep_check: quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy
image_repo_sync: null
mariadb_backup: null
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
scripted_test: null
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
mariadb_controller: docker.io/openstackhelm/mariadb:ubuntu_focal-20250809
mariadb_controller: docker.io/openstackhelm/mariadb:latest-ubuntu_jammy
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
isApplication: false
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
ingress:
node_selector_key: openstack-control-plane
node_selector_value: enabled
prometheus_mysql_exporter:
node_selector_key: openstack-control-plane
node_selector_value: enabled
error_server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
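Review bot: The mariadb and mariadb_controller images move from the dated tag ubuntu_focal-20250809 to the floating tag latest-ubuntu_jammy while pull_policy stays "IfNotPresent". With a mutable tag, different nodes can end up running different image builds depending on when they first pulled, and the content behind the tag can change without a chart change. Suggest pinning to a dated tag or a digest, as dep_check already does with its commit-based tag. The ks_user image also changes from stx-heat to stx-openstackclients here; a short note in the commit message on why would help reviewers.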
@@ -50,6 +43,7 @@ labels:
controller:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
env:
mariadb_controller:
@@ -61,6 +55,7 @@ pod:
mariadb:
readiness:
enabled: true
disk_usage_percent: 99
params:
initialDelaySeconds: 30
periodSeconds: 30
@@ -79,6 +74,19 @@ pod:
initialDelaySeconds: 60
periodSeconds: 60
failureThreshold: 10
mariadb_exporter:
readiness:
enabled: true
params:
initialDelaySeconds: 5
periodSeconds: 60
timeoutSeconds: 10
liveness:
enabled: true
params:
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 10
security_context:
server:
pod:
@@ -91,20 +99,6 @@ pod:
runAsUser: 999
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ingress:
pod:
runAsUser: 65534
container:
server:
runAsUser: 0
readOnlyRootFilesystem: false
error_pages:
pod:
runAsUser: 65534
container:
server:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
prometheus_mysql_exporter:
pod:
runAsUser: 99
@@ -148,6 +142,16 @@ pod:
controller:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
cluster_wait:
pod:
runAsUser: 65534
runAsNonRoot: true
container:
mariadb_cluster_wait:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
affinity:
anti:
type:
@@ -171,9 +175,6 @@ pod:
effect: NoSchedule
replicas:
server: 3
ingress: 2
error_page: 1
prometheus_mysql_exporter: 1
controller: 1
lifecycle:
upgrades:
@@ -184,22 +185,13 @@ pod:
max_unavailable: 1
max_surge: 3
termination_grace_period:
prometheus_mysql_exporter:
timeout: 30
error_pages:
timeout: 10
server:
timeout: 600
disruption_budget:
mariadb:
min_available: 0
resources:
enabled: true
prometheus_mysql_exporter:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
enabled: false
server:
requests:
memory: "128Mi"
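Review bot: In this hunk pod.resources.enabled reads as changing from true to false alongside the removal of the prometheus_mysql_exporter limits, while the server requests and limits stay defined underneath. With enabled: false those values are no longer applied, so the database pods run without requests or limits. If the intent was only to drop the exporter block, keep enabled: true; if disabling is intended, say so in a comment.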
@@ -207,14 +199,6 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
ingress:
requests:
memory: "128Mi"
cpu: "100m"
ephemeral-storage: "500Ki"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
tests:
limits:
@@ -251,6 +235,7 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
dependencies:
dynamic:
common:
@@ -261,13 +246,6 @@ dependencies:
- endpoint: node
service: local_image_registry
static:
error_pages:
jobs: null
ingress:
jobs: null
services:
- endpoint: error_pages
service: oslo_db
mariadb_backup:
jobs:
- mariadb-ks-user
@@ -278,18 +256,6 @@ dependencies:
services:
- endpoint: internal
service: oslo_db
prometheus_mysql_exporter:
jobs:
- exporter-create-sql-user
services:
- endpoint: internal
service: oslo_db
prometheus_mysql_exporter_tests:
services:
- endpoint: internal
service: prometheus_mysql_exporter
- endpoint: internal
service: monitoring
image_repo_sync:
services:
- endpoint: internal
@@ -300,6 +266,10 @@ dependencies:
service: oslo_db
controller:
services: null
cluster_wait:
services:
- endpoint: internal
service: oslo_db
volume:
# this value is used for single pod deployments of mariadb to prevent losing all data
# if the pod is restarted
@@ -314,7 +284,13 @@ volume:
enabled: true
class_name: general
size: 5Gi
jobs:
cluster_wait:
clusterCheckWait: 30
clusterCheckRetries: 30
clusterStabilityCount: 30
clusterStabilityWait: 4
exporter_create_sql_user:
backoffLimit: 87600
activeDeadlineSeconds: 3600
@@ -330,10 +306,10 @@ jobs:
# activeDeadlineSeconds == 0 means no deadline
activeDeadlineSeconds: 0
backoffLimit: 6
conf:
tests:
# This may either be:
# * internal: which will hit the endpoint exposed by the ingress controller
# * direct: which will hit the backends directly via a k8s service ip
# Note, deadlocks and failure are to be expected with concurrency if
# hitting the `direct` endpoint.
@@ -345,10 +321,6 @@ conf:
- --number-of-queries=1000
- --number-char-cols=1
- --number-int-cols=1
ingress: null
ingress_conf:
worker-processes: "4"
log-format-stream: "\"$remote_addr [$time_local] $protocol $status $bytes_received $bytes_sent $upstream_addr $upstream_connect_time $upstream_first_byte_time $upstream_session_time $session_time\""
mariadb_server:
setup_wait:
iteration: 30
@@ -524,10 +496,16 @@ conf:
wsrep_provider_options="gmcast.listen_addr=tcp://[::]:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
bind_address=::
wsrep_sst_method=rsync
{{ if .Values.manifests.certificates }}
wsrep_provider_options="socket.ssl_ca=/etc/mysql/certs/ca.crt; socket.ssl_cert=/etc/mysql/certs/tls.crt; socket.ssl_key=/etc/mysql/certs/tls.key; gmcast.listen_addr=tcp://[::]:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
{{ else }}
wsrep_provider_options="evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://[::]:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
{{ end }}
99_force: |
[mysqld]
datadir=/var/lib/mysql
tmpdir=/tmp
monitoring:
prometheus:
enabled: false
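Review bot: The added if/else block assigns wsrep_provider_options a second time, right after the existing assignment a few lines above, so the earlier line is now dead and the effective value depends on which assignment is read last. Suggest removing the first assignment and keeping a single one. The two branches also diverge: the non-TLS branch sets evs.suspect_timeout=PT30S and gmcast.peer_timeout=PT15S, but the certificates branch omits both, so enabling manifests.certificates silently changes cluster failure detection. Suggest carrying the same timeouts in the TLS branch.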
@@ -552,6 +530,7 @@ secrets:
server:
public: mariadb-tls-server
internal: mariadb-tls-direct
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -632,7 +611,6 @@ endpoints:
default: mariadb
direct: mariadb-server
discovery: mariadb-discovery
error_pages: mariadb-ingress-error-pages
host_fqdn_override:
default: null
path: null
@@ -700,11 +678,10 @@ endpoints:
api:
default: 80
internal: 5000
network:
mariadb: {}
mariadb_discovery: {}
mariadb_ingress: {}
mariadb_ingress_error_pages: {}
mariadb_master: {}
ip_family_policy: PreferDualStack
network_policy:
@@ -718,18 +695,16 @@ network_policy:
- {}
egress:
- {}
# Helm hook breaks for helm2.
# Set helm3_hook: false in case helm2 is used.
helm3_hook: true
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
configmap_ingress_conf: false
configmap_ingress_etc: false
configmap_services_tcp: true
deployment_error: false
deployment_ingress: false
job_pre_apply_cleanup: true
job_image_repo_sync: true
cron_job_mariadb_backup: false
@@ -738,11 +713,8 @@ manifests:
monitoring:
prometheus:
configmap_bin: true
deployment_exporter: true
job_user_create: true
secret_etc: true
service_exporter: true
network_policy_exporter: false
pdb_server: true
network_policy: false
pod_test: false
@@ -753,11 +725,11 @@ manifests:
secret_etc: true
secret_registry: true
service_discovery: true
service_ingress: false
service_error: false
service: true
statefulset: true
config_ipv6: false
deployment_controller: true
service_master: true
job_cluster_wait: false
config_ipv6: false
...
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: memcached
version: 0.1.14
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -14,6 +14,7 @@ conf:
memory: 1024
stats_cachedump:
enabled: true
dependencies:
dynamic:
common:
@@ -30,9 +31,11 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
secrets:
oci_image_registry:
memcached: memcached-oci-image-registry-key
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
@@ -89,22 +92,28 @@ endpoints:
dns:
default: 53
protocol: UDP
network:
memcached: {}
network_policy:
memcached:
ingress:
- {}
egress:
- {}
monitoring:
prometheus:
enabled: false
memcached_exporter:
scrape: true
images:
pull_policy: IfNotPresent
tags:
dep_check: 'quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy'
memcached: 'docker.io/library/memcached:1.5.5'
dep_check: quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy
memcached: docker.io/library/memcached:1.5.5
prometheus_memcached_exporter: null
image_repo_sync: null
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
@@ -113,6 +122,7 @@ images:
exclude:
- dep_check
- image_repo_sync
labels:
isApplication: false
server:
@@ -123,24 +133,61 @@ labels:
node_selector_value: enabled
manifests:
configmap_bin: true
deployment: true
statefulset: true
job_pre_apply_cleanup: true
job_image_repo_sync: true
network_policy: false
service: true
secret_registry: true
pod:
security_context:
server:
pod:
runAsUser: 65534
runAsNonRoot: true
fsGroup: 65534
container:
memcached:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
memcached_exporter:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
probes:
memcached:
memcached:
readiness:
enabled: True
params:
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 5
liveness:
enabled: True
params:
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 10
memcached_exporter:
liveness:
enabled: True
params:
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 10
readiness:
enabled: True
params:
initialDelaySeconds: 5
periodSeconds: 60
timeoutSeconds: 10
affinity:
anti:
topologyKey:
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: neutron
version: 0.3.44
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -14,8 +14,8 @@ images:
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
neutron_db_sync: docker.io/starlingx/stx-neutron:master-debian-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/rabbitmq:3.13-management
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
netoffload: null
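Review bot: rabbit_init goes from the patch-pinned docker.io/library/rabbitmq:3.9.29-management to docker.io/rabbitmq:3.13-management, which floats across patch releases and drops the library/ path component. Registry mirrors and image allow-lists that match on docker.io/library/ will no longer match this reference. Suggest keeping the library/ prefix and pinning a patch version or digest. In the same hunk ks_user moves to stx-openstackclients while ks_service and ks_endpoints stay on stx-heat; please confirm the split is intentional.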
@@ -44,6 +44,7 @@ images:
exclude:
- dep_check
- image_repo_sync
labels:
isApplication: false
agent:
@@ -96,6 +97,7 @@ labels:
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
# provide what type of network wiring will be used
backend:
@@ -136,11 +138,13 @@ network:
node_port:
enabled: false
port: 30096
bootstrap:
enabled: false
ks_user: neutron
script: |
openstack token issue
dependencies:
dynamic:
common:
@@ -365,6 +369,7 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
pod:
use_fqdn:
neutron_agent: true
@@ -1015,6 +1020,7 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
rally_tests:
force_project_purge: false
@@ -1417,13 +1423,6 @@ conf:
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>
rootwrap_filters:
debug:
pods:
@@ -1987,6 +1986,8 @@ conf:
endpoint_type: internal
allow_reverse_dns_lookup: true
ironic:
auth_type: password
auth_version: v3
endpoint_type: internal
keystone_authtoken:
service_token_roles: service
@@ -2141,21 +2142,22 @@ conf:
enable_metadata_network: false
resync_interval: 30
dnsmasq: |
#no-hosts
#port=5353
#cache-size=500
#no-negcache
#dns-forward-max=100
#resolve-file=
#strict-order
#bind-interface
#bind-dynamic
#domain=
#dhcp-range=10.10.10.10,10.10.10.100,24h
#dhcp-lease-max=150
#dhcp-host=11:22:33:44:55:66,ignore
#dhcp-option=3,10.10.10.1
#dhcp-option-force=26,1450
#no-hosts
#port=5353
#cache-size=500
#no-negcache
#dns-forward-max=100
#resolve-file=
#strict-order
#bind-interface
#bind-dynamic
#domain=
#dhcp-range=10.10.10.10,10.10.10.100,24h
#dhcp-lease-max=150
#dhcp-host=11:22:33:44:55:66,ignore
#dhcp-option=3,10.10.10.1
#dhcp-option-force=26,1450
neutron_vpnaas: null
ovn_vpn_agent:
DEFAULT:
@@ -2174,6 +2176,7 @@ conf:
metering_agent: null
metadata_agent:
DEFAULT:
log_config_append: /etc/neutron/logging.conf
# we cannot change the proxy socket path as it is declared
# as a hostPath volume from agent daemonsets
metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
@@ -2195,6 +2198,7 @@ conf:
ovs:
ovsdb_connection: unix:/run/openvswitch/db.sock
bgp_dragent: {}
rabbitmq:
# NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
policies:
@@ -2228,12 +2232,14 @@ conf:
# br-ex will be added by default
auto_bridge_add:
br-ex: null
# Network off-loading configuration
netoffload:
enabled: false
asap2:
# - dev: enp97s0f0
# vfs: 16
# - dev: enp97s0f0
# vfs: 16
# configuration of OVS DPDK bridges and NICs
# this is a separate section and not part of the auto_bridge_add section
# because additional parameters are needed
@@ -2268,8 +2274,8 @@ conf:
# vhost-iommu-support: true
bridges:
- name: br-phy
# optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
# - tunnel_underlay_vlan: 45
# optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
# - tunnel_underlay_vlan: 45
# Optional parameter for configuring bonding in OVS-DPDK
# - name: br-phy-bond0
# bonds:
@@ -2343,6 +2349,7 @@ secrets:
internal: neutron-tls-server
oci_image_registry:
neutron: neutron-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -2649,6 +2656,7 @@ endpoints:
port:
ingress:
default: 80
network_policy:
neutron:
# TODO(lamt): Need to tighten this ingress for security.
@@ -2656,14 +2664,18 @@ network_policy:
- {}
egress:
- {}
helm3_hook: true
health_probe:
logging:
level: ERROR
tls:
identity: false
oslo_messaging: false
oslo_db: false
manifests:
certificates: false
configmap_bin: true
@@ -2678,6 +2690,8 @@ manifests:
daemonset_bagpipe_bgp: false
daemonset_bgp_dragent: false
daemonset_netns_cleanup_cron: true
daemonset_ovn_metadata_agent: false
daemonset_ovn_vpn_agent: false
deployment_ironic_agent: false
deployment_server: true
deployment_rpc_server: true
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: nginx-ports-control
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: nova-api-proxy
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: nova
version: 0.3.42
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -33,15 +33,16 @@ labels:
scheduler:
node_selector_key: openstack-control-plane
node_selector_value: enabled
serialproxy:
node_selector_key: openstack-control-plane
node_selector_value: enabled
spiceproxy:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
consoleauth:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
pull_policy: IfNotPresent
tags:
@@ -49,8 +50,8 @@ images:
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
dep_check: 'quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy'
rabbit_init: docker.io/library/rabbitmq:3.9.29-management
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
rabbit_init: docker.io/rabbitmq:3.13-management
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
nova_archive_deleted_rows: docker.io/starlingx/stx-nova:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
@@ -65,10 +66,11 @@ images:
nova_novncproxy: docker.io/starlingx/stx-nova:master-debian-stable-latest
nova_novncproxy_assets: 'docker.io/starlingx/stx-nova:master-debian-stable-latest'
nova_scheduler: docker.io/starlingx/stx-nova:master-debian-stable-latest
nova_storage_init: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223'
nova_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
# NOTE(portdirect): we simply use the ceph config helper here,
# as it has both oscli and jq.
nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223'
nova_service_cleaner: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
nova_serialproxy: docker.io/starlingx/stx-nova:master-debian-stable-latest
nova_spiceproxy: docker.io/starlingx/stx-nova:master-debian-stable-latest
nova_spiceproxy_assets: docker.io/starlingx/stx-nova:master-debian-stable-latest
test: null
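Review bot: nova_storage_init and nova_service_cleaner now use docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy, whereas the libvirt values in this same change pin ceph_config_helper to ubuntu_jammy_19.2.2-1-20250414. Suggest using the same pinned tag in both charts so the Ceph client version is reproducible and consistent across the compute stack. While touching these lines, the quoting could also be made uniform with nova_novncproxy_assets, which is still single-quoted.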
@@ -80,6 +82,7 @@ images:
exclude:
- dep_check
- image_repo_sync
jobs:
# NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
# TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
@@ -108,6 +111,7 @@ jobs:
history:
success: 3
failed: 1
bootstrap:
enabled: true
ks_user: admin
@@ -193,6 +197,7 @@ bootstrap:
sleep $SLEEP
fi
done
network:
# provide what type of network wiring will be used
# possible options: openvswitch, linuxbridge, sriov
@@ -235,6 +240,17 @@ network:
node_port:
enabled: false
port: 30680
serialproxy:
ingress:
public: true
classes:
namespace: "nginx-openstack"
cluster: "nginx"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
node_port:
enabled: false
port: 30683
spiceproxy:
ingress:
public: true
@@ -257,6 +273,7 @@ network:
- ed25519
private_key: 'null'
public_key: 'null'
dependencies:
dynamic:
common:
@@ -449,6 +466,12 @@ dependencies:
services:
- endpoint: internal
service: oslo_db
serialproxy:
jobs:
- nova-db-sync
services:
- endpoint: internal
service: oslo_db
spiceproxy:
jobs:
- nova-db-sync
@@ -482,10 +505,21 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
console:
# serial | spice | novnc | none
console_kind: novnc
serial:
compute:
# IF blank, search default routing interface
server_proxyclient_interface: null
# or set network cidr
server_proxyclient_network_cidr: 0/0
proxy:
# IF blank, search default routing interface
server_proxyclient_interface: null
# or set network cidr
server_proxyclient_network_cidr: 0/0
spice:
compute:
# IF blank, search default routing interface
@@ -512,11 +546,13 @@ console:
ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
rbd_pool:
app_name: nova-vms
replication: 3
crush_rule: replicated_rule
chunk_size: 8
conf:
security: |
#
@@ -1424,6 +1460,10 @@ conf:
server_listen: "::"
# This would be set by each compute nodes's ip
# server_proxyclient_address: 127.0.0.1
serial_console:
serialproxy_host: "::"
# This would be set by each compute nodes's ip
# proxyclient_address: 127.0.0.1
conductor:
workers: 1
oslo_policy:
@@ -1706,8 +1746,13 @@ secrets:
spiceproxy:
public: nova-spiceproxy-tls-public
internal: nova-spiceproxy-tls-proxy
compute_serial_proxy:
serialproxy:
public: nova-serialproxy-tls-public
internal: nova-serialproxy-tls-proxy
oci_image_registry:
nova: nova-oci-image-registry
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -2001,6 +2046,21 @@ endpoints:
commonName: nova-novncproxy
usages:
- client auth
compute_serial_proxy:
name: nova
hosts:
default: nova-serialproxy
public: serialproxy
host_fqdn_override:
default: null
scheme:
default: 'ws'
path:
default: /serial_auto.html
port:
serial_proxy:
default: 6083
public: 80
compute_spice_proxy:
name: nova
hosts:
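Review bot: The new compute_serial_proxy endpoint defaults scheme to 'ws' with public port 80, so serial console sessions are carried over an unencrypted WebSocket unless something else overrides it. The secrets section adds nova-serialproxy-tls-public and nova-serialproxy-tls-proxy, but nothing in this hunk ties the scheme to them. Suggest documenting (or templating) the switch to wss and the matching port when certificates are enabled, and adding a comment that a serial console is interactive access to the guest.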
@@ -2102,6 +2162,7 @@ endpoints:
port:
ingress:
default: 80
pod:
probes:
rpc_timeout: 60
@@ -2197,6 +2258,20 @@ pod:
initialDelaySeconds: 80
periodSeconds: 90
timeoutSeconds: 70
serialproxy:
default:
liveness:
enabled: True
params:
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 15
readiness:
enabled: True
params:
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 15
compute-spice-proxy:
default:
liveness:
@@ -2229,6 +2304,9 @@ pod:
nova_compute_vnc_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute_serial_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute_spice_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
@@ -2264,6 +2342,12 @@ pod:
nova_scheduler:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_serialproxy_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_serialproxy:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
@@ -2395,6 +2479,11 @@ pod:
nova_novncproxy:
volumeMounts:
volumes:
nova_serialproxy:
init_serialproxy: null
nova_serialproxy:
volumeMounts:
volumes:
nova_spiceproxy:
init_spiceproxy: null
nova_spiceproxy:
@@ -2413,8 +2502,8 @@ pod:
conductor: 1
scheduler: 1
novncproxy: 1
serialproxy: 1
spiceproxy: 1
consoleauth: 1
lifecycle:
upgrades:
deployments:
@@ -2498,6 +2587,13 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
serialproxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
spiceproxy:
requests:
memory: "128Mi"
@@ -2604,6 +2700,7 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
network_policy:
nova:
# TODO(lamt): Need to tighten this ingress for security.
@@ -2611,16 +2708,20 @@ network_policy:
- {}
egress:
- {}
# NOTE(helm_hook): helm_hook might break for helm2 binary.
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
health_probe:
logging:
level: ERROR
tls:
identity: false
oslo_messaging: false
oslo_db: false
manifests:
certificates: false
compute_uuid_self_provisioning: false
@@ -2634,10 +2735,12 @@ manifests:
deployment_api_osapi: true
deployment_conductor: true
deployment_novncproxy: true
deployment_serialproxy: true
deployment_spiceproxy: true
deployment_scheduler: true
ingress_metadata: true
ingress_novncproxy: true
ingress_serialproxy: true
ingress_spiceproxy: true
ingress_osapi: true
job_pre_apply_cleanup: true
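Review bot: deployment_serialproxy and ingress_serialproxy are added as true, yet console.console_kind remains novnc in this file. That deploys and publicly exposes a serial console proxy that the default configuration does not use. Suggest defaulting the serialproxy manifests (here and the service_* entries in the next hunk) to false, or gating them on console_kind, so that only the selected console type is reachable.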
@@ -2665,10 +2768,12 @@ manifests:
secret_registry: true
service_ingress_metadata: true
service_ingress_novncproxy: true
service_ingress_serialproxy: true
service_ingress_spiceproxy: true
service_ingress_osapi: true
service_metadata: true
service_novncproxy: true
service_serialproxy: true
service_spiceproxy: true
service_osapi: true
statefulset_compute_ironic: false
@@ -2682,7 +2787,7 @@ manifests:
secret_keystone_placement: false
service_ingress_placement: false
service_placement: false
deployment_consoleauth: false
# List of hosts and uuids
hosts_uuids: []
annotations:
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: openvswitch
version: 0.1.25
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -19,11 +19,13 @@ images:
exclude:
- dep_check
- image_repo_sync
labels:
isApplication: false
ovs:
node_selector_key: openvswitch
node_selector_value: enabled
pod:
tini:
enabled: true
@@ -134,9 +136,11 @@ pod:
user:
nova:
uid: 42424
secrets:
oci_image_registry:
openvswitch: openvswitch-oci-image-registry-key
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
@@ -166,12 +170,14 @@ endpoints:
port:
registry:
default: null
network_policy:
openvswitch:
ingress:
- {}
egress:
- {}
dependencies:
dynamic:
common:
@@ -187,6 +193,7 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
manifests:
configmap_bin: true
daemonset: true
@@ -195,6 +202,7 @@ manifests:
job_image_repo_sync: true
network_policy: false
secret_registry: true
conf:
poststart:
timeout: 5
@@ -227,4 +235,10 @@ conf:
# vHost IOMMU feature restricts the vhost memory that a virtio device
# access, available with DPDK v17.11
# vhost_iommu_support: true
## OVS supports run in non-root for both OVS and OVS DPDK mode, the user
# for OVS need to be added to container image with user id 42424.
# useradd -u 42424 openvswitch; groupmod -g 42424 openvswitch
#
# Leave empty to run as user that invokes the command (default: root)
ovs_user_name: "openvswitch:openvswitch"
...
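Review bot: ovs_user_name now defaults to "openvswitch:openvswitch", and the comment above it states that this user must already exist in the container image with uid 42424. No image tag changes in this hunk, so the default only works if the currently referenced image already has that user. Suggest either confirming that in the commit message or leaving the default empty until the image is updated. The comment block also starts with "##" where the rest of the file uses a single "#".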
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: pci-irq-affinity-agent
version: 0.2.0
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -16,7 +16,7 @@ spec:
chart:
spec:
chart: placement
version: 0.3.14
version: 2025.1.0
sourceRef:
kind: HelmRepository
name: starlingx
@@ -6,67 +6,144 @@
---
release_group: osh-openstack-placement
endpoints:
identity:
force_public_endpoint: true
labels:
isApplication: false
placement:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
pull_policy: IfNotPresent
tags:
db_drop: docker.io/starlingx/stx-heat:master-debian-stable-latest
db_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
dep_check: quay.io/airshipit/kubernetes-entrypoint:9ff5d2e488ad18187bccc48e9595f197d27110c4-ubuntu_jammy
image_repo_sync: null
ks_user: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_user: docker.io/starlingx/stx-openstackclients:master-debian-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-debian-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
placement: docker.io/starlingx/stx-placement:master-debian-stable-latest
placement_db_sync: docker.io/starlingx/stx-placement:master-debian-stable-latest
pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
network:
api:
port: 8778
ingress:
public: true
classes:
namespace: "nginx-openstack"
cluster: "nginx"
pod:
replicas:
placement: 1
affinity:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
tolerations:
placement:
enabled: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: openstack-compute-node
operator: Exists
effect: NoSchedule
resources:
enabled: true
api:
requests:
ephemeral-storage: "250Ki"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 30778
conf:
policy: {}
placement:
DEFAULT:
debug: false
use_syslog: false
log_config_append: /etc/placement/logging.conf
placement_database:
connection: null
keystone_authtoken:
service_token_roles: service
service_token_roles_required: true
auth_version: v3
auth_type: password
memcache_security_strategy: ENCRYPT
service_type: placement
auth_uri: http://keystone.openstack.svc.cluster.local:80/v3
auth_url: http://keystone.openstack.svc.cluster.local:80/v3
logging:
loggers:
keys:
- root
- placement
handlers:
keys:
- stdout
- stderr
- "null"
formatters:
keys:
- context
- default
logger_root:
level: WARNING
handlers: 'null'
logger_placement:
level: INFO
handlers:
- stdout
qualname: placement
logger_amqp:
level: WARNING
handlers: stderr
qualname: amqp
logger_amqplib:
level: WARNING
handlers: stderr
qualname: amqplib
logger_eventletwsgi:
level: WARNING
handlers: stderr
qualname: eventlet.wsgi.server
logger_sqlalchemy:
level: WARNING
handlers: stderr
qualname: sqlalchemy
logger_boto:
level: WARNING
handlers: stderr
qualname: boto
handler_null:
class: logging.NullHandler
formatter: default
args: ()
handler_stdout:
class: StreamHandler
args: (sys.stdout,)
formatter: context
handler_stderr:
class: StreamHandler
args: (sys.stderr,)
formatter: context
formatter_context:
class: oslo_log.formatters.ContextFormatter
datefmt: "%Y-%m-%d %H:%M:%S"
formatter_default:
format: "%(message)s"
datefmt: "%Y-%m-%d %H:%M:%S"
placement_api_uwsgi:
uwsgi:
processes: 1
add-header: "Connection: close"
buffer-size: 65535
die-on-term: true
enable-threads: true
exit-on-reload: false
hook-master-start: unix_signal:15 gracefully_kill_them_all
lazy-apps: true
log-x-forwarded-for: true
master: true
procname-prefix-spaced: "placement-api:"
route-user-agent: '^kube-probe.* donotlog:'
thunder-lock: true
worker-reload-mercy: 80
wsgi-file: /var/lib/openstack/bin/placement-api
wsgi_placement: |
Listen :::{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
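Review bot: In the `keystone_authtoken` block under `conf.placement`, `auth_uri` and `auth_url` are both hard-coded to `http://keystone.openstack.svc.cluster.local:80/v3`, so the placement service credentials and every token validation request travel to Keystone in cleartext, and the literal URL will not follow a deployment that switches the identity endpoint to TLS. Consider deriving these from the `endpoints.identity` host, scheme and port values defined later in this file instead of repeating them as a literal, or add a comment stating that TLS deployments must override both keys. `memcache_security_strategy: ENCRYPT` in the same block protects only the cached token data, not this connection. Separately, the image entries at the top of this section (`ks_service`, `ks_endpoints`, `placement`, `placement_db_sync`, `pre_apply_cleanup`) all use the mutable `master-debian-stable-latest` tag, so two installs of the same chart revision can run different images. A comment saying where these tags are pinned for release builds would make that explicit.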
@@ -97,4 +174,323 @@ conf:
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
placement:
username: placement
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
oslo_db:
auth:
admin:
username: root
password: password
secret:
tls:
internal: mariadb-tls-direct
placement:
username: placement
password: password
# NOTE: This should be the username/password used to access the nova_api
# database. This is required only if database migration from nova to
# placement is desired.
nova_api:
username: nova
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /placement
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_cache:
auth:
# NOTE(portdirect): this is used to define the value for keystone
# authtoken cache encryption key, if not set it will be populated
# automatically with a random value, but to take advantage of
# this feature all services should be set to use the same key,
# and memcache service.
memcache_secret_key: null
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
identity:
force_public_endpoint: true
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
placement:
role: admin
region_name: RegionOne
username: placement
password: password
project_name: service
user_domain_name: service
project_domain_name: service
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
placement:
name: placement
hosts:
default: placement-api
public: placement
host_fqdn_override:
default: null
path:
default: /
scheme:
default: 'http'
service: 'http'
port:
api:
default: 8778
public: 80
service: 8778
pod:
security_context:
placement:
pod:
runAsUser: 42424
container:
placement_api:
readOnlyRootFilesystem: false
runAsUser: 0
placement_mysql_migration:
readOnlyRootFilesystem: false
runAsUser: 0
affinity:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
tolerations:
placement:
enabled: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: openstack-compute-node
operator: Exists
effect: NoSchedule
mounts:
placement:
init_container: null
placement:
volumeMounts:
volumes:
replicas:
api: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
api:
min_available: 0
termination_grace_period:
api:
timeout: 30
resources:
enabled: true
api:
requests:
ephemeral-storage: "250Ki"
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_endpoints:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_service:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
ks_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
secrets:
identity:
admin: placement-keystone-admin
placement: placement-keystone-user
oslo_db:
admin: placement-db-admin
placement: placement-db-user
tls:
placement:
api:
public: placement-tls-public
internal: placement-tls-api
oci_image_registry:
placement: placement-oci-image-registry
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
api:
jobs:
- placement-db-sync