Partial FluxCD version of stx-openstack: identity

This is continung previous work [1] of the openstack app migration to FluxCD, adding identity related services. This change includes the following charts: keystone, keystone-api-proxy, barbican Test Plan: PEND - build-helm-charts.sh builds a basic FluxCD app tarball PEND - application upload and overrides generated PEND - application apply/remove/delete [1] https://review.opendev.org/c/starlingx/openstack-armada-app/+/840432 Story: 2009138 Task: 45462 Depends-On: https://review.opendev.org/c/starlingx/openstack-armada-app/+/840432 Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com> Change-Id: I70f9a2a5911f361315593efbe68f762155c4269e
2022-06-29 13:56:53 -03:00 · 2022-06-29 13:56:53 -03:00 · 1f343f0998
parent c4dc6f7a40
commit 1f343f0998
13 changed files with 358 additions and 0 deletions
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-static-overrides.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-static-overrides.yaml
@ -0,0 +1,55 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+images:
+  tags:
+    barbican_api: docker.io/starlingx/stx-barbican:master-centos-stable-latest
+    barbican_db_sync: docker.io/starlingx/stx-barbican:master-centos-stable-latest
+    bootstrap: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    db_drop: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    db_init: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    image_repo_sync: null
+    ks_endpoints: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    ks_service: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    ks_user: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    scripted_test: docker.io/starlingx/stx-heat:master-centos-stable-latest
+pod:
+  replicas:
+    api: 2
+  affinity:
+    anti:
+      type:
+        default: requiredDuringSchedulingIgnoredDuringExecution
+  tolerations:
+    barbican:
+      enabled: true
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
+        - key: openstack-compute-node
+          operator: Exists
+          effect: NoSchedule
+endpoints:
+  oslo_messaging:
+    statefulset:
+      name: osh-openstack-rabbitmq-rabbitmq
+  identity:
+    force_public_endpoint: true
+conf:
+  barbican:
+    barbican_api:
+      bind_host: "::"
+    keystone_authtoken:
+      auth_uri: http://keystone.openstack.svc.cluster.local:80/v3
+      auth_url: http://keystone.openstack.svc.cluster.local:80/v3
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-system-overrides.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-system-overrides.yaml
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/helmrelease.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/helmrelease.yaml
@ -0,0 +1,37 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: barbican
+  labels:
+    chart_group: openstack-barbican
+spec:
+  releaseName: osh-openstack-barbican
+  chart:
+    spec:
+      chart: barbican
+      version: 0.2.7
+      sourceRef:
+        kind: HelmRepository
+        name: starlingx
+  interval: 5m
+  timeout: 30m
+  test:
+    enable: false
+  upgrade:
+    disableHooks: false
+  dependsOn:
+    - name: keystone
+      namespace: openstack
+  valuesFrom:
+    - kind: Secret
+      name: barbican-static-overrides
+      valuesKey: barbican-static-overrides.yaml
+    - kind: Secret
+      name: barbican-system-overrides
+      valuesKey: barbican-system-overrides.yaml
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/kustomization.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/kustomization.yaml
@ -0,0 +1,18 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+namespace: openstack
+resources:
+  - helmrelease.yaml
+secretGenerator:
+  - name: barbican-static-overrides
+    files:
+      - barbican-static-overrides.yaml
+  - name: barbican-system-overrides
+    files:
+      - barbican-system-overrides.yaml
+generatorOptions:
+  disableNameSuffixHash: true
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/helmrelease.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/helmrelease.yaml
@ -0,0 +1,39 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: keystone-api-proxy
+  labels:
+    chart_group: openstack-keystone-api-proxy
+spec:
+  releaseName: osh-openstack-keystone-api-proxy
+  chart:
+    spec:
+      chart: keystone-api-proxy
+      version: 0.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: starlingx
+  interval: 5m
+  timeout: 30m
+  test:
+    enable: false
+  install:
+    disableHooks: false
+  upgrade:
+    disableHooks: false
+  dependsOn:
+    - name: keystone
+      namespace: openstack
+  valuesFrom:
+    - kind: Secret
+      name: keystone-api-proxy-static-overrides
+      valuesKey: keystone-api-proxy-static-overrides.yaml
+    - kind: Secret
+      name: keystone-api-proxy-system-overrides
+      valuesKey: keystone-api-proxy-system-overrides.yaml
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-static-overrides.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-static-overrides.yaml
@ -0,0 +1,19 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+endpoints:
+  identity:
+    force_public_endpoint: true
+images:
+  tags:
+    keystone_api_proxy: docker.io/starlingx/stx-keystone-api-proxy:master-centos-stable-latest
+    ks_endpoints: docker.io/starlingx/stx-heat:master-centos-stable-latest
+conf:
+  keystone_api_proxy:
+    identity:
+      bind_host: "::"
+      remote_host: keystone.openstack.svc.cluster.local
+      remote_port: 80
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-system-overrides.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-system-overrides.yaml
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/kustomization.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/kustomization.yaml
@ -0,0 +1,18 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+namespace: openstack
+resources:
+  - helmrelease.yaml
+secretGenerator:
+  - name: keystone-api-proxy-static-overrides
+    files:
+      - keystone-api-proxy-static-overrides.yaml
+  - name: keystone-api-proxy-system-overrides
+    files:
+      - keystone-api-proxy-system-overrides.yaml
+generatorOptions:
+  disableNameSuffixHash: true
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/helmrelease.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/helmrelease.yaml
@ -0,0 +1,39 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: keystone
+  labels:
+    chart_group: openstack-keystone
+spec:
+  releaseName: osh-openstack-keystone
+  chart:
+    spec:
+      chart: keystone
+      version: 0.2.13
+      sourceRef:
+        kind: HelmRepository
+        name: starlingx
+  interval: 5m
+  timeout: 30m
+  test:
+    enable: false
+  install:
+    disableHooks: false
+  upgrade:
+    disableHooks: false
+  dependsOn:
+    - name: rabbitmq
+      namespace: openstack
+  valuesFrom:
+    - kind: Secret
+      name: keystone-static-overrides
+      valuesKey: keystone-static-overrides.yaml
+    - kind: Secret
+      name: keystone-system-overrides
+      valuesKey: keystone-system-overrides.yaml
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-static-overrides.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-static-overrides.yaml
@ -0,0 +1,114 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+manifests:
+  job_credential_cleanup: false
+endpoints:
+  oslo_messaging:
+    statefulset:
+      name: osh-openstack-rabbitmq-rabbitmq
+  identity:
+    name: keystone
+    namespace: openstack
+    force_public_endpoint: true
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+images:
+  tags:
+    bootstrap: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    db_drop: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    db_init: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    image_repo_sync: null
+    keystone_api: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    keystone_credential_rotate: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    keystone_credential_setup: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    keystone_credential_cleanup: null
+    keystone_db_sync: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    keystone_domain_manage: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    keystone_fernet_rotate: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    keystone_fernet_setup: docker.io/starlingx/stx-keystone:master-centos-stable-latest
+    ks_user: docker.io/starlingx/stx-heat:master-centos-stable-latest
+    test: null
+pod:
+  user:
+    keystone:
+      uid: 0
+  replicas:
+    api: 2
+  affinity:
+    anti:
+      type:
+        default: requiredDuringSchedulingIgnoredDuringExecution
+  tolerations:
+    keystone:
+      enabled: true
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: openstack-compute-node
+        operator: Exists
+        effect: NoSchedule
+  security_context:
+    keystone:
+      pod:
+        runAsUser: 0
+conf:
+  wsgi_keystone: |
+    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+    Listen :::{{ $portInt }}
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
+    WSGISocketPrefix /var/run/httpd/wsgi
+
+    <VirtualHost *:{{ $portInt }}>
+        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-home=/var/lib/openstack socket-user=apache
+        WSGIProcessGroup keystone-public
+        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        ErrorLog /dev/stdout
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+    </VirtualHost>
+bootstrap:
+  script: |
+    #NOTE(gagehugo): As of Rocky, keystone creates a member role by default
+    openstack role create --or-show member
+    openstack role add \
+          --user="${OS_USERNAME}" \
+          --user-domain="${OS_USER_DOMAIN_NAME}" \
+          --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
+          --project="${OS_PROJECT_NAME}" \
+          "member"
+    # admin needs the admin role for the default domain
+    openstack role add \
+          --user="${OS_USERNAME}" \
+          --domain="${OS_DEFAULT_DOMAIN}" \
+          "admin"
+
+    #STX: exempt admin from auth faillockout
+    TOKEN=$(openstack token issue -c id -f value)
+    USER_ID=$(openstack user show ${OS_USERNAME} -c id -f value)
+    REQ_URL="http://keystone.openstack.svc.cluster.local/v3/users/${USER_ID}"
+    DATA_JSON="{\"user\": {\"options\": {\"ignore_lockout_failure_attempts\": true}}}"
+    curl -X PATCH -H "X-Auth-Token: ${TOKEN}" -H "Content-Type: application/json" -d "${DATA_JSON}" "${REQ_URL}"
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-system-overrides.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-system-overrides.yaml
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/kustomization.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/kustomization.yaml
@ -0,0 +1,18 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+namespace: openstack
+resources:
+  - helmrelease.yaml
+secretGenerator:
+  - name: keystone-static-overrides
+    files:
+      - keystone-static-overrides.yaml
+  - name: keystone-system-overrides
+    files:
+      - keystone-system-overrides.yaml
+generatorOptions:
+  disableNameSuffixHash: true
--- a/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/kustomization.yaml
+++ b/stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/kustomization.yaml
@ -16,3 +16,4 @@ resources:
  - garbd
  - memcached
  - rabbitmq
+  - keystone