starlingx/openstack-armada-app
Code Issues Proposed changes

Partial FluxCD version of stx-openstack: identity

Browse Source 
This is continung previous work [1] of the openstack app
migration to FluxCD, adding identity related services.
This change includes the following charts:
keystone, keystone-api-proxy, barbican

Test Plan:
PASS - build-helm-charts.sh builds a basic FluxCD app tarball
PASS - application upload and overrides generated
PASS - application apply/remove/delete

[1] https://review.opendev.org/c/starlingx/openstack-armada-app/+/840432

Apply Logs: https://paste.opendev.org/show/bGZUdKlBFZei3XhF3WHq/

Story: 2009138
Task: 45462

Depends-On: https://review.opendev.org/c/starlingx/openstack-armada-app/+/855507

Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Co-authored-by: Rafael Falcao <rafael.vieirafalcao@windriver.com>
Change-Id: I70f9a2a5911f361315593efbe68f762155c4269e
This commit is contained in:
Thales Elero Cervi 2022-06-29 13:56:53 -03:00
parent 5cc0eb415a
commit 7f1d6f3240
13 changed files with 378 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-static-overrides.yaml Normal file
View File

@ -0,0 +1,58 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
release_group: osh-openstack-barbican
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
tags:
barbican_api: docker.io/starlingx/stx-barbican:master-centos-stable-latest
barbican_db_sync: docker.io/starlingx/stx-barbican:master-centos-stable-latest
bootstrap: docker.io/starlingx/stx-heat:master-centos-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-centos-stable-latest
db_init: docker.io/starlingx/stx-heat:master-centos-stable-latest
image_repo_sync: null
ks_endpoints: docker.io/starlingx/stx-heat:master-centos-stable-latest
ks_service: docker.io/starlingx/stx-heat:master-centos-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-centos-stable-latest
scripted_test: docker.io/starlingx/stx-heat:master-centos-stable-latest
pod:
replicas:
api: 2
affinity:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
tolerations:
barbican:
enabled: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: openstack-compute-node
operator: Exists
effect: NoSchedule
endpoints:
oslo_messaging:
statefulset:
name: osh-openstack-rabbitmq-rabbitmq
identity:
force_public_endpoint: true
conf:
barbican:
barbican_api:
bind_host: "::"
keystone_authtoken:
auth_uri: http://keystone.openstack.svc.cluster.local:80/v3
auth_url: http://keystone.openstack.svc.cluster.local:80/v3
...

0
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-system-overrides.yaml Normal file
View File

39
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/helmrelease.yaml Normal file
View File

@ -0,0 +1,39 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
kind: HelmRelease
metadata:
name: barbican
labels:
chart_group: openstack-barbican
spec:
releaseName: osh-openstack-barbican
chart:
spec:
chart: barbican
version: 0.2.7
sourceRef:
kind: HelmRepository
name: starlingx
interval: 5m
timeout: 30m
test:
enable: false
upgrade:
disableHooks: false
dependsOn:
- name: keystone
namespace: openstack
valuesFrom:
- kind: Secret
name: barbican-static-overrides
valuesKey: barbican-static-overrides.yaml
- kind: Secret
name: barbican-system-overrides
valuesKey: barbican-system-overrides.yaml
...

20
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/kustomization.yaml Normal file
View File

@ -0,0 +1,20 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
namespace: openstack
resources:
- helmrelease.yaml
secretGenerator:
- name: barbican-static-overrides
files:
- barbican-static-overrides.yaml
- name: barbican-system-overrides
files:
- barbican-system-overrides.yaml
generatorOptions:
disableNameSuffixHash: true
...

41
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/helmrelease.yaml Normal file
View File

@ -0,0 +1,41 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
kind: HelmRelease
metadata:
name: keystone-api-proxy
labels:
chart_group: openstack-keystone-api-proxy
spec:
releaseName: osh-openstack-keystone-api-proxy
chart:
spec:
chart: keystone-api-proxy
version: 0.1.0
sourceRef:
kind: HelmRepository
name: starlingx
interval: 5m
timeout: 30m
test:
enable: false
install:
disableHooks: false
upgrade:
disableHooks: false
dependsOn:
- name: keystone
namespace: openstack
valuesFrom:
- kind: Secret
name: keystone-api-proxy-static-overrides
valuesKey: keystone-api-proxy-static-overrides.yaml
- kind: Secret
name: keystone-api-proxy-system-overrides
valuesKey: keystone-api-proxy-system-overrides.yaml
...

22
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-static-overrides.yaml Normal file
View File

@ -0,0 +1,22 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
release_group: osh-openstack-keystone-api-proxy
endpoints:
identity:
force_public_endpoint: true
images:
tags:
keystone_api_proxy: docker.io/starlingx/stx-keystone-api-proxy:master-centos-stable-latest
ks_endpoints: docker.io/starlingx/stx-heat:master-centos-stable-latest
conf:
keystone_api_proxy:
identity:
bind_host: "::"
remote_host: keystone.openstack.svc.cluster.local
remote_port: 80
...

0
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-system-overrides.yaml Normal file
View File

20
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/kustomization.yaml Normal file
View File

@ -0,0 +1,20 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
namespace: openstack
resources:
- helmrelease.yaml
secretGenerator:
- name: keystone-api-proxy-static-overrides
files:
- keystone-api-proxy-static-overrides.yaml
- name: keystone-api-proxy-system-overrides
files:
- keystone-api-proxy-system-overrides.yaml
generatorOptions:
disableNameSuffixHash: true
...

41
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/helmrelease.yaml Normal file
View File

@ -0,0 +1,41 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
kind: HelmRelease
metadata:
name: keystone
labels:
chart_group: openstack-keystone
spec:
releaseName: osh-openstack-keystone
chart:
spec:
chart: keystone
version: 0.2.13
sourceRef:
kind: HelmRepository
name: starlingx
interval: 5m
timeout: 30m
test:
enable: false
install:
disableHooks: false
upgrade:
disableHooks: false
dependsOn:
- name: rabbitmq
namespace: openstack
valuesFrom:
- kind: Secret
name: keystone-static-overrides
valuesKey: keystone-static-overrides.yaml
- kind: Secret
name: keystone-system-overrides
valuesKey: keystone-system-overrides.yaml
...

114
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-static-overrides.yaml Normal file
View File

@ -0,0 +1,114 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
release_group: osh-openstack-keystone
manifests:
job_credential_cleanup: false
endpoints:
oslo_messaging:
statefulset:
name: osh-openstack-rabbitmq-rabbitmq
identity:
name: keystone
namespace: openstack
force_public_endpoint: true
labels:
api:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
tags:
bootstrap: docker.io/starlingx/stx-heat:master-centos-stable-latest
db_drop: docker.io/starlingx/stx-heat:master-centos-stable-latest
db_init: docker.io/starlingx/stx-heat:master-centos-stable-latest
image_repo_sync: null
keystone_api: docker.io/starlingx/stx-keystone:master-centos-stable-latest
keystone_credential_rotate: docker.io/starlingx/stx-keystone:master-centos-stable-latest
keystone_credential_setup: docker.io/starlingx/stx-keystone:master-centos-stable-latest
keystone_credential_cleanup: null
keystone_db_sync: docker.io/starlingx/stx-keystone:master-centos-stable-latest
keystone_domain_manage: docker.io/starlingx/stx-keystone:master-centos-stable-latest
keystone_fernet_rotate: docker.io/starlingx/stx-keystone:master-centos-stable-latest
keystone_fernet_setup: docker.io/starlingx/stx-keystone:master-centos-stable-latest
ks_user: docker.io/starlingx/stx-heat:master-centos-stable-latest
test: null
pod:
replicas:
api: 2
affinity:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
tolerations:
keystone:
enabled: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: openstack-compute-node
operator: Exists
effect: NoSchedule
security_context:
keystone:
pod:
runAsUser: 0
conf:
wsgi_keystone: |
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen :::{{ $portInt }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
WSGISocketPrefix /var/run/httpd/wsgi
<VirtualHost *:{{ $portInt }}>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-home=/var/lib/openstack socket-user=apache
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</VirtualHost>
bootstrap:
script: |
#NOTE(gagehugo): As of Rocky, keystone creates a member role by default
openstack role create --or-show member
openstack role add \
--user="${OS_USERNAME}" \
--user-domain="${OS_USER_DOMAIN_NAME}" \
--project-domain="${OS_PROJECT_DOMAIN_NAME}" \
--project="${OS_PROJECT_NAME}" \
"member"
# admin needs the admin role for the default domain
openstack role add \
--user="${OS_USERNAME}" \
--domain="${OS_DEFAULT_DOMAIN}" \
"admin"
#STX: exempt admin from auth faillockout
TOKEN=$(openstack token issue -c id -f value)
USER_ID=$(openstack user show ${OS_USERNAME} -c id -f value)
REQ_URL="http://keystone.openstack.svc.cluster.local/v3/users/${USER_ID}"
DATA_JSON="{\"user\": {\"options\": {\"ignore_lockout_failure_attempts\": true}}}"
curl -X PATCH -H "X-Auth-Token: ${TOKEN}" -H "Content-Type: application/json" -d "${DATA_JSON}" "${REQ_URL}"
...

0
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-system-overrides.yaml Normal file
View File

20
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/kustomization.yaml Normal file
View File

@ -0,0 +1,20 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
---
namespace: openstack
resources:
- helmrelease.yaml
secretGenerator:
- name: keystone-static-overrides
files:
- keystone-static-overrides.yaml
- name: keystone-system-overrides
files:
- keystone-system-overrides.yaml
generatorOptions:
disableNameSuffixHash: true
...

3
stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/kustomization.yaml
View File

@ -17,4 +17,7 @@ resources:
- garbd
- memcached
- rabbitmq
- barbican
- keystone
- keystone-api-proxy
...