This commit adds a helm chart that deploys a rolebinding to the openstack
application to allow deployments to the openstack namespace after
PodSecurityPolicy plugin is enabled on the Kubernetes cluster.
Change-Id: I57d3a31c9fcc7e03499e605d6d722fdb36004339
Partial-bug: 1878900
Depends-On: https://review.opendev.org/#/c/734408/
Depends-On: https://review.opendev.org/#/c/735998/
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

This adds support for Helm v3.
- 'helm init' and initialization is no longer required
- 'chartmuseum' is used as a drop-in replacement for 'helm serve'
- all Charts require the tag: apiVersion: v1 (or v2)
This updates ingress chart to specify apiVersion.
Change-Id: Ie41cde4ad450b63a78a0a677995e9c28eefd9798
Story: 2007000
Task: 39327
Depends-On: https://review.opendev.org/719962
Signed-off-by: Jim Gauld <james.gauld@windriver.com>

This creates a new package spec called python-k8sapp-openstack that will
hold all the stevedore plugins needed to support the application. This
spec will build two packages python-k8sapp-openstack and
python-k8sapp-openstack-wheels.
These packages are included in the build dependencies for the
stx-openstack-helm application package build where the wheels file is
included in the application tarball.
The helm and armada plugins have been relocated to this repo and
provided in a k8sapp_openstack python module. This module will be
extracted from the wheels and installed on the platform via the sysinv
application framework. The module will be made available when the
application is enabled.
Change-Id: I342308fbff23d29bfdf64a07dbded4bae01b79fd
Depends-On: https://review.opendev.org/#/c/688191/
Story: 2006537
Task: 36978
Signed-off-by: Robert Church <robert.church@windriver.com>

Since nginx-ingress-controller app was removed for external facing
ingress (https://review.opendev.org/#/c/724385/), updating the app
version to mark the change.
Story: 2007360
Task: 39596
Change-Id: Ied28669dd10fc19549812848f4aa28b147fb6245
Signed-off-by: Sabeel Ansari <Sabeel.Ansari@windriver.com>

This update contains changes to deploy and configure the dcdbsync instance
for containerized openstack services, including:
- Added helm charts to create dcdbsync identities in containerized
keystone, including user, endpoint, project-role assignment etc.
The overall procedure is, during stx-openstack app application,
dcdbsync identities will be created in containerized keystone. After
stx-openstack is successfully applied the dcdbsync runtime puppet is
called to generate the configuration file for openstack dcdbsync
instance with some information retrieved from helm (particularly
keystone passwords). Finally sm runtime is called to bring up the
dcdbsync service into running. When stx-openstack app is removed,
openstack dcdbsync instance will be cleaned up with configuration file
removed and service deprovisioned and stopped.
Change-Id: If4bf60753593e286c3dbe2c2f97c40f6ccbbb5b1
Story: 2004766
Task: 36104
Signed-off-by: Andy Ning <andy.ning@windriver.com>

The helm charts contain references to images for all
configurations, however some of those configurations
are not being enabled, and so the docker images are never
used.
This change prevents armada from downloading docker images
that are not being used by the armada manifest.
It requires an enhancement in sysinv to handle the null
reference.
The following images are unused and have been replaced
in the manifest with null (or the appropriate reference)
- kolla/ubuntu-source-nova-novncproxy: referenced by
novnc_assets and must point to the nova image.
- xrally/xrally-openstack: used when "test" is enabled,
referenced by cinder, ceilometer, glance, heat, keystone,
nova, neutron, panko.
- openstackhelm/ceph-daemon: referenced by ceph_rgw.
- openstackhelm/neutron: referenced by openstack-ingress.
- osixia/keepalived: referenced by openstack-ingress.
- prom/memcached-exporter: referenced by openstack-memcached.
- docker: referenced by image_repo_sync image tags in almost
every chart.
- kbudde/rabbitmq-exporter: referenced by openstack-rabbitmq.
- prom/mysqld-exporter: referenced by openstack-mariadb
Change-Id: Ide26ddaf3537b8b9595104a683339554aea71b48
Closes-Bug: 1841611
Depends-On: https://review.opendev.org/#/c/680067/
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

Relocation of helm charts required some modifications to
the spec and relocation of the makefile.
Story: 2006166
Task: 35687
Depends-On: I5c34bf66a3631e86e22684412e01c02980e9ae30
Change-Id: If27d138708c580df168797a3878e349fde2c6d19
Signed-off-by: Scott Little <scott.little@windriver.com>

Upgrading from kubernetes 1.13.5 to 1.15.0 meant the config
needed to be updated to handle whatever was deprecated or dropped
in 1.14 and 1.15.
1) Removed "ConfigMapAndSecretChangeDetectionStrategy = Watch"
reported by https://github.com/kubernetes/kubernetes/issues/74412
because this was a golang deficiency, and is fixed by the newer
version of golang.
2) Enforced the kubernetes 1.15.3 version
3) Updated v1alpha3 to v1beta2, since alpha3 was dropped in 1.14.
Changed fields for beta1 and beta2 are mentioned in these docs:
https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1
https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
4) cgroup validation checking now includes the pids subfolder.
5) Update ceph-config-helper to v1.15 kubernetes compatible
This means that the stx-openstack version check needed to be increased
Change-Id: Ibe3d5960c5dee1d217d01fbb56c785581dd1b42c
Story: 2005860
Task: 35841
Depends-On: https://review.opendev.org/#/c/671150
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

Extend the helm_charts API to support an enable attribute. This
attribute is set on application upload and stored in the existing
system_overrides element of the helm_overrides table.
Changes include
- Add application metadata support for disabling charts on application
upload.
- Add the system helm-chart-attribute-modify command to allow enabling
and disabling charts from the command-line. This removes the current
implementation of adding a faux label via the system host-label-assign
command to enable and disable charts.
- Add a --long option to helm-override-list to enable easy viewing of
what charts are enabled for a given application
- Enhance the ArmadaManifestOperator to make this a base class for
application specific operator classes. Introduce classes for the
stx-openstack and platform-integ-apps manifests with specific
knowledge of the charts and chart groups within each class.
- Use stevedore to load the application specific manifest operators.
This will allow future packaging of manifest operators with new
application tarballs.
- Move the helm chart definition from the common/constants.py to
helm/common.py. This limits helm/armada specific data leakage outside
of the helm directory, which we may carve out of sysinv in the future.
- Clean up the code related to the faux labels: LABEL_IRONIC,
LABEL_BARBICAN, and LABEL_TELEMETRY
- Rework the manifest update code in the plugins to include checks for
if the chart for a given application has been disabled.
Change-Id: If284f622ceac48c4ffd74e7022fdd390971d0fd8
Closes-Bug: #1833746
Depends-On: I418f0fe4978946a44e512c3025817fb27216c078
Signed-off-by: Robert Church <robert.church@windriver.com>

This update adds support for an application version_check plugin,
which is called during the system application-upload command as
a validation step. This verifies that the application being loaded
is supported by the current application plugin code.
Change-Id: I9b854ff5d74065812cde90a6531e1be21fc73adb
Closes-Bug: 1833425
Signed-off-by: Don Penney <don.penney@windriver.com>

Currently sysinv generates overrides only for default and backup
Ceph pools. Adding a new Ceph storage backend does not make it
available to stx-openstack application.
Iterate all Ceph storage backend and create corresponding
Ceph pool overrides which are then used by Cinder Helm
chart to setup Cinder configuration and pool access.
Change-Id: I2ca84406238e6c7462709822b303e25176fb9c8a
Depends-On: I29c7d3ed118f4a6726f2ea887a165f256bc32fd5
Story: 2003909
Task: 30351
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>

This chart is added as a part of "stx-openstack" application,
in the same chart group as openstack-ingress chart, so that
when "nginx-ingress-controller" starts working, http and https
ports are allowed for nginx which accepts http/https requests
and forwards to internal services accordingly.
In the following LP#1827246, the http request of opening console
of VM instance is sent to nginx 80 first, and then nginx forwards
the request to "nova-novncproxy" at port 6080 internally.
Closes-Bug: 1827246
Change-Id: I183f7edc92f1a9e0bdedad0afe35e3d03e20e7d5
Signed-off-by: yhu6 <yong.hu@intel.com>

To properly enable Cinder volume backup, the following configuration
changes are required:
- For Cinder, enable 'CephBackupDriver' as the Cinder backup_driver and
'cinder' as the rbd_user for each Cinder backend
- For libvirt, enable Ceph and use 'cinder-volume-rbd-keyring' for the
Ceph client user secret. This will create a libvirt secret that will
be used with the 'cinder' user.
- For nova, enable the rbd_secret_uuid shared with libvirt and set the
'rbd_user' to cinder.
- Update the chart group initialization sequence, so that
'openstack-cinder' is initialized prior to 'openstack-compute-kit'.
This is done because 'cinder-volume-rbd-keyring' is created by Cinder
and is required by libvirt to successfully initialize.
With these configuration changes:
- Cinder volumes were created
- Cinder volumes were backed up
- Instances were booted by volume (from Cinder)
- Instances were booted by image (from Ceph ephemeral disks)
Change-Id: I29c7d3ed118f4a6726f2ea887a165f256bc32fd5
Depends-On: https://review.opendev.org/#/c/664619/
Story: 2004520
Task: 28266
Signed-off-by: Robert Church <robert.church@windriver.com>

Add a helm chart for configuring and starting openstack
clients pods. The pod is configured with admin credentials
and launched on a controller node.
Change-Id: I4dea49301fd778db9a9ddf900a752831bd455fda
Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>
Story: 2005312
Task: 30557

This will remove the rbd-provisioner and ceph-pools-audit charts from
the stx-openstack application and enable it to use the default platform
storage provisioner.
Changes include:
- Update the rbd-provisioner and ceph-pools-audit helm plugin to provide
overrides for the namespace defined by
HELM_NS_STORAGE_PROVISIONER (currently: kube-system).
- Update the cinder, glance, gnocchi, and nova helm plugins to use the
existing ceph-pool-kube-rbd secret for Ceph client access. This
allows removing the pvc-ceph-client-key generation from the
rbd-provisioner chart.
- Add functions to kube_app.py to create/delete the required Ceph user
secret for all namespaces of a supported application. This provides
support for PVCs within the application's namespace(s). In the case
of stx-openstack, this covers any claims made from the 'openstack'
namespace.
- Add functions to kube_app.py to support creating and deleting app
specific resources that are not handled by the application charts.
Using this enables copying the 'ceph-etc' configmap from the
provisioner namespace to the openstack namespace for application use.
- Add support through the kubernetes API to copy a secret from one
namespace to another.
- Add support through the kubernetes API to get, create, delete, and
copy configmaps.
- Remove the rbd-provisioner and ceph-pools-audit stevedore plugins
from the stx-openstack application. Also, re-number the plugins.
- Update the RBD provisioner to support creating namespaces and Ceph
user secrets for additional namespaces other than that which the
provisioner is installed. Also, enable PVCs for default
namespaces (default and kube-public) against the 'general'
storageclass.
Change-Id: I387e315545d2c99a1b6baa90d30bdb2a4e08f315
Depends-On: I67dba3f1a3a6e7c8169719ee622ddd533c69be31
Story: 2005424
Task: 30679
Signed-off-by: Robert Church <robert.church@windriver.com>

Add a new helm repository, 'stx-platform', designed to hold charts that
need to be delivered as part of the basic platform. These charts will be
installed via RPMs as part of install and patching.
Update the existing stx-openstack armada application manifests to
reference the new location of the existing 'starlingx' repo. The
'starlingx' repo will be renamed with a future commit to 'stx-apps'.
Enable multiple repository support when generating helm overrides for
the chart location.
This updates both the puppet manifests and ansible playbook for initial
and subsequent configuration scenarios.
Change-Id: I0caaa878a6c6781d038b48b8caa2aa507ee9568a
Depends-On: I4b1a3615a6bd5d0bdd834a1cdf27c05d5a1057a0
Depends-On: I096d5ac126efc97f9a0a0f54f1e02323d936281c
Story: 2005424
Task: 30644
Signed-off-by: Robert Church <robert.church@windriver.com>

This commit allows creating the fm-rest-api tgz file
inside stx-openstack-helm RPM package which includes the
fm-rest-api helm chart.
Story: 2004008
Task: 29987
Depends-On: https://review.openstack.org/637120
Change-Id: I9778a0a3c904f1c762dc92cab76c1af75a4bd5d0
Signed-off-by: Mario Alfredo Carrillo Arevalo <mario.alfredo.c.arevalo@intel.com>

This update adds the required helm charts, manifest and
overrides to deploy the containerized keystone-api-proxy.
It also configures the required chart groups for openstack
services running on System Controller.
Story: 2004766
Task: 30454
Change-Id: I3a8ac1f1ca811b3004c42a13c9bcab61e1c2f405
Signed-off-by: Tao Liu <tao.liu@windriver.com>

The cgroup folder has been changed by commit:
https://review.openstack.org/#/c/648511/
As a result the new hugepage folder was being created at:
/sys/fs/cgroup/hugetlb/k8s-infra
However the helm-chart default location was still looking at:
/sys/fs/cgroup/hugetlb/kubepods
The k8s-infra label for the cgroup folder has now been added
to the armada manifest, and libvirt pods are able to launch.
Closes-Bug: 1824567
Change-Id: I3f420dc4643b37f56cec3b38449ca9b0d3b8fe4f
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

Using SHA: af8a9ffd0873c2fbc915794e235dbd357f2adab1
which was built and tagged on April 9, 2019.
The previous Armada SHA was from Sept 2018.
The manifest.xml is updated to not generate armada warnings
for libvirt, openvswitch, nova and neutron.
The warning was:
"label_selector" not specified,
waiting with no labels may cause unintended consequences.
Story: 2005198
Task: 30436
Change-Id: I97b633d9e6e1e4574e25dc8b69500faae4b4a809
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

Required manifest updates to maintain current behavior:
- For the keystone API continue to run as root, but adjust to new
security_context override.
- Turn off AppArmor profile for nova
- Turn off readiness/liveness probes for nova-scheduler
- Turn off readiness/liveness probes for neutron agents
- Disable nova hypervisor address search that dynamically sets my_ip in
nova.conf. This will interfere with per host compute override
settings.
Change-Id: Ic8d68da7ddf30a3a1236f01dd4eb2531efbd2965
Depends-On: Ied38e5cbedbe06fd0b6f27612aa0bddf60064dea
Story: 2004520
Task: 29966
Signed-off-by: Robert Church <robert.church@windriver.com>

The rabbitmq chart requests a 256Mi PV for operational storage. With
CentOS 7.5 and 7.6 kernels, a jbd2 kernel thread hang is observed after
a long soak period. Once this occurs, a host reboot is required to
recover access to the PV.
We have been able to reliably recreate this using the stock upstream
CentOS 7.6 kernel and the latest Ceph Jewel LTS (10.2.11) version using
fsstress. This is currently pointing to a race condition in the
filesystem code.
With a reliable test available for this, other scenarios to characterize
this have been performed including using different volume sizes and
using different ext4 filesystem formatting options.
We've been unable to cause the hang using a 1Gi PV over an extended soak
period so we'll update the stx-openstack manifest to request a 1Gi PV
until the root cause and fix has been addressed in the kernel.
Change-Id: Ia0e5b7ffb049c6e3cedfb4a6d3afda597eedb18a
Related-Bug: #1814595
Signed-off-by: Robert Church <robert.church@windriver.com>

manifest-no-tests.yaml and manifest.yaml are identical except for the
"test: enabled" value. We currently only use “false”. The manifest fails
to apply when test enabled is set to true. This issue is being tracked
with https://bugs.launchpad.net/starlingx/+bug/1819021. Once the issue is
resolved with test enabled a system parameter should control setting this
config to true/false.
Story: 2003909
Task: 29878
Change-Id: Iae3450e8285b775350ab05350cbe4cf420e6e4ef
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

In the move of gnocchi static configurations from the overrides to
the Armada manifests, some configs were put in the wrong location.
This commit fixes this.
Story: 2003909
Task: 29535
Change-Id: Iac0ada67b7a7f6c44540c731fb505090362489a1
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

Move all heat static configurations from the overrides to the
Armada manifest.
This is being done so we have a consistent way of managing
containerized openstack configurations. Static configurations will
be located in the Armada manifest and dynamic configuration will be
located in the overrides files.
Story: 2003909
Task: 29455
Change-Id: Ie35b1696b9fce0458db724fc8163d5d181e0768a
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

Move all neutron static configurations from the overrides to the
Armada manifest.
This is being done so we have a consistent way of managing
containerized openstack configurations. Static configurations will
be located in the Armada manifest and dynamic configuration will be
located in the overrides files.
Story: 2003909
Task: 29433
Change-Id: I5baf0bbc15912e0303955456151e69856bba0385
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

Move cinder static configuration from the overrides to the Armada
manifest.
Story: 2003909
Task: 29419
Change-Id: I5e213eb4dff5c3e1f2ef1edd588e60fb11501125
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

- new helm chart to set replication and min replication for
each Ceph pool:
-> new helm chart name: ceph-pools-audit
-> the ceph-pools-audit chart creates a CronJob that runs
every 5 minutes; the CronJob checks the replication for
each existing pool and sets it right if needed, to reflect
the attributes of the Ceph backends
-> the CronJob is needed for: charts that may not manage pool
configuration, pools created dynamically by services that
may not have the current pool configuration uploaded
(ex: swift), updating replication without reinstalling the
charts that created the pools
-> the ceph-pools-audit chart is installed after the
rbd-provisioner in the application-apply
- new overrides for the ceph-pools-audit chart that provide
the replication values from the attributes of the present
Ceph backends
- enable rados-gw by default when a Ceph backend is enabled
Change-Id: I1565268bac3ddc77e8368d2d6ab8600b3e4ed893
Story: 2004520
Task: 29034
Signed-off-by: Irina Mihai <irina.mihai@windriver.com>

Sets the following in the armada manifest
software_configs:global_index: rule:context_is_admin
stacks:global_index: rule:context_is_admin
Closes-Bug: 1814333
Change-Id: Ib037b39c320587c0220b432a4198197923396709
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

As part of the work to enable clustered database, a new helm chart is
needed to define how to run the galera arbitrator. This chart makes
use of the newly-created stx-mariadb Docker image which has the galera
arbitrator added to the upstream openstack-helm mariadb Docker image.
Since we have a new system chart, add sysinv support to handle any
system overrides. Initially this just means specifying the Docker
image.
When we go to merge this upstream, we should try to add the galera
arbitrator to the existing upstream Docker image and the existing
mariadb helm chart. One upstream dev has said that they'd be willing
to accept this.
Change-Id: If0362916d3b575adabf9d6c8cc467e488b249b7b
Story: 2004712
Task: 29054
Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

This commit bypasses the helm init --client-only command
which required networking access from within mock.
This allows stx-openstack-helm to be built the same as other std packages
Story: 2004005
Task: 28794
Change-Id: I113ec91b64faebf2e7e8154e4bfbe75acc3fbf43
Depends-On: I35c9b547a98fac559793bc2ec00012f6eded8ffa
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

Add the custom StarlingX rbd-provisioner chart to the common custom
chart area of the stx-config repo. Add the chart to the stx-openstack
application RPM.
This chart is based on the content of the ceph rbd storage code
(kubernetes-incubator/external-storage):
- c463bd18 -> kubernetes-1.12.0-beta.1
Change-Id: Ib5fe40ed82bf5ffdd2eea4ebc1cd534e1b5ceacd
Story: 2004005
Task: 27802
Signed-off-by: Robert Church <robert.church@windriver.com>

Use an application RPM to build and collect application artifacts.
This follows the same mechanism that is used to build the openstack-helm
and openstack-helm-infra charts. The custom StarlingX charts are built
and the application specific armada manifests are included in the RPM.
This application RPM will be used to produce some of the required build
artifacts (custom helm tarballs + armada manifests) but is not intended
to be installed on the system. These artifacts are extracted later for
proper application packaging with additional required metadata.
Changes also include:
- Update the README describing the new layouts for applications.
- Move the nova-api-proxy chart from the common area to be included as
a chart specific to the stx-openstack app.
Change-Id: I1140760d56035249324519be93bb913e18f394d9
Story: 2004005
Task: 27801
Depends-On: I57c5ec5f3565e9e585f0935af745e495699aa28c
Signed-off-by: Robert Church <robert.church@windriver.com>