starlingx/openstack-armada-app
Code Issues Proposed changes
5d949b63ba
openstack-armada-app/openstack-helm/files/0003-Nova-chart-Support-ephemeral-pool-creation.patch
Lucas Cavalcante de4ac1007a Add tolerations to openstack services 
Adds patches from openstack-helm and openstack-helm-infra that
enables openstack services, jobs, and friends (libvirt, memcached
mariadb, openvswitch, rabbitmq, ingress) to support taint toleration

Also adds tolerations for nova-api-proxy, stx-ks-user and
nova-ephemeral-pool

Taint toleration `node-role.kubernetes.io/master:NoSchedule` is also
enabled by default as seen in `manifest.yaml`

deleted:
  - file: 0014-Add-tolerations-to-rabbitmq-chart.patch
    reason: deprecated by 0017 (also was not working for rabbit jobs)
  - file: 0015-Add-tolerations-to-mariadb-chart.patch
    reason: deprecated by 0017 (also was not working for maria jobs)

Test Plan:

PASS: After controller node taint application is applied
PASS: If controller has no taint application is applied
FAIL (expected): After user override removing toleration apply fails
PASS: Other taint is added to controller and after user overrides apply
succceeds

Notes:
 - Tested in AIO-SX (Both Virt. and Physical Machine)
 - Tested with taint node-role.kubernetes.io/master:NoSchedule
 - Tested with taint openstack-compute-node:NoSchedule
 - Apply fails -> pods pending untolarated taints

Story: 2009232
Task: 43345

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I6bd0d28cdc31f07d18b3cdfda3b0282a4d3117a4
2021-12-03 08:35:21 -03:00

339 lines
12 KiB
Diff
Raw Blame History

From 8d1a2f90284bc5c3a7fcfbae73f0bdb2e5b03320 Mon Sep 17 00:00:00 2001
From: Irina Mihai <irina.mihai@windriver.com>
Date: Tue, 26 Feb 2019 17:43:53 +0000
Subject: [PATCH] Nova chart: Support ephemeral pool creation
If libvirt images_type is rbd, then we need to have the
images_rbd_pool present. These changes add a new job
to make sure this pool exists.
Change-Id: Iee307cb54384d1c4583d00a8d28f7b1a0676d7d8
Story: 2004922
Task: 29285
Signed-off-by: Irina Mihai <irina.mihai@windriver.com>
(cherry picked from commit 0afcb0b37cdcf57436e44867bac9242d8684ce81)
Signed-off-by: Robert Church <robert.church@windriver.com>
---
nova/templates/bin/_nova-storage-init.sh.tpl | 73 +++++++++++++
nova/templates/configmap-bin.yaml | 2 +
nova/templates/job-storage-init.yaml | 153 +++++++++++++++++++++++++++
nova/values.yaml | 18 ++++
4 files changed, 246 insertions(+)
create mode 100644 nova/templates/bin/_nova-storage-init.sh.tpl
create mode 100644 nova/templates/job-storage-init.yaml
diff --git a/nova/templates/bin/_nova-storage-init.sh.tpl b/nova/templates/bin/_nova-storage-init.sh.tpl
new file mode 100644
index 0000000..416297f
--- /dev/null
+++ b/nova/templates/bin/_nova-storage-init.sh.tpl
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+ SECRET=$(mktemp --suffix .yaml)
+ KEYRING=$(mktemp --suffix .keyring)
+ function cleanup {
+ rm -f ${SECRET} ${KEYRING}
+ }
+ trap cleanup EXIT
+fi
+
+set -ex
+if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+ ceph -s
+ function ensure_pool () {
+ ceph osd pool stats $1 || ceph osd pool create $1 $2
+ local test_version=$(ceph tell osd.* version | egrep -c "mimic|luminous" | xargs echo)
+ if [[ ${test_version} -gt 0 ]]; then
+ ceph osd pool application enable $1 $3
+ fi
+ size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
+ ceph osd pool set $1 nosizechange 0
+ ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
+ ceph osd pool set $1 nosizechange ${size_protection}
+ ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
+ }
+ ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "nova-ephemeral"
+
+ if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
+ echo "Cephx user client.${RBD_POOL_USER} already exist."
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+ else
+ # NOTE: Restrict Nova permissions to what is needed.
+ # MON Read only and RBD access to the Nova ephemeral pool only.
+ ceph auth get-or-create client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd" \
+ -o ${KEYRING}
+ fi
+
+ ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
+ cat > ${SECRET} <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+ key: $( echo ${ENCODED_KEYRING} )
+EOF
+ kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
+
+fi
+
diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml
index c4e47fb..54571ac 100644
--- a/nova/templates/configmap-bin.yaml
+++ b/nova/templates/configmap-bin.yaml
@@ -93,6 +93,8 @@ data:
{{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
nova-console-proxy-init-assets.sh: |
{{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-storage-init.sh: |
+{{ tuple "bin/_nova-storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
ssh-init.sh: |
{{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
ssh-start.sh: |
diff --git a/nova/templates/job-storage-init.yaml b/nova/templates/job-storage-init.yaml
new file mode 100644
index 0000000..3963926
--- /dev/null
+++ b/nova/templates/job-storage-init.yaml
@@ -0,0 +1,156 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_storage_init }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-storage-init" }}
+{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nova-storage-init
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ initContainers:
+{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{ if or .Values.conf.ceph.enabled }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "nova_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ runAsUser: 0
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: nova-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ containers:
+ {{- range $ephemeralPool := .Values.conf.ceph.ephemeral_storage.rbd_pools }}
+ - name: nova-storage-init-{{- $ephemeralPool.rbd_pool_name }}
+{{ tuple $envAll "nova_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{ if and (eq $envAll.Values.conf.ceph.ephemeral_storage.type "rbd") $envAll.Values.conf.ceph.enabled }}
+ - name: STORAGE_BACKEND
+ value: {{ $envAll.Values.conf.ceph.ephemeral_storage.type }}
+ - name: RBD_POOL_NAME
+ value: {{ $ephemeralPool.rbd_pool_name | quote }}
+ - name: RBD_POOL_USER
+ value: {{ $ephemeralPool.rbd_user | quote }}
+ - name: RBD_POOL_CRUSH_RULE
+ value: {{ $ephemeralPool.rbd_crush_rule | quote }}
+ - name: RBD_POOL_REPLICATION
+ value: {{ $ephemeralPool.rbd_replication | quote }}
+ - name: RBD_POOL_CHUNK_SIZE
+ value: {{ $ephemeralPool.rbd_chunk_size | quote }}
+ - name: RBD_POOL_SECRET
+ value: {{ $envAll.Values.secrets.ephemeral | quote }}
+ {{- end }}
+ command:
+ - /tmp/nova-storage-init.sh
+ volumeMounts:
+ - name: nova-bin
+ mountPath: /tmp/nova-storage-init.sh
+ subPath: nova-storage-init.sh
+ readOnly: true
+ {{ if or $envAll.Values.conf.ceph.enabled }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ {{ if or .Values.conf.ceph.enabled }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.ceph_client.user_secret_name }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
diff --git a/nova/values.yaml b/nova/values.yaml
index ca92907..3179231 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -87,6 +87,7 @@ images:
nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial'
nova_spiceproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
nova_spiceproxy_assets: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_storage_init: 'docker.io/port/ceph-config-helper:v1.10.3'
test: docker.io/xrally/xrally-openstack:2.0.0
image_repo_sync: docker.io/docker:17.07.0
nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
@@ -616,6 +617,14 @@ conf:
user: "cinder"
keyring: null
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+ ephemeral_storage:
+ type: rbd
+ rbd_pools:
+ - rbd_pool_name: ephemeral
+ rbd_user: ephemeral
+ rbd_crush_rule: 0
+ rbd_replication: 3
+ rbd_chunk_size: 64
rally_tests:
run_tempest: false
clean_up: |
@@ -1893,6 +1902,7 @@ secrets:
compute_spice_proxy:
spiceproxy:
internal: nova-tls-spiceproxy
+ ephemeral: nova-ephemeral
# typically overridden by environmental
# values, but should include all endpoints
@@ -2572,6 +2582,13 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
+ storage_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
network_policy:
nova:
@@ -2619,6 +2636,7 @@ manifests:
job_ks_placement_service: true
job_ks_placement_user: true
job_cell_setup: true
+ job_storage_init: true
pdb_metadata: true
pdb_placement: true
pdb_osapi: true
--
1.8.3.1
View Git Blame Copy Permalink