This PS changes the log-runner user ID to run as the ceph user
so that it has the appropriate permissions to write to /var/log/ceph
files.
Change-Id: I4dfd956130eb3a19ca49a21145b67faf88750d6f
Currently if pg_num_min is less than the value specified in values.yaml
or overrides no change to pg_num_min is made during updates when the value
should be increased. This PS will ensure the proper value is always set.
Change-Id: I79004506b66f2084402af59f9f41cda49a929794
Corrected the counter increment and enhanced the script to handle
situation if the certificate is stuck in issuing state.
Change-Id: Ib8a84831a605bb3e5a1fc5b5a909c827ec864797
The checkDNS script which is run inside the ceph-mon pods has had
a bug for a while now. If a value of "up" is passed in, it adds
brackets around it, but then doesn't check for the brackets when
checking for a value of "up". This causes a value of "{up}" to be
written into the ceph.conf for the mon_host line and that causes
the mon_host to not be able to respond to ceph/rbd commands. Its
normally not a problem if DNS is working, but if DNS stops working
this can happen.
This patch changes the comparison to look for "{up}" instead of
"up" in three different files, which should fix the problem.
Change-Id: I89cf07b28ad8e0e529646977a0a36dd2df48966d
The ps removes kibana indices from elasticsearch when a pod
comes up. It also removes the source code in values.yaml for
the flush job since it is not needed at this point.
Change-Id: Icb0376fed4872308b26e608d5be0fbac504d802d
The corresponding attribute in roles/build-images/defaults/main.yml
is helm_repo instead of google_helm_repo.
Change-Id: Id1be29773224ea496a3550642d7ba194fd1e83c2
This reverts commit b2adfeadd8adbf5d99187106cf5d2956f0afeeab.
Reason for revert: This breaks the kubeadm jobs, lets add this
back until a proper fix is implemented.
Change-Id: I9b93c86e3747f2e768956898a27dd6d63469a8ee
This patchset fixes the following error which was recently introduced
by changing the cephcsi image version to v3.4.0:
E0816 18:37:30.966684 62307 rbd_healer.go:131] list volumeAttachments failed, err: volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:ceph:clcp-ucp-ceph-provisioners-ceph-rbd-csi-nodeplugin" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope
E0816 18:37:30.966758 62307 driver.go:208] healer had failures, err volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:ceph:clcp-ucp-ceph-provisioners-ceph-rbd-csi-nodeplugin" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope
Change-Id: Ia7cc61cf1df6690f25408b7aa8797e51d1c516ff
The current health check that is used for readiness and liveness
probes is considered intrusive and is prompt to produce false
positives[0]. The command is also deprecated and will be removed
in future version. Updating the probes based on current
recommenation from community[1].
Ref:
[0] https://www.rabbitmq.com/monitoring.html#deprecations
[1] https://www.rabbitmq.com/monitoring.html#health-checks
Change-Id: I83750731150ff9a276f59e3c1288129581fceba5
Elasticsearch is TLS enabled. Curator needs to be configured to use
cacert when communicating with Elasticsearch.
Change-Id: Ia78458516d6c8f975e478d85643dc4436b70b87c
This is to update ceph mon port from v1 to v2 for csi based rbd plugin.
also update cephcsi image to 3.4.0.
Change-Id: Ib6153730216dbd5a8d2f3f7b7dd0e88c7fd4389d
The googleapi repo has been causing issues and the latest
one is giving an unauthorized error when trying to download
helm tarball.
This change moves the repo to use the official helm one.
Change-Id: I52607b0ca6d650d5f5e4a95045389970faa08cfb
If grep does not find a match, it return 1 which fails the shell
script. Hence made it return true if no match is found.
Also, removed returning of error from the script becasue any failure
will cause the job to re-run which may re-renew certificates and
restart the pods again. And this can continue if the error persists.
Chaange-Id: I2a38b59789fd522e8163ff9b12ff847eb1fe2f3a
Change-Id: Ica456ef6c5bec2bd29f51aaeef7b5ce5e8681beb
Elasticsearch is TLS enabled. Prometheus-elasticsearch-exporter
needs to be configured to use cacert when communicating with Elasticsearch.
Change-Id: I4a87226fed541777df78733f3650363859ff01b8
The version of helm 2 that OSH has been using was older and seems
to have been removed from the googleapi repo that the jobs are
setup to use, this was causing job failures.
This change updates the version to the latest v2 release.
Change-Id: I675f539b24ea9c2355ac9eacc7dd8122c5236e5f
This chart creates a cronjob which monitors the expiry of the
certificates created by jetstack cert-manager. It rotates the
certificates and restarts the pods that mounts the certificate
secrets so that the new certificate can take effect.
Change-Id: I492b5f319cf0f2e7ccbbcf516953e17aafc1c59f
- As it will be a security violation to mount anything under /var
partition to pods , changing the mount propagation to HostToContainer
Change-Id: If7a27304507a9d1bcb9efcef4fc1146f77080a4f
This patch set adds a new Alertmanager dashboard to Grafana. Note
that a new configmap is created for this instead of using the
same configmap which includes all the dashboards. Using the same
configmap will eventually run into issue with configmap size limitation.
Change-Id: I10561c0b0b464c3b67d4a738f9f2cb70ef601b3d
This PS updates the mon-check reap-zombies python script to consider
the more recent Ceph changes, including the fact that there is now
a v1 and v2 backend. In addition, it executes the reap-zombies script
with the python3 binary, as the basic 'python' binary does not exist
in the container.
Change-Id: Id079671f03cc5ddbe694f2aa8c9d2480dc573983
This change updates the namespace-config chart to (optionally) create
RBAC rules allowing service accounts in the namespace 'use' access to an
existing Pod Security Policy in the cluster. The policy is specified as:
podSecurityPolicy:
existingPsp: name-of-existing-psp
This aligns with the PSP deprecation guidance provided to date [0],
which suggests easing the transition to the "PSP Replacement Policy" by
establishing the standard PSPs (Restricted, Baseline, and Privileged),
assigning a cluster-wide default, and binding more-permissive policies
as needed in certain namespaces.
[0] https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
Change-Id: I46da230abf822e0cc3553561fd779444439c34a7
Wherever possible, the ceph-provisioner containers need to run
with the least amount of privilege required. In some cases there
are privileges granted but are not needed. This patchset modifies
those container's security contexts to reduce them to only what
is needed.
Change-Id: I74bd31df4af5cacc26834e645b0816bf285e8428
Wherever possible, the ceph-osd containers need to run with the
least amount of privilege required. In some cases there are
privileges granted but are not needed. This patchset modifies
those container's security contexts to reduce them to only what
is needed.
Change-Id: I0d6633efae7452fee4ce98d3e7088a55123f0a78
This is to add check to find out empty ceph mon endpoint while
generating ceph etc configmap for clients.
Change-Id: I6579a268c5f4bc458120dda66667988e5a529ee9
This change adds /var/crash as a host-path volume mount for
ceph-osd pods in order to facilitate core dump capture when
ceph-osd daemons crash.
Change-Id: Ie517c64e08b11504f71d7d570394fbdb2ac8e54e
There is an additional error status 'Service Unavailable' which can
indicate the service is temporary unavailable. Adding that error
status to the retry list in case the issue is resolved during the
backup timeframe.
Change-Id: I9e2fc1a9b33dea3858de06b10d512da98a635015
This PS enables overriding liveness/readiness probes configurations
for libvirt pods via values.yaml. In addition, updating the values
for some of the fields of the probes as the default values seem to
be too aggresive.
Change-Id: I64033a1d67461851d8f2d86905ef7068c2ec43b6
Co-authored-by: Huy Tran <ht095u@att.com>
Change-Id: Ib10379829e2989d3de385ad6d1944565b2f9953f
This ps updates the following:
- Add preStop action to allow rabbitmq node a chance to more
graceful shutdown
- Add support for RABBITMQ_FEATURE_FLAG in preparation for
future 3.8.x upgrade.
Change-Id: I25d1e4fdb9dee370382e97a5a97b2b098f5ef11f
