Implement a pod security context for the following Memcached resources:
- Memcached server deployment
Change-Id: I8628ceb246e7c435a2ddd20bf1bcecd94db8ea26
This updates the script used to register the elasticsearch
snapshot repositories. It will first gather a list of all
currently registered repositories, then check for the existence
of each configured repository. If the repository exists, the job
will not attempt to register the repository again. If it doesn't
exist, the job will then register the desired repository
Change-Id: I2cfd3c44f1b2b4a54c9b07be79c2c87af77c540e
This begins to break out the various location paths for the
Elasticsearch apache-proxy virtual host. These include:
- Deny all access to the update document api
- Deny all access to the update by query api
- Deny all access to the delete by query api
- Prohibit the DELETE method on all document api endpoints
This helps ensure that documents can't be updated or deleted once
indexed into Elasticsearch
Change-Id: Iaa97a9f7699a47d13c25b9e2e4249c37c29e4559
This PS updates the kubernetes_pod_security_context snippet, and adds a
macro for container securityContexts
'kubernetes_container_security_context.
Change-Id: I8b9c7b72f836efaf6c9dc3ad20fd8462b0d06d77
Signed-off-by: Pete Birley <pete@port.direct>
- Make the default to run the postgres database as the uid 999 which
the default image maps to the 'postgres' user
- If the database is already initialized, before starting postgres
set the 'postgres' database user password to match the declared
intended password
Change-Id: I7b0ea7a86246b098f38ef4c03dd157731f61e066
This is to resolve name conflicts of reources in case of multiple
releases required for single deployment of ceph cluster
Change-Id: Ibee5550db788ea57879837b010e22a24240237bf
Remove overrides that are already set or raised higher in the
Mimic release of Ceph for RGW.
rgw_thread_pool_size is now by default using 512
objecter_inflight_ops is now also set to 24576 by default for RGW
Change-Id: I982f6bc08954864afa5ad29923707e1bf64ba9fa
This adds a test for the podsecuritypolicy chart, as well as a script
to reconfigure minikube with PodSecurityPolity enabled when appropriate.
This change doesn't add the PSP chart to the existing tests, because
the psp chart will have secure defaults in the future, which may
interfere with other charts by default; and it doesn't enable the
admission controller broadly, because turning the AC on without
providing a podsecuritypolicy will break k8s functionality.
Change-Id: I9fd14bb118189cd4ead177b79e39aadbc2096b4a
This updates the logging format and configuration for the apache
reverse proxies used for elasticsearch, kibana, nagios and
prometheus to enable logging of the remote clients used to access
these services
Change-Id: Id07e4294ea18203fbb890b78424a232c2d59cb82
This PS adds support for PostgreSQL DB initialization ie,
- DB creation
- user creation
- Setting password
- The password is being re-set everytime using "ALTER USER" to
enable password rotation to take effect.
- Grant privileges
Change-Id: I4f14ce44d7c6802d0b78ae6f64099b3707a48b33
The current gnocchi chart doesn't purge the resources/metrics for
the deleted openstack resources. This commit adds a cron job to
periodically purge the deleted resources data from gnocchi database.
By default, cron job runs daily and purges the deleted resources with
its associcated metrics which have lived more that 1 day.
Change-Id: Id45b92b91bb7668b35c3b5a7379283de51a1256a
Story: 2005016
Task: 29494
Signed-off-by: Angie Wang <angie.wang@windriver.com>
In templates/utils/_daemonset_overrides.tpl,
$context.Values.__daemonset_yaml is used cross the loop. It is not deep
copied in each round of loop. It means that the property set in the
previous round of loop will still exist in current loop. This is not
expected.
This patch is to make a deep copy in each round of loop.
Change-Id: I4e610e4acf67d92257f9d254546ec0b5b31609fe
This adds the security context to the
kubernetes-keystone-webhook. This changes the default
user from root to the nobody user.
This also adds the container security context to
explicitly set allowPrivilegeEscalation to false
Change-Id: I54621e94f2866a4b4301baa6b570472c5fcda291
Currently there is a bug in the beast code that makes it fail
during the initial lookup for a keystone user map. For the time
being we will continue to use civetweb when keystone is present
until this issue is resolved.
Change-Id: I56bcd77f38adb3763d35f46443c1403816d1dcea
We need to change from osh-infra to openstack
because ceph-openstack-config release runs in openstack namespace.
Change-Id: I28b57abf02d2437569c7c7c8d75ec8ba19d84311
This removes set -x from the templates for the user creation
scripts for the mariadb and postgresql user templates, and it
also removes the set -x from the helm-toolkit job for creating
s3 users. This prevents sensitive credentials from being
displayed to the console when these scripts are run
Change-Id: I0a78d8190fbbae1b300b74ca560d76dedaaf6fc1
This updates daemonsets and deployments from extensions/v1beta1 to
apps/v1. These templates were either missed or overlooked when
added, and this change brings them up to the same api version used
for all other daemonsets and deployments
Change-Id: I6d2aba7791ad5eabd23785c01aed01d4f8e53d39
There is no "make {package}" line in 030-ceph.sh file.
It causes a failure to execute the shell script.
Change-Id: If787abd7711a02313b6a2acae8a888b5609f27df
This PS updates the pod security context snippet to support
a more sane values layout.
Change-Id: Id25441802a23e2dd00ad656cec2428432359dbe5
Signed-off-by: Pete Birley <pete@port.direct>
DELETECOLLECTION for some things like namespaces can be very slow. As
it's not critical it should be safe to ignore it.
Change-Id: I513b2af45b703a73d20a98a7a770776632ae4b39
