Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
If labels are not specified on a Job, kubernetes defaults them
to include the labels of their underlying Pod template. Helm 3
injects metadata into all resources [0] including a
`app.kubernetes.io/managed-by: Helm` label. Thus when kubernetes
sees a Job's labels they are no longer empty and thus do not get
defaulted to the underlying Pod template's labels. This is a
problem since Job labels are depended on by
- Armada pre-upgrade delete hooks
- Armada wait logic configurations
- kubernetes-entrypoint dependencies
Thus for each Job template this adds labels matching the
underlying Pod template to retain the same labels that were
present with Helm 2.
[0]: https://github.com/helm/helm/pull/7649
Change-Id: I3b6b25fcc6a1af4d56f3e2b335615074e2f04b6d
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.
Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.
Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
1) Updated docker image for heat to point to Stein and Bionic
2) Enabled Apparmor Job for prometheus-openstack exporter.
Change-Id: I1ee8acb848ece3c334b087309d452d5137ea0798
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This change updates the prometheus-openstack-exporter
chart to pull an updated image which runs on python 3.
Co-Authored By: Bharat Khare <bk552w@att.com>
Depends On: https://review.opendev.org/686252
Change-Id: I4db500ba395b1d8417491bcde82be95a039eeb4f
This adds the affinity key to the pod spec for the grafana,
nagios, kube-state-metrics, and openstack-exporter charts as it
was previously missed
Change-Id: Ifefa88d7f33607b4d595effa5fbf72f3387e5081
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
This adds the container security context to set
readOnlyRootFilesystem to true and allowPrivilegeEscalation to false
Change-Id: I7b2f78b51b6ff219c371893f975a30fd89f1719b
This adds ingress network policies to kube-state-metrics and
openstack-exporter using the helm-toolikit template. It also
add openstack-exporter to the network policy jobs.
Change-Id: I3bfc2f1e8a35c09e577a046ebd52346de95e5745
This adds a security context to the openstack exporter, which
changes the pod's user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: Ie3f105ee8b489f7641b5b7256a2023ae35257343
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
In most cases, the ingress controller's nodeSelector key and value
are "node-role.kubernetes.io/ingress" and "true".
Using quote to treat the nodeSelector value as a string.
Change-Id: Ie1745629b90795e4d888d85f35565e6d6350e09b
This adds missing readiness probes to the following charts in
openstack-helm-infra: elasticsearch, fluent-logging, kibana,
nagios, prometheus-kube-state-metrics, prometheus-node-exporter,
and prometheus-openstack-exporter
Change-Id: I6a2635b08667c31eadb1b05ba848c658935a17e5
This PS moves to use the current ga version for kubernetes daemonsets,
additionally any remaining deployments that were using the
`extensions/v1beta1` have been updated to `apps/v1`.
Story: 2002205
Task: 21735
Change-Id: If9703162dc472af1e6096bf2b9062802fd5ce8ab
Signed-off-by: Pete Birley <pete@port.direct>
This moves the charts in openstack-helm-infra closer towards a
standard structure. It addresses multiple deviations, including:
missing resources for init containers, incorrect indents for
disabled resources in some charts, incorrect indents for volumes
and volumemounts added via values, missing resources for some
helm test templates, missing helm-toolkit image functions, and
moving the resource template declarations to be under the image
template declarations
Change-Id: I4834a5d476ef7fc69c5583caacc0229050f20a76
This ps proposes adding a common template for the image_repo_sync
jobs for consumption by the charts
Change-Id: I48476d1e4fd94bd1b08b13b46983e3d999f8d8ca
This ps adds more granular node selectors for the charts in osh
infra to match what is currently done in osh
Change-Id: I8957a95053b9fb3ea329fd37ff049cd223a7695d
This PS simplify the logic for dyanmicly merging the image management
depenencies into pod deps when active.
Change-Id: I0cf6c93173bc5fbce697ac15be8697d3b1326d0a
This PS moves existing dynamic common dependencies under a
'dynamic.common' key to simplify the yaml tree.
Change-Id: I4332bcfdf11197488e7bd5d8cf4c25565ea1c7b6
This PS moves static dependencies unser a 'static' key to allow
expansion to cover dynamic dependencies.
Change-Id: Ia0e853564955e0fbbe5a9e91a8b8924c703b1b02
Adds "helm-toolkit.utils.merge" which is a replacement for the
upstream sprig "merge" function which didn't quite do what we
wanted, specifically it didn't merge slices, it just overrode
one with the other. This PS also updates existing callsites
of the sprig merge with "helm-toolkit.utils.merge".
Change-Id: I456349558d4cf941d1bcb07fc76d0688b0a10782
There was a change in the upstream reference httpd image for
apache that changed how modules were built for apache.
This change adds the required fix to accomodate the change.
See isssue here https://github.com/docker-library/httpd/pull/87
The Elasticsearch image tag was updated to accomodate the kernel
versions used in the gate as part of the kernel update playbook
See https://github.com/elastic/elasticsearch/issues/28349#issuecomment-360233779
The openstack-exporter binary was changed to reflect changes made
to the openstack-exporter image
Change-Id: I1deb9e7cde794421dd33fade566c2a9fdb5007e6
This adds checks for the fields in the service annotations for
prometheus, similar to the checks made for the pod annotations.
It also moves prometheus annotations under a prometheus: key
under a top-level monitoring tree to allow for other monitoring
mechanisms independent of the endpoints tree
Change-Id: I4be6d6ad8e74e8ca52bd224ceddad785577bf6c7
This PS adds keystone user management to the prometheus-openstack-exporter
chart, and also performs some spring cleaning.
Change-Id: I69e40c523867f751ecd8c63169aefdfdf4eb5cd2
Removes an unused context declaration from the prometheus service
annotation template in helm-toolkit, and removes all references to
it
Change-Id: I57612c1504cf046f367ee10d26ef3062ebe528d3
This exporter provides a means for Prometheus to gather openstack
service metrics related to overlying openstack-helm deployments
Change-Id: I5f1789c62b4547add0c67edb51540f712bf43da8