This change adds egress rules to the following charts:
- ingress
- memcache
- libvirt
- rabbitmq
These rules will be tightened down in future changes.
Change-Id: I6f297d50ca4c06234c7c79986a12cccf3beb5efb
This adds support for configuring fluentd's update strategy when
deployed as a daemonset, as this was previously missed when
the changes to support both daemonsets and deployments were made.
Change-Id: I5ac4fbfc0e64caaf207de42cd71c893f8d0f6ff1
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the Fluentd deployment template to use the helm
toolkit util for generating environment variables through the
chart's values.yaml. This adds flexibility in defining fluentd
outputs, as arbitrary environment variables can be injected and
consumed in fluentd's filters and outputs.
Change-Id: I72a2c476378cc555bde1387781b4a06f13b51bc6
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the fluentd chart to add support for leveraging a
Kafka output. This required adding a kafka endpoint entry to the
chart's values.yaml, as well as the required template updates to
the fluentd deployment template and the addition of a secret for
kafka credentials.
Depends-On: https://review.opendev.org/#/c/679297/
Change-Id: I80a487a0538f0b3704fb598da38c07feedaccb0e
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the grafana and nagios helm test pod templates to
use the internal endpoints for their selenium tests instead of the
public endpoints when defined.
Change-Id: I1138cb29a808894d3339bc1b07c3a60804b9546f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS adds the ability to attach a release uuid to pod objects.
Implements: Ability to attach release_uuid to ephemeral pods
Change-Id: I0ebade75e18eced99fe16ba434558264b1793e88
This is to fix a name conflict for the configmap name "ceph-osd-default" when
we try to create multiple osd releases, as every release tries to create a configmap
with the same name.
We could add the release name here, but that will be a problem for sites deployed with
the current logic, as the upgrade will delete old daemonsets and create new ones, so all osd
pods get recreated at the same time. Getting this from values gives us the
flexibility to install multiple osd releases without affecting currently deployed
sites.
Here is the error if we try multiple osd releases with current logic:
2019-08-27 13:54:16.690 41 ERROR armada.handlers.tiller [-] [chart=ceph-osd-sde]:
Error while installing release ceph-osd-sde: grpc._channel._Rendezvous: \
<_Rendezvous of RPC that terminated with:
status = StatusCode.UNKNOWN
details = "release ceph-osd-sde
failed: configmaps "ceph-osd-default" already exists"
Change-Id: Ibe84582b9ba04c6cbf611e943ecd0a7149c5ab2f
This commit fixes a small issue with Patroni where sometimes pg_rewind
would fail due to limitations in Postgres 9.5. To combat pg_rewind
failures, we can enable remove_data_directory_on_rewind_failure, which
will clean up the data directory on the pod and recreate it as a
replica so that the pod can restart from fresh, rather than churning in
an error state. This commit also sets
remove_data_directory_on_diverged_timelines to give Patroni a greater
ability to combat timeline divergence errors.
Change-Id: Ic9f75dbfa0dd990e2b215ed204e55cd67a5d1159
- Allow configuration of the termination grace period
for the Patroni pod with a default of 180s to ensure
the database has time to gracefully spin down, even
on slow disk.
Change-Id: I420cbd601bbffa50217b717bd4a636d48d324617
The PS allows running the tests when both options (rgw_ks and rgw_s3)
are enabled at the same time.
Change-Id: I262baa38b7c65ff9335a3db6a6e2a454c3ff3f5f
This PS moves to drive all mariadb config via the values fed
to the chart.
Change-Id: I4ed3624737af4d5c90b1b5de451a0a0b75a5eda1
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the wsrep_provider_options to define the timeouts
explicitly for evs.suspect_timeout and gmcast.peer_timeout. Their
defaults are PT5S and PT3S respectively, which are increased by
a factor of approx 5 to accommodate network instability that may
occur during node outage events.
Change-Id: Ie5cdd06d91299e5e2632b70cb9b50a7ad14f62b1
Signed-off-by: Pete Birley <pete@port.direct>
This commit enables overriding liveness/readiness probes
configurations for openvswitch pods from values.yaml.
Change-Id: I4ec2b9e88bf8ed57e8ac9293f333969b63cef335
This change makes rabbitmq container run with the rabbitmq user
instead of the root user. As the rabbitmq user doesn't have write
access to the '/run' directory, the templates are updated to use the
'/tmp' directory instead, which the rabbitmq user has write access
to.
Change-Id: Ia35c3f741fefe3172c93bb042bf8d26bf7672cfc
This disables the cephfs provisioner in the multinode
periodic jobs. It seems the helm tests for the ceph
provisioner chart that test cephfs fail more often than
not in the multinode jobs while passing reliably in the
single node check and gate jobs. As cephfs is still
gated, disabling the cephfs provisioner in the periodic
jobs allows for further investigation into this issue
without causing potential regressions.
Change-Id: I36e68cc2e446afac8769fb9ab753105909341f24
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Systemd units run as the root user by default; however, environment
variables in spawned processes are not populated for the root user
unless "User=root" is specified for a particular unit [0]. This change
adds the "User=root" declaration to the Kubelet systemd unit so that
Kubelet will look in the root user's home directory for Docker
configuration information. Without this change, Docker configuration
information, such as authentication keys for private repositories, is
ignored by Kubelet even though the Docker daemon honors them.
[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Environment%20variables%20in%20spawned%20processes
Change-Id: I209de0f4f04c078d39b1e8bf18195e51e965cbf3
Signed-off-by: Drew Walters <andrew.walters@att.com>
Added new X-Content-Type-Options: nosniff header to make sure the browser
does not try to detect a different Content-Type than what is actually
sent (can lead to XSS).
Added new X-Frame-Options: sameorigin header to protect against
drag and drop clickjacking attacks in older browsers.
Added new Content-Security-Policy: script-src self for implementation.
Added new HTTP Security header X-XSS-Protection: 1; mode=block to
sanitize the page; when an XSS attack is detected, the browser will
prevent rendering of the page.
Change-Id: Ic79bbb96484a7f1a497c001883783338fd26a47a
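Added example, not part of the openstack-helm-infra change above: a small check that parses a raw HTTP response header block and reports whether the four headers that commit introduces are present with the expected values. It accepts DENY as well as SAMEORIGIN for X-Frame-Options (a generalization of the commit's setting); the sample responses are constructed for illustration.

```python
# Verifies the security headers described in the commit above.
# Assumes a raw HTTP/1.1 response header block as input; samples are constructed.
from typing import Dict, List

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse an HTTP response header block into a dict keyed by lowercased name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def csp_script_src(policy: str) -> List[str]:
    """Return the source list of the script-src directive, or [] if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return [p.lower() for p in parts[1:]]
    return []

def check_security_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    h = parse_headers(raw)
    findings: List[str] = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-frame-options", "").lower() not in ("sameorigin", "deny"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    src = csp_script_src(h.get("content-security-policy", ""))
    # A script-src that is absent, wildcarded or allows inline script is not restrictive.
    if not src or any(s in ("*", "'unsafe-inline'", "data:") for s in src):
        findings.append("Content-Security-Policy lacks a restrictive script-src")
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")
    return findings

# Constructed sample responses: one hardened as in the commit, one weak.
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
            "X-XSS-Protection: 1; mode=block\r\n\r\n<html></html>")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Content-Security-Policy: script-src *\r\nX-XSS-Protection: 0\r\n\r\n")

if __name__ == "__main__":
    print("hardened:", check_security_headers(HARDENED) or "all checks passed")
    print("weak:", check_security_headers(WEAK))
```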
This updates the Minikube deployment to patch the tiller-deploy
service to add a port definition for the http (44135) port for
tiller, which is used to expose metrics for Prometheus to scrape.
Change-Id: I2eb5d4001c37935674ce64012b2744030addc127
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This removes the artifacts associated with images for libvirt,
mariadb, and vbmc from openstack-helm-infra as these images now
live in openstack-helm-images.
Change-Id: I5c97d2db89068c71ec1a56a5ac17007682711182
Signed-off-by: Steve Wilkerson <sw5822@att.com>
- Change the Postgres configuration to use x509 client
certs for authenticating the connections for replicating
between Patroni nodes. This is a straightforward solution
for supporting credential rotation for the replication user.
Password authentication is problematic due to the declarative
nature of helm charts and requiring an existing replication
connection to replicate the rotated password.
Change-Id: I0c5456a01b3a36fee8ee4c986d25c4a1d807cb77
This PS updated the reset node function to leave the assets generated
via init containers in place when resetting the node.
Change-Id: Iac52ca82e95bb372dbcbca0eeea3b262215e9c12
Signed-off-by: Pete Birley <pete@port.direct>
This adds a cron job to manually verify all snapshot repositories
are registered to any active master and data nodes. This is to
address scenarios where master and data nodes do not have the
desired snapshot repositories registered following node outages
or reboots.
Change-Id: Ie6f42e95c3ca4dc2ec70f2852a2bde11e59ec097
Signed-off-by: Steve Wilkerson <sw5822@att.com>