This PS remvoes the stable helm repo, if present, to improve the
build time of patches.
Change-Id: Id6ec86e5ff426994b12adf4ca8e80eda2e52f147
Signed-off-by: Pete Birley <pete@port.direct>
This adds '|| true' to the curl command for gathering metrics from
prometheus exporters in the postrun job. After the move to
minikube for single node jobs, the headless services for the
kubernetes components no longer work as intended. The addition of
'|| true' allows the post run job to continue through the list
of services tied to the prometheus exporters without the task
failing outright
Change-Id: I56f0f56b799c3df9b2bd66a2c2044d71473606e3
This updates the registry chart to include the pod
security context on the pod template
This also adds the container security context
Change-Id: I36b6a2cf291dda2f991843c07ba116f3bf936d03
This PS adds the security context macros to the ceph-client chart,
and moves the default to read-only-rootfs for all containers.
Change-Id: I2fe03f31cc59e1cda2bf0396ae6e3aca5c440a16
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the ceph charts to make /etc/ceph an emptydir
uniformly across all charts, both ensuring no default config is loaded,
and also permitting read-only filesystems to back the containers.
Additionally /run is uniformly applied across all long running pods
as a memory backed emptydir.
Change-Id: I00d1b15758b7eb4476fb950ddcb38db9a5149ad0
Signed-off-by: Pete Birley <pete@port.direct>
This PS fixes the use of the security context macros for the
calico chart.
Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates to use security context macros from HTK, in line
with other charts.
Change-Id: I5ca0af17eccc4856baef871cf199554aad075ebe
Signed-off-by: Pete Birley <pete@port.direct>
This adds a security context to the postgresql exporter, which
changes the pod's user from root to the nobody user instead
This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true
Change-Id: Ibe49f77ed2d0a588b5abe175318edd1c82a57cca
This PS improves the securityu options for the ovs-db pod
by specifying running as a non-root user, using read only
filesystems for the containers and also preventing
privilege escalation. A subsequent ps will move to use the
helm toolkit functions that allow the control of these params.
Change-Id: I94fbf5b851be68f6fb4a1f9809ad12776e8a80b3
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the helm test script to remove the rally user by
default following a test run.
Change-Id: I5a28244f8f8bd8ef485cb45cc922601d631adff1
Depends-On: https://review.openstack.org/#/c/643206/
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This updates the post-run pod logs task to gather logs from any
failed containers, allowing for identifying issues associated with
pods that fail to start in the gate jobs
Change-Id: I9195f319a064f84f62d2aa558df05f8f81b9abea
This updates the prometheus chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true
Change-Id: I2a3a4b77d9b25c086dc23b4fd66dca92872c422d
This reverts commit 244f177ecb2574e8984b8590655af491e49420b4.
removing readOnlyRootFilesystem flag since pods are running to "crashLoopBackOff" state by implementing HTK functionality
when we have set the readOnly flag at pod without HTK functionality the changes were not effected. That is why it passed the gate.
Change-Id: I6920956b881fa358a37003d21a7b76602e2ac61c
This reverts commit ab86685bea6df436c93220ce63900549c19effff.
removing readOnlyRootFilesystem flag since pods are running to "crashLoopBackOff" state by implementing HTK functionality
when we have set the readOnly flag at pod without HTK functionality the changes were not effected. That is why it passed the gate.
Change-Id: Iaa6b89a6a19e8f85d02bf6d06f45570469674d4f
This updates the Calico-etcd chart to include the pod
security context on the pod template
This also adds the container security context to set
readOnlyRootFilesystem to true
Change-Id: I10ff398d7a552d5287d841ca39c77ea097f7e67e
This reverts commit e20242fbdb3de6a2a7e42f2026937a4a17c88d09.
removing readOnlyRootFilesystem flag since pods are running to "crashLoopBackOff" state by implementing HTK functionality
when we have set the readOnly flag at pod without HTK functionality the changes were not effected. That is why it passed the gate.
Change-Id: I6027be601b4241b26b0fbc3c70c886714dac4a48
This adds ingress network policy for the fluent-logging, kibana
and Elasticsearch charts. This leverages the helm-toolkit template
that was used in openstack-helm for the openstack services
Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
This updates the ceph-provisioners chart to include the pod
security context on the pod template
This also adds the container security context to set allowPrivilegeEscalation
to false and readOnlyRootFilesystem to true
Change-Id: Iee49ffe17f2cd08fc978461269b654d3b2cb4406
This updates the tiller chart to include the pod
security context on the pod template
This also adds the container security context to set
allowPrivilegeEscalation to false
Change-Id: Ic0d87ba2e933444ebe8a6d59d7bb74aae81a051d
I believe when we have set the readOnly flag at pod without HTK functionality the changes were not reflected. That is why it passed the gate.
Later with HTK functionality the gates never passed and I have tested that in various ways and finally I had to unset the readOnly flag
This reverts commit 598040bea05737ea1ee2460ba8675ed7c061e63a.
Change-Id: Icf8d3cc60045926ab60b9735ee1e8202c15df9d5
