We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.
This should fix it.
Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.
Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
This adds a basic egress policy to the charts run by the
network-policy check. A change was recently merged requiring
the eggress tag to be in the chart but did not add it, this
addresses that
Change-Id: I60669c9351db7854cba8c69723eb783a966d2a56
This updates the Curator image to use version 5.6.0, which adds
additional actions for use, such as the ability to shrink indices.
This also adds a separate configmap and config secret for Curator,
as this allows us to use separate configmap annotations on the
Elasticsearch component pods to prevent Curator config updates
from triggering recreation of Elasticsearch components. This helps
alleviate overhead associated with Elasticsearch service restarts.
Change-Id: I0aec7756b0dc09bc3981ede950dc88f821aeca4b
This updates the Elasticsearch chart to allow for setting the
heap size per node type instead of for all nodes equally. This
also adds the required environment variable to configure whether
a node is an ingest node. This is set to false, as suggested for
elasticsearch versions <= 6.x
This also removes the ES_PLUGINS_INSTALL environment variable as
it is not used for anything in the current charts
Change-Id: I9096774db46dcbcd48b8a5448f0510984bf4108f
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This reverts commit ab86685bea6df436c93220ce63900549c19effff.
removing readOnlyRootFilesystem flag since pods are running to "crashLoopBackOff" state by implementing HTK functionality
when we have set the readOnly flag at pod without HTK functionality the changes were not effected. That is why it passed the gate.
Change-Id: Iaa6b89a6a19e8f85d02bf6d06f45570469674d4f
This adds ingress network policy for the fluent-logging, kibana
and Elasticsearch charts. This leverages the helm-toolkit template
that was used in openstack-helm for the openstack services
Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
This indents the closing {{ end }} for the check for executing the
Elasticsearch test that checks the snapshot repositories
Change-Id: I77ebb1af7ee648cc9787665bfb81dfbb1a30663a
This adds the security context snippet for the elasticsearch
prometheus exporter container to set allowPrivilegeEscalation to false
and readOnlyRootFilesystem to true
Change-Id: Ia80aa9cfc837073fae0a884de5245764147d7ded
This adds a job that will query the Elasticsearch HTTP cat API to
determine whether the desired number of nodes have been discovered
via the Zen discovery mechanism to be included in the cluster.
This aims to address issues seen when upgrading Elasticsearch,
where the snapshot repository job may trigger due to endpoints
from older pods being present. This new job will be the dependency
required by the snapshot repository job to ensure the ES cluster
has the desired number of nodes before attempting to register a
snapshot repository or interact with the cluster
Change-Id: I94fbbfdec7ca66d04acca9558e56dca3b2bc7d52
This updates the dependencies for the Elasticsearch chart to be
more cautious before proceeding. For example, this updates the
dependencies for the register snapshot job to wait until all
ES components have registered endpoints, and also updates the helm
test pod to wait for all components to have registered endpoints
and the snapshot job to have completed
Change-Id: Ie4e92bba4ae33b33cadb921bdda91ceb813e29e1
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
This removes the insertion of test dummy data and the following
query for it from the Elasticsearch helm tests. Upon upgrades,
it's possible for Elasticsearch to refuse the direct insertion of
data due to shard reallocation and due to full bulk endpoint
queues. These refusals should not be seen as test failures
Change-Id: Id53d53a7aa2b58e64932d50ca3e7a4fb1141bb3a
This updates the script used to register the elasticsearch
snapshot repositories. It will first gather a list of all
currently registered repositories, then check for the existence
of each configured repository. If the repository exists, the job
will not attempt to register the repository again. If it doesn't
exist, the job will then register the desired repository
Change-Id: I2cfd3c44f1b2b4a54c9b07be79c2c87af77c540e
This begins to break out the various location paths for the
Elasticsearch apache-proxy virtual host. These include:
- Deny all access to the update document api
- Deny all access to the update by query api
- Deny all access to the delete by query api
- Prohibit the DELETE method on all document api endpoints
This helps ensure that documents can't be updated or deleted once
indexed into Elasticsearch
Change-Id: Iaa97a9f7699a47d13c25b9e2e4249c37c29e4559
This updates the logging format and configuration for the apache
reverse proxies used for elasticsearch, kibana, nagios and
prometheus to enable logging of the remote clients used to access
these services
Change-Id: Id07e4294ea18203fbb890b78424a232c2d59cb82
This PS udpates the default image in the chart to the latest OSH image.
Change-Id: Ib8d2a72ad48049fe02560dc4405f0088890b6f64
Signed-off-by: Pete Birley <pete@port.direct>
This updates the Elasticsearch image used for s3 bucket creation
to use the same ceph daemon image used in the ceph-rgw chart now
that the Mimic release is supported
Change-Id: I416a283b8ac41f6b360d20aac1be8374c07badcd
This updates the helm-toolkit manifest template and scipts for
creating an S3 bucket and linking it to a user. This moves away
from the previous python implementation that used rgwadmin, and
instead uses s3cmd for a cleaner approach that can support more
recent versions of ceph
Change-Id: I305062a5daa063bfe21a12448d7a3957bca00bf4
This removes unused pod-etc-apache volumes from the charts that
use an apache sidecar container as a reverse proxy.
Change-Id: Ibafff3b53f9d3c20f5aed30d40ee6470cb515a8a
This adds the security context snippet for the elasticsearch
prometheus exporter pod. This changes the pod's user from root to
the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: If692fccaf4dd362b28fecb4656036289a3a97122
This PS implements the helm toolkit function to generate the
Egress in kubernetes network policy manifest based on overrideable values.
It also enbale the K8s network policy at Osh-infra gate.
Change-Id: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
This adds a simple check to the Elasticsearch snapshot repo job
that will cause the job to fail if the repository isn't added
successfully
Change-Id: I9dca6ef545b43c52a37542319fa2f706b174c44b
This updates the Elasticsearch helm test to execute a clean on the
test index before attempting to create it, in cases where a
stranded test index may exist
Change-Id: I87533f94f6ea55b0b2f929543f8d3e75baa81bed
This removes the default Curator action configuration. As these
values will potentially be merged with any supplied overrides, it
could result in undesirable behavior. As a result, we should leave
the existing defaults commented out as a reference instead.
Change-Id: Idaf1dc8f3e476f1189058b69b841588a15deb7cd
This updates the fluentd buffer output configurations to account
for the restraints of the jobs deploying fluentd. This also
renames the fluentd configuration key from td_agent to fluentd to
reflect the fact we're no longer deploying td-agent
This also updates the Elasticsearch default replicas and overrides
the replica counts in each Elasticsearch deployment to account for
resource constraints
Change-Id: I55dee410eced99c3e1645f7452e4306ad646e601
This removes the fluentbit sidecars from the ceph-mon and ceph-osd
charts. Instead, we mount /var/log/ceph as a hostpath, and use the
fluentbit daemonset to target the mounted log files instead
This also updates the fluentd configuration to better handle the
correct configuration type for flush_interval (time vs int), as
well as updates the fluentd elasticsearch output values to help
address the gate failures resulting from the Elasticsearch bulk
endpoints failing
Change-Id: If3f2ff6371f267ed72379de25ff463079ba4cddc
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffics in the namespace. This can be used to ensure the
whitelisted network policy works as intended.
Additionally, implementation is done for some infrastructure charts.
Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This changes the image used for various jobs and helm tests in the
osh-infra charts. This replaces the kolla heat image with the loci
based heat image used for jobs and helm tests in openstack-helm in
order to drive consistency
Change-Id: Ie9deedadb7507282fe62723ec4641dd508040364
