This adds a test for the podsecuritypolicy chart, as well as a script
to reconfigure minikube with PodSecurityPolicy enabled when appropriate.
This change doesn't add the PSP chart to the existing tests, because
the psp chart will have secure defaults in the future, which may
interfere with other charts by default; and it doesn't enable the
admission controller broadly, because turning the AC on without
providing a podsecuritypolicy will break k8s functionality.
Change-Id: I9fd14bb118189cd4ead177b79e39aadbc2096b4a
This updates the logging format and configuration for the apache
reverse proxies used for elasticsearch, kibana, nagios and
prometheus to enable logging of the remote clients used to access
these services
Change-Id: Id07e4294ea18203fbb890b78424a232c2d59cb82
The current gnocchi chart doesn't purge the resources/metrics for
the deleted openstack resources. This commit adds a cron job to
periodically purge the deleted resources data from gnocchi database.
By default, the cron job runs daily and purges the deleted resources with
their associated metrics which have lived more than 1 day.
Change-Id: Id45b92b91bb7668b35c3b5a7379283de51a1256a
Story: 2005016
Task: 29494
Signed-off-by: Angie Wang <angie.wang@windriver.com>
Currently there is a bug in the beast code that makes it fail
during the initial lookup for a keystone user map. For the time
being we will continue to use civetweb when keystone is present
until this issue is resolved.
Change-Id: I56bcd77f38adb3763d35f46443c1403816d1dcea
This removes set -x from the templates for the user creation
scripts for the mariadb and postgresql user templates, and it
also removes the set -x from the helm-toolkit job for creating
s3 users. This prevents sensitive credentials from being
displayed to the console when these scripts are run
Change-Id: I0a78d8190fbbae1b300b74ca560d76dedaaf6fc1
This updates daemonsets and deployments from extensions/v1beta1 to
apps/v1. These templates were either missed or overlooked when
added, and this change brings them up to the same api version used
for all other daemonsets and deployments
Change-Id: I6d2aba7791ad5eabd23785c01aed01d4f8e53d39
There is no "make {package}" line in 030-ceph.sh file.
It causes a failure to execute the shell script.
Change-Id: If787abd7711a02313b6a2acae8a888b5609f27df
This PS updates the pod security context snippet to support
a more sane values layout.
Change-Id: Id25441802a23e2dd00ad656cec2428432359dbe5
Signed-off-by: Pete Birley <pete@port.direct>
DELETECOLLECTION for some things like namespaces can be very slow. As
it's not critical it should be safe to ignore it.
Change-Id: I513b2af45b703a73d20a98a7a770776632ae4b39
This adds the required services to the openstack-support job to
deploy ceph radosgateway with keystone auth enabled. This expands
coverage for radosgateway helm tests in the openstack-helm-infra
repository
Change-Id: I3a5505ad3d3400563694ef063b4e6777ba34c414
This PS increases the feedback given by the rabbitmq test pod.
Change-Id: If8aa713017eccaf100c6186cd569a6a0f4b021e9
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves the readiness check to simply checking if the amqp
port is open, both simplifying it and also correctly indicating if
the process is ready to serve requests.
Change-Id: I38416c8bf3b242fa344875da13f81e5bbc1983c7
Signed-off-by: Pete Birley <pete@port.direct>
This PS fixes the k8s prod security context example.
Change-Id: I1b1d6875dda852bebb428708d4acf9c460360510
Signed-off-by: Pete Birley <pete@port.direct>
This updates the kubernetes version used when deploying via
kubeadm to v1.12.2, which matches what is deployed via minikube
for the single node jobs
This required updating the apiVersion in the kubeadm configuration
file template, as well as removing the --cadvisor-port flag from
the kubelet args, as this has been removed entirely
Change-Id: I26573de35529ce44e91e6d4d4530f608b8cee476
This updates the network policy test that gets executed at the
conclusion of the network-policy job. As long as nsenter is used,
we need to account for situations where nsenter executing wget
fails due to invalid credentials. Since this validates the policy
successfully allows ingress traffic while still exiting with an
error code (6 for invalid credentials vs 4 for connection
timeouts), we should consider those scenarios successes.
This also updates the flags used for wget. Instead of using spider
mode, this enables flags for: recursive mode, not creating
directories, and deleting results after execution. This allows for
the testing of exporter endpoint paths explicitly.
Change-Id: I2d51e8ed5a153c2a6796e0df9b3fe5f710a947f9
Image files could contain whitespace after carriage return and newline
characters; patch excludes "*.png" files from openstack-helm-lint job.
Change-Id: I6aef5f2f34637f018fd56a3bb8121d5829c600a2
The change that modified the output configurations for fluentd
accidentally removed the type_name from the default elasticsearch
output, which prevents the output from using the fluent template
that's defined in the chart. This replaces the type_name for that
output
Change-Id: I2098ca8c243d55f0446ea623a80b5b40e3acff8c
This change adds a job to the Grafana chart that allows for the
changing of the grafana admin user password if required, as
Grafana only allows the changing of this password via the
grafana-admin CLI or via an http call that requires both the old
and new password
Change-Id: I59a5d26edc4aa4da16e80c5454ecdebbae3a1d15
This executes the helm tests for the single node jobs in
openstack-helm-infra for rabbitmq, elasticsearch, fluent-logging,
prometheus, and grafana.
Change-Id: I0109cfbe6adeb9e24d513c8313d964323634b8da
This implementation is to add a readiness probe to the ovs-db pod.
The goal is to check if the db.sock is connected by executing the ovs-vsctl
command to list the Open_vswitch configuration table.
Change-Id: Idd4382d95d07ffff94a30bcb7ac132b88e9d6de1