Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.
Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.
Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
This commit rewrites lint job to make template linting available.
Currently yamllint is run in warning mode against all templates
rendered with default values. Duplicates detected and issues will be
addressed in subsequent commits.
Also all y*ml files are added for linting and corresponding code changes
are made. For non-templates warning rules are disabled to improve
readability. Chart and requirements yamls are also modified in the name
of consistency.
Change-Id: Ife6727c5721a00c65902340d95b7edb0a9c77365
Use nginx-ingress-controller:0.32.0 and change user to 101
intead of 33 which is suported by this image.
Change-Id: I38679e350ec352f13074055b7e08b98df1090fbf
In 0.30.0 (busybox inside) the "find" tool doesn't support
"writable" option, so use "perm" instead. Also get rid of
several system calls by means of make all by one command.
Change-Id: Ia4f7bc01fb61f4f32c21c50d8c4e870d0244c868
Some infra charts still have old ocata xenial images as default. This
should bring them up to date with the OSH charts.
Change-Id: If8454b6d0fe52387bf6327501ee4ff87f56e87b8
Signed-off-by: Tin Lam <tin@irrational.io>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.
Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
nginx-ingress-controller 0.26.1 introduces configurable parameters for
streamPort and profilerPort, and changes the default for statusPort.
This change allows those parameters to be configured, while maintaining
compatibility with earlier versions of nginx-ingress.controller. It also
modifies the default status port value from 18080 to 10246.
Reference: https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0261
Change-Id: I88a7315f2ed47c31b8c2862ce1ad47b590b32137
k8s 1.14 first enabled Ingress in the networking.k8s.io/v1beta1 API
group, while still serving it in the extensions/v1beta1 API group. The
extensions/v1beta1 API endpoint is deprecated in 1.16 and scheduled for
removal in 1.20. [0]
ingress-nginx 0.25.0 actually uses the networking.k8s.io/v1beta1 API,
which requires updated RBAC rules. [1]
This change updates the ClusterRole used by the ingress service account
to grant access to Ingress resources via either the extensions/v1beta1
or networking.k8s.io/v1beta1 API, aligning with the static manifests
from the kubernetes/ingress-nginx repo [2]. It does not change the
apiVersion used when creating Ingress resources.
[0] https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
[1] https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.25.0
[2] 870be3bcd8/deploy/static/mandatory.yaml (L50-L106)
Change-Id: I67d4dbdb3834ca4ac8ce90ec51c8d6414ce80a01
When the ingress pod (in routed mode, using a managed vip) moves from
one host to another, it is sometimes observed that: 1. the vip interface
is not removed on the original host, and 2. in some network topologies,
the switch fabric is unable to find the new pod.
This change updates the ingress deployment as follows:
Adds a 5s sleep before the shutdown of the ingress container in order to
allow the preStop action of the ingress-vip container to run completely.
Updates the start action of the ingress-vip-init container to check if
the vip is part of an existing connected subnet, and if so, sends a few
gratuitous ARP messages to let the switch fabric to build its ARP cache.
Change-Id: I784906865358566f42157dc2133569e4cb270cfa
This updates the ingress objects to move them back to the
extensions API. While 1.16 moves them under the networking
api, they're still rendered and deployed as extensions/ objects.
This move prevents issues from arising where older versions of
kubernetes might still be deployed during an upgrade, as the
move to the networking API is nonfunctional at this time
Change-Id: I814bbc833b5b9f79f34aefc60b9c1f9890bca826
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This updates the kubeadm and minikube Kubernetes deployments to
deploy version 1.16.2
Change-Id: I324f9665a24c9383c59376fb77cdb853facd0f18
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This change adds network policy overrides for multiple infra
services for the openstack-helm network policy gate.
Change-Id: If051ec1749cb9ed1e289f0cf82a8876371e36531
This change adds egress rules to the following charts:
- ingress
- memcache
- libvirt
- rabbitmq
These rules will be tightend down in future changes
Change-Id: I6f297d50ca4c06234c7c79986a12cccf3beb5efb
This PS cleans up the container dir entirely on container restart,
as sometimes remnets of previous runs can cause issues.
Change-Id: I873667a8a57bca6096cbe777ee83ef8648a368d4
Signed-off-by: Pete Birley <pete@port.direct>
Currently, we are getting `bind-address: null` in ingress-conf for ingress pod in kube-system namespace
In that case, nginx starting on 0.0.0.0:80 which breaks other ingress controllers, such as maas-ingress.
All further ingress controllers can't start because they can't bind on 80 port.
Change-Id: Ie7e9563bf14fe347969bea0d3c900c8d87d06de0
Added new HTTP Security header Content-Security-Policy:self to make
sure the browser does not allow any cross-site scripting attacks.
Added new HTTP Security header X-Permitted-Cross-Domain-Policies:none
To prevent web client to load data from the current domain.
Added new HTTP Security header X-XSS-Protection:1 mode=block to
sanitize the page, when a XSS attack is detected, the browser will
prevent rendering of the page.
Change-Id: Ief137738f4b793f49f3632e25339c6f49492fd80
This updates the helm version from 2.13.1 to 2.14.1
Change-Id: I619351d846253bf17caa922ad7f7b0ff19c778a2
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS updates the ingress controller configmap to be valid with
k8s schema validation turned on.
Change-Id: Ibbc82be62398ee63eb353aa58f1ebdf98e66b30d
Signed-off-by: Pete Birley <pete@port.direct>
When there are multiple keepalived instances in same network space,
equal keepalived router-ids cause conflict (now default router-id number
is 100). So we have to specify keepalived's router_id for VRRP peering.
This commit make keepalived route-id configurable, so that we can
prevent keepalived conflict caused by default keepalived router-id.
Change-Id: Ia92a8b64205ab52ad15237e9fdeaacb61aae6400
This PS cleans the prometheus-nginx.socket on startup of the container,
which is required to allow the container, as opposed to the pod, restart.
Change-Id: I7906e85a200f6fb92467371218b4e5957add39f4
Signed-off-by: Pete Birley <pete@port.direct>
This updates the etcd chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem to true
Change-Id: I9bf05ab5c21f9afbe269e1566cfecd20b3c086c0
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.
This should fix it.
Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.
Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
Provide overrides for openSUSE images where those are available.
Currently for the ingress chart these are only the neutron images.
Change-Id: I37b220592f39c266e7812371ea8e5500fb393a9f
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
