Added capability in the podsecuritypolicy template to bind individual
serviceaccounts to clusterroles to enable enforcing psp at
serviceaccount level.
The idea is that the default psp can be tuned to be restrictive for all
serviceaccounts; and new psp, clusterroles, and clusterrolebindings are
defined to bind specific serviceaccounts or namespaces to permissive
podsecuritypolicies, based on the security requirements of a deployment.
Change-Id: I1b13c0e324b9a756a07d36b6e53786303f4a9f89
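
The binding pattern described in the commit message above, as an added example (plain Kubernetes manifests, not the chart's own template output). It assumes two PodSecurityPolicies named psp-restricted and psp-privileged already exist; those names, the ceph-osd serviceaccount and the ceph namespace are hypothetical.

```yaml
# Constructed example: restrictive PSP for every serviceaccount,
# permissive PSP for one named serviceaccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: psp-restricted-use}
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['psp-restricted']      # hypothetical restrictive policy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: psp-restricted-default}
subjects:
  - kind: Group                            # built-in group: all serviceaccounts
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: psp-privileged-use}
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['psp-privileged']      # hypothetical permissive policy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: psp-privileged-ceph-osd}
subjects:
  - kind: ServiceAccount                   # only this serviceaccount gets the permissive policy
    name: ceph-osd
    namespace: ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-privileged-use
```

PodSecurityPolicy was removed in Kubernetes 1.25, so this pattern applies only to clusters that still serve the policy/v1beta1 API.
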
This change adds in a helm test to properly test cinder functionality
in the openstack-support zuul check.
Change-Id: Ie4b2b8ef9e56e9745c58ce6dc8858f5f90057b96
Sometimes it is necessary to use CLI clients other than `openstack`,
or older versions of those, in bootstrap/other scripts that do not
understand the OS_INTERFACE env var, and instead use the
OS_ENDPOINT_TYPE var (and --os-endpoint-type CLI arg) for the same
purpose.
An example is the `neutron` command from the python-neutronclient package.
Change-Id: I0fb7d1e9612391e8632d775b91848d3c834b9bd2
This patch currently breaks cinder helm test in the OSH cinder jobs
blocking the gate. Proposing to revert to unblock the jobs.
This reverts commit f59cb11932e30bb607a580c976871cdecd7a714c.
Change-Id: I73012ec6f4c3d751131f1c26eea9266f7abc1809
Currently OSDs are added by the ceph-osd chart with zero weight
and they get reweighted to proper weights in the ceph-client chart
after all OSDs have been deployed. This causes a problem when a
deployment is partially completed and additional OSDs are added
later. In this case the ceph-client chart has already run and the
new OSDs don't ever get weighted correctly. This change weights
OSDs properly as they are deployed instead. As noted in the
script, the noin flag may be set during the deployment to prevent
rebalancing as OSDs are added if necessary.
Added the ability to set and unset Ceph cluster flags in the
ceph-client chart.
Change-Id: Iac50352c857d874f3956776c733d09e0034a0285
This hook is enabled for post-delete and pre-upgrade triggers.
The indices deleted by this hook are Kibana's meta indices
- .kibana
- .kibana_1
- .kibana_2
etc
This is done to get around https://github.com/elastic/kibana/issues/58388
which sometimes prevents Kibana deployments from upgrading successfully.
Change-Id: I99ccc7de20c6dadb5154e4bb714dfd302a694a78
This PS adds helm-toolkit snippet in deployment spec to support
update strategy driven by values.yaml.
Change-Id: I49616abd1bbaf3930a70c0734b5c3b7ef34a9391
This adds three new variables:
- skip_queues is for ability to skip metrics for some queues
- include_queues is the opposite parameter for precise setup
- rabbit_exporters is for ability to enable/disable exporter modules
Change-Id: Ia81a9921be6c14ec2035009fd164aab4c912f328
This patchset adds a cinder deployment to the openstack-support
check in order to deploy a service that further exercises ceph
in Zuul.
Change-Id: I722049016d15c5297fdc9666c4472a1c884a7b68
The PS adds kubernetes tolerations for deployments from ceph-client,
ceph-mon, ceph-provisioners and ceph-rgw charts.
Change-Id: If96f5f2058fca6e145e537e95af39089f441ccbb
Initial commit with bootstrapping non-voting configuration
for yamllint. Yamllint checks will be switched from 'warning'
to 'enabled' in subsequent commits together with code adjustments.
Change-Id: Ie372cb9fefb310bd044b4b03064e183f0c8c003b
In a catastrophic scenario where grastate.dat cannot be found, it is
better to raise an exception rather than masking it with some
default values that may not be correct. This should now just cause
the pod to crashloop rather than silently failing - potentially allowing
other problems (e.g. bad images) to be exposed.
Change-Id: I4ff927dd85214ea906c20547b020e3fd7b02e2d5
Signed-off-by: Tin Lam <tin@irrational.io>
To meet CNTT certification test requirements, added a few Ceph RGW
configuration properties: rgw_max_attr_name_len,
rgw_max_attrs_num_in_req, rgw_max_attr_size, rgw_swift_versioning_enabled.
Change-Id: Ia92a6f25147270de010cf0feba0cbdabad05459b
Signed-off-by: James Gu <james.gu@att.com>
When force is yes, the get_url module will download the file
every time and replace the file if the contents change, so it's
not necessary to remove jq before getting it.
Change-Id: I7337afecd1f9d7c66da46bff433016a39fd9ef7a
overrides
This allows for customizing the
indexes required by different deployment targets instead of
assuming all indexes are common for every type of deployment.
Change-Id: Iae9a35462400f7c8612ee7d0b49bfd6a20d3120c
This change updates the Elasticsearch chart for compatibility with
the latest version of the Elasticsearch exporter. There are some
breaking changes between v1.0.1 and v1.1.0 - mainly with how arguments
are handled by the program.
All of the configuration options currently available are now exposed
in values.yaml
Change-Id: I8c71d5f6ed4a8360ad886338adb8ad63471eefd1
In 0.30.0 (busybox inside) the "find" tool doesn't support the
"writable" option, so use "perm" instead. Also get rid of
several system calls by doing everything in one command.
Change-Id: Ia4f7bc01fb61f4f32c21c50d8c4e870d0244c868
The PS adds the possibility to override the device class through
the key in values.yaml. Motivation: in some cases the device driver
provides incorrect information about the type of device and
automatic detection sets an incorrect device class.
Change-Id: I29eb2d5100f020a20f65686ef85c0975f909b39d
This patchset adds the ability to define an elasticsearch account to
use for remote logging and centralized logging functions
Change-Id: Iec61a130db6d94218893d3544e5a82c8ca04055b
Some infra charts still have old ocata xenial images as default. This
should bring them up to date with the OSH charts.
Change-Id: If8454b6d0fe52387bf6327501ee4ff87f56e87b8
Signed-off-by: Tin Lam <tin@irrational.io>
By tying the fluent configuration to the release, it will be re-rendered
if the release is upgraded. This is useful in combination with [0], allowing
powerful configuration updates using helm upgrade. For example:

Values:
  .Values.pod.env.fluentd.vars.OUTPUT_ENABLED: true

fluent.conf:
  ...
  {{- if .Values.pod.env.fluentd.vars.OUTPUT_ENABLED }}
  <match **>
    # Output Configuration here
  </match>
  {{- end }}

To disable this output section, issue a helm upgrade command and set the
appropriate value to false.

  helm upgrade fluentd ./fluentd --set pod.env.fluentd.vars.OUTPUT_ENABLED=false

[0] https://review.opendev.org/#/c/726880/
Change-Id: I3dce9e5c4eaf588569e8cc3e1ea3cf3bebd0c3c5
This patchset introduces the framework which all OSH-based database
systems can use to back up and restore their databases. The framework
is refactored from the Postgresql backup and restore logic. This will
prevent a lot of code duplication in the backup restore scripts across
each cluster.
In the process, some improvements needed to be made:
1) Removing the need for 2 separate containers to do the backup
and restore work to a remote gateway. This simplifies the design
and enables a higher level of robustness.
2) Adding separate "days to keep" config value for remote backup files,
as there may be different requirements for the remote files than the
local backup files.
3) Adding capability to send Storage_Policy when creating the remote
RGW swift container.
4) Making coding style improvements for readability and maintainability.
5) Fixing a deployment bug that occurs when remote backup is disabled.
Change-Id: I3a3482ad67320e89f04305b17da79abf7ad6eb45