This begins building documentation for the LMA services included
in openstack-helm-infra. This includes documentation for: kibana,
elasticsearch, fluent-logging, grafana, prometheus, and nagios
Change-Id: Iaa24be04748e76fabca998972398802e7e921ef1
Signed-off-by: Steve Wilkerson <wilkers.steve@gmail.com>
This updates the Elasticsearch image used for s3 bucket creation
to use the same ceph daemon image used in the ceph-rgw chart now
that the Mimic release is supported
Change-Id: I416a283b8ac41f6b360d20aac1be8374c07badcd
Change the release of Ceph from 12.2.3 (Luminous) to latest 13.2.2
(Mimic). Additionally use supported RHEL/Centos Images rather then
Ubuntu images, which are now considered deprecated by Redhat.
- Uplift all Ceph images to the latest 13.2.2 ceph-container images.
- RadosGW by default will now use the Beast backend.
- RadosGW has relaxed settings enabled for S3 naming conventions.
- Increased RadosGW resource limits due to backend change.
- All Luminous specific tests now test for both Luminous/Mimic.
- Gate scripts will remove all none required ceph packages. This is
required to not conflict with the pid/gid that the Redhat container
uses.
Change-Id: I9c00f3baa6c427e6223596ade95c65c331e763fb
This updates the helm-toolkit manifest template and scipts for
creating an S3 bucket and linking it to a user. This moves away
from the previous python implementation that used rgwadmin, and
instead uses s3cmd for a cleaner approach that can support more
recent versions of ceph
Change-Id: I305062a5daa063bfe21a12448d7a3957bca00bf4
This removes unused pod-etc-apache volumes from the charts that
use an apache sidecar container as a reverse proxy.
Change-Id: Ibafff3b53f9d3c20f5aed30d40ee6470cb515a8a
This adds the container security context to grafana, which
explicitly sets allowPrivilegeEscalation to false
Change-Id: I3723a0c96699b9a517dafa2df08bf8cc916bf117
This adds a security context to the openstack exporter, which
changes the pod's user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: Ie3f105ee8b489f7641b5b7256a2023ae35257343
This adds a security context to the mysql prometheus exporter pod,
which changes the user from root to the nobody user (uid 99 here)
instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: I5ddebb059e3c31c231fdc4c24190a65f23e37785
This adds the security context to the memcached prometheus
exporter pod, which changes the default user from root to the
nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: I3401c1a67f17cef49a478be98f9ab42691b84d66
This adds a chart that will generate arbitrary Kubernetes
PodSecurityPolicy objects, and ClusterRoles to provide access to them.
It will also set up one (or zero) default bindings for generic
"categories" of subjects, as desired:
- serviceaccounts
- authenticated users
- unauthenticated users
The default values specify a highly permissive security policy that is
bound by default to serviceaccounts and authenticated users. The policy
is expected to be refined over time, and should be overridden by
operators per their workloads and security needs.
Change-Id: I69917217f85881b2627706abce66c7044b40a448
This adds the security context snipper to the alertmanager pod.
This changes the default user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: Ie4423c57e871a03ab4baea346ac777c9f2ca3e2e
This adds the security context snippet for the elasticsearch
prometheus exporter pod. This changes the pod's user from root to
the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: If692fccaf4dd362b28fecb4656036289a3a97122
This adds the security context snippet to the fluentd and
fluentd exporter templates. This changes the users for these two
pods from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: Ibf1da152f4aa78d425bbd00f514c2787d8ad9c5f
This updates the kube-state-metrics chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: I17748b299a6e7a394cae63a0e713c49fbf68b4eb
This PS fixes a typo in the cephfs provisioner name, which was being given the
same key as rbd to look for.
Change-Id: I84dc541a103fc61feb1998ab41edd602c17e2b6f
Signed-off-by: Pete Birley <pete@port.direct>
This updates the Grafana chart to include the pod security context
on the grafana pod. This changes the pod's user from root to the
grafana user instead
Change-Id: Id64853640f1941001b83566865defe93227b4291
Use Kibana REST API to create Kibana index patterns and set a default
index pattern.
Script calling Kibana REST API is executed using a Job, and the specific
index patterns are configurable in values.yaml.
Change-Id: I1ca6dd9609e6d62d1ce749ee09e1490d51659709
This adds an input to Fluentbit for capturing all qemu instance
logs in /var/log/libvirt/qemu/, and adds an Elasticsearch output
for those entries
Change-Id: I0802023f9861a5944e7989fd5469133c325349e7
- Split off duplicate code across multiple bash scripts into a common
file.
- Simplify the way journals are detected for block devices.
- Cleanup unused portions of the code.
- Standardize the syntax across all the code.
- Use sgdisk for zapping disks rather then ceph-disk.
Change-Id: I13e4a89cab3ee454dd36b5cdedfa2f341bf50b87
This modifies the libvirt chart to write logs directly to the
host by default. This also modifies the fluentbit and fluentd
charts to capture libvirt logs from the host and index them into
Elasticsearch
Change-Id: I0bbc49d2c0d4cf4895f797e48f309f308ffd021f
