This PS updates the ceph charts to make /etc/ceph an emptydir
uniformly across all charts, both ensuring no default config is loaded,
and also permitting read-only filesystems to back the containers.
Additionally /run is uniformly applied across all long running pods
as a memory backed emptydir.
Change-Id: I00d1b15758b7eb4476fb950ddcb38db9a5149ad0
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates to use security context macros from HTK, in line
with other charts.
Change-Id: I5ca0af17eccc4856baef871cf199554aad075ebe
Signed-off-by: Pete Birley <pete@port.direct>
This adds a security context to the postgresql exporter, which
changes the pod's user from root to the nobody user instead.
This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true.
Change-Id: Ibe49f77ed2d0a588b5abe175318edd1c82a57cca
This PS improves the security options for the ovs-db pod
by specifying running as a non-root user, using read only
filesystems for the containers and also preventing
privilege escalation. A subsequent PS will move to use the
helm toolkit functions that allow the control of these params.
Change-Id: I94fbf5b851be68f6fb4a1f9809ad12776e8a80b3
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the helm test script to remove the rally user by
default following a test run.
Change-Id: I5a28244f8f8bd8ef485cb45cc922601d631adff1
Depends-On: https://review.openstack.org/#/c/643206/
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This updates the post-run pod logs task to gather logs from any
failed containers, allowing for identifying issues associated with
pods that fail to start in the gate jobs.
Change-Id: I9195f319a064f84f62d2aa558df05f8f81b9abea
This updates the prometheus chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead.
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true.
Change-Id: I2a3a4b77d9b25c086dc23b4fd66dca92872c422d
This reverts commit 244f177ecb2574e8984b8590655af491e49420b4.
Removing the readOnlyRootFilesystem flag since pods are running into the "CrashLoopBackOff" state by implementing HTK functionality.
When we had set the readOnly flag on the pod without HTK functionality, the changes were not effected. That is why it passed the gate.
Change-Id: I6920956b881fa358a37003d21a7b76602e2ac61c
This reverts commit ab86685bea6df436c93220ce63900549c19effff.
Removing the readOnlyRootFilesystem flag since pods are running into the "CrashLoopBackOff" state by implementing HTK functionality.
When we had set the readOnly flag on the pod without HTK functionality, the changes were not effected. That is why it passed the gate.
Change-Id: Iaa6b89a6a19e8f85d02bf6d06f45570469674d4f
This updates the Calico-etcd chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem to true.
Change-Id: I10ff398d7a552d5287d841ca39c77ea097f7e67e
This reverts commit e20242fbdb3de6a2a7e42f2026937a4a17c88d09.
Removing the readOnlyRootFilesystem flag since pods are running into the "CrashLoopBackOff" state by implementing HTK functionality.
When we had set the readOnly flag on the pod without HTK functionality, the changes were not effected. That is why it passed the gate.
Change-Id: I6027be601b4241b26b0fbc3c70c886714dac4a48
This adds ingress network policy for the fluent-logging, kibana
and Elasticsearch charts. This leverages the helm-toolkit template
that was used in openstack-helm for the openstack services.
Change-Id: I2a89b62f1002851346e9a25de40113078e9c518f
This updates the ceph-provisioners chart to include the pod
security context on the pod template.
This also adds the container security context to set allowPrivilegeEscalation
to false and readOnlyRootFilesystem to true.
Change-Id: Iee49ffe17f2cd08fc978461269b654d3b2cb4406
This updates the tiller chart to include the pod
security context on the pod template.
This also adds the container security context to set
allowPrivilegeEscalation to false.
Change-Id: Ic0d87ba2e933444ebe8a6d59d7bb74aae81a051d
I believe that when we had set the readOnly flag on the pod without HTK functionality, the changes were not reflected. That is why it passed the gate.
Later, with HTK functionality, the gates never passed; I have tested that in various ways and finally I had to unset the readOnly flag.
This reverts commit 598040bea05737ea1ee2460ba8675ed7c061e63a.
Change-Id: Icf8d3cc60045926ab60b9735ee1e8202c15df9d5
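The settings the commits above keep revisiting (non-root pod user, allowPrivilegeEscalation false, readOnlyRootFilesystem true, and the emptyDirs for /tmp, /run and /etc/ceph that a read-only root filesystem needs) collected into one plain Kubernetes pod template. This is an added illustration, not a template from the openstack-helm charts, and it does not reproduce the helm-toolkit macros; the pod name, image, volume names and UID 65534 are assumed values.

```yaml
# Added illustration, not a chart from openstack-helm. Names, image and the
# UID are assumed values, not taken from any chart.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example
spec:
  # Pod security context: run as "nobody" (UID/GID 65534 on most images)
  # instead of root, and refuse to start if the image would still run as root.
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
  containers:
    - name: app
      image: example.invalid/app:latest   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      # With a read-only root filesystem every path the process writes to
      # must be backed by a volume. Leaving these mounts out while keeping
      # readOnlyRootFilesystem: true is what sends a pod into CrashLoopBackOff,
      # as the reverted commits above describe.
      volumeMounts:
        - name: pod-tmp
          mountPath: /tmp
        - name: pod-run
          mountPath: /run
        - name: pod-etc-ceph
          mountPath: /etc/ceph
  volumes:
    # Scratch space for /tmp, which most processes need for full operation.
    - name: pod-tmp
      emptyDir: {}
    # Memory-backed emptyDir for /run (pid files, sockets); never touches disk.
    - name: pod-run
      emptyDir:
        medium: Memory
    # Empty /etc/ceph, as the ceph charts do, so no default config shipped in
    # the image is loaded; the real config is mounted or written at runtime.
    - name: pod-etc-ceph
      emptyDir: {}
```

A quick check that the hardening actually took effect, rather than passing a gate by accident, is to exec into the running pod and confirm that writes outside the emptyDir mounts fail with a read-only filesystem error while writes to /tmp and /run succeed.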
This PS temporarily removes the mysql_upgrade logic as it breaks
mariabackup as currently implemented.
Change-Id: I1f74d104b004ddb641d354dfee82557b18c3677a
Signed-off-by: Pete Birley <pete@port.direct>
Trivial fix. This patch set fixes inconsistent indentations in YAML file.
Change-Id: I98ed9680d93f9c21e44b7da8462c9ce3607350bd
Signed-off-by: Tin Lam <tin@irrational.io>
This indents the closing {{ end }} for the check for executing the
Elasticsearch test that checks the snapshot repositories.
Change-Id: I77ebb1af7ee648cc9787665bfb81dfbb1a30663a
This allows passing a new env var into shell scripts, for value
overrides, with Zuul's help (value_overrides can be part of the
job definition).
Change-Id: Ia5dcecb73f4b872fd8fb65d3cd0bf69c19addf07