Ensure that https configuration overrides are only applied when
https_enabled=True and openstack certificates are installed.
Test plan:
PASS: Host-unlock on system with https_enabled=False and
no certificates triggers a reapply.
PASS: Setting https_enabled=True doesn't trigger reapply
if there are no certificates installed.
PASS: Host-unlock on system with https_enabled=True and
no certificates doesn't trigger a reapply.
PASS: Setting https_enabled=False triggers reapply independent
of certificates installed.
PASS: Setting https_enabled=True triggers reapply if
certificates are installed.
Regression:
PASS: OpenStack can be built successfully
PASS: OpenStack can be applied successfully
Signed-off-by: Maik Catrinque <maik.wandercatrinqueandrade@windriver.com>
Co-authored-by: Rafael Falcão <Rafael.VieiraFalcao@windriver.com>
Change-Id: I0768cb9c062a3e98c4fdadfc70940582cbeb65d3
This commit gives the application plugins the ability to generate the
TLS overrides so users don't have to enable the certificates using
helm overrides.
I also included some overrides/tests in this patch for the telemetry
charts, although they still miss the base functionality to enable tls
on openstack-helm/-infra. This is meant to be used as basis in a
future work to enable those charts on stx-openstack properly.
TEST PLAN
PASS Installed stx-openstack without any https overrides or params
PASS Added certificates, apps remained http
PASS Modified system's https_enabled parameter, app was reapplied
with https enabled
PASS Set https_enabled=False, app was reapplied without https
PASS Reenabled https, app was reapplied with https
PASS Remove, delete, re-upload and reapply app with certs and https
already enabled on the platform
PASS Created heat stacks with https enabled
Story: 2009891
Task: 44673
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I7fed324c2d2f702cc386864aa61664a8807f9b72
This change adds a _is_openstack_https_ready function to the
openstack.py plugin. It verifies if the platform has https_enabled set
to true and checks if three certificates are present: openstack,
openstack_ca and ssl_ca. If both conditions are met, it returns True.
Test Plan
PASS: Build OpenStack and verify that the generated tarball contains the
added code.
PASS: Apply the built tarball.
Signed-off-by: Gustavo Santos <gustavofaganello.santos@windriver.com>
Change-Id: I28e4bdb0785ae453830a426a731f14a0b80a0d47
This change adds the k8sapp-openstack-tox-py27 and
k8sapp-openstack-tox-py36 jobs to Zuul, also adding them to the check
and gate jobs.
That way, both CentOS (py27, py36) and Debian (py39) environments will
be included in the tests run by Zuul.
Signed-off-by: Gustavo Santos <gustavofaganello.santos@windriver.com>
Change-Id: I0ed931e24db85d668ee26210324c895f3d0ad65e
This code is being removed as part of an effort to move the
pci-irq-affinity-agent into an openstack application container, instead
of a platform service.
Since now the service will no longer run on the platform but on a
container instead, there is no need to update the platform service
config file after the application apply and remove actions.
TEST PLAN:
PASS: Successfully build the stx-openstack application
PASS: Successfully apply the stx-openstack application
Story: 2009299
Task: 44569
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: Ic711a2e9d7c32e6e217de936b5b1c141f85e1128
VNC server is bound on all interfaces, this can be a security risk.
This change configures VNC to listen on the host cluster address. We
cannot use the loopback address because the VNC server proxy runs
on controllers while the VNC server runs on hypervisors.
Test plan:
PASS: Verify that vncserver_listen was changed to server_listen inside
nova openstack manifest (system helm-override-show)
PASS: Verify that nova-vnc.ini inside nova pod was overwritten with
server_listen=cluster_host_ip
PASS: Test live and cold migration with VNC Server binding to host
cluster ip verify that VM VNC console still works after
migrate.
Story: 2009783
Task: 44274
Signed-off-by: Iago Estrela <IagoFilipe.EstrelaBarros@windriver.com>
Change-Id: I0d60cfc7ade945734b8cd33dca800090a5d34b1f
vncserver_listen and vncserver_proxyclient_address were deprecated,
this change aims to replace them with the versioned name.
Test plan:
PASS: Verify that vncserver_listen was changed to server_listen inside
nova openstack manifest (system helm-override-show).
Story: 2009783
Task: 44273
Signed-off-by: Iago Estrela <IagoFilipe.EstrelaBarros@windriver.com>
Change-Id: I7bc9087bce8926595fd1f0dbc82d722fd26b45a0
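
The two VNC commits above can be checked with a small audit of the `[vnc]` section of a nova configuration file. This is an added example, not code from the stx-openstack repository; the function name, the sample configs and the address 192.168.206.10 are constructed for illustration.

```python
import configparser
import ipaddress

# Deprecated [vnc] option names and their replacements in nova.conf.
RENAMED = {
    "vncserver_listen": "server_listen",
    "vncserver_proxyclient_address": "server_proxyclient_address",
}

# Constructed sample inputs (not taken from a real deployment).
CLUSTER_HOST_IP = "192.168.206.10"
BEFORE = """[vnc]
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 192.168.206.10
"""
AFTER = """[vnc]
server_listen = 192.168.206.10
server_proxyclient_address = 192.168.206.10
"""


def audit_vnc(ini_text, cluster_host_ip):
    """Return a list of findings for the [vnc] section of a nova config."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    if not parser.has_section("vnc"):
        return ["no [vnc] section found"]
    vnc = parser["vnc"]
    findings = []

    for old, new in RENAMED.items():
        if old in vnc:
            findings.append(f"deprecated option {old}; use {new}")

    # Prefer the current name, fall back to the deprecated one if present.
    listen = vnc.get("server_listen", vnc.get("vncserver_listen"))
    if listen is None:
        findings.append("server_listen is not set; bind address unknown")
        return findings
    try:
        addr = ipaddress.ip_address(listen.strip())
    except ValueError:
        findings.append(f"server_listen={listen!r} is not an IP address")
        return findings

    if addr.is_unspecified:
        findings.append("server_listen binds the VNC server on all interfaces")
    elif addr.is_loopback:
        findings.append("server_listen is loopback; the proxy on the "
                        "controllers cannot reach the hypervisor")
    elif addr != ipaddress.ip_address(cluster_host_ip):
        findings.append(f"server_listen={addr} is not the cluster host "
                        f"address {cluster_host_ip}")
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_vnc(text, CLUSTER_HOST_IP))
```
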
On stx-openstack, we run the nova-compute containers as user 0 (root) to
get privileged access to some of the host resources. During the latest
upversion of openstack-helm, we got in some commits that were
incompatible with our usage of the root user since the keys for ssh
access to a different compute were always placed under the 'nova' user's
folder. This commit fixes that behavior while we don't merge a
definitive fix on openstack-helm and go through a new upversion.
Test Plan:
PASS - nova-compute-ssh starting correctly after changing
the sshd->ssh parameter
PASS - migrate/resize vm
Closes-Bug: #1956229
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
Change-Id: Ic90e8e64670b8314b9a2f38b93a59361dcb7ecc9
This change will help remove some replicated code across the helm plugin
classes and reduce the amount of code under maintenance.
REGRESSION PLAN
PASS install and remove stx-openstack on StarlingX master
TEST PLAN
PASS create network segment ranges
PASS create networks/subnets
PASS create routers
PASS create images
PASS boot vm with cirros image
PASS remove vm
PASS delete images
PASS delete routers
PASS delete networks/subnets
PASS delete network segment ranges
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I8927e8bd897628fb3bd7eef3df1d5c58805f6fb9
With the openstack-helm upversion, we noticed that the Panko project was
retired [1][2]. Since this chart is currently disabled by default, we
didn't notice it, but we need to take action to remove the chart
references from stx-openstack.
[1] 160529ef90
[2] http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022337.html
TEST PLAN
PASS Build and install stx-openstack with the change
PASS Verified no override namespaces were generated to Panko via `system
helm-override-list` and `system helm-override-show wr-openstack
panko openstack`
FAIL (expected) Tried to enable the Panko chart using `system
helm-chart-attribute-modify --enabled true wr-openstack panko
openstack`
PASS Enabled aodh, ceilometer, gnocchi and re-applied
Story: 2009161
Task: 44072
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I2dc99a5d86933b36cc635124aca779e3bb20a7d0
To make a downstream release of stx-openstack, we often have to also
rename all the app's helm and puppet plugins namespace and also change
code on sysinv. This change decouples the name of the openstack
application from its plugins in order to ease downstream development
and release.
Tests report: https://paste.opendev.org/show/810225/
Story: 2009669
Task: 43900
Depends-On: https://review.opendev.org/c/starlingx/config/+/814670
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I2bce2416c613bde374a86854c746ba4ded52a842
The pci-irq-affinity-agent uses the platform keyring file to
fetch the admin password to communicate with OpenStack services,
but now that the agent is raised during the application apply it
can use the same approach the other helm charts use to get the
credentials, using its plugin to capture the information and
generate the system overrides with the values.
This commit:
- Changes the plugin to get the credentials
- Changes the pci-irq-affinity-agent helm chart to include the
password on the chart values and use it on the agent config file
template
- Adds an init container with dependencies on libvirt and nova
compute pods, so that the agent pod is only created when those
are available
- Removes the keyring mount on the container, which will not be
needed anymore with the previous changes and is causing failure
when raising the pod
- Removes additional keyring tools
Depends-On: https://review.opendev.org/c/starlingx/utilities/+/818620
Closes-Bug: 1951245
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Change-Id: I26f993146b8a17b7602a45f0cd5d983c1d93b0c1
Previously the helm overrides for nova, cinder and glance respectively
defined 512, 256 and 256 as the PG_NUM for their Ceph pools. Until
Mimic, ceph would just issue a warning message if this number was
bigger than the number OSD * 100, now Nautilus returns an error message
and asks for expected_num_objects parameter or --yes-i-really-mean-it.
Neither of these options is supported by openstack-helm.
The pool creation is adjusted to take into account the number of OSDs
available to choose the PG_NUM.
The steps are:
Number of OSD times 100 minus 1;
Get the nearest power of two numbers below this result;
Limit PG_NUM to the previous defaults, as they are already high
numbers.
This logic roughly results in the same values described here:
https://docs.ceph.com/en/nautilus/rados/operations/placement-groups/#a-preselection-of-pg-num
This was done to solve an error message which demands an
expected_num_objects when PG_NUM is considered too high by ceph.
Test plan:
StarlingX builds successfully
stx-openstack is built successfully
stx-openstack is applied successfully and ceph pools are created
accordingly
It is possible to override PG_NUM on ceph pools by changing chunk_size
value through helm overrides
Closes-Bug: #1949360
Depends-On: I222bee29bcaa09a95a3706c72dd21b8ed3efbe60
Signed-off-by: Delfino Curado <delfinogomes.curadofilho@windriver.com>
Change-Id: Ia1416e64afcdf91b86afdf750bf5b3a1727db985
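
The three PG_NUM steps listed in the commit message above, carried through as an added example that is not code from the stx-openstack repository. The function names are hypothetical; the 512/256/256 limits and the OSD * 100 threshold are the ones stated in the message.

```python
# Previous fixed PG_NUM values per chart, now used as upper limits.
PREVIOUS_DEFAULTS = {"nova": 512, "cinder": 256, "glance": 256}


def pg_num_for(osd_count, previous_default):
    """Apply the three steps from the commit message for one pool."""
    if osd_count < 1:
        raise ValueError("at least one OSD is required")
    # Step 1: number of OSDs times 100, minus 1.
    target = osd_count * 100 - 1
    # Step 2: nearest power of two below that result.
    nearest_power_of_two = 1 << (target.bit_length() - 1)
    # Step 3: never exceed the previous default.
    return min(nearest_power_of_two, previous_default)


def pool_pg_nums(osd_count):
    """PG_NUM per chart for a cluster with osd_count OSDs."""
    return {chart: pg_num_for(osd_count, cap)
            for chart, cap in PREVIOUS_DEFAULTS.items()}


def rejected_defaults(osd_count):
    """Charts whose previous fixed PG_NUM is bigger than OSD * 100."""
    return sorted(chart for chart, pg in PREVIOUS_DEFAULTS.items()
                  if pg > osd_count * 100)


if __name__ == "__main__":
    for osds in (1, 2, 3, 6, 10):
        print(osds, pool_pg_nums(osds), "old defaults rejected for:",
              rejected_defaults(osds))
```
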
This change is part of an initiative to decouple the pci-irq-affinity
agent process from the platform by converting it into a resource to
be deployed along with stx-openstack application.
Depends-on: https://review.opendev.org/c/starlingx/utilities/+/814031
Story: 2009299
Task: 43656
Change-Id: Iefc1106e01cbfc874119e16b610e48a629771db1
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
This commit is rebasing on upstream commit
7803000a545687ec40b0ddc41d46a6b377dea45f
and also removes some patches that were already
merged.
This change depends on the rebase of openstack-helm-infra made at
01f6571912
Patch 0005-Nova-Add-support-for-disabling-Readiness-Liveness-pr.patch
This patch was dropped because a feature that adds this support was
implemented in 2020. It can be found on commit
af4e2aaadd
Patch 0007-Allow-more-generic-overrides-for-placeme.patch
Changes that this patch applies were already applied on commit
bdbea96326
Patch 0009-Disabling-helm3_hook.patch
Adding a helm3_hook in values.yaml file in case hooks need
to be disabled
Patch 0011-Trust-public-ingress-certificate.patch
Removed in favor of using the openstack-helm implementation of tls
support. As we are dropping this patch we moved the changes to the
patch where the job is created. Commits can be found on
https://opendev.org/openstack/openstack-helm/commits/branch/master/search?q=feat%28tls%29
Patch 0012-Update-helm-tookit-dependencies-to-0.2.19.patch
Changes that this patch applies were already applied on commit
20b6b9a236
Due to changes implemented on 054affa290 (diff-9bd79f0fd832cb30fa4f4b6242b9059fbc0c81b30541b4243ff29cdf39bce621R63)
python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/cinder.py
needed to be modified so the system overrides for the ceph client matches
the name of the internal ceph cluster that StarlingX creates and the
deployment-cinder.yaml renders without issues.
We've changed the endpoints on nova-api-proxy/templates/deployment.yaml
as in upstream openstack-helm deals with TLS internally, however in
starlingx there is a workaround that forces public endpoint for openstack
services. Although after some changes on openstack-helm that came with
this rebase and using cert-manager to generate all tls internal secrets
we don't need to do this anymore.
The volume mounts for dev-pts at
python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
were removed since this problem was fixed upstream on 04d600c5b0
Story: 2009161
Task: 43150
Change-Id: Iaf7d4bf9aa80e1d5acacdfe24743d41d4e67a8c0
Signed-off-by: Arthur Luz de Avila <arthur.luzdeavila@windriver.com>
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Due to a recent change in fm-api's directory structure, unit tests would
fail since the virtualenv would not be able to find fm-api/setup.py.
Adjust the tox.ini to point to the correct directory. Tested locally
by running tox.ini.
Depends-On: https://review.opendev.org/c/starlingx/fault/+/806046
Depends-On: https://review.opendev.org/c/starlingx/openstack-armada-app/+/809276
Story: 2009101
Task: 43091
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I957b905111d2710a3fda228f1659165dbb36a9ac
Re-enabling some of the disabled tox warnings present on
the pylint.rc file
Re-enabling:
W1646: invalid-str-codec
Story: 2006796
Task: 43329
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: I2fdb91154510e839cab4804a5ef223f2cdd58cec
A lot of work has gone into making sure that StarlingX is python3
compatible. To ensure future compatibility, enable the python3
portability checks. Disable the checks that are raising errors.
Another set of commits will address the offending code.
Add following suppress warnings in pylint.rc:
- W1618: no-absolute-import
- W1646: invalid-str-codec
Depends-On: https://review.opendev.org/c/starlingx/openstack-armada-app/+/808768
Story: 2006796
Task: 43190
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: Ib46f8a67042c40823ef870773cf7159763738e06
Remove unused import so the code complies with pylint and works with
zuul gates
Story: 2006796
Task: 43190
Signed-off-by: Fabricio Henrique Ramos <fabriciohenrique.ramos@windriver.com>
Change-Id: I1f8e80777340020c0f1671df46e098c500913045
Setting custom domain for ingress endpoints breaks apply.
osh-nova and osh-nova-api-proxy are trying to use the same domain,
both starting with 'nova'. This causes a kubernetes error.
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Closes-bug: 1938342
Change-Id: Ic284b83425917102a652330f8349aed38731f9df
Stx-openstack app is not an RPM installed app which
doesn't support auto-update.
Change-Id: Iec0233910c9e7725c12767138e25b3bd314f82b0
Story: 2007960
Task: 42833
Depends-On: https://review.opendev.org/c/starlingx/config/+/800821/
Signed-off-by: Angie Wang <angie.wang@windriver.com>
This fix is specific for AIO-SX because when node is unlocked/enabled/
available the vim_progress_status could still be services-disabled.
The status needs a few more seconds to become services-enabled.
Add a pre-check in openstack-armada-app/lifecycle_openstack.py to check
AIO-SX node stable state before perform_app_apply. It prevents
stx-openstack apply being triggered manually during initialization
stage after node unlock.
Closes-bug: 1929775
Signed-off-by: Yvonne Ding <yvonne.ding@windriver.com>
Change-Id: I563f77f617a68092b59f6cb38f5fb436a7933498
Change I61514389b616db754b0d2f35deb0101f90dbdd02 removed the deprecated
property vcpu_pin_set in favor of the newer cpu_shared_set and
cpu_dedicated_set, but those new configs are placed under the [compute]
section of nova.conf instead of [DEFAULT]. This is causing VMs to be
scheduled on platform reserved cores. This commit will fix it.
Closes-Bug: #1928683
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I541760619f4c79c66a2bf22715afdc873b8343ce
The current network.dashboard.ingress.annotations in horizon's
values.yaml helm charts do not include the kubernetes property
'proxy-body-size'. This makes the resulting nginx.conf file in ingress
add the default rule 'max_body_size 1m' to the horizon servers,
which limits all http requests' size inside horizon to 1MiB, making it
impossible to upload images larger than that to glance using the
horizon GUI, for example.
This change adds said property to the horizon overrides, making
horizon's servers in nginx.conf include a 'max_body_size' of 2500MiB,
which makes uploading images up to that size possible again.
Story: 2008692
Task: 41996
Change-Id: I91888ce238d5304c08eb1e97918989b8f93ee34f
Deploy with rook-ceph, without "system storage-backend-add ceph"
there is no object storage-ceph in database. As current openstack
helm plugin fixed on object storage-ceph, in rook-ceph case
use a fixed override setting
Story: 2005527
Task: 39914
Depends-On: https://review.opendev.org/#/c/713084/
Change-Id: Ied852d60e8b15d55865747e0b6f4b54f2392d6df
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
A big chunk of logic is moved from sysinv conductor to application
itself.
Following hooks were necessary:
pre-apply, post-apply, pre-manifest-apply, pre-apply-rbd,
pre-apply-resource, post-remove-rbd, post-remove-resource, post-remove
Change-Id: I41858c831a4af564dbdf38934d51d34489bf8a9a
Story: 2007960
Task: 41293
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
This patch increases the proxy-connect-timeout from 5 to 30 seconds,
avoiding the Bad Gateway 502 error when CLI commands are executed.
Closes-bug: 1908720
Change-Id: I557456e9d0550a906b6d849d682de7ea3f0f42ad
Signed-off-by: hbrito <hugo.brito@windriver.com>
Packages defined in a spec with no files do not result in an RPM
produced by the build. On a rebuild, the build tools scan the spec and
see the package defined but do not find a corresponding RPM, and so
flag the package for a rebuild as a result.
This commit removes the empty package definition from the spec.
Partial-Bug: 1910439
Signed-off-by: Don Penney <don.penney@windriver.com>
Change-Id: Ie1f18b1592f8187900624d993434ba04b23cbcff
Starting from Ussuri, OpenStack is deprecating vcpu_pin_set
in favor of cpu_dedicated_set and cpu_shared_set. These
overrides must be supported to be generated via StarlingX
system commands.
Closes-Bug: 1904729
Change-Id: I61514389b616db754b0d2f35deb0101f90dbdd02
Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>
admin account is used before, but if admin password is changed, flock
service cannot be notified and cannot get the new password, so flock
service like nfv-vim cannot fetch openstack vm info ever.
stx_admin account is created for this case.
Depends-On: https://review.opendev.org/753971
Closes-Bug: 1887755
Change-Id: I36f2442036bf6c98fbb0af727fddf1dd50e58330
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
The correct name should be CEPH_POOL_BACKUP_CHUNK_SIZE.
Closes-Bug: 1900710
Change-Id: Ie3aa2c6009cc626c2224ea464e8bea8c719316a3
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
When we apply stx-openstack with the 'mode' argument
like `system application apply restore_db`, only
some of the openstack charts must be deployed.
If kube-system-ingress chart groups is specified,
it won't be found in the armada manifest and the
openstack application will always be deployed
in the default way (deploying all the charts),
ignoring the value of the 'mode' argument.
Depends-on: https://review.opendev.org/#/c/698003/
Change-Id: I6791974e337cd3193bf2a75e9d75f48841f0676d
Story: 2006770
Task: 37780
Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
- cinder-volumes
- cinder.backups
- images
- ephemeral
Pg_num values were increased to avoid ceph health warning
that occurs on larger systems due to the default
pg_num settings not being large enough.
Change-Id: I23feffe613c37b12dff51c73e7ced9a9c7663089
Closes-bug: 1899128
Signed-off-by: Elena Taivan <elena.taivan@windriver.com>
Currently, all of the stx-openstack services have the
replica count set to the number of the controllers.
If one of the controllers is locked their replicas
number will still be 2 which is incorrect.
We solve this by changing the number of replicas
to be equal to the number of the active controllers.
The rabbitmq and mariadb services cannot use this approach because
they are unable to work properly if their replica number
is decreased from 2 to 1. So a kubernetes toleration
is used here to allow the rabbitmq and mariadb pods to be
deployed on the locked controller.
Change-Id: I15cf2a3f62525751435ddbe66760935f3ab21d2b
Closes-Bug: 1879018
Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
The commit that we are reverting broke the normal lock/unlock
case when stx-openstack is applied. More specifically,
the mariadb pod failed to start when stx-openstack
was applied automatically after unlock.
This reverts commit 754a1d33de7e16b454052190a2496f1a1d59c707.
Change-Id: I0f1e5854d22ed54747d0237153ada3985f29ef96