Adds patches from openstack-helm and openstack-helm-infra that
enables openstack services, jobs, and friends (libvirt, memcached
mariadb, openvswitch, rabbitmq, ingress) to support taint toleration
Also adds tolerations for nova-api-proxy, stx-ks-user and
nova-ephemeral-pool
Taint toleration `node-role.kubernetes.io/master:NoSchedule` is also
enabled by default as seen in `manifest.yaml`
deleted:
- file: 0014-Add-tolerations-to-rabbitmq-chart.patch
reason: deprecated by 0017 (also was not working for rabbit jobs)
- file: 0015-Add-tolerations-to-mariadb-chart.patch
reason: deprecated by 0017 (also was not working for maria jobs)
Test Plan:
PASS: After controller node taint application is applied
PASS: If controller has no taint application is applied
FAIL (expected): After user override removing toleration apply fails
PASS: Other taint is added to controller and after user overrides apply
succceeds
Notes:
- Tested in AIO-SX (Both Virt. and Physical Machine)
- Tested with taint node-role.kubernetes.io/master:NoSchedule
- Tested with taint openstack-compute-node:NoSchedule
- Apply fails -> pods pending untolarated taints
Story: 2009232
Task: 43345
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I6bd0d28cdc31f07d18b3cdfda3b0282a4d3117a4
This is a small update to include a message to
warn that these overrides should not be used
separately.
Also including the --reuse-values parameter.
This makes sure that it keeps the current
configuration, adding the new override values.
Closes-Bug: #1953056
Signed-off-by: Pedro Almeida <pedro.monteiroazevedodemouraalmeida@windriver.com>
Change-Id: I0e3595d4bc9839a3e4246a206192018b927f2c5a
PCI IRQ affinity agent is unable to find the instances' PCI devices
and is failing to set IRQ affinity settings. This is happening
because the directory used by the agent, /sys/bus/pci/devices,
contains symbolic links to directories inside /sys/devices, and these
aren't available inside the container, causing the agent to fail when
it tries to read PCI devices information.
This commit changes the hostPath volume from /sys/bus/pci/devices to
/sys, so that the container will have /sys/devices mounted as well
and the agent will be able to access its contents.
Test Plan:
PASS: Verify that /sys/bus/pci/devices symbolic links are not broken
PASS: Verify that PCI IRQ affinity agent can read PCI devices info
PASS: Verify agent configuring IRQ affinity settings successfully
after booting instances with PCI affinity mask on the flavor
Regression:
PASS: Verify that openstack application can be applied successfully
PASS: Verify that no alarms are raised after applying openstack
Closes-bug: 1952660
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Change-Id: I1d6dea0a89955715975de3d3cda384e7f19bd13c
With the openstack-helm upversion, we noticed that the Panko project was
retired [1][2]. Since this chart is currently disabled by default, we
didn't notice it, but we need to take action to remove the chart
references from stx-openstack.
[1] 160529ef90
[2] http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022337.html
TEST PLAN
PASS Build and install stx-openstack with the change
PASS Verified no override namespaces were generated to Panko via `system
helm-override-list` and `system helm-override-show wr-openstack
panko openstack`
FAIL (expected) Tried to enable the Panko chart using `system
helm-chart-attribute-modify --enabled true wr-openstack panko
openstack
PASS Enabled aodh, ceilometer, gnocchi and re-appplied
Story: 2009161
Task: 44072
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I2dc99a5d86933b36cc635124aca779e3bb20a7d0
This patch introduces the hw:pci_irq_affinity_mask metadata.
The metadata hw:pci_irq_affinity_mask specifies which CPU cores are
interrupted due to PCI IRQ requests. It can be set as a compute flavor
extra spec, as well as a compute image or volume metadata.
Test Plan Status
1. New metadata is added to the supported metadata list PASSED
on compute flavor, compute image and volume metadata
2. New metadata can be set to a value PASSED
on compute flavor, compute image and/or volume metadata
3. New metadata can be changed value and/or deleted PASSED
on compute flavor, compute image and/or volume metadata
4. New metadata persists when re-applying OpenStack PASSED
Regression
1. New metadata is added to the supported metadata list PASSED
on compute flavor, compute image and volume metadata
2. New metadata can be set a value, changed valued and deleted PASSED
on compute flavor, compute image and volume metadata
Story: 2009299
Task: 43861
Signed-off-by: rferraz <RogerioOliveira.Ferraz@windriver.com>
Change-Id: I0f94e8cddcff744306a01ce275c697cb39f8c5e7
To make a downstream release of stx-openstack, we often have to also
rename all the app's helm and puppet plugins namespace and also change
code on sysinv. This change decouples the name of the openstack
application from its plugins in order to ease downstream development
and release.
Tests report: https://paste.opendev.org/show/810225/
Story: 2009669
Task: 43900
Depends-On: https://review.opendev.org/c/starlingx/config/+/814670
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I2bce2416c613bde374a86854c746ba4ded52a842
The pci-irq-affinity-agent uses the platform keyring file to
fetch the admin password to communicate with OpenStack services,
but now that the agent is raised during the application apply it
can use the same approach the other helm charts use to get the
credentials, using it's plugin to capture the information and
generate the system overrides with the values.
This commit:
- Changes the plugin to get the credentials
- Changes the pci-irq-affinity-agent helm chart to include the
password on the chart values and use it on the agent config file
template
- Adds an init container with dependencies on libvirt and nova
compute pods, so that the agent pod is only create when those
are available
- Removes the keyring mount on the container, which will not be
needed anymore with the previous changes and is causing failure
when raising the pod
- Removes additional keyring tools
Depends-On: https://review.opendev.org/c/starlingx/utilities/+/818620
Closes-Bug: 1951245
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Change-Id: I26f993146b8a17b7602a45f0cd5d983c1d93b0c1
On commit 03d78718966e85eb0094ed48062d9d33f3519f85 of
openstack-helm a new image was introduced to execute the db
migrations as a "latest" form. This commit pins the version of
that image for stx-openstack to a fixed version to avoid that
future image builds of porthole-mysqlclient-utility breaks the
app.
Closes-Bug: #1951444
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I2b599578858c9212fb61419f166d4db8527f884d
The stx-openstack apply is failing with a timeout condition,
caused by failure while trying to pull the image of the agent from
the local registry. This is caused by missing imagePullSecrets on
the daemonset definition, so this commit creates the ServiceAccount
with the imagePullSecrets and use it on the spec.
Closes-Bug: 1951245
Change-Id: I5e408539e001bbe867812db8c614d47cea1ae225
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Previously the helm overrides for nova, cinder and glance respectively
defined 512, 256 and 256 as the PG_NUM for their Ceph pools. Until
Mimic, ceph would just issue a warning message if this number was
bigger than the number OSD * 100, now Nautilus returns an error message
and asks for expected_num_objects parameter or --yes-i-really-mean-it.
Neither of these options is supported by openstack-helm.
The pool creation is adjusted to take into account the number of OSDs
available to choose the PG_NUM.
The steps are:
Number of OSD times 100 minus 1;
Get the nearest power of two numbers below this result;
Limit PG_NUM to the previous defaults, as they are already high
numbers.
This logic roughly results in the same values described here:
https://docs.ceph.com/en/nautilus/rados/operations/placement-groups/#a-preselection-of-pg-num
This was done to solve an error message which demands a
expected_num_objects when PG_NUM is considered too high by ceph.
Test plan:
StarlingX builds successfully
stx-openstack is built successfully
stx-openstack is applied successfully and ceph pools are created
accordingly
It is possible to override PG_NUM on ceph pools by changing chunk_size
value through helm overrides
Closes-Bug: #1949360
Depends-On: I222bee29bcaa09a95a3706c72dd21b8ed3efbe60
Signed-off-by: Delfino Curado <delfinogomes.curadofilho@windriver.com>
Change-Id: Ia1416e64afcdf91b86afdf750bf5b3a1727db985
This change is part of an initiative to decouple the pci-irq-affinity
agent process from the platform by converting it into a resource to
be deployed along with stx-openstack application.
Depends-on: https://review.opendev.org/c/starlingx/utilities/+/814031
Story: 2009299
Task: 43656
Change-Id: Iefc1106e01cbfc874119e16b610e48a629771db1
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
This commit is rebasing on upstream commit
7803000a545687ec40b0ddc41d46a6b377dea45f
and also remove some patches that were already
merged.
This change depends on the rebase of openstack-helm-infra made at
01f6571912
Patch 0005-Nova-Add-support-for-disabling-Readiness-Liveness-pr.patch
This patch was dropped because a feature that add this support was
implemented in 2020. It can be found on commit
af4e2aaadd
Patch 0007-Allow-more-generic-overrides-for-placeme.patch
Changes that this patch applies were already applied on commit
bdbea96326
Patch 0009-Disabling-helm3_hook.patch
Adding a helm3_hook in values.yaml file in case hooks needs
to be disabled
Patch 0011-Trust-public-ingress-certificate.patch
Removed in favor of using the openstack-helm implementation of tls
support. As we are dropping this patch we moved the changes to the
patch where the job is created. Commits can be found on
https://opendev.org/openstack/openstack-helm/commits/branch/master/search?q=feat%28tls%29
Patch 0012-Update-helm-tookit-dependencies-to-0.2.19.patch
Changes that this patch applies were already applied on commit
20b6b9a236
Due to changes implemented on 054affa290 (diff-9bd79f0fd832cb30fa4f4b6242b9059fbc0c81b30541b4243ff29cdf39bce621R63)
python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/cinder.py
needed to be modified so the system overrides for the ceph client matches
the name of the internal ceph cluster we that StarlingX creates and the
deployment-cinder.yaml renders without issues.
We've change the endpoints on nova-api-proxy/templates/deployment.yaml
as in upstream openstack-helm deals with TLS internally, however in
starlingx there is a workaround that forces public endpoint for openstack
services. Although after some changes on openstack-helm that came with
this rebase and using cert-manager to generate all tls internal secrets
we dont need to do this anymore.
The volume mounts for dev-pts at
python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
were removed since this problem was fixed upstream on 04d600c5b0
Story: 2009161
Task: 43150
Change-Id: Iaf7d4bf9aa80e1d5acacdfe24743d41d4e67a8c0
Signed-off-by: Arthur Luz de Avila <arthur.luzdeavila@windriver.com>
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Iaf7d4bf9aa80e1d5acacdfe24743d41d4e67a8c0
This change will add the capability to pass extra local_settings
configurations to be rendered on by the template and allow for either
new configuration options to be enabled through overrides or the
defaults on the template to be overwritten when necessary.
Story: 2009662
Task: 43857
(cherry-picked from d0bd3dbb50a0995ec4adc6ebc654dad819ef68c2)
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia4b69e7b361349ee5b2484fa92d438dea6502d7f
As gnocchi is disabled by default on stx-openstack, this problem
didn't surfaced during the upversion of osh-i. This patch fixes
the chart version for gnocchi for the commit currently in use.
Story: 2009161
Task: 43151
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Idff4175d3952c0cb83ef346ee1b91a0c8cc6ae71
Openstack is not showing the buttons to Create / Delete / Edit a
Role when using the admin user with admin project, as a result
the admin user can only work with the default Roles created by
Openstack.
Horizon has some features that were rewritten with Angular, the
Role view is one that was rewritten with angular. According to
Horizon documentation, there are necessary configurations that
need to be supplied in Horizon configuration to allow the features
in Angular to work properly.
We found out that the Horizon
REST_API_REQUIRED_SETTINGS configuration key from
local_settings file is overriden in openstack-armada-app, but it
doesn't have the value OPENSTACK_KEYSTONE_BACKEND
that is necessary to the Role view to work properly.
This is fix has the goal to add the
OPENSTACK_KEYSTONE_BACKEND value in the
REST_API_REQUIRED_SETTINGS configuration key.
Closes-Bug: #1946384
Change-Id: I83563595ee30963ed506685cec24729d9a456268
Signed-off-by: Ricardo Sarto <Ricardo.SoaresSarto@windriver.com>
This review updates openstack-helm-infra to commit
8351fdd0f1228717342c2accc96977b0cdc36dc3 and removes patches that were
merged on osh-i; fixes the remaining patches to the current diffs and do
minor adaptations to make osh-i work on StarlingX.
Story: 2009161
Task: 43151
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I36159b0264a79c3727b20e6ff1b7831183e47c3a
Since the env option and fixtures depending on it were not in use
by any RBAC test anymore, they were removed from code.
Fixtures removed:
- env
Story: 2009156
Task: 43128
Signed-off-by: Rafael Fayan <RafaelShibana.Fayan@windriver.com>
Change-Id: I15c3758263c3ec00385e063cad03f82f92fbd21d
Due to a recent change in fm-api's directory structure, unit tests would
fail since the virtualenv would not be able to find fm-api/setup.py.
Adjust the tox.ini to point to the correct directory. Tested locally
by running tox.ini.
Depends-On: https://review.opendev.org/c/starlingx/fault/+/806046
Depends-On: https://review.opendev.org/c/starlingx/openstack-armada-app/+/809276
Story: 2009101
Task: 43091
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I957b905111d2710a3fda228f1659165dbb36a9ac
Re-enabling some of the disabled tox warnings present on
the pylint.rc file
Re-enabling:
W1646: invalid-str-codec
Story: 2006796
Task: 43329
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: I2fdb91154510e839cab4804a5ef223f2cdd58cec
A lot of work has gone into making sure that StarlingX is python3
compatible. To ensure future compatibility, enable the python3
portability checks. Disable the checks that are raising errors.
Another set of commits will address the offending code.
Add following suppress warnings in pylint.rc:
- W1618: no-absolute-import
- W1646: invalid-str-codec
Depends-On: https://review.opendev.org/c/starlingx/openstack-armada-app/+/808768
Story: 2006796
Task: 43190
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: Ib46f8a67042c40823ef870773cf7159763738e06
Remove unused import so the code complies with pylint and works with
zuul gates
Story: 2006796
Task: 43190
Signed-off-by: Fabricio Henrique Ramos <fabriciohenrique.ramos@windriver.com>
Change-Id: I1f8e80777340020c0f1671df46e098c500913045
The Help URL at user's dropdown located on the top right corner is
taking the user, by default, to the latest release documentation,
which changes over time and is not the current release used by
stx-openstack. Also this change allows the URL to be easily replaced
as desired via helm-overrides.
Closes-Bug: #1940318
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Change-Id: I74b7218356518ac1407091b010949ed90abd169d
Adding a certificate and ca_certificate using:
`certificate-install -m {openstack | openstack_ca}` ends up breaking
openstack application. OS-STX forces public endpoint and when such
endpoint has TLS enabled everything breaks, therefore based on the
implementation of tls support for openstack-helm that enables tls
for the openstack services we picked the trust cert code without
actually enabling tls backends
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I2dfc7c12defcc948fcdc353251301980e65f3011
Closes-Bug: 1937260
In a DX scenario, after lock-unlock a controller the remaining MariaDB
instance (lets say maria-server0) goes to a Non-Primary + Initializing
State (non-operational). After that it remains searching for the now
deleted pod (maria-server1) but using the old IP, the one before the
restart. maria-server0 flags the old IP as delayed and suspect for
eviction, however being a Non-Primary member it cannot in fact evict
the old node and start looking for new members. Setting a LivenessProbe
that detects nonoperational members and restart them fixes this, as the
recreated pod starts looking for a cluster to join.
Closes-Bug: #1938346
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I38d788f720cbd6bd13b6b6147db6f3d2a2ff9c92
In the event of an uncontrolled reboot on a Standard configuration,
we were seeing a behavior where the MariaDB pods kept trying to elect a
leader and restarting until the pods get to CrashLoopBackoff. After
checking the logs closely and reproducing the problem quite easily by
deleting both pods at the same time, we came to the conclusion that the
cluster wasn't having enough time to elect a new leader and recover from
the crash. This patch increases the timeout for the startup probe of the
mariadb statefulset with some slack to allow databases that are in
production to fully resync the data between the 2 pods.
Closes-Bug: #1938346
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I19e49dab55f3a8661fa71be315093029adb0947e
Setting custom domain for ingress endpoints breaks apply.
osh-nova and osh-nova-api-proxy are trying to use the same domain,
both starting with 'nova'. This causes a kubernetes error.
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Closes-bug: 1938342
Change-Id: Ic284b83425917102a652330f8349aed38731f9df
Stx-openstack app is not a RPM installed app which
doesn't support auto-update.
Change-Id: Iec0233910c9e7725c12767138e25b3bd314f82b0
Story: 2007960
Task: 42833
Depends-On: https://review.opendev.org/c/starlingx/config/+/800821/
Signed-off-by: Angie Wang <angie.wang@windriver.com>
When loading a custom theme, the current configuration also loads the
StarlingX theme which is not available on the Openstack Horizon image.
This fix removes the loading of the StarlingX theme and fixes the logic
so other themes are enabled when the custom one is not.
Closes-Bug: #1935859
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I14975ee07210875f0e5c49c13e3371a18c4b2261
execfile is python2.x only, therefore this code breaks any python3
installation that uses brandend platform horizon
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Ide48191e970d0df4481a44b892ba0d15e9f44604
Closes-Bug: 1933667
This fix is specific for AIO-SX because when node is unlocked/enabled/
available the vim_progress_status could still be services-disabled.
The status need a few more seconds to become services-enabled.
Add a pre-check in openstack-armada-app/lifecycle_openstack.py to check
AIO-SX node stable state before perform_app_apply. It prevents
stx-openstack apply being triggered manually during initialization
stage after node unlock.
Closes-bug: 1929775
Signed-off-by: Yvonne Ding <yvonne.ding@windriver.com>
Change-Id: I563f77f617a68092b59f6cb38f5fb436a7933498