From 783894f9b6b85b635a6e07eb4e6de0a84b7c7f48 Mon Sep 17 00:00:00 2001 
From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 03:25:06 +1100 Subject: [PATCH 01/11] add masakari --- charts/masakari/.helmignore | 23 + charts/masakari/Chart.lock | 6 + charts/masakari/Chart.yaml | 17 + .../masakari/charts/helm-toolkit/Chart.yaml | 12 + .../charts/helm-toolkit/requirements.lock | 3 + .../charts/helm-toolkit/requirements.yaml | 15 + .../_authenticated_endpoint_uri_lookup.tpl | 58 ++ ...nticated_transport_endpoint_uri_lookup.tpl | 121 +++ .../endpoints/_endpoint_host_lookup.tpl | 90 +++ .../endpoints/_endpoint_port_lookup.tpl | 41 + .../endpoints/_endpoint_token_lookup.tpl | 36 + .../_host_and_port_endpoint_uri_lookup.tpl | 59 ++ .../_hostname_fqdn_endpoint_lookup.tpl | 76 ++ .../_hostname_namespaced_endpoint_lookup.tpl | 40 + ...e_namespaced_endpoint_namespace_lookup.tpl | 38 + .../_hostname_short_endpoint_lookup.tpl | 61 ++ .../_keystone_endpoint_name_lookup.tpl | 34 + .../_keystone_endpoint_path_lookup.tpl | 48 ++ .../_keystone_endpoint_scheme_lookup.tpl | 55 ++ .../_keystone_endpoint_uri_lookup.tpl | 52 ++ ...ce_name_endpoint_with_namespace_lookup.tpl | 61 ++ .../manifests/_ceph-storageclass.tpl | 111 +++ .../templates/manifests/_certificates.tpl | 108 +++ .../templates/manifests/_ingress.tpl | 729 ++++++++++++++++++ .../templates/manifests/_job-bootstrap.tpl | 142 ++++ .../manifests/_job-db-drop-mysql.tpl | 171 ++++ .../manifests/_job-db-init-mysql.tpl | 170 ++++ .../templates/manifests/_job-db-sync.tpl | 138 ++++ .../templates/manifests/_job-ks-endpoints.tpl | 131 ++++ .../templates/manifests/_job-ks-service.tpl | 125 +++ .../templates/manifests/_job-ks-user.yaml.tpl | 155 ++++ .../manifests/_job-rabbit-init.yaml.tpl | 130 ++++ .../manifests/_job-s3-bucket.yaml.tpl | 148 ++++ .../templates/manifests/_job-s3-user.yaml.tpl | 160 ++++ .../manifests/_job_image_repo_sync.tpl | 119 +++ .../templates/manifests/_network_policy.tpl | 238 ++++++ .../manifests/_secret-registry.yaml.tpl | 78 ++ 
.../templates/manifests/_secret-tls.yaml.tpl | 119 +++ .../templates/manifests/_service-ingress.tpl | 43 ++ .../scripts/_create-s3-bucket.sh.tpl | 35 + .../templates/scripts/_create-s3-user.sh.tpl | 65 ++ .../templates/scripts/_db-drop.py.tpl | 152 ++++ .../templates/scripts/_db-init.py.tpl | 166 ++++ .../templates/scripts/_db-pg-init.sh.tpl | 69 ++ .../templates/scripts/_image-repo-sync.sh.tpl | 24 + .../templates/scripts/_ks-domain-user.sh.tpl | 72 ++ .../templates/scripts/_ks-endpoints.sh.tpl | 79 ++ .../templates/scripts/_ks-service.sh.tpl | 76 ++ .../templates/scripts/_ks-user.sh.tpl | 108 +++ .../templates/scripts/_rabbit-init.sh.tpl | 111 +++ .../templates/scripts/_rally_test.sh.tpl | 88 +++ .../db-backup-restore/_backup_main.sh.tpl | 701 +++++++++++++++++ .../db-backup-restore/_restore_main.sh.tpl | 616 +++++++++++++++ .../snippets/_custom_job_annotations.tpl | 76 ++ .../snippets/_custom_pod_annotations.tpl | 76 ++ .../snippets/_custom_secret_annotations.tpl | 81 ++ .../templates/snippets/_image.tpl | 60 ++ .../snippets/_keystone_openrc_env_vars.tpl | 142 ++++ .../snippets/_keystone_secret_openrc.tpl | 32 + .../_keystone_user_create_env_vars.tpl | 90 +++ .../_kubernetes_apparmor_configmap.tpl | 68 ++ ...ernetes_apparmor_loader_init_container.tpl | 75 ++ .../snippets/_kubernetes_apparmor_volumes.tpl | 68 ++ ..._kubernetes_container_security_context.tpl | 48 ++ .../_kubernetes_entrypoint_init_container.tpl | 209 +++++ .../snippets/_kubernetes_kubectl_params.tpl | 20 + ...es_mandatory_access_control_annotation.tpl | 60 ++ .../snippets/_kubernetes_metadata_labels.tpl | 51 ++ .../_kubernetes_pod_anti_affinity.tpl | 89 +++ .../_kubernetes_pod_image_pull_secret.tpl | 45 ++ .../snippets/_kubernetes_pod_rbac_roles.tpl | 69 ++ .../_kubernetes_pod_rbac_serviceaccount.tpl | 75 ++ .../_kubernetes_pod_security_context.tpl | 67 ++ .../templates/snippets/_kubernetes_probes.tpl | 55 ++ .../snippets/_kubernetes_resources.tpl | 53 ++ .../_kubernetes_seccomp_annotation.tpl | 
47 ++ .../snippets/_kubernetes_tolerations.tpl | 45 ++ .../_kubernetes_upgrades_daemonset.tpl | 33 + .../_kubernetes_upgrades_deployment.tpl | 27 + .../_kubernetes_upgrades_statefulset.tpl | 51 ++ .../snippets/_mon_host_from_k8s_ep.sh.tpl | 68 ++ .../snippets/_prometheus_pod_annotations.tpl | 33 + .../_prometheus_service_annotations.tpl | 35 + .../templates/snippets/_release_uuid.tpl | 29 + .../snippets/_rgw_s3_admin_env_vars.tpl | 32 + .../_rgw_s3_bucket_user_env_vars_rook.tpl | 28 + .../snippets/_rgw_s3_secret_creds.tpl | 29 + .../snippets/_rgw_s3_user_env_vars.tpl | 34 + .../templates/snippets/_tls_volume.tpl | 47 ++ .../templates/snippets/_tls_volume_mount.tpl | 82 ++ .../snippets/_values_template_renderer.tpl | 87 +++ .../templates/tls/_tls_generate_certs.tpl | 94 +++ .../utils/_comma_joined_service_list.tpl | 46 ++ .../templates/utils/_configmap_templater.tpl | 30 + .../templates/utils/_daemonset_overrides.tpl | 269 +++++++ .../templates/utils/_dependency_resolver.tpl | 40 + .../helm-toolkit/templates/utils/_hash.tpl | 21 + .../templates/utils/_host_list.tpl | 44 ++ .../templates/utils/_image_sync_list.tpl | 25 + .../templates/utils/_joinListWithComma.tpl | 31 + .../_joinListWithCommaAndSingleQuotes.tpl | 32 + .../templates/utils/_joinListWithPrefix.tpl | 32 + .../templates/utils/_joinListWithSpace.tpl | 31 + .../helm-toolkit/templates/utils/_merge.tpl | 135 ++++ .../templates/utils/_template.tpl | 21 + .../helm-toolkit/templates/utils/_to_ini.tpl | 51 ++ .../utils/_to_k8s_env_secret_vars.tpl | 46 ++ .../templates/utils/_to_k8s_env_vars.tpl | 39 + .../templates/utils/_to_kv_list.tpl | 42 + .../templates/utils/_to_oslo_conf.tpl | 75 ++ .../masakari/charts/helm-toolkit/values.yaml | 16 + charts/masakari/requirements.lock | 6 + charts/masakari/requirements.yaml | 4 + .../masakari/templates/bin/_manage-db.sh.tpl | 19 + .../templates/bin/_masakari-api.sh.tpl | 28 + .../templates/bin/_masakari-engine.sh.tpl | 29 + .../bin/_masakari-host-monitor.sh.tpl | 29 + 
.../bin/_masakari-instance-monitor.sh.tpl | 29 + .../bin/_masakari-monitors-init.sh.tpl | 23 + .../bin/_masakari-process-monitor.sh.tpl | 29 + charts/masakari/templates/configmap-bin.yaml | 50 ++ charts/masakari/templates/configmap-etc.yaml | 140 ++++ .../templates/daemonset-host-monitor.yaml | 141 ++++ .../templates/daemonset-instance-monitor.yaml | 132 ++++ .../templates/daemonset-process-monitor.yaml | 132 ++++ charts/masakari/templates/deployment-api.yaml | 119 +++ .../masakari/templates/deployment-engine.yaml | 99 +++ charts/masakari/templates/job-db-drop.yaml | 19 + charts/masakari/templates/job-db-init.yaml | 28 + charts/masakari/templates/job-db-sync.yaml | 76 ++ .../masakari/templates/job-ks-endpoints.yaml | 26 + charts/masakari/templates/job-ks-service.yaml | 26 + charts/masakari/templates/job-ks-user.yaml | 26 + .../masakari/templates/job-rabbitmq-init.yaml | 26 + charts/masakari/templates/pbd-api.yaml | 27 + charts/masakari/templates/secret-db.yaml | 35 + .../masakari/templates/secret-keystone.yaml | 30 + .../masakari/templates/secret-rabbitmq.yaml | 35 + .../masakari/templates/secret-registry.yaml | 17 + charts/masakari/templates/service-api.yaml | 37 + charts/masakari/values.yaml | 629 +++++++++++++++ roles/keycloak/tasks/main.yml | 176 ++--- roles/masakari/README.md | 1 + roles/masakari/defaults/main.yml | 30 + roles/masakari/meta/main.yml | 40 + roles/masakari/tasks/main.yml | 33 + roles/masakari/vars/main.yml | 44 ++ roles/pacemaker/README.md | 1 + roles/pacemaker/defaults/main.yml | 19 + roles/pacemaker/handlers/main.yml | 19 + roles/pacemaker/meta/main.yml | 32 + roles/pacemaker/tasks/main.yml | 113 +++ roles/pacemaker/templates/corosync.conf.j2 | 58 ++ 153 files changed, 12284 insertions(+), 87 deletions(-) create mode 100644 charts/masakari/.helmignore create mode 100644 charts/masakari/Chart.lock create mode 100644 charts/masakari/Chart.yaml create mode 100644 charts/masakari/charts/helm-toolkit/Chart.yaml create mode 100644 
charts/masakari/charts/helm-toolkit/requirements.lock create mode 100644 charts/masakari/charts/helm-toolkit/requirements.yaml create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl create mode 100644 
charts/masakari/charts/helm-toolkit/templates/manifests/_certificates.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_ingress.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_network_policy.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/manifests/_service-ingress.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_db-init.py.tpl create 
mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_image.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl create mode 100644 
charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl create mode 100644 
charts/masakari/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_release_uuid.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_configmap_templater.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_hash.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_host_list.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_image_sync_list.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl create mode 100644 
charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_merge.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_template.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_to_ini.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_to_kv_list.tpl create mode 100644 charts/masakari/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl create mode 100644 charts/masakari/charts/helm-toolkit/values.yaml create mode 100644 charts/masakari/requirements.lock create mode 100644 charts/masakari/requirements.yaml create mode 100644 charts/masakari/templates/bin/_manage-db.sh.tpl create mode 100644 charts/masakari/templates/bin/_masakari-api.sh.tpl create mode 100644 charts/masakari/templates/bin/_masakari-engine.sh.tpl create mode 100644 charts/masakari/templates/bin/_masakari-host-monitor.sh.tpl create mode 100644 charts/masakari/templates/bin/_masakari-instance-monitor.sh.tpl create mode 100644 charts/masakari/templates/bin/_masakari-monitors-init.sh.tpl create mode 100644 charts/masakari/templates/bin/_masakari-process-monitor.sh.tpl create mode 100644 charts/masakari/templates/configmap-bin.yaml create mode 100644 charts/masakari/templates/configmap-etc.yaml create mode 100644 charts/masakari/templates/daemonset-host-monitor.yaml create mode 100644 charts/masakari/templates/daemonset-instance-monitor.yaml create mode 100644 charts/masakari/templates/daemonset-process-monitor.yaml create mode 100644 
charts/masakari/templates/deployment-api.yaml create mode 100644 charts/masakari/templates/deployment-engine.yaml create mode 100644 charts/masakari/templates/job-db-drop.yaml create mode 100644 charts/masakari/templates/job-db-init.yaml create mode 100644 charts/masakari/templates/job-db-sync.yaml create mode 100644 charts/masakari/templates/job-ks-endpoints.yaml create mode 100644 charts/masakari/templates/job-ks-service.yaml create mode 100644 charts/masakari/templates/job-ks-user.yaml create mode 100644 charts/masakari/templates/job-rabbitmq-init.yaml create mode 100644 charts/masakari/templates/pbd-api.yaml create mode 100644 charts/masakari/templates/secret-db.yaml create mode 100644 charts/masakari/templates/secret-keystone.yaml create mode 100644 charts/masakari/templates/secret-rabbitmq.yaml create mode 100644 charts/masakari/templates/secret-registry.yaml create mode 100644 charts/masakari/templates/service-api.yaml create mode 100644 charts/masakari/values.yaml create mode 100644 roles/masakari/README.md create mode 100644 roles/masakari/defaults/main.yml create mode 100644 roles/masakari/meta/main.yml create mode 100644 roles/masakari/tasks/main.yml create mode 100644 roles/masakari/vars/main.yml create mode 100644 roles/pacemaker/README.md create mode 100644 roles/pacemaker/defaults/main.yml create mode 100644 roles/pacemaker/handlers/main.yml create mode 100644 roles/pacemaker/meta/main.yml create mode 100644 roles/pacemaker/tasks/main.yml create mode 100644 roles/pacemaker/templates/corosync.conf.j2 diff --git a/charts/masakari/.helmignore b/charts/masakari/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/masakari/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/masakari/Chart.lock b/charts/masakari/Chart.lock
new file mode 100644
index 0000000000..9858cc06f1
--- /dev/null
+++ b/charts/masakari/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 2024.2.0
+digest: sha256:c7a58b17e9e684f6cecff16ec0974cf93c379f21414a16da4a1b36f49a618e82
+generated: "2024-12-24T16:14:48.900349987Z"
diff --git a/charts/masakari/Chart.yaml b/charts/masakari/Chart.yaml
new file mode 100644
index 0000000000..38df000195
--- /dev/null
+++ b/charts/masakari/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+appVersion: v1.0.0
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: '>= 0.1.0'
+description: OpenStack-Helm Masakari
+home: https://docs.openstack.org/developer/masakari
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Masakari/OpenStack_Project_masakari_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: masakari
+sources:
+- https://opendev.org/openstack/masakari
+- https://opendev.org/openstack/masakari-monitors
+- https://opendev.org/openstack/openstack-helm
+version: 2024.2.0
diff --git a/charts/masakari/charts/helm-toolkit/Chart.yaml b/charts/masakari/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000000..d4c0ea20c1
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/Chart.yaml
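Review bot: The helm-toolkit dependency in charts/masakari/Chart.yaml is declared with an open range, `version: '>= 0.1.0'`, against a relative `file://../../openstack-helm-infra/helm-toolkit` path, while Chart.lock in the same commit pins version 2024.2.0 with a sha256 digest and the vendored subchart at charts/masakari/charts/helm-toolkit/Chart.yaml reports version 0.2.69. Three different versions for one dependency means `helm dependency build` and `helm lint` will likely report the lock and the charts/ directory as out of sync, and which copy is actually rendered then depends on the builder's checkout layout rather than on the commit. I would pin the declaration to the copy that is actually vendored, `version: 0.2.69`, and regenerate Chart.lock from it, or drop the vendored copy and rely on the lock alone; the digest in Chart.lock has to be re-derived after either change.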
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.69
diff --git a/charts/masakari/charts/helm-toolkit/requirements.lock b/charts/masakari/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000000..e28bc5d934
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "0001-01-01T00:00:00Z"
diff --git a/charts/masakari/charts/helm-toolkit/requirements.yaml b/charts/masakari/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000000..27fb08a138
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000000..d7390d8bed
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl 
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index .
4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" | urlquery }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000000..b9ac9d9ab4
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" .
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" | urlquery }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix :=
$ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000000..fb8bbe7d39
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves either the fully qualified hostname, of if defined in the host field + IPv4 for an endpoint. +examples: + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + mariadb.default.svc.cluster.local + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: + host: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + mariadb.default.svc.cluster.local + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: 127.0.0.1 + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + 127.0.0.1 + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: + host: 127.0.0.1 + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + 127.0.0.1 +*/}} + +{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 
1 -}} +{{- $context := index . 2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointScheme := $endpointMap.scheme }} +{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }} +{{- if kindIs "map" $context.Values.__endpointHost }} +{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }} +{{- end }} +{{- $endpointHost := $context.Values.__endpointHost }} +{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }} +{{- $endpointHostname := printf "%s" $endpointHost }} +{{- printf "%s" $endpointHostname -}} +{{- else }} +{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{- printf "%s" $endpointHostname -}} +{{- end }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl new file mode 100644 index 0000000000..447efe7661 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl 
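Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains a dotted-quad substring is returned verbatim and skips the FQDN lookup; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` limits the short-circuit to literal addresses (an IPv6 literal never matches and falls through to the FQDN path either way). The same unanchored pattern appears in `_hostname_short_endpoint_lookup.tpl` and `_service_name_endpoint_with_namespace_lookup.tpl`. Separately, this lookup, `_hostname_fqdn_endpoint_lookup.tpl` and `_hostname_short_endpoint_lookup.tpl` use `set $context.Values "__endpointHost"` / `"__FQDNendpointHostDefault"` as scratch variables, which mutates the shared `.Values` map for every template rendered afterwards; a local `dict` would give the same `kindIs "map"` unwrapping without the side effect. `$endpointScheme` is assigned but never read.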
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000000..3a268c0f77
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
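Review bot: `printf "%1.f" $endpointPort` only renders correctly when the configured port arrives as a number (presumably the float64 Helm produces for unquoted YAML integers); a quoted value such as `"3306"` in values.yaml is a string and Go's printf emits `%!f(string=3306)` into the endpoint URI instead of failing the render. Either normalise first, `{{- printf "%d" ($endpointPort | int) -}}`, or state in the abstract that `port.<name>.default` must be an unquoted integer. A missing port key likewise reaches printf as nil and renders as `%!f(<nil>)`; wrapping the lookup in `required` would fail the render rather than emit a malformed URI.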
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000000..6877b7bfb0
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
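Review bot: When the `token` key is absent under `auth.<user>`, `index` returns nil and `printf "%s"` renders the literal string `%!s(<nil>)` into whatever manifest called the lookup, so a missing credential becomes a bogus credential instead of a failed render. Failing closed is one line, `{{- required (printf "endpoints.%s.auth.%s.token is required" $type $userName) $serviceToken | printf "%s" -}}`. The value is returned unquoted and unescaped, which is fine for the documented use but worth a sentence in the abstract so callers know to place it only in Secret data or a quoted scalar.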
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000000..26374e348a
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the fully qualified hostname for an endpoint +examples: + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + return: | + mariadb.default.svc.cluster.local + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: mariadb.openstackhelm.openstack.org + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + return: | + mariadb.openstackhelm.openstack.org + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: + host: mariadb.openstackhelm.openstack.org + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + return: | + mariadb.openstackhelm.openstack.org +*/}} + +{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 
2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }} +{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }} +{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }} +{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }} +{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }} +{{- end }} +{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }} +{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }} +{{- printf "%s" $endpointHostname -}} +{{- else }} +{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }} +{{- printf "%s" $endpointHostname -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl new file mode 100644 index 0000000000..9d60393770 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl 
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000000..cc4d4de622
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000000..f23c624f53
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
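Review bot: The abstract `Resolves the namespace scoped hostname for an endpoint` is copied from `_hostname_namespaced_endpoint_lookup.tpl` and describes a different function; this one returns only the namespace, as its own `return: default` example shows, so it should read `Resolves the namespace for an endpoint`. `$endpoint` is taken from the tuple but never used, which is worth one line in the abstract so callers know the second tuple element is ignored.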
@@ -0,0 +1,61 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the short hostname for an endpoint +examples: + - values: | + endpoints: + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + return: | + mariadb + - values: | + endpoints: + oslo_db: + hosts: + default: + host: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + return: | + mariadb +*/}} + +{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 
2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointScheme := $endpointMap.scheme }} +{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }} +{{- if kindIs "map" $context.Values.__endpointHost }} +{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }} +{{- end }} +{{- $endpointHost := $context.Values.__endpointHost }} +{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }} +{{- printf "%s" $type -}} +{{- else }} +{{- $endpointHostname := printf "%s" $endpointHost }} +{{- printf "%s" $endpointHostname -}} +{{- end }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl new file mode 100644 index 0000000000..e31c0ebe6e --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl 
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000000..b2ec6486c0
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
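Review bot: The `usage` example `{{ tuple identity . | include "keystone_endpoint_name_lookup" }}` would not render as written: `identity` is an unquoted identifier rather than a string, and the include name lacks the `helm-toolkit.endpoints.` prefix of the `define` below. It should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. Unlike the sibling lookups this one returns the value through `quote`, so the result already carries double quotes as the `return` example shows; a sentence in the abstract would stop callers from quoting it a second time.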
@@ -0,0 +1,48 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# FIXME(portdirect): it appears the port input here serves no purpose, +# and should be removed. In addition this function is bugged, do we use it? + +{{/* +abstract: | + Resolves the path for an endpoint +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + path: + default: /dbname + port: + mysql: + default: 3306 +usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }} +return: | + /dbname +*/}} + +{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $port := index . 2 -}} +{{- $context := index . 3 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- if kindIs "string" $endpointMap.path }} +{{- printf "%s" $endpointMap.path | default "/" -}} +{{- else -}} +{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }} +{{- printf "%s" $endpointPath -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl new file mode 100644 index 0000000000..b35cb0b747 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl 
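Review bot: When an endpoint has no `path` key at all, `kindIs "string" $endpointMap.path` is false and the else branch runs `index $endpointMap.path $endpoint` on nil, which aborts the render with an index-of-nil error instead of yielding the documented `/` default; testing `{{- if not $endpointMap.path -}}` first (emitting `/`) keeps the default reachable. The `# FIXME(portdirect)` lines sit outside `{{/* */}}`, and their claim that `$port` is unused is confirmed by the body, so the abstract should say the third tuple element is ignored rather than leaving it to a stray comment.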
@@ -0,0 +1,55 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# FIXME(portdirect): it appears the port input here serves no purpose, +# and should be removed. In addition this function is bugged, do we use it? + +{{/* +abstract: | + Resolves the scheme for an endpoint +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + scheme: + default: + mysql+pymysql + port: + mysql: + default: 3306 +usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }} +return: | + mysql+pymysql +*/}} + +# This function returns the scheme for a service, it takes an tuple +# input in the form: service-type, endpoint-class, port-name. eg: +# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" } +# will return the scheme setting for this particular endpoint. In other words, for most endpoints +# it will return either 'http' or 'https' + +{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $port := index . 2 -}} +{{- $context := index . 
3 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- if kindIs "string" $endpointMap.scheme }} +{{- printf "%s" $endpointMap.scheme | default "http" -}} +{{- else -}} +{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }} +{{- printf "%s" $endpointScheme -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl new file mode 100644 index 0000000000..8d0819cd16 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl 
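Review bot: The comment block above the define refers to `helm-toolkit.endpoints.keystone_scheme_lookup`, which does not match the defined name `helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`, and both it and the `# FIXME(portdirect)` lines are outside `{{/* */}}`, so they are template text rather than Go-template comments (Helm does not emit `_`-prefixed partials, but the text is still parsed); folding them into the abstract with the corrected name fixes both. Separately, both branches fall back to `default "http"` when no scheme is configured, so a missing `scheme` key silently produces a plaintext endpoint; if that is intended it belongs in the abstract, otherwise `required` would surface the omission at render time.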
@@ -0,0 +1,52 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + This function helps resolve uri style endpoints. It will omit the port for + http when 80 is used, and 443 in the case of https. +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + path: /dbname + scheme: mysql+pymysql + port: + mysql: + default: 3306 +usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} +return: | + mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname +*/}} + +{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $port := index . 2 -}} +{{- $context := index . 
3 -}} +{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }} +{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }} +{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}} +{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}} +{{- else -}} +{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/masakari/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl new file mode 100644 index 0000000000..cf2ef3874d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl 
@@ -0,0 +1,61 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + This function returns endpoint ":" pair from an endpoint + definition. This is used in kubernetes-entrypoint to support dependencies + between different services in different namespaces. + returns: the endpoint namespace and the service name, delimited by a colon + + Normally, the service name is constructed dynamically from the hostname + however when an ip address is used as the hostname, we default to + namespace:endpointCategoryName in order to construct a valid service name + however this can be overridden to a custom service name by defining + .service.name within the endpoint definition +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + namespace: foo + hosts: + default: mariadb + host_fqdn_override: + default: null +usage: | + {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }} +return: | + foo:mariadb +*/}} + +{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 
2 -}} +{{- $typeYamlSafe := $type | replace "-" "_" }} +{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }} +{{- with $endpointMap -}} +{{- $endpointName := index .hosts $endpoint | default .hosts.default }} +{{- $endpointNamespace := .namespace | default $context.Release.Namespace }} +{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }} +{{- if .service.name }} +{{- printf "%s:%s" $endpointNamespace .service.name -}} +{{- else -}} +{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}} +{{- end -}} +{{- else -}} +{{- printf "%s:%s" $endpointNamespace $endpointName -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl new file mode 100644 index 0000000000..18453eef45 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl 
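Review bot: In the address branch `{{- if .service.name }}` dereferences `.service` unconditionally, so an endpoint whose host is an IPv4 literal but which has no `service` key aborts the render with a nil-map error instead of reaching the `$typeYamlSafe` fallback; guarding it, `{{- if and (hasKey . "service") .service.name }}`, keeps the fallback reachable (relying on `and` short-circuiting on the Helm version in use; otherwise nest the two ifs). This lookup also passes `$endpointName` straight to `regexMatch`, whereas `_endpoint_host_lookup.tpl` accepts a `hosts.default` map with a `host` key, so such a value fails here. The dotted-quad pattern is unanchored, as in the other lookups.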
@@ -0,0 +1,111 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for kubernete ceph storageclass +examples: + - values: | + manifests: + storageclass: true + storageclass: + rbd: + provision_storage_class: true + provisioner: "ceph.com/rbd" + metadata: + default_storage_class: true + name: general + parameters: + #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup + pool: rbd + admin_id: admin + ceph_configmap_name: "ceph-etc" + admin_secret_name: "pvc-ceph-conf-combined-storageclass" + admin_secret_namespace: ceph + user_id: admin + user_secret_name: "pvc-ceph-client-key" + image_format: "2" + image_features: layering + cephfs: + provision_storage_class: true + provisioner: "ceph.com/cephfs" + metadata: + name: cephfs + parameters: + admin_id: admin + admin_secret_name: "pvc-ceph-cephfs-client-key" + admin_secret_namespace: ceph + usage: | + {{- range $storageclass, $val := .Values.storageclass }} + {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }} + {{- end }} + return: | + --- + apiVersion: storage.k8s.io/v1 + kind: StorageClass + metadata: + annotations: + storageclass.kubernetes.io/is-default-class: "true" + name: general + provisioner: ceph.com/rbd + parameters: + monitors: ceph-mon..svc.:6789 + adminId: admin + adminSecretName: pvc-ceph-conf-combined-storageclass + adminSecretNamespace: ceph + pool: rbd + userId: admin + 
userSecretName: pvc-ceph-client-key + image_format: "2" + image_features: layering + --- + apiVersion: storage.k8s.io/v1 + kind: StorageClass + metadata: + name: cephfs + provisioner: ceph.com/cephfs + parameters: + monitors: ceph-mon..svc.:6789 + adminId: admin + adminSecretName: pvc-ceph-cephfs-client-key + adminSecretNamespace: ceph +*/}} + +{{- define "helm-toolkit.manifests.ceph-storageclass" -}} +{{- $envAll := index . "envAll" -}} +{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}} +{{- if empty $monHost -}} +{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}} +{{- end -}} +{{- $storageclassData := index . "storageclass_data" -}} +--- +{{- if $storageclassData.provision_storage_class }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: +{{- if $storageclassData.metadata.default_storage_class }} + annotations: + storageclass.kubernetes.io/is-default-class: "true" +{{- end }} + name: {{ $storageclassData.metadata.name }} +provisioner: {{ $storageclassData.provisioner }} +parameters: + monitors: {{ $monHost }} +{{- range $attr, $value := $storageclassData.parameters }} + {{ $attr }}: {{ $value | quote }} +{{- end }} +allowVolumeExpansion: true + +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_certificates.tpl new file mode 100644 index 0000000000..8be771e6ce --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_certificates.tpl 
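Review bot: `monitors: {{ $monHost }}` is the one parameter emitted without `quote`, while every entry from `$storageclassData.parameters` is quoted; a `mon_host` value beginning with `[` (Ceph's bracketed v2/v1 address list) would be parsed as a YAML flow sequence and change the manifest's structure, so `monitors: {{ $monHost | quote }}` is safer. The example `return` omits `allowVolumeExpansion: true`, which the template always emits; the abstract should show it. `$envAll.Values.conf.ceph.global.mon_host` is also dereferenced unconditionally, so a chart whose values lack `conf.ceph.global` presumably fails before the endpoint fallback is reached; `dig` or a `hasKey` guard would let the fallback apply.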
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000000..cacb4b8133
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a services ingress rules. +examples: + - values: | + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: barbican + host_fqdn_override: + default: null + public: + host: barbican.openstackhelm.example + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 + public: 80 + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . 
"backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "pathType" "Prefix" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx" + rules: + - host: barbican + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican-namespace-fqdn + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx" + tls: + - secretName: barbican-tls-public + hosts: + - barbican.openstackhelm.example + rules: + - host: barbican.openstackhelm.example + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican-cluster-fqdn + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx-cluster" + tls: + - secretName: barbican-tls-public + hosts: + - barbican.openstackhelm.example + rules: + - host: barbican.openstackhelm.example + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - values: | + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + 
default: barbican-api + public: + host: barbican + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + host_fqdn_override: + default: null + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 + public: 80 + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "pathType" "Prefix" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx" + tls: + - secretName: barbican-tls-public + hosts: + - barbican + - barbican.default + - barbican.default.svc.cluster.local + rules: + - host: barbican + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - values: | + cert_issuer_type: issuer + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "https" + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + internal: barbican-tls-api + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: + host: barbican + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + host_fqdn_override: + default: null + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 + public: 80 + certs: + barbican_tls_api: + secretName: barbican-tls-api + issuerRef: + 
name: ca-issuer + kind: Issuer + usage: | + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "pathType" "Prefix" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + cert-manager.io/issuer: ca-issuer + certmanager.k8s.io/issuer: ca-issuer + nginx.ingress.kubernetes.io/backend-protocol: https + nginx.ingress.kubernetes.io/secure-backends: "true" + spec: + ingressClassName: "nginx" + tls: + - secretName: barbican-tls-public-certmanager + hosts: + - barbican + - barbican.default + - barbican.default.svc.cluster.local + rules: + - host: barbican + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + + - values: | + network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "https" + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + internal: barbican-tls-api + endpoints: + cluster_domain_suffix: cluster.local + key_manager: + name: barbican + hosts: + default: barbican-api + public: + host: barbican + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + host_fqdn_override: + default: null + path: + default: / + scheme: + default: http + public: https + port: + api: + default: 9311 + public: 80 + certs: + barbican_tls_api: + secretName: barbican-tls-api + issuerRef: + name: ca-issuer + kind: ClusterIssuer + usage: | + {{- include 
"helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "pathType" "Prefix" ) -}} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: barbican + annotations: + cert-manager.io/cluster-issuer: ca-issuer + certmanager.k8s.io/cluster-issuer: ca-issuer + nginx.ingress.kubernetes.io/backend-protocol: https + nginx.ingress.kubernetes.io/secure-backends: "true" + spec: + ingressClassName: "nginx" + tls: + - secretName: barbican-tls-public-certmanager + hosts: + - barbican + - barbican.default + - barbican.default.svc.cluster.local + rules: + - host: barbican + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + - host: barbican.default.svc.cluster.local + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: barbican-api + port: + name: b-api + # Sample usage for multiple DNS names associated with the same public + # endpoint and certificate + - values: | + endpoints: + cluster_domain_suffix: cluster.local + grafana: + name: grafana + hosts: + default: grafana-dashboard + public: grafana + host_fqdn_override: + public: + host: grafana.openstackhelm.example + tls: + dnsNames: + - grafana-alt.openstackhelm.example + crt: "BASE64 ENCODED CERT" + key: "BASE64 ENCODED KEY" + network: + grafana: + ingress: + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + secrets: + tls: + grafana: + grafana: + public: grafana-tls-public + usage: | + {{- $ingressOpts := dict "envAll" . 
"backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" "pathType" "Prefix" -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + return: | + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: grafana + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx" + rules: + - host: grafana + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana.default + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana.default.svc.cluster.local + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: grafana-namespace-fqdn + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx" + tls: + - secretName: grafana-tls-public + hosts: + - grafana.openstackhelm.example + - grafana-alt.openstackhelm.example + rules: + - host: grafana.openstackhelm.example + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - host: grafana-alt.openstackhelm.example + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: grafana-cluster-fqdn + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + + spec: + ingressClassName: "nginx-cluster" + tls: + - secretName: grafana-tls-public + hosts: + - grafana.openstackhelm.example + - grafana-alt.openstackhelm.example + rules: + - host: grafana.openstackhelm.example + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + - 
host: grafana-alt.openstackhelm.example + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana-dashboard + port: + name: dashboard + +*/}} + +{{- define "helm-toolkit.manifests.ingress._host_rules" -}} +{{- $vHost := index . "vHost" -}} +{{- $backendName := index . "backendName" -}} +{{- $backendPort := index . "backendPort" -}} +{{- $pathType := index . "pathType" -}} +- host: {{ $vHost }} + http: + paths: + - path: / + pathType: {{ $pathType }} + backend: + service: + name: {{ $backendName }} + port: +{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }} + number: {{ $backendPort | int }} +{{- else }} + name: {{ $backendPort | quote }} +{{- end }} +{{- end }} + +{{- define "helm-toolkit.manifests.ingress" -}} +{{- $envAll := index . "envAll" -}} +{{- $backendService := index . "backendService" | default "api" -}} +{{- $backendServiceType := index . "backendServiceType" -}} +{{- $backendPort := index . "backendPort" -}} +{{- $endpoint := index . "endpoint" | default "public" -}} +{{- $pathType := index . "pathType" | default "Prefix" -}} +{{- $certIssuer := index . 
"certIssuer" | default "" -}} +{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{- $certIssuerType := "cluster-issuer" -}} +{{- if $envAll.Values.cert_issuer_type }} +{{- $certIssuerType = $envAll.Values.cert_issuer_type }} +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $ingressName }} + annotations: +{{- if $certIssuer }} + cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }} + certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }} +{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}} +{{- if (hasKey $slice "duration") }} + cert-manager.io/duration: {{ index $slice "duration" }} +{{- end }} +{{- end }} +{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }} +spec: + ingressClassName: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }} +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }} +{{- if $certIssuer }} +{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }} + tls: + - secretName: {{ printf "%s-ing" $secretName }} + hosts: +{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace 
$envAll.Values.endpoints.cluster_domain_suffix) }} + - {{ $vHost }} +{{- end }} +{{- else }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }} +{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }} + tls: + - secretName: {{ $secretName }} + hosts: +{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }} + - {{ $vHost }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + rules: +{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }} +{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort "pathType" $pathType }} +{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }} +{{- end }} +{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }} +{{- $ingressConf := $envAll.Values.network -}} +{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }} +{{- range $key2, $ingressController := $ingressClasses }} +{{- $vHosts := list $hostNameFull }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }} + annotations: +{{ toYaml (index 
$envAll.Values.network $backendService "ingress" "annotations") | indent 4 }} +spec: + ingressClassName: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }} +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }} +{{- $vHosts = append $vHosts $v }} +{{- end }} +{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }} + tls: + - secretName: {{ $secretName }} + hosts: +{{- range $vHost := $vHosts }} + - {{ $vHost }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + rules: +{{- range $vHost := $vHosts }} +{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort "pathType" $pathType }} +{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl new file mode 100644 index 0000000000..6b77004f0d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl 
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000000..2b7ff2cdcb
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,171 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db creation and user management. +# It can be used in charts dict created similar to the following: +# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -} +# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" } +# +# If the service does not use oslo then the db can be managed with: +# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -} +# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -} +# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" } + +{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $dbToDrop := index . 
"dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}} +{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} +{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }} + labels: +{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + 
nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $dbToDrop := $dbsToDrop }} +{{ $dbToDropType := default "oslo" $dbToDrop.inputType }} + - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }} + image: {{ $envAll.Values.images.tags.db_drop }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: ROOT_DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToDrop.adminSecret | quote }} + key: DB_CONNECTION +{{- if eq $dbToDropType "oslo" }} + - name: OPENSTACK_CONFIG_FILE + value: {{ $dbToDrop.configFile | quote }} + - name: OPENSTACK_CONFIG_DB_SECTION + value: {{ $dbToDrop.configDbSection | quote }} + - name: OPENSTACK_CONFIG_DB_KEY + value: {{ $dbToDrop.configDbKey | quote }} +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} +{{- if eq $dbToDropType "secret" }} + - name: DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToDrop.userSecret | quote }} + key: DB_CONNECTION +{{- end }} + command: + - /tmp/db-drop.py + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: db-drop-sh + mountPath: /tmp/db-drop.py + subPath: db-drop.py + readOnly: true + +{{- if eq $dbToDropType "oslo" }} + - name: etc-service + mountPath: {{ dir $dbToDrop.configFile | quote }} + - name: db-drop-conf + mountPath: {{ $dbToDrop.configFile | quote }} + subPath: {{ base $dbToDrop.configFile | quote }} + readOnly: true + - name: db-drop-conf + mountPath: {{ $dbToDrop.logConfigFile | quote }} + subPath: {{ base $dbToDrop.logConfigFile 
| quote }} + readOnly: true +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: db-drop-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- $local := dict "configMapBinFirst" true -}} +{{- range $key1, $dbToDrop := $dbsToDrop }} +{{- $dbToDropType := default "oslo" $dbToDrop.inputType }} +{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }} +{{- $_ := set $local "configMapBinFirst" false }} + - name: etc-service + emptyDir: {} + - name: db-drop-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl new file mode 100644 index 0000000000..b8a1dce3b3 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl 
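Review bot: This job is a `pre-delete` hook that runs `/tmp/db-drop.py` with the database admin DSN (`ROOT_DB_CONNECTION` from `adminSecret`), so `helm uninstall` of the consuming chart irreversibly drops the service database, and the `backoffLimit` default of `"1000"` plus `hook-delete-policy: hook-succeeded` means a drop that keeps failing (DB already gone, network policy, TLS mismatch) spawns pods holding the admin credentials in their environment for a very long time and are never cleaned up. This file is a vendored copy of helm-toolkit, so I would not patch it here; instead make sure the masakari chart gates the drop job behind a `manifests` flag that defaults to off, and passes a small `backoffLimit` and an `activeDeadlineSeconds` when it calls `helm-toolkit.manifests.job_db_drop_mysql` (both are accepted parameters in this template). If local divergence from upstream is ever intended, `"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation` would at least stop stale failed hook pods from accumulating across re-runs.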
@@ -0,0 +1,170 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db creation and user management. +# It can be used in charts dict created similar to the following: +# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -} +# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" } +# +# If the service does not use oslo then the db can be managed with: +# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -} +# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -} +# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" } + +{{- define "helm-toolkit.manifests.job_db_init_mysql" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $dbToInit := index . 
"dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}} +{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} +{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }} + labels: +{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | 
indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $dbToInit := $dbsToInit }} +{{ $dbToInitType := default "oslo" $dbToInit.inputType }} + - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }} + image: {{ $envAll.Values.images.tags.db_init }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: ROOT_DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToInit.adminSecret | quote }} + key: DB_CONNECTION +{{- if eq $dbToInitType "oslo" }} + - name: OPENSTACK_CONFIG_FILE + value: {{ $dbToInit.configFile | quote }} + - name: OPENSTACK_CONFIG_DB_SECTION + value: {{ $dbToInit.configDbSection | quote }} + - name: OPENSTACK_CONFIG_DB_KEY + value: {{ $dbToInit.configDbKey | quote }} +{{- end }} +{{- if eq $dbToInitType "secret" }} + - name: DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToInit.userSecret | quote }} + key: DB_CONNECTION +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} + command: + - /tmp/db-init.py + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: db-init-sh + mountPath: /tmp/db-init.py + subPath: db-init.py + readOnly: true +{{- if eq $dbToInitType "oslo" }} + - name: etc-service + mountPath: {{ dir $dbToInit.configFile | quote }} + - name: db-init-conf + mountPath: {{ $dbToInit.configFile | quote }} + subPath: {{ base $dbToInit.configFile | quote }} + readOnly: true + - name: db-init-conf + mountPath: {{ $dbToInit.logConfigFile | quote }} + subPath: {{ base 
$dbToInit.logConfigFile | quote }} + readOnly: true +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: db-init-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- $local := dict "configMapBinFirst" true -}} +{{- range $key1, $dbToInit := $dbsToInit }} +{{- $dbToInitType := default "oslo" $dbToInit.inputType }} +{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }} +{{- $_ := set $local "configMapBinFirst" false }} + - name: etc-service + emptyDir: {} + - name: db-init-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl new file mode 100644 index 0000000000..4696c88fd2 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl 
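Review bot: The db-init pod spec (`serviceAccountName`, `restartPolicy`, image pull secrets, `nodeSelector`, tolerations, init/containers) never includes a pod or container security context, while the ks-user template further down in this patch does emit `{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}`; as a result the container that receives the DB admin DSN (`ROOT_DB_CONNECTION`) runs with whatever user and capabilities the `db_init` image defaults to, and any `pod.security_context.db_init` values a chart sets are presumably ignored (verify against the snippet). This mirrors the vendored helm-toolkit as far as I can tell, so the fix belongs upstream or should be recorded as a local divergence; the minimal change would be adding the same pod-level snippet with `"application" "db_init"` under `spec:` and the corresponding container-level snippet on the db-init container. The same observation applies to the db-drop and db-sync templates in this patch.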
@@ -0,0 +1,138 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db migration and management. +# It can be used in charts dict created similar to the following: +# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -} +# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" } + +{{- define "helm-toolkit.manifests.job_db_sync" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $podVolMounts := index . "podVolMounts" | default false -}} +{{- $podVols := index . "podVols" | default false -}} +{{- $podEnvVars := index . "podEnvVars" | default false -}} +{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}} +{{- $secretBin := index . 
"secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} +{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }} + labels: +{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: 
{{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }} + image: {{ $dbToSync.image | quote }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{- if $podEnvVars }} + env: +{{ $podEnvVars | toYaml | indent 12 }} +{{- end }} + command: + - /bin/bash + - -c + - /tmp/db-sync.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: db-sync-sh + mountPath: /tmp/db-sync.sh + subPath: db-sync.sh + readOnly: true + - name: etc-service + mountPath: {{ dir $dbToSync.configFile | quote }} + - name: db-sync-conf + mountPath: {{ $dbToSync.configFile | quote }} + subPath: {{ base $dbToSync.configFile | quote }} + readOnly: true + - name: db-sync-conf + mountPath: {{ $dbToSync.logConfigFile | quote }} + subPath: {{ base $dbToSync.logConfigFile | quote }} + readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- if $podVolMounts }} +{{ $podVolMounts | toYaml | indent 12 }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: db-sync-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: etc-service + emptyDir: {} + - name: db-sync-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- if $podVols }} +{{ $podVols | toYaml | indent 8 }} +{{- end }} +{{- end }} 
diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl new file mode 100644 index 0000000000..d69c9e6ec1 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl 
@@ -0,0 +1,131 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for keystone service management. +# It can be used in charts dict created similar to the following: +# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -} +# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" } + +{{- define "helm-toolkit.manifests.job_ks_endpoints" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $serviceTypes := index . "serviceTypes" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }} +{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: {{ $restartPolicy }} + {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" 
| indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $osServiceType := $serviceTypes }} +{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} + - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }} + image: {{ $envAll.Values.images.tags.ks_endpoints }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/ks-endpoints.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: ks-endpoints-sh + mountPath: /tmp/ks-endpoints.sh + subPath: ks-endpoints.sh + readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: OS_SVC_ENDPOINT + value: {{ $osServiceEndPoint | quote }} + - name: OS_SERVICE_NAME + value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }} + - name: OS_SERVICE_TYPE + value: {{ $osServiceType | quote }} + - name: OS_SERVICE_ENDPOINT + value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- end }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: ks-endpoints-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | 
indent 8 }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl new file mode 100644 index 0000000000..9604c63728 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl 
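Review bot: `OS_SERVICE_NAME` is rendered as a bare template expression (`value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`) while its siblings `OS_SVC_ENDPOINT`, `OS_SERVICE_TYPE` and `OS_SERVICE_ENDPOINT` are all piped through `| quote`; a service name that is empty or looks like a number or boolean to YAML would therefore render as a non-string env value and fail the Kubernetes `EnvVar` schema at apply time instead of being passed through as a string. The one-line fix is `value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | quote }}`. Since this is a vendored helm-toolkit copy, I would raise it upstream rather than edit it in this chart; the ks-service template in this patch has the same unquoted line.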
@@ -0,0 +1,125 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for keystone service management. +# It can be used in charts dict created similar to the following: +# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -} +# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" } + +{{- define "helm-toolkit.manifests.job_ks_service" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $serviceTypes := index . "serviceTypes" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_service" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }} +{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: {{ $restartPolicy }} + {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} 
+{{- end}} + initContainers: +{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $osServiceType := $serviceTypes }} + - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }} + image: {{ $envAll.Values.images.tags.ks_service }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/ks-service.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: ks-service-sh + mountPath: /tmp/ks-service.sh + subPath: ks-service.sh + readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: OS_SERVICE_NAME + value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }} + - name: OS_SERVICE_TYPE + value: {{ $osServiceType | quote }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: ks-service-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl new file mode 100644 index 0000000000..58dcdc5c6d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl 
@@ -0,0 +1,155 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for keystone user management. +# It can be used in charts dict created similar to the following: +# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" } +# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" } + +{{/* + # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml: + # example: + # values: | + # pod: + # security_context: + # ks_user: + # pod: + # runAsUser: 65534 + # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values: + # example: + # values: | + # pod: + # security_context: + # ks_user: + # container: + # ks-user: + # runAsUser: 65534 + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false +*/}} + +{{- define "helm-toolkit.manifests.job_ks_user" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $serviceUser := index . "serviceUser" | default $serviceName -}} +{{- $secretBin := index . 
"secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_user" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }} +{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} +{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: {{ $restartPolicy }} + {{ 
tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: ks-user + image: {{ $envAll.Values.images.tags.ks_user }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/ks-user.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: ks-user-sh + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: SERVICE_OS_SERVICE_NAME + value: {{ $serviceName | quote }} +{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }} +{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} +{{- end }} + - name: SERVICE_OS_ROLES + {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }} + {{- if kindIs "slice" $serviceOsRoles }} + value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }} + {{- else }} + value: {{ $serviceOsRoles | quote }} + {{- end }} + volumes: + - name: pod-tmp + 
emptyDir: {} + - name: ks-user-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl new file mode 100644 index 0000000000..2cfadafe32 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl 
@@ -0,0 +1,130 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.manifests.job_rabbit_init" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $serviceUser := index . "serviceUser" | default $serviceName -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}} +{{- $tlsSecret := index . 
"tlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} +{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }} + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: rabbit-init + image: {{ $envAll.Values.images.tags.rabbit_init | quote }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include 
"helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/rabbit-init.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: rabbit-init-sh + mountPath: /tmp/rabbit-init.sh + subPath: rabbit-init.sh + readOnly: true +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} + env: + - name: RABBITMQ_ADMIN_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $envAll.Values.secrets.oslo_messaging.admin }} + key: RABBITMQ_CONNECTION + - name: RABBITMQ_USER_CONNECTION + valueFrom: + secretKeyRef: + name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }} + key: RABBITMQ_CONNECTION +{{- if $envAll.Values.conf.rabbitmq }} + - name: RABBITMQ_AUXILIARY_CONFIGURATION + value: {{ toJson $envAll.Values.conf.rabbitmq | quote }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }} + - name: RABBITMQ_X509 + value: "REQUIRE X509" + - name: USER_CERT_PATH + value: {{ $tlsPath | quote }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: rabbit-init-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl new file mode 100644 index 0000000000..b5fdc09c32 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl 
@@ -0,0 +1,148 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for linking an s3 bucket to an s3 user. +# It can be used in charts dict created similar to the following: +# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" } +# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" } + +{{- define "helm-toolkit.manifests.job_s3_bucket" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}} +{{- $s3Bucket := index . "s3Bucket" | default $serviceName }} +{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}} +{{- $tlsCertificatePath := index . 
"tlsCertificatePath" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }} +{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }} + labels: +{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: s3-bucket + image: {{ $envAll.Values.images.tags.s3_bucket }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + 
command: + - /bin/bash + - -c + - /tmp/create-s3-bucket.sh + env: +{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }} +{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }} +{{- end }} +{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: s3-bucket-sh + mountPath: /tmp/create-s3-bucket.sh + subPath: create-s3-bucket.sh + readOnly: true + - name: etcceph + mountPath: /etc/ceph + - name: ceph-etc + mountPath: /etc/ceph/ceph.conf + subPath: ceph.conf + readOnly: true + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + mountPath: /tmp/client-keyring + subPath: key + readOnly: true + {{ end }} +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: {{ $tlsCertificateSecret }} + mountPath: {{ $tlsCertificatePath }} + subPath: ca.crt + readOnly: true +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: s3-bucket-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: etcceph + emptyDir: {} + - name: ceph-etc + configMap: + name: {{ $configMapCeph | quote }} + defaultMode: 0444 + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + secret: + secretName: pvc-ceph-client-key + {{ end }} +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: {{ $tlsCertificateSecret }} + secret: + secretName: {{ $tlsCertificateSecret }} + defaultMode: 292 +{{- end }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl new file mode 100644 index 0000000000..77d1a71e98 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl 
@@ -0,0 +1,160 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for s3 user management. +# It can be used in charts dict created similar to the following: +# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" } +# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" } + +{{- define "helm-toolkit.manifests.job_s3_user" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }} +{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }} + labels: +{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: ceph-keyring-placement + image: {{ $envAll.Values.images.tags.ceph_key_placement }} + 
imagePullPolicy: {{ $envAll.Values.images.pull_policy }} + command: + - /tmp/ceph-admin-keyring.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: etcceph + mountPath: /etc/ceph + - name: ceph-keyring-sh + mountPath: /tmp/ceph-admin-keyring.sh + subPath: ceph-admin-keyring.sh + readOnly: true + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + mountPath: /tmp/client-keyring + subPath: key + readOnly: true + {{ end }} + containers: + - name: s3-user + image: {{ $envAll.Values.images.tags.s3_user }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/create-s3-user.sh + env: +{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }} +{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }} +{{- end }} +{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }} + - name: RGW_HOST + value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: create-s3-user-sh + mountPath: /tmp/create-s3-user.sh + subPath: create-s3-user.sh + readOnly: true + - name: etcceph + mountPath: /etc/ceph + - name: ceph-etc + mountPath: /etc/ceph/ceph.conf + subPath: ceph.conf + readOnly: true + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + mountPath: /tmp/client-keyring + subPath: key + readOnly: true + {{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: create-s3-user-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: ceph-keyring-sh + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 
0555 + - name: etcceph + emptyDir: {} + - name: ceph-etc + configMap: + name: {{ $configMapCeph | quote }} + defaultMode: 0444 + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + secret: + secretName: pvc-ceph-client-key + {{ end }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl new file mode 100644 index 0000000000..0906df4c9e --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl 
@@ -0,0 +1,119 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for the image repo sync jobs. +# It can be used in charts dict created similar to the following: +# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -} +# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" } + +{{- define "helm-toolkit.manifests.job_image_repo_sync" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $podVolMounts := index . "podVolMounts" | default false -}} +{{- $podVols := index . "podVols" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }} +{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }} + labels: +{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: image-repo-sync +{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: LOCAL_REPO + value: "{{ 
tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" + - name: IMAGE_SYNC_LIST + value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}" + command: + - /bin/bash + - -c + - /tmp/image-repo-sync.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: bootstrap-sh + mountPath: /tmp/image-repo-sync.sh + subPath: image-repo-sync.sh + readOnly: true + - name: docker-socket + mountPath: /var/run/docker.sock +{{- if $podVolMounts }} +{{ $podVolMounts | toYaml | indent 12 }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: bootstrap-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: docker-socket + hostPath: + path: /var/run/docker.sock +{{- if $podVols }} +{{ $podVols | toYaml | indent 8 }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_network_policy.tpl new file mode 100644 index 0000000000..405197ab7c --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_network_policy.tpl 
@@ -0,0 +1,238 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a network policy manifest for services. +values: | + endpoints: + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP + network_policy: + myLabel: + podSelector: + matchLabels: + component: api + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - namespaceSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 +usage: | + {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }} + {{ dict "envAll" . 
"key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}} +return: | + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myLabel + component: api + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myApp + component: myComp + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 +*/}} + +{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} +{{- $envAll := index . "envAll" -}} +{{- $name := index . "name" -}} +{{- $labels := index . "labels" | default nil -}} +{{- $label := index . "key" | default (index . 
"label") -}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $label | replace "_" "-" }}-netpol + namespace: {{ $envAll.Release.Namespace }} +spec: +{{- if hasKey (index $envAll.Values "network_policy") $label }} + policyTypes: +{{- $is_egress := false -}} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_egress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }} + - Egress +{{ end -}} +{{- $is_ingress := false -}} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_ingress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} + - Ingress +{{ end -}} +{{- end }} + podSelector: + matchLabels: +{{- if empty $labels }} + {{ $name }}: {{ $label }} +{{- else }} +{{ range $k, $v := $labels }} + {{ $k }}: {{ $v }} +{{- end }} +{{- end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }} +{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }} +{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }} +{{ end }} +{{ end }} +{{ end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} + egress: +{{- range $key, $value := $envAll.Values.endpoints }} +{{- if kindIs "map" $value }} +{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }} + - to: +{{- if index $value "namespace" }} + - namespaceSelector: + matchLabels: + name: {{ index $value "namespace" }} +{{- else if index $value "hosts" }} +{{- $defaultValue := index $value "hosts" "internal" }} +{{- if hasKey (index $value "hosts") "internal" }} +{{- 
$a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- else }} +{{- $defaultValue := index $value "hosts" "default" }} +{{- $a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- end }} +{{- end }} +{{- if index $value "port" }} + ports: +{{- range $k, $v := index $value "port" }} +{{- if $k }} +{{- range $pk, $pv := $v }} +{{- if and $pv (ne $pk "protocol") }} + - port: {{ $pv }} + protocol: {{ $v.protocol | default "TCP" }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- if index $envAll.Values.network_policy $label "egress" }} +{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if index $envAll.Values.network_policy $label "ingress" }} + ingress: +{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl new file mode 100644 index 0000000000..7ad505b558 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl 
@@ -0,0 +1,78 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a authenticating a registry with a secret +examples: + - values: | + annotations: + secret: + oci_image_registry: + {{ $serviceName }}: + custom.tld/key: "value" + secrets: + oci_image_registry: + {{ $serviceName }}: {{ $keyName }} + endpoints: + oci_image_registry: + name: oci-image-registry + auth: + enabled: true + {{ $serviceName }}: + name: {{ $userName }} + password: {{ $password }} + usage: | + {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: {{ $secretName }} + annotations: + custom.tld/key: "value" + type: kubernetes.io/dockerconfigjson + data: + dockerconfigjson: {{ $dockerAuth }} +*/}} + +{{- define "helm-toolkit.manifests.secret_registry" }} +{{- $envAll := index . "envAll" }} +{{- $registryUser := index . 
"registryUser" }} +{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }} +{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{/* +We only use "host:port" when port is non-null, else just use "host" +*/}} +{{- $registryPort := "" }} +{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }} +{{- if $port }} +{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $registryPort = printf ":%s" $port }} +{{- end }} +{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }} +{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }} +{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + annotations: +{{ tuple "oci_image_registry" $registryUser $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ $dockerAuth }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl new file mode 100644 index 0000000000..c800340306 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl 
@@ -0,0 +1,119 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a services public tls secret +examples: + - values: | + annotations: + secret: + tls: + key_manager_api_public: + custom.tld/key: "value" + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + key_manager: + host_fqdn_override: + public: + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + usage: | + {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: barbican-tls-public + annotations: + custom.tld/key: "value" + type: kubernetes.io/tls + data: + tls.key: Rk9PLUtFWQo= + tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo= + + - values: | + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + key_manager: + host_fqdn_override: + public: + tls: + crt: | + FOO-CRT + FOO-INTERMEDIATE_CRT + FOO-CA_CRT + key: | + FOO-KEY + usage: | + {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: barbican-tls-public + type: kubernetes.io/tls + data: + tls.key: Rk9PLUtFWQo= + tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg== +*/}} + +{{- define "helm-toolkit.manifests.secret_ingress_tls" }} +{{- $envAll := index . "envAll" }} +{{- $endpoint := index . 
"endpoint" | default "public" }} +{{- $backendServiceType := index . "backendServiceType" }} +{{- $backendService := index . "backendService" | default "api" }} +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- if and $endpointHost.tls.key $endpointHost.tls.crt }} + +{{- $customAnnotationKey := printf "%s_%s_%s" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} + annotations: +{{ tuple "tls" $customAnnotationKey $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: kubernetes.io/tls +data: + tls.key: {{ $endpointHost.tls.key | b64enc }} +{{- if $endpointHost.tls.ca }} + tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }} +{{- else }} + tls.crt: {{ $endpointHost.tls.crt | b64enc }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/masakari/charts/helm-toolkit/templates/manifests/_service-ingress.tpl new file mode 100644 index 0000000000..d2e7c0e8b0 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/manifests/_service-ingress.tpl 
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000000..bf1465b238
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000000..08796d29c0
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "helm-toolkit.scripts.create_s3_user" }} +#!/bin/bash +set -e +function create_s3_user () { + echo "Creating s3 user and key pair" + radosgw-admin user create \ + --uid=${S3_USERNAME} \ + --display-name=${S3_USERNAME} \ + --key-type=s3 \ + --access-key ${S3_ACCESS_KEY} \ + --secret-key ${S3_SECRET_KEY} +} +function update_s3_user () { + # Retrieve old access keys, if they exist + old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \ + | jq -r '.keys[].access_key' || true) + + if [[ ! -z ${old_access_keys} ]]; then + for access_key in $old_access_keys; do + # If current access key is the same as the key supplied, do nothing. + if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then + echo "Current user and key pair exists." 
+ continue + else + # If keys differ, remove previous key + radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key + fi + done + fi + + # Perform one more additional check to account for scenarios where multiple + # key pairs existed previously, but one existing key was the supplied key + current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \ + | jq -r '.keys[].access_key' || true) + + # If the supplied key does not exist, modify the user + if [[ -z ${current_access_key} ]]; then + # Modify user with new access and secret keys + echo "Updating existing user's key pair" + radosgw-admin user modify \ + --uid=${S3_USERNAME}\ + --access-key ${S3_ACCESS_KEY} \ + --secret-key ${S3_SECRET_KEY} + fi +} +user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true) +if [[ -z ${user_exists} ]]; then + create_s3_user +else + update_s3_user +fi +{{- end }} \ No newline at end of file diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl new file mode 100644 index 0000000000..1e28da9caf --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl 
@@ -0,0 +1,152 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.db_drop" }} +#!/usr/bin/env python + +# Drops db and user for an OpenStack Service: +# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain +# SQLAlchemy strings for the root connection to the database and the one you +# wish the service to use. Alternatively, you can use an ini formatted config +# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string +# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by +# OPENSTACK_CONFIG_DB_SECTION. 
+ +import os +import sys +try: + import ConfigParser + PARSER_OPTS = {} +except ImportError: + import configparser as ConfigParser + PARSER_OPTS = {"strict": False} +import logging +from sqlalchemy import create_engine + +# Create logger, console handler and formatter +logger = logging.getLogger('OpenStack-Helm DB Drop') +logger.setLevel(logging.DEBUG) +ch = logging.StreamHandler() +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + +# Set the formatter and add the handler +ch.setFormatter(formatter) +logger.addHandler(ch) + + +# Get the connection string for the service db root user +if "ROOT_DB_CONNECTION" in os.environ: + db_connection = os.environ['ROOT_DB_CONNECTION'] + logger.info('Got DB root connection') +else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + +# Get the connection string for the service db +if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] + if "OPENSTACK_CONFIG_DB_SECTION" in os.environ: + os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set') + sys.exit(1) + if "OPENSTACK_CONFIG_DB_KEY" in os.environ: + os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set') + sys.exit(1) + try: + config = ConfigParser.RawConfigParser(**PARSER_OPTS) + logger.info("Using {0} as db config source".format(os_conf)) + config.read(os_conf) + logger.info("Trying to load db config from {0}:{1}".format( + os_conf_section, os_conf_key)) + user_db_conn = config.get(os_conf_section, os_conf_key) + logger.info("Got config from {0}".format(os_conf)) + except: + 
logger.critical("Tried to load config from {0} but failed.".format(os_conf)) + raise +elif "DB_CONNECTION" in os.environ: + user_db_conn = os.environ['DB_CONNECTION'] + logger.info('Got config from DB_CONNECTION env var') +else: + logger.critical('Could not get db config, either from config file or env var') + sys.exit(1) + +# Root DB engine +try: + root_engine_full = create_engine(db_connection) + root_user = root_engine_full.url.username + root_password = root_engine_full.url.password + drivername = root_engine_full.url.drivername + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( + host, port, root_user)) +except: + logger.critical('Could not connect to database as root user') + raise + +# User DB engine +try: + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username + password = user_engine.url.password + logger.info('Got user db config') +except: + logger.critical('Could not get user database config') + raise + +# Delete DB +try: + with root_engine.connect() as connection: + connection.execute("DROP DATABASE IF EXISTS {0}".format(database)) + try: + connection.commit() + except AttributeError: + pass + logger.info("Deleted database {0}".format(database)) +except: + logger.critical("Could not drop database {0}".format(database)) + raise + +# Delete DB User +try: + with root_engine.connect() as connection: + connection.execute("DROP USER IF EXISTS {0}".format(user)) + try: + connection.commit() + except AttributeError: + pass + logger.info("Deleted user {0}".format(user)) +except: + logger.critical("Could not delete user 
{0}".format(user)) + raise + +logger.info('Finished DB Management') +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_db-init.py.tpl new file mode 100644 index 0000000000..110cd98ebb --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_db-init.py.tpl 
@@ -0,0 +1,166 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.db_init" }} +#!/usr/bin/env python + +# Creates db and user for an OpenStack Service: +# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain +# SQLAlchemy strings for the root connection to the database and the one you +# wish the service to use. Alternatively, you can use an ini formatted config +# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string +# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by +# OPENSTACK_CONFIG_DB_SECTION. 
+ +import os +import sys +try: + import ConfigParser + PARSER_OPTS = {} +except ImportError: + import configparser as ConfigParser + PARSER_OPTS = {"strict": False} +import logging +from sqlalchemy import create_engine + +# Create logger, console handler and formatter +logger = logging.getLogger('OpenStack-Helm DB Init') +logger.setLevel(logging.DEBUG) +ch = logging.StreamHandler() +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + +# Set the formatter and add the handler +ch.setFormatter(formatter) +logger.addHandler(ch) + + +# Get the connection string for the service db root user +if "ROOT_DB_CONNECTION" in os.environ: + db_connection = os.environ['ROOT_DB_CONNECTION'] + logger.info('Got DB root connection') +else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + +# Get the connection string for the service db +if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] + if "OPENSTACK_CONFIG_DB_SECTION" in os.environ: + os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set') + sys.exit(1) + if "OPENSTACK_CONFIG_DB_KEY" in os.environ: + os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set') + sys.exit(1) + try: + config = ConfigParser.RawConfigParser(**PARSER_OPTS) + logger.info("Using {0} as db config source".format(os_conf)) + config.read(os_conf) + logger.info("Trying to load db config from {0}:{1}".format( + os_conf_section, os_conf_key)) + user_db_conn = config.get(os_conf_section, os_conf_key) + logger.info("Got config from {0}".format(os_conf)) + except: + 
logger.critical("Tried to load config from {0} but failed.".format(os_conf)) + raise +elif "DB_CONNECTION" in os.environ: + user_db_conn = os.environ['DB_CONNECTION'] + logger.info('Got config from DB_CONNECTION env var') +else: + logger.critical('Could not get db config, either from config file or env var') + sys.exit(1) + +# Root DB engine +try: + root_engine_full = create_engine(db_connection) + root_user = root_engine_full.url.username + root_password = root_engine_full.url.password + drivername = root_engine_full.url.drivername + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( + host, port, root_user)) +except: + logger.critical('Could not connect to database as root user') + raise + +# User DB engine +try: + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username + password = user_engine.url.password + logger.info('Got user db config') +except: + logger.critical('Could not get user database config') + raise + +# Create DB +try: + with root_engine.connect() as connection: + connection.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database)) + try: + connection.commit() + except AttributeError: + pass + logger.info("Created database {0}".format(database)) +except: + logger.critical("Could not create database {0}".format(database)) + raise + +# Create DB User +try: + with root_engine.connect() as connection: + connection.execute( + "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format( + user, password, mysql_x509)) + connection.execute( + "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, 
user)) + try: + connection.commit() + except AttributeError: + pass + logger.info("Created user {0} for {1}".format(user, database)) +except: + logger.critical("Could not create user {0} for {1}".format(user, database)) + raise + +# Test connection +try: + connection = user_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format( + host, port, database, user)) +except: + logger.critical('Could not connect to database as user') + raise + +logger.info('Finished DB Management') +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl new file mode 100644 index 0000000000..4d7dfaa378 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl 
@@ -0,0 +1,69 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- define "helm-toolkit.scripts.pg_db_init" }} +#!/bin/bash +set -ex + +if [[ ! -v DB_HOST ]]; then + echo "environment variable DB_HOST not set" + exit 1 +elif [[ ! -v DB_ADMIN_USER ]]; then + echo "environment variable DB_ADMIN_USER not set" + exit 1 +elif [[ ! -v PGPASSWORD ]]; then + echo "environment variable PGPASSWORD not set" + exit 1 +elif [[ ! -v DB_PORT ]]; then + echo "environment variable DB_PORT not set" + exit 1 +elif [[ ! -v USER_DB_USER ]]; then + echo "environment variable USER_DB_USER not set" + exit 1 +elif [[ ! -v USER_DB_PASS ]]; then + echo "environment variable USER_DB_PASS not set" + exit 1 +elif [[ ! -v USER_DB_NAME ]]; then + echo "environment variable USER_DB_NAME not set" + exit 1 +else + echo "Got DB connection info" +fi + +pgsql_superuser_cmd () { + DB_COMMAND="$1" + if [[ ! -z $2 ]]; then + EXPORT PGDATABASE=$2 + fi + /usr/bin/psql \ + -h ${DB_HOST} \ + -p ${DB_PORT} \ + -U ${DB_ADMIN_USER} \ + --command="${DB_COMMAND}" +} + +#create db +pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME" + +#create db user +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \ + pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" + +#Set password everytime. 
This is required for cases when we would want password rotation to take effect and set the updated password for a user. +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'" + +#give permissions to user +pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;" + +#revoke all privileges from PUBLIC role +pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;" +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl new file mode 100644 index 0000000000..e41abe3275 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl @@ -0,0 +1,24 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.image_repo_sync" }} +#!/bin/sh +set -ex + +IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do + docker pull ${IMAGE} + docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE} + docker push ${LOCAL_REPO}/${IMAGE} +done +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl new file mode 100644 index 0000000000..8755cd5f34 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl 
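Review bot: The script runs under `set -ex`, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` statements are traced with the plaintext password into the job's stdout, which lands in pod logs and whatever aggregates them. The `_ks-user.sh.tpl` script added in this same change brackets its password step with `set +x` / `set -x`; do the same here around the two password statements. Separately, `$USER_DB_PASS` is interpolated into a single-quoted SQL literal unescaped, so a password containing `'` breaks the statement (or lets a crafted secret value alter it); doubling the quotes first, `USER_DB_PASS_SQL=${USER_DB_PASS//\'/\'\'}`, and using that in both statements closes this. Minor: `EXPORT PGDATABASE=$2` is not a bash builtin (`export` is lowercase), so that branch would fail with command-not-found if `pgsql_superuser_cmd` were ever called with a second argument, which nothing in this file does.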
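Review bot: Every entry in `IMAGE_SYNC_LIST` is pulled by its mutable tag and re-pushed under `${LOCAL_REPO}`, so what the local repo ends up serving depends on where the upstream tag pointed when the job ran, and nothing records which digest was copied. At minimum log the resolved digest after the pull, e.g. `docker image inspect --format '{{index .RepoDigests 0}}' "${IMAGE}"`, so a later audit can tie the local tag back to an upstream digest; accepting `name@sha256:...` entries would be stronger, but as far as I recall `docker tag` refuses a digest reference as the target, so the tag step would need adjusting. `${IMAGE}` and `${LOCAL_REPO}` are also unquoted; harmless for well-formed references, but worth tightening to `"${IMAGE}"`.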
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ +set -ex + +# Manage domain +SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \ + "${SERVICE_OS_DOMAIN_NAME}") + +# Display domain +openstack domain show "${SERVICE_OS_DOMAIN_ID}" + +# Manage user +SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \ + --domain="${SERVICE_OS_DOMAIN_ID}" \ + --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \ + --password="${SERVICE_OS_PASSWORD}" \ + "${SERVICE_OS_USERNAME}") + +# Manage user password (we do this to ensure the password is updated if required) +openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}" + +# Display user +openstack user show "${SERVICE_OS_USERID}" + +# Manage role +SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \ + "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \ + "${SERVICE_OS_ROLE}" ) + +# Manage user role assignment +openstack role add \ + --domain="${SERVICE_OS_DOMAIN_ID}" \ + --user="${SERVICE_OS_USERID}" \ + --user-domain="${SERVICE_OS_DOMAIN_ID}" \ + "${SERVICE_OS_ROLE_ID}" + +# Display user role assignment +openstack role assignment list \ + --role="${SERVICE_OS_ROLE_ID}" \ + --user-domain="${SERVICE_OS_DOMAIN_ID}" \ + --user="${SERVICE_OS_USERID}" +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl new file mode 100644 index 0000000000..e400bcd55d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl 
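Review bot: With `set -ex` in effect, both `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}"` are traced with the plaintext service password into the job output. The `_ks-user.sh.tpl` script in this same change already handles this by bracketing the password step with `set +x` / `set -x` and printing a redacted line; the domain-user variant should do the same, and can drop `--password` from the `user create --or-show` call since, per this script's own comment, the following `user set` is what guarantees the password is current. Proposed replacement for the `user set` line: `set +x; echo "Setting user password via: openstack user set --password=xxxxxxx ${SERVICE_OS_USERID}"; openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"; set -x`.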
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ +set -ex + +# Get Service ID +OS_SERVICE_ID=$( openstack service list -f csv --quote none | \ + grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \ + sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" ) + +# Get Endpoint ID if it exists +OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \ + grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \ + awk -F ',' '{ print $1 }' ) + +# Making sure only a single endpoint exists for a service within a region +if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then + echo "More than one endpoint found, cleaning up" + for ENDPOINT_ID in $OS_ENDPOINT_ID; do + openstack endpoint delete ${ENDPOINT_ID} + done + unset OS_ENDPOINT_ID +fi + +# Determine if Endpoint needs updated +if [[ ${OS_ENDPOINT_ID} ]]; then + OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url) + if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then + echo "Endpoints Match: no action required" + OS_ENDPOINT_UPDATE="False" + else + echo "Endpoints Dont Match: removing existing entries" + openstack endpoint delete ${OS_ENDPOINT_ID} + OS_ENDPOINT_UPDATE="True" + fi +else + OS_ENDPOINT_UPDATE="True" +fi + +# Update Endpoint if required +if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then + OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \ + --region="${OS_REGION_NAME}" \ + "${OS_SERVICE_ID}" \ + ${OS_SVC_ENDPOINT} \ + "${OS_SERVICE_ENDPOINT}" ) +fi + +# Display the Endpoint +openstack endpoint show ${OS_ENDPOINT_ID} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl new file mode 100644 index 0000000000..8356b36230 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl 
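Review bot: `OS_SERVICE_ID` is passed straight into `openstack endpoint create` without checking that the service lookup returned exactly one value. The lookup is the same `service list | grep | sed` pipeline whose transient failure the companion `_ks-service.sh.tpl` documents, and `set -e` does not fail on a command substitution whose last pipeline stage (`sed`) succeeds, so an empty or multi-line `OS_SERVICE_ID` reaches `endpoint create` and fails there with a far less useful error. Add a guard right after the lookup: `[[ -n "${OS_SERVICE_ID}" && $(echo "${OS_SERVICE_ID}" | wc -w) -eq 1 ]] || { echo "Service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found or ambiguous"; exit 1; }`. Enabling `set -o pipefail` next to `set -ex` would also make a failed `openstack service list` visible instead of being masked by `grep`/`sed`.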
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_service" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -ex + +# Service boilerplate description +OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service" + +# Get Service ID if it exists +unset OS_SERVICE_ID + +# FIXME - There seems to be an issue once in a while where the +# openstack service list fails and encounters an error message such as: +# Unable to establish connection to +# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens: +# ('Connection aborted.', OSError("(104, 'ECONNRESET')",)) +# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank +# and it would attempt to create a new service when it was not needed. 
+# This duplciate service would sometimes be used by other services such as +# Horizon and would give an 'Invalid Service Catalog' error. +# This loop allows for a 'retry' of the openstack service list in an +# attempt to get the service list as expected if it does ecounter an error. +# This loop and recheck can be reverted once the underlying issue is addressed. + +# If OS_SERVICE_ID is blank then wait a few seconds to give it +# additional time and try again +for i in $(seq 3) +do + OS_SERVICE_ID=$( openstack service list -f csv --quote none | \ + grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \ + sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" ) + + # If the service was found, go ahead and exit successfully. + if [[ -n "${OS_SERVICE_ID}" ]]; then + exit 0 + fi + + sleep 2 +done + +# If we've reached this point and a Service ID was not found, +# then create the service +OS_SERVICE_ID=$(openstack service create -f value -c id \ + --name="${OS_SERVICE_NAME}" \ + --description "${OS_SERVICE_DESC}" \ + --enable \ + "${OS_SERVICE_TYPE}") +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl new file mode 100644 index 0000000000..b45f798340 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl 
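Review bot: The retry loop cannot tell "service list succeeded and the service is absent" from "service list failed", because `set -e` does not propagate a failure of `openstack service list` inside the `$( ... | grep | sed )` substitution and the trailing `sed` masks its status. After three attempts the script falls through to `openstack service create` regardless, which, if keystone is still unreachable rather than the service genuinely missing, is exactly the duplicate-service scenario the FIXME above describes. Capture the list as its own command, treat a failed list as a retry, and refuse to create the service unless at least one list call succeeded; a sketch of the rewritten loop follows (the `service create` call after it is unchanged).
```bash
LIST_OK="false"
for i in $(seq 3)
do
  # A failed list must not be mistaken for an absent service.
  if SVC_LIST=$(openstack service list -f csv --quote none); then
    LIST_OK="true"
    OS_SERVICE_ID=$( echo "${SVC_LIST}" | \
      grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
      sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
    if [[ -n "${OS_SERVICE_ID}" ]]; then
      exit 0
    fi
  fi
  sleep 2
done

if [[ "${LIST_OK}" != "true" ]]; then
  echo "Could not list keystone services; refusing to create ${OS_SERVICE_NAME}"
  exit 1
fi
# … unchanged: openstack service create …
```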
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ +set -ex + +shopt -s nocasematch + +if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]] +then + PROJECT_DOMAIN_ID="default" +else + # Manage project domain + PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \ + "${SERVICE_OS_PROJECT_DOMAIN_NAME}") +fi + +if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]] +then + USER_DOMAIN_ID="default" +else + # Manage user domain + USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \ + "${SERVICE_OS_USER_DOMAIN_NAME}") +fi + +shopt -u nocasematch + +# Manage user project +USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" +USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \ + --domain="${PROJECT_DOMAIN_ID}" \ + --description="${USER_PROJECT_DESC}" \ + "${SERVICE_OS_PROJECT_NAME}"); + +# Manage user +USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}" +USER_ID=$(openstack user create --or-show --enable -f value -c id \ + --domain="${USER_DOMAIN_ID}" \ + --project-domain="${PROJECT_DOMAIN_ID}" \ + --project="${USER_PROJECT_ID}" \ + --description="${USER_DESC}" \ + "${SERVICE_OS_USERNAME}"); + +# Manage user password (we do this in a seperate step to ensure the password is updated if required) +set +x +echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}" +openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}" +set -x + +function ks_assign_user_role () { + if [[ "$SERVICE_OS_ROLE" == "admin" ]] + then + USER_ROLE_ID="$SERVICE_OS_ROLE" + else + USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}"); + fi + + # Manage user role assignment + openstack role add \ + --user="${USER_ID}" \ + 
--user-domain="${USER_DOMAIN_ID}" \ + --project-domain="${PROJECT_DOMAIN_ID}" \ + --project="${USER_PROJECT_ID}" \ + "${USER_ROLE_ID}" +} + +# Manage user service role +IFS=',' +for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do + ks_assign_user_role +done + +# Manage user member role +: ${MEMBER_OS_ROLE:="member"} +export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \ + "${MEMBER_OS_ROLE}"); +ks_assign_user_role +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl new file mode 100644 index 0000000000..3739f9554d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl 
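Review bot: The final `ks_assign_user_role` call does not grant `${MEMBER_OS_ROLE}`: the function's first lines recompute `USER_ROLE_ID` from `$SERVICE_OS_ROLE`, so the `USER_ROLE_ID` exported just before the call is overwritten with the ID of whichever role came last in `SERVICE_OS_ROLES`, and that role is simply assigned a second time. As far as these lines show the member role is therefore never added; if consumers rely on it (the `MEMBER_OS_ROLE` default suggests they do) that is a silent authorization gap that only surfaces as a permission failure later. Make the role name an argument so both call sites take the same path, and restore `IFS` after the loop since it is otherwise left as `,` for the rest of the script; the rewritten pieces follow.
```bash
function ks_assign_user_role () {
  local ROLE_NAME="$1"
  if [[ "${ROLE_NAME}" == "admin" ]]
  then
    USER_ROLE_ID="${ROLE_NAME}"
  else
    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${ROLE_NAME}");
  fi
  # … unchanged: openstack role add … "${USER_ROLE_ID}" …
}

# Manage user service role
OLD_IFS="${IFS}"
IFS=','
for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
  ks_assign_user_role "${SERVICE_OS_ROLE}"
done
IFS="${OLD_IFS}"

# Manage user member role
: ${MEMBER_OS_ROLE:="member"}
ks_assign_user_role "${MEMBER_OS_ROLE}"
```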
@@ -0,0 +1,111 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.rabbit_init" }} +#!/bin/bash +set -e +# Extract connection details +RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $1}') +RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $2}') + +# Extract Admin User creadential +RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $4}') +RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $5}') + +# Extract User creadential +RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $4}') +RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $5}') + +# Extract User vHost +RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $3}') +# Resolve vHost to / if no value is set +RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}" + +function rabbitmqadmin_cli () { + if [ -n "$RABBITMQ_X509" ] + then + rabbitmqadmin \ + --ssl \ + --ssl-disable-hostname-verification \ + --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \ + --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \ + --ssl-key-file="${USER_CERT_PATH}/tls.key" \ + --host="${RABBIT_HOSTNAME}" \ 
+ --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + else + rabbitmqadmin \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + fi +} + +echo "Managing: User: ${RABBITMQ_USERNAME}" +rabbitmqadmin_cli \ + declare user \ + name="${RABBITMQ_USERNAME}" \ + password="${RABBITMQ_PASSWORD}" \ + tags="user" + +echo "Deleting Guest User" +rabbitmqadmin_cli \ + delete user \ + name="guest" || true + +if [ "${RABBITMQ_VHOST}" != "/" ] +then + echo "Managing: vHost: ${RABBITMQ_VHOST}" + rabbitmqadmin_cli \ + declare vhost \ + name="${RABBITMQ_VHOST}" +else + echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}" +fi + +echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}" +rabbitmqadmin_cli \ + declare permission \ + vhost="${RABBITMQ_VHOST}" \ + user="${RABBITMQ_USERNAME}" \ + configure=".*" \ + write=".*" \ + read=".*" + +if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ] +then + echo "Applying additional configuration" + echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json + rabbitmqadmin_cli import /tmp/rmq_definitions.json +fi + +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl new file mode 100644 index 0000000000..c08d320755 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl 
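Review bot: In the TLS branch of `rabbitmqadmin_cli` the `--ssl-disable-hostname-verification` flag means the admin credentials are sent to any endpoint presenting a certificate chained to `${USER_CERT_PATH}/ca.crt`, not only the host parsed out of `RABBITMQ_ADMIN_CONNECTION`. If the broker certificate's SAN does not match `RABBIT_HOSTNAME` that is the thing to fix; otherwise drop the flag, or at least gate it on an explicit opt-in such as `${RABBITMQ_SSL_SKIP_HOSTNAME_VERIFY:+--ssl-disable-hostname-verification}` so the default path verifies the hostname. A second caveat: the username/password fields are split with `awk -F'[//:]'` on fixed field positions and never URL-decoded, so a password containing `:`, `/` or `@` (or percent-encoded characters) is truncated or mangled and the wrong secret gets declared for the user, which is worth a comment on the extraction block or a stricter parser.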
@@ -0,0 +1,88 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.rally_test" -}} +#!/bin/bash +set -ex +{{- $rallyTests := index . 0 }} + +: "${RALLY_ENV_NAME:="openstack-helm"}" +: "${OS_INTERFACE:="public"}" +: "${RALLY_CLEANUP:="true"}" + +if [ "x$RALLY_CLEANUP" == "xtrue" ]; then + function rally_cleanup { + openstack user delete \ + --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \ + "${SERVICE_OS_USERNAME}" +{{ $rallyTests.clean_up | default "" | indent 4 }} + } + trap rally_cleanup EXIT +fi + +function create_or_update_db () { + revisionResults=$(rally db revision) + if [ $revisionResults = "None" ] + then + rally db create + else + rally db upgrade + fi +} + +create_or_update_db + +cat > /tmp/rally-config.json << EOF +{ + "openstack": { + "auth_url": "${OS_AUTH_URL}", + "region_name": "${OS_REGION_NAME}", + "endpoint_type": "${OS_INTERFACE}", + "admin": { + "username": "${OS_USERNAME}", + "password": "${OS_PASSWORD}", + "user_domain_name": "${OS_USER_DOMAIN_NAME}", + "project_name": "${OS_PROJECT_NAME}", + "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}" + }, + "users": [ + { + "username": "${SERVICE_OS_USERNAME}", + "password": "${SERVICE_OS_PASSWORD}", + "project_name": "${SERVICE_OS_PROJECT_NAME}", + "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}", + "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}" + } + ], + "https_insecure": false, + "https_cacert": "${OS_CACERT}" + } +} +EOF +rally deployment create --file 
/tmp/rally-config.json --name "${RALLY_ENV_NAME}" +rm -f /tmp/rally-config.json +rally deployment use "${RALLY_ENV_NAME}" +rally deployment check +{{- if $rallyTests.run_tempest }} +rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest +SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')" +rally verify start --pattern "tempest.api.${SERVICE_TYPE}*" +rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force +{{- end }} +rally task validate /etc/rally/rally_tests.yaml +rally task start /etc/rally/rally_tests.yaml +rally task sla-check +rally env cleanup +rally deployment destroy --deployment "${RALLY_ENV_NAME}" +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl new file mode 100644 index 0000000000..695cb2e477 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl 
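Review bot: `/tmp/rally-config.json` holds the admin and service passwords in cleartext and is only removed on the success path after `rally deployment create`; under `set -e` a failure anywhere between the heredoc and that `rm -f` leaves the file on disk, and the `rally_cleanup` trap does not remove it. Create it with a restrictive mode and tie its removal to the EXIT trap: `umask 077` before the `cat > /tmp/rally-config.json` heredoc, and `rm -f /tmp/rally-config.json` added to `rally_cleanup` (with a plain `trap 'rm -f /tmp/rally-config.json' EXIT` in the branch where `RALLY_CLEANUP` is not `true`). Minor: `if [ $revisionResults = "None" ]` is unquoted, so an empty `rally db revision` output turns the test into a syntax error rather than a clean branch; quote it as `"$revisionResults"`.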
@@ -0,0 +1,701 @@ +{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }} +#!/bin/bash + +# This file contains a database backup framework which database scripts +# can use to perform a backup. The idea here is that the database-specific +# functions will be implemented by the various databases using this script +# (like mariadb, postgresql or etcd for example). The database-specific +# script will need to first "source" this file like this: +# source /tmp/backup_main.sh +# +# Then the script should call the main backup function (backup_databases): +# backup_databases [scope] +# [scope] is an optional parameter, defaulted to "all". If only one specific +# database is required to be backed up then this parameter will +# contain the name of the database; otherwise all are backed up. +# +# The framework will require the following variables to be exported: +# +# export DB_NAMESPACE Namespace where the database(s) reside +# export DB_NAME Name of the database system +# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups +# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups +# export ARCHIVE_DIR Local location where the backup tarballs should +# be stored. (full directory path) +# export BACK_UP_MODE Determines the mode of backup taken. +# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false +# otherwise +# export CONTAINER_NAME Name of the container on the RGW to store +# the backup tarball. +# export STORAGE_POLICY Name of the storage policy defined on the +# RGW which is intended to store backups. 
+# RGW access variables: +# export OS_REGION_NAME Name of the region the RGW resides in +# export OS_AUTH_URL Keystone URL associated with the RGW +# export OS_PROJECT_NAME Name of the project associated with the +# keystone user +# export OS_USERNAME Name of the keystone user +# export OS_PASSWORD Password of the keystone user +# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to +# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to +# export OS_IDENTITY_API_VERSION Keystone API version to use +# +# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote +# in case of any temporary failures. +# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup +# to remote to stagger backups being sent to RGW +# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup +# to remote to stagger backups being sent to RGW. +# A random number between min and max delay is generated +# to set the delay. +# +# RGW backup throttle limits variables: +# export THROTTLE_BACKUPS_ENABLED Boolean variableto control backup functionality +# export THROTTLE_LIMIT Number of simultaneous RGW upload sessions +# export THROTTLE_LOCK_EXPIRE_AFTER Time in seconds to expire flag file is orphaned +# export THROTTLE_RETRY_AFTER Time in seconds to wait before retry +# export THROTTLE_CONTAINER_NAME Name of RGW container to place flag falies into +# +# The database-specific functions that need to be implemented are: +# dump_databases_to_directory [scope] +# where: +# is the full directory path to dump the database files +# into. This is a temporary directory for this backup only. +# is the full directory path where error logs are to be +# written by the application. +# [scope] set to "all" if all databases are to be backed up; or +# set to the name of a specific database to be backed up. +# This optional parameter is defaulted to "all". 
+# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to dump the database file(s) to the specified +# directory path. If this function completes successfully (returns 0), the +# framework will automatically tar/zip the files in that directory and +# name the tarball appropriately according to the proper conventions. +# +# verify_databases_backup_archives [scope] +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to verify the database backup archives. If this function +# completes successfully (returns 0), the +# framework will automatically starts remote backup upload. +# +# +# The functions in this file will take care of: +# 1) Calling "dump_databases_to_directory" and then compressing the files, +# naming the tarball properly, and then storing it locally at the specified +# local directory. +# 2) Sending the tarball built to the remote gateway, to be stored in the +# container configured to store database backups. +# 3) Removing local backup tarballs which are older than the number of days +# specified by the "LOCAL_DAYS_TO_KEEP" variable. +# 4) Removing remote backup tarballs (from the remote gateway) which are older +# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable. +# 5) Controlling remote storage gateway load from client side and throttling it +# by using a dedicated RGW container to store flag files defining upload session +# in progress +# +# Note: not using set -e in this script because more elaborate error handling +# is needed. 
+ +log_backup_error_exit() { + MSG=$1 + ERRCODE=${2:-0} + log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}" + rm -f $ERR_LOG_FILE + rm -rf $TMP_DIR + exit 0 +} + +log_verify_backup_exit() { + MSG=$1 + ERRCODE=${2:-0} + log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}" + rm -f $ERR_LOG_FILE + # rm -rf $TMP_DIR + exit 0 +} + + +log() { + #Log message to a file or stdout + #TODO: This can be convert into mail alert of alert send to a monitoring system + #Params: $1 log level + #Params: $2 service + #Params: $3 message + #Params: $4 Destination + LEVEL=$1 + SERVICE=$2 + MSG=$3 + DEST=$4 + DATE=$(date +"%m-%d-%y %H:%M:%S") + if [[ -z "$DEST" ]]; then + echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" + else + echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST + fi +} + +# Generate a random number between MIN_DELAY_SEND_REMOTE and +# MAX_DELAY_SEND_REMOTE +random_number() { + diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1)) + echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} )) +} + +#Get the day delta since the archive file backup +seconds_difference() { + ARCHIVE_DATE=$( date --date="$1" +%s ) + if [[ $? -ne 0 ]]; then + SECOND_DELTA=0 + fi + CURRENT_DATE=$( date +%s ) + SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE)) + if [[ "$SECOND_DELTA" -lt 0 ]]; then + SECOND_DELTA=0 + fi + echo $SECOND_DELTA +} + +# Send the specified tarball file at the specified filepath to the +# remote gateway. +send_to_remote_server() { + FILEPATH=$1 + FILE=$2 + + # Grab the list of containers on the remote site + RESULT=$(openstack container list 2>&1) + + if [[ $? -eq 0 ]]; then + echo $RESULT | grep $CONTAINER_NAME + if [[ $? -ne 0 ]]; then + # Find the swift URL from the keystone endpoint list + SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}') + if [[ $? 
-ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog." + return 2 + fi + + # Get a token from keystone + TOKEN=$(openstack token issue -f value -c id) + if [[ $? -ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to get keystone token." + return 2 + fi + + # Create the container + RES_FILE=$(mktemp -p /tmp) + curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \ + -H "X-Auth-Token: ${TOKEN}" \ + -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE + + if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then + log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}" + cat $RES_FILE + rm -f $RES_FILE + return 2 + fi + rm -f $RES_FILE + + swift stat $CONTAINER_NAME + if [[ $? -ne 0 ]]; then + log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation." + return 2 + fi + fi + else + echo $RESULT | grep -E "HTTP 401|HTTP 403" + if [[ $? -eq 0 ]]; then + log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}" + return 1 + else + echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50" + if [[ $? -eq 0 ]]; then + log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}" + # In this case, keystone or the site/node may be temporarily down. + # Return slightly different error code so the calling code can retry + return 2 + else + log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}" + return 1 + fi + fi + fi + + # load balance delay + DELAY=$((1 + ${RANDOM} % 30)) + echo "Sleeping for ${DELAY} seconds to spread the load in time..." 
+ sleep ${DELAY}
+
+ #---------------------------------------------------------------------------
+ # Remote backup throttling
+ export THROTTLE_BACKUPS_ENABLED=$(echo $THROTTLE_BACKUPS_ENABLED | sed 's/"//g')
+ if $THROTTLE_BACKUPS_ENABLED; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export THROTTLE_LIMIT=$(echo $THROTTLE_LIMIT | sed 's/"//g')
+ export THROTTLE_LOCK_EXPIRE_AFTER=$(echo $THROTTLE_LOCK_EXPIRE_AFTER | sed 's/"//g')
+ export THROTTLE_RETRY_AFTER=$(echo $THROTTLE_RETRY_AFTER | sed 's/"//g')
+ export THROTTLE_CONTAINER_NAME=$(echo $THROTTLE_CONTAINER_NAME | sed 's/"//g')
+
+ # load balance delay
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $THROTTLE_CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${THROTTLE_CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${THROTTLE_CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $THROTTLE_CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${THROTTLE_CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ NUMBER_OF_SESSIONS=$(openstack object list $THROTTLE_CONTAINER_NAME -f value | wc -l)
+ log INFO "${DB_NAME}_backup" "There are ${NUMBER_OF_SESSIONS} remote sessions right now."
+ while [[ ${NUMBER_OF_SESSIONS} -ge ${THROTTLE_LIMIT} ]]
+ do
+ log INFO "${DB_NAME}_backup" "Current number of active uploads is ${NUMBER_OF_SESSIONS}>=${THROTTLE_LIMIT}!"
+ log INFO "${DB_NAME}_backup" "Retrying in ${THROTTLE_RETRY_AFTER} seconds...."
+ sleep ${THROTTLE_RETRY_AFTER}
+ NUMBER_OF_SESSIONS=$(openstack object list $THROTTLE_CONTAINER_NAME -f value | wc -l)
+ log INFO "${DB_NAME}_backup" "There are ${NUMBER_OF_SESSIONS} remote sessions right now."
+ done
+
+ # Create a lock file in THROTTLE_CONTAINER
+ THROTTLE_FILEPATH=$(mktemp -d)
+ THROTTLE_FILE=${CONTAINER_NAME}.lock
+ date +%s > $THROTTLE_FILEPATH/$THROTTLE_FILE
+
+ # Create an object to store the file
+ openstack object create --name $THROTTLE_FILE $THROTTLE_CONTAINER_NAME $THROTTLE_FILEPATH/$THROTTLE_FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create throttle container object ${THROTTLE_FILE}!"
+ return 2
+ fi
+
+ swift post $THROTTLE_CONTAINER_NAME $THROTTLE_FILE -H "X-Delete-After:${THROTTLE_LOCK_EXPIRE_AFTER}"
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot set throttle container object ${THROTTLE_FILE} expiration header!"
+ return 2
+ fi
+ openstack object show $THROTTLE_CONTAINER_NAME $THROTTLE_FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve throttle container object $THROTTLE_FILE after creation."
+ return 2
+ fi
+ fi
+
+ #---------------------------------------------------------------------------
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Remote backup verification
+ MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag")
+ MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}."
+ if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values"
+ return 2
+ fi
+ rm -f ${REMOTE_FILE}
+
+ #---------------------------------------------------------------------------
+ # Remote backup throttling
+ export THROTTLE_BACKUPS_ENABLED=$(echo $THROTTLE_BACKUPS_ENABLED | sed 's/"//g')
+ if $THROTTLE_BACKUPS_ENABLED; then
+ # Remove flag file
+ # Delete an object to remove the flag file
+ openstack object delete $THROTTLE_CONTAINER_NAME $THROTTLE_FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot delete throttle container object ${THROTTLE_FILE}"
+ return 0
+ else
+ log INFO "${DB_NAME}_backup" "The throttle container object ${THROTTLE_FILE} has been successfully removed."
+ fi
+ rm -f ${THROTTLE_FILEPATH}/${THROTTLE_FILE}
+ fi
+
+ #---------------------------------------------------------------------------
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: ....tar.gz
+# the new one: .....tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# . to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000000..093dd2cc9b
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl 
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main
+# where:
+# is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# is the name of the database to get the tables from
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# is the name of the table to get the rows from
+# is the name of the database the table resides in
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# is the name of the table to get the schema from
+# is the name of the database the table resides in
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# is the name of the database to be restored
+# is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases [remote]"
+ echo "list_tables [remote]"
+ echo "list_rows [remote]"
+ echo "list_schema [remote]"
+ echo "restore [remote]"
+ echo " where = | ALL"
+ echo "delete_archive [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR + + # Create temp directory for a staging area to decompress files into + export TMP_DIR=$(mktemp -d) + + # Create a temp file for storing list of databases (if needed) + export RESULT_FILE=$(mktemp -p /tmp) + + case "${ARGS[0]}" in + "help") + usage 0 + ;; + + "list_archives") + if [[ ${#ARGS[@]} -gt 2 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 1 ]]; then + list_archives + else + list_archives ${ARGS[1]} + fi + clean_and_exit 0 + ;; + + "list_databases") + if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 2 ]]; then + list_databases ${ARGS[1]} + else + list_databases ${ARGS[1]} ${ARGS[2]} + fi + ;; + + "list_tables") + if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 3 ]]; then + list_tables ${ARGS[1]} ${ARGS[2]} + else + list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} + fi + ;; + + "list_rows") + if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 4 ]]; then + list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} + else + list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]} + fi + ;; + + "list_schema") + if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 4 ]]; then + list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} + else + list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]} + fi + ;; + + "restore") + REMOTE="" + if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 4 ]]; then + REMOTE=${ARGS[3]} + fi + + ARCHIVE=${ARGS[1]} + DB_SPEC=${ARGS[2]} + + #Get all the databases in that archive + get_archive $ARCHIVE $REMOTE + + if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then + # Expectation is that the database listing will be put into + # the given file one database per line + get_databases $TMP_DIR $RESULT_FILE + if [[ "$?" -ne 0 ]]; then + clean_and_exit 1 "ERROR: Could not get the list of databases to restore." + fi + + if [[ ! 
$DB_NAMESPACE == "kube-system" ]]; then + #check if the requested database is available in the archive + database_exists $DB_SPEC + if [[ $? -ne 1 ]]; then + clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist." + fi + fi + + echo "Restoring Database $DB_SPEC And Grants" + restore_single_db $DB_SPEC $TMP_DIR + if [[ "$?" -eq 0 ]]; then + echo "Single database restored successfully." + else + clean_and_exit 1 "ERROR: Single database restore failed." + fi + clean_and_exit 0 "" + else + echo "Restoring All The Databases. This could take a few minutes..." + restore_all_dbs $TMP_DIR + if [[ "$?" -eq 0 ]]; then + echo "All databases restored successfully." + else + clean_and_exit 1 "ERROR: Database restore failed." + fi + clean_and_exit 0 "" + fi + ;; + "delete_archive") + if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 2 ]]; then + delete_archive ${ARGS[1]} + else + delete_archive ${ARGS[1]} ${ARGS[2]} + fi + ;; + *) + usage 1 + ;; + esac + + clean_and_exit 0 "" +} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl new file mode 100644 index 0000000000..fc426142fd --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl 
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Adds custom annotations to the job spec of a component. +examples: + - values: | + annotations: + job: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + keystone_domain_manage: + another.tld/foo: "bar" + usage: | + {{ tuple "keystone_domain_manage" . | include "helm-toolkit.snippets.custom_job_annotations" }} + return: | + another.tld/foo: bar + - values: | + annotations: + job: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + keystone_domain_manage: + another.tld/foo: "bar" + usage: | + {{ tuple "keystone_bootstrap" . | include "helm-toolkit.snippets.custom_job_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" + - values: | + annotations: + job: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + keystone_domain_manage: + another.tld/foo: "bar" + keystone_bootstrap: + usage: | + {{ tuple "keystone_bootstrap" . | include "helm-toolkit.snippets.custom_job_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" +*/}} + +{{- define "helm-toolkit.snippets.custom_job_annotations" -}} +{{- $envAll := index . 1 -}} +{{- $component := index . 
0 | replace "-" "_" -}} +{{- if (hasKey $envAll.Values "annotations") -}} +{{- if (hasKey $envAll.Values.annotations "job") -}} +{{- $annotationsMap := $envAll.Values.annotations.job -}} +{{- $defaultAnnotations := dict -}} +{{- if (hasKey $annotationsMap "default" ) -}} +{{- $defaultAnnotations = $annotationsMap.default -}} +{{- end -}} +{{- $annotations := index $annotationsMap $component | default $defaultAnnotations -}} +{{- if (not (empty $annotations)) -}} +{{- toYaml $annotations -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl new file mode 100644 index 0000000000..ecff6e96a6 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl 
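Review bot: The body of `helm-toolkit.snippets.custom_job_annotations` is repeated line for line in `_custom_pod_annotations.tpl` (the next hunk) with only the `job`/`pod` key and the position of the tuple arguments differing, which is a style point rather than a defect. A single private define taking the annotation class as a parameter, wrapped by these two thin public defines, would keep the lookup logic (default map, per-component override, `empty` check) in one place so future fixes land in both. The documented first example also returns `another.tld/foo: bar` unquoted while the other examples quote values; since `toYaml` emits whatever the parsed values hold, the examples should agree, e.g. `another.tld/foo: "bar"`.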
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Adds custom annotations to the pod spec of a component. +examples: + - values: | + annotations: + pod: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + nova_compute: + another.tld/foo: "bar" + usage: | + {{ tuple "nova_compute" . | include "helm-toolkit.snippets.custom_pod_annotations" }} + return: | + another.tld/foo: bar + - values: | + annotations: + pod: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + nova_compute: + another.tld/foo: "bar" + usage: | + {{ tuple "nova_api" . | include "helm-toolkit.snippets.custom_pod_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" + - values: | + annotations: + pod: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + nova_compute: + another.tld/foo: "bar" + nova_api: + usage: | + {{ tuple "nova_api" . | include "helm-toolkit.snippets.custom_pod_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" +*/}} + +{{- define "helm-toolkit.snippets.custom_pod_annotations" -}} +{{- $component := index . 0 -}} +{{- $envAll := index . 
1 -}} +{{- if (hasKey $envAll.Values "annotations") -}} +{{- if (hasKey $envAll.Values.annotations "pod") -}} +{{- $annotationsMap := $envAll.Values.annotations.pod -}} +{{- $defaultAnnotations := dict -}} +{{- if (hasKey $annotationsMap "default" ) -}} +{{- $defaultAnnotations = $annotationsMap.default -}} +{{- end -}} +{{- $annotations := index $annotationsMap $component | default $defaultAnnotations -}} +{{- if (not (empty $annotations)) -}} +{{- toYaml $annotations -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl new file mode 100644 index 0000000000..19c438088b --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl 
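Review bot: `$component` is taken from the tuple as-is in `custom_pod_annotations`, whereas the job and secret variants in the adjacent hunks normalise the name with `| replace "-" "_"` before indexing the annotations map. A caller that passes a hyphenated component name (as the job snippet's own examples do) would therefore silently fall back to the `default` map here instead of its own entry; I cannot see the callers, so whether that happens today is inferred. Suggested change: `{{- $component := index . 0 | replace "-" "_" -}}`.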
@@ -0,0 +1,81 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Adds custom annotations to the secret spec of a component. +examples: + - values: | + annotations: + secret: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + identity: + admin: + another.tld/foo: "bar" + usage: | + {{ tuple "identity" "admin" . | include "helm-toolkit.snippets.custom_secret_annotations" }} + return: | + another.tld/foo: bar + - values: | + annotations: + secret: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + identity: + admin: + another.tld/foo: "bar" + usage: | + {{ tuple "oslo_db" "admin" . | include "helm-toolkit.snippets.custom_secret_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" + - values: | + annotations: + secret: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + identity: + admin: + another.tld/foo: "bar" + oslo_db: + admin: + usage: | + {{ tuple "oslo_db" "admin" . | include "helm-toolkit.snippets.custom_secret_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" +*/}} + +{{- define "helm-toolkit.snippets.custom_secret_annotations" -}} +{{- $secretType := index . 0 -}} +{{- $userClass := index . 1 | replace "-" "_" -}} +{{- $envAll := index . 
2 -}} +{{- if (hasKey $envAll.Values "annotations") -}} +{{- if (hasKey $envAll.Values.annotations "secret") -}} +{{- $annotationsMap := index $envAll.Values.annotations.secret $secretType | default dict -}} +{{- $defaultAnnotations := dict -}} +{{- if (hasKey $envAll.Values.annotations.secret "default" ) -}} +{{- $defaultAnnotations = $envAll.Values.annotations.secret.default -}} +{{- end -}} +{{- $annotations := index $annotationsMap $userClass | default $defaultAnnotations -}} +{{- if (not (empty $annotations)) -}} +{{- toYaml $annotations -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_image.tpl new file mode 100644 index 0000000000..678b8447f8 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_image.tpl 
@@ -0,0 +1,60 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves an image reference to a string, and its pull policy +values: | + images: + tags: + test_image: docker.io/port/test:version-foo + image_foo: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal + pull_policy: IfNotPresent + local_registry: + active: true + exclude: + - image_foo + endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 +usage: | + {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }} +return: | + image: "localhost:5000/docker.io/port/test:version-foo" + imagePullPolicy: IfNotPresent +*/}} + +{{- define "helm-toolkit.snippets.image" -}} +{{- $envAll := index . 0 -}} +{{- $image := index . 
1 -}} +{{- $imageTag := index $envAll.Values.images.tags $image -}} +{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}} +{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}} +image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }} +{{- else -}} +image: {{ $imageTag | quote }} +{{- end }} +imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl new file mode 100644 index 0000000000..2f209fe63d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl 
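Review bot: A missing `images.tags.<name>` entry is not caught in `helm-toolkit.snippets.image`: `index` yields nil and, as far as I know, `quote` drops nil arguments, so the snippet renders an empty `image:` field and the failure only surfaces when the pod is scheduled. Failing at template time with a message naming the key is clearer, e.g. `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The same applies to `images.pull_policy`, which is rendered unquoted and would become `imagePullPolicy:` with no value if unset.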
@@ -0,0 +1,142 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a set of container enviorment variables, equivlant to an openrc for + use with keystone based command line clients. +values: | + secrets: + identity: + admin: example-keystone-admin +usage: | + {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }} +return: | + - name: OS_IDENTITY_API_VERSION + value: "3" + - name: OS_AUTH_URL + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_AUTH_URL + - name: OS_REGION_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_REGION_NAME + - name: OS_INTERFACE + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_INTERFACE + - name: OS_ENDPOINT_TYPE + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_INTERFACE + - name: OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PROJECT_DOMAIN_NAME + - name: OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PROJECT_NAME + - name: OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_USER_DOMAIN_NAME + - name: OS_USERNAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_USERNAME + - name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PASSWORD + - name: OS_CACERT + valueFrom: + secretKeyRef: + name: 
example-keystone-admin + key: OS_CACERT +*/}} + +{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }} +{{- $useCA := .useCA -}} +{{- $ksUserSecret := .ksUserSecret }} +- name: OS_IDENTITY_API_VERSION + value: "3" +- name: OS_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_AUTH_URL +- name: OS_REGION_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_REGION_NAME +- name: OS_INTERFACE + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_INTERFACE +- name: OS_ENDPOINT_TYPE + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_INTERFACE +- name: OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_DOMAIN_NAME +- name: OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_NAME +- name: OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USER_DOMAIN_NAME +- name: OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USERNAME +- name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PASSWORD +- name: OS_DEFAULT_DOMAIN + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_DEFAULT_DOMAIN +{{- if $useCA }} +- name: OS_CACERT + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_CACERT +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl new file mode 100644 index 0000000000..f6276576c8 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl 
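Review bot: The `return:` block in the header comment of `keystone_openrc_env_vars` does not match the define below it: the comment lists `OS_CACERT` unconditionally and omits `OS_DEFAULT_DOMAIN`, while the code always emits `OS_DEFAULT_DOMAIN` and only emits `OS_CACERT` inside `{{- if $useCA }}`. The `usage:` example also never passes `useCA`, so a reader would not learn that the CA entry is opt-in; adding `"useCA" true` to the example dict and the `OS_DEFAULT_DOMAIN` entry to the expected output would bring the documentation in line. The abstract has two typos, `enviorment` and `equivlant`.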
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000000..648711beb2
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
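Review bot: `keystone_secret_openrc` pipes `username` and `password` straight into `b64enc` with no presence check, so a credential left out of `endpoints.identity.auth.<userClass>` produces, I believe, a generic "expected string" render error, while an explicitly empty string is encoded into the Secret as an empty credential without complaint. Unlike `interface` and `default_domain_id`, which get a `default`, the identity fields have no fallback, so a `required` with a key-specific message is the better failure mode, e.g. `OS_PASSWORD: {{ $userContext.password | required (printf "endpoints.identity.auth.%s.password is required" $userClass) | b64enc }}` and the same for `OS_USERNAME`. The define also has no header comment describing the tuple arguments, unlike the neighbouring snippets.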
@@ -0,0 +1,90 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a set of container enviorment variables, for use with the keystone + user management jobs. +values: | + secrets: + identity: + service_user: example-keystone-user +usage: | + {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }} +return: | + - name: SERVICE_OS_REGION_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_REGION_NAME + - name: SERVICE_OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_PROJECT_DOMAIN_NAME + - name: SERVICE_OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_PROJECT_NAME + - name: SERVICE_OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_USER_DOMAIN_NAME + - name: SERVICE_OS_USERNAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_USERNAME + - name: SERVICE_OS_PASSWORD + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_PASSWORD +*/}} + +{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }} +{{- $ksUserSecret := .ksUserSecret }} +- name: SERVICE_OS_REGION_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_REGION_NAME +- name: SERVICE_OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_DOMAIN_NAME +- name: 
SERVICE_OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_NAME +- name: SERVICE_OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USER_DOMAIN_NAME +- name: SERVICE_OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USERNAME +- name: SERVICE_OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PASSWORD +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl new file mode 100644 index 0000000000..8ca102806d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl 
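Review bot: The `usage:` example for `keystone_user_create_env_vars` passes `"useCA" true`, but the define only reads `.ksUserSecret` and never emits an `OS_CACERT` entry, so the flag is silently ignored. Either the example should drop `useCA`, or the define should mirror `keystone_openrc_env_vars` in the previous hunk with `{{- $useCA := .useCA -}}` and a guarded `SERVICE_OS_CACERT` entry; which is intended cannot be told from the hunk. The abstract repeats the `enviorment` typo from the previous snippet.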
@@ -0,0 +1,68 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders a configmap used for loading custom AppArmor profiles. +values: | + pod: + mandatory_access_control: + type: apparmor + configmap_apparmor: true + apparmor_profiles: |- + my_apparmor-v1.profile: |- + #include + profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) { + + } +usage: | + {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }} +return: | +apiVersion: v1 +kind: ConfigMap +metadata: + name: releaseName-myComponent-apparmor + namespace: myNamespace +data: + my_apparmor-v1.profile: |- + #include + profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) { + + } +*/}} +{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}} +{{- $envAll := index . "envAll" -}} +{{- $component := index . 
"component" -}} +{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}} +{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}} +{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }} +{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}} +{{- if $envAll.Values.conf.apparmor_profiles }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $mapName }} + namespace: {{ $envAll.Release.Namespace }} +data: +{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl new file mode 100644 index 0000000000..f231fe6598 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl 
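Review bot: The `values:` example in the header of `kubernetes_apparmor_configmap` places `apparmor_profiles` under `pod.mandatory_access_control`, but the define reads `$envAll.Values.conf.apparmor_profiles`, so a reader following the example would get no ConfigMap rendered. The example should move the key under `conf:`. Separately, `.Values.conf` is dereferenced without a `hasKey` guard inside the five guarded `if`s; in a chart that has no `conf` section at all this would, I believe, fail with a nil-pointer evaluation error rather than rendering nothing, so `{{- if and (hasKey $envAll.Values "conf") $envAll.Values.conf.apparmor_profiles }}` would make the snippet safe to include unconditionally.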
@@ -0,0 +1,75 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders the init container used for apparmor loading. +values: | + images: + tags: + apparmor_loader: my-repo.io/apparmor-loader:1.0.0 + pod: + mandatory_access_control: + type: apparmor + configmap_apparmor: true + apparmor-loader: unconfined +usage: | + {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }} +return: | + - name: apparmor-loader + image: my-repo.io/apparmor-loader:1.0.0 + args: + - /profiles + securityContext: + privileged: true + volumeMounts: + - name: sys + mountPath: /sys + readOnly: true + - name: includes + mountPath: /etc/apparmor.d + readOnly: true + - name: profiles + mountPath: /profiles + readOnly: true +*/}} +{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}} +{{- $envAll := index . 
"envAll" -}} +{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}} +{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}} +{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }} +- name: apparmor-loader + image: {{ $envAll.Values.images.tags.apparmor_loader }} + args: + - /profiles + securityContext: + privileged: true + volumeMounts: + - name: sys + mountPath: /sys + readOnly: true + - name: includes + mountPath: /etc/apparmor.d + readOnly: true + - name: profiles + mountPath: /profiles + readOnly: true +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl new file mode 100644 index 0000000000..baebaa3cba --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl 
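Review bot: The `image:` line in `kubernetes_apparmor_loader_init_container` reads `images.tags.apparmor_loader` directly instead of going through `helm-toolkit.snippets.image` (the `_image.tpl` hunk above), so the `local_registry` prefix, the `exclude` list and `imagePullPolicy` are not applied to this container, unlike every image resolved via the snippet. Replacing the line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` would make it consistent; whether any caller relies on the raw tag here is not visible in the hunk. Since this is a `privileged: true` init container with `/sys` mounted from the host, a one-line comment above `securityContext` stating that privilege is required for loading profiles into the kernel would save a reviewer from having to re-derive why it is present.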
@@ -0,0 +1,68 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders the volumes used by the apparmor loader. +values: | + pod: + mandatory_access_control: + type: apparmor + configmap_apparmor: true +inputs: | + envAll: "Environment or Context." + component: "Name of the component used for the name of configMap." + requireSys: "Boolean. True if it needs the hostpath /sys in volumes." +usage: | + {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }} +return: | +- name: sys + hostPath: + path: /sys +- name: includes + hostPath: + path: /etc/apparmor.d +- name: profiles + configMap: + name: RELEASENAME-keystone-apparmor + defaultMode: 0555 +*/}} +{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}} +{{- $envAll := index . "envAll" -}} +{{- $component := index . "component" -}} +{{- $requireSys := index . 
"requireSys" | default false -}} +{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}} +{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}} +{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}} +{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }} +{{- if $requireSys }} +- name: sys + hostPath: + path: /sys +{{- end }} +- name: includes + hostPath: + path: /etc/apparmor.d +- name: profiles + configMap: + name: {{ $configName | quote }} + defaultMode: 0555 +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl new file mode 100644 index 0000000000..4741497e2b --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl 
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000000..ad628daca1
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000000..34a7da33a4
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000000..92d3ea5cbf
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000000..48b53fa105
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000000..fabbcf8d99
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000000..74173dcef4
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000000..90a7a65173
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000000..bc2045e5f2
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000000..3a4fbaa8bc
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000000..7470760e03
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000000..24d30cf329
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000000..555ffb051a
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . 
"containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000000..e4af6a62a0
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000000..69cee47216
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000000..be28cdb809
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000000..f897023fee
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000000..fc74c6fb48
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
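Review bot: `rollingUpdate.partition` is emitted whenever `.partition` is truthy, with no check on `.pod_replacement_strategy`, so a values file that sets `OnDelete` together with a partition renders a `rollingUpdate` stanza that StatefulSet validation rejects as only allowed for `RollingUpdate`; the sibling `_kubernetes_upgrades_daemonset.tpl` hunk above guards this case with `eq $pod_replacement_strategy "RollingUpdate"`, and this snippet would be consistent with it as `{{ if and .partition (eq .pod_replacement_strategy "RollingUpdate") -}}`. Since this is a vendored helm-toolkit file the change belongs upstream rather than in this chart. Note also that `partition: 0` is falsy and is therefore never rendered, which coincides with the Kubernetes default and so is harmless.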
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end 
}}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000000..fec41f85d6
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000000..a827c4beff
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000000..253920b77f
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000000..a3169ce9ff
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl
new file mode 100644
index 0000000000..08521e0fe2
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_bucket_user_env_vars_rook" }}
+{{- range $s3Bucket := .Values.storage.s3.buckets }}
+- name: {{ printf "%s_S3_ACCESS_KEY" ($s3Bucket.client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3Bucket.name }}
+ key: AWS_ACCESS_KEY_ID
+- name: {{ printf "%s_S3_SECRET_KEY" ($s3Bucket.client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3Bucket.name }}
+ key: AWS_SECRET_ACCESS_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000000..a611a5e757
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000000..a3dd4314bb
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000000..41fe3d96db
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000000..9cfa81950b
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. 
(optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/masakari/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000000..6e9d5a1844
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . 
}}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/masakari/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000000..6d617a182e
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+
+ key: |
+
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+
+ crt: |
+
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000000..e26501f803
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000000..7095c19373
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000000..40359f0f44
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
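Review bot: `configmap_templater` has no `abstract:`/`values:`/`usage:` header, unlike the sibling helpers in this directory, and its three hooks are easy to misuse: when `$keyRoot.override` is set it is emitted alone and both `prefix` and the rendered `$configTemplate` are skipped, whereas `append` is emitted in either case, and everything is indented by a hard-coded four spaces. I would add a header comment stating exactly that — override short-circuits prefix and the template, append is always emitted, all three are inserted verbatim without escaping — plus a note that the four-space indent presumably assumes the include sits under a ConfigMap `data:` key, so callers at another depth get mis-indented YAML.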
@@ -0,0 +1,269 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.daemonset_overrides" }} + {{- $daemonset := index . 0 }} + {{- $daemonset_yaml := index . 1 }} + {{- $configmap_include := index . 2 }} + {{- $configmap_name := index . 3 }} + {{- $context := index . 4 }} + {{- $_ := unset $context ".Files" }} + {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }} + {{- $_ := set $context.Values "__daemonset_list" list }} + {{- $_ := set $context.Values "__default" dict }} + {{- if hasKey $context.Values.conf "overrides" }} + {{- range $key, $val := $context.Values.conf.overrides }} + + {{- if eq $key $daemonset_root_name }} + {{- range $type, $type_data := . }} + + {{- if eq $type "hosts" }} + {{- range $host_data := . }} + {{/* dictionary that will contain all info needed to generate this + iteration of the daemonset */}} + {{- $current_dict := dict }} + + {{/* set daemonset name */}} + {{/* Note: long hostnames can cause the 63 char name limit to be + exceeded. 
Truncate the hostname if hostname > 20 char */}} + {{- if gt (len $host_data.name) 20 }} + {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }} + {{- else }} + {{- $_ := set $current_dict "name" $host_data.name }} + {{- end }} + + {{/* apply overrides */}} + {{- $override_conf_copy := $host_data.conf }} + {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}} + {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }} + {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }} + {{- $root_conf_copy2 := dict "conf" $merged_dict }} + {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }} + + {{/* Schedule to this host explicitly. */}} + {{- $nodeSelector_dict := dict }} + + {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $nodeSelector_dict "operator" "In" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $nodeSelector_dict "values" $values_list }} + + {{- $list_aggregate := list $nodeSelector_dict }} + {{- $_ := set $current_dict "matchExpressions" $list_aggregate }} + + {{/* store completed daemonset entry/info into global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + + {{- end }} + {{- end }} + + {{- if eq $type "labels" }} + {{- $_ := set $context.Values "__label_list" . }} + {{- range $label_data := . }} + {{/* dictionary that will contain all info needed to generate this + iteration of the daemonset. 
*/}} + {{- $_ := set $context.Values "__current_label" dict }} + + {{/* set daemonset name */}} + {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }} + + {{/* apply overrides */}} + {{- $override_conf_copy := $label_data.conf }} + {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}} + {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }} + {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }} + {{- $root_conf_copy2 := dict "conf" $merged_dict }} + {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }} + + {{/* Schedule to the provided label value(s) */}} + {{- $label_dict := omit $label_data.label "NULL" }} + {{- $_ := set $label_dict "operator" "In" }} + {{- $list_aggregate := list $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + + {{/* Do not schedule to other specified labels, with higher + precedence as the list position increases. Last defined label + is highest priority. */}} + {{- $other_labels := without $context.Values.__label_list $label_data }} + {{- range $label_data2 := $other_labels }} + {{- $label_dict := omit $label_data2.label "NULL" }} + + {{- $_ := set $label_dict "operator" "NotIn" }} + + {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + {{- end }} + {{- $_ := set $context.Values "__label_list" $other_labels }} + + {{/* Do not schedule to any other specified hosts */}} + {{- range $type, $type_data := $val }} + {{- if eq $type "hosts" }} + {{- range $host_data := . 
}} + {{- $label_dict := dict }} + + {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $label_dict "operator" "NotIn" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $label_dict "values" $values_list }} + + {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{- end }} + + {{/* store completed daemonset entry/info into global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + {{- $_ := unset $context.Values "__current_label" }} + + {{- end }} + {{- end }} + {{- end }} + + {{/* scheduler exceptions for the default daemonset */}} + {{- $_ := set $context.Values.__default "matchExpressions" list }} + + {{- range $type, $type_data := . }} + {{/* Do not schedule to other specified labels */}} + {{- if eq $type "labels" }} + {{- range $label_data := . }} + {{- $default_dict := omit $label_data.label "NULL" }} + + {{- $_ := set $default_dict "operator" "NotIn" }} + + {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }} + {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{/* Do not schedule to other specified hosts */}} + {{- if eq $type "hosts" }} + {{- range $host_data := . 
}} + {{- $default_dict := dict }} + + {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $default_dict "operator" "NotIn" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $default_dict "values" $values_list }} + + {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }} + {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + + {{/* generate the default daemonset */}} + + {{/* set name */}} + {{- $_ := set $context.Values.__default "name" "default" }} + + {{/* no overrides apply, so copy as-is */}} + {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }} + {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }} + {{- $context_values := omit $context.Values "conf" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }} + + {{/* add to global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + + {{- range $current_dict := $context.Values.__daemonset_list }} + + {{- $context_novalues := omit $context "Values" }} + {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }} + {{- $_ := set $current_dict "nodeData" $merged_dict }} + {{/* Deep copy original daemonset_yaml */}} + {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }} + + {{/* name needs to be a DNS-1123 compliant name. 
Ensure lower case */}} + {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }} + {{/* labels may contain underscores which would be invalid here, so we replace them with dashes + there may be other valid label names which would make for an invalid DNS-1123 name + but these will be easier to handle in future with sprig regex* functions + (not availabile in helm 2.5.1) */}} + {{- $name_format2 := $name_format1 | replace "_" "-" }} + {{/* To account for the case where the same label is defined multiple times in overrides + (but with different label values), we add a sha of the scheduling data to ensure + name uniqueness */}} + {{- $_ := set $current_dict "dns_1123_name" dict }} + {{- if hasKey $current_dict "matchExpressions" }} + {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }} + {{- else }} + {{- $_ := set $current_dict "dns_1123_name" $name_format2 }} + {{- end }} + + {{/* set daemonset metadata name */}} + {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }} + {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }} + + {{/* cross-reference configmap name to container volume definitions */}} + {{- $_ := set $context.Values "__volume_list" list }} + {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }} + {{- $_ := set $context.Values "__volume" $current_volume }} + {{- if hasKey $context.Values.__volume "secret" }} + {{- if eq $context.Values.__volume.secret.secretName $configmap_name }} + {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }} + {{- end }} + {{- end }} + {{- $updated_list := append 
$context.Values.__volume_list $context.Values.__volume }} + {{- $_ := set $context.Values "__volume_list" $updated_list }} + {{- end }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }} + + + {{/* populate scheduling restrictions */}} + {{- if hasKey $current_dict "matchExpressions" }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }} + {{- $match_exprs := dict }} + {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }} + {{- $appended_match_expr := list $match_exprs }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }} + {{- end }} + + {{/* input value hash for current set of values overrides */}} + {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict 
}}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }} + {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }} + {{- $values_hash := $cmap | quote | sha256sum }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }} + + {{/* generate configmap */}} +--- +{{ $cmap }} + {{/* generate daemonset yaml */}} +--- +{{ $context.Values.__daemonset_yaml | toYaml }} + {{- end }} +{{- end }} diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl new file mode 100644 index 0000000000..4a88dd8dfb --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl 
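Review bot: The helper mutates the caller's `.Values` and leaves most of its scratch keys behind: `__daemonset_list`, `__default`, `__label_list`, `__daemonset_yaml`, `__volume_list` and `__volume` are all `set` on `$context.Values`, and only `__current_label` is ever `unset`, so every template rendered after this include sees them (the hunk itself has to `omit` `__daemonset_list` when copying values). A header comment like the sibling helpers' `abstract:` block, naming the five tuple arguments (daemonset name, daemonset yaml, configmap include name, configmap name, context) and stating that the include writes these keys into `.Values`, would help, and clearing them with `unset` at the end of the define is the safer fix. Separately, `unset $context ".Files"` near the top looks for a key literally named `.Files`; the root context's key is `Files`, so this line is presumably a no-op — confirm what it was meant to drop before touching it, since removing `Files` from the shared context would affect every later template.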
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000000..d871b62672
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000000..0c32136a83
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_host_list.tpl
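Review bot: `dependency_resolver` has no doc header and, like its siblings, writes into the caller's `.Values`: `pod_dependency` is the intended output, but `__deps` is also set in the slice branch and never removed, so it leaks into every template rendered afterwards. I would add an `abstract:`/`values:`/`usage:` block naming the three dict keys (`envAll`, `dependencyMixinParam` as a string or a list, `dependencyKey`) and stating that the merged result is both returned as YAML and left in `.Values.pod_dependency`, and put `{{- $_ := unset $envAll.Values "__deps" -}}` before the final `toYaml`. Both `index $envAll.Values.dependencies.dynamic.targeted …` calls assume `dependencies.dynamic.targeted` exists; if a chart's values omit it, `index` on a nil map presumably fails the render rather than falling back to the static branch, so a `hasKey` guard or `default dict` would make the contract explicit.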
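Review bot: `$context.Template.Name | replace $last $name` is a replace-all of the basename across the whole template path, so the rewritten name is only correct while the basename string occurs exactly once in the path; building it from the directory is exact and also lets the throwaway `$wtf` get a descriptive name: `{{- $tplPath := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{- include $tplPath $context | sha256sum | quote -}}`. A one-line `abstract:` comment saying the helper renders the sibling template `$name` from the calling template's directory and returns its quoted sha256 (used as a rollout-triggering pod annotation, if that is the intent) would match the other helpers in this directory.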
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000000..51923b6cb5
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000000..5eb5785591
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
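Review bot: The separator is emitted before the exclusion check, so once one image has been printed every excluded image still contributes a comma: an excluded tag between two included ones yields `a,,b` and an excluded tag at the end yields `a,`, both of which a consumer splitting on `,` reads as an empty image reference. Move the separator inside the exclusion branch — `{{- if (not (has $k $imageExcludeList )) -}}` / `{{- if not $local.first -}},{{- end -}}` / `{{- index $imageDict $k -}}` — with the `set $local "first" false` and the `end`s unchanged. The helper also lacks the `abstract:` header its neighbours carry; one stating that it joins `.Values.images.tags` minus the keys in `.Values.images.local_registry.exclude` into a comma-separated string would do.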
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000000..3bc68192d5
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000000..40ebb15649
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
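Review bot: Each value is wrapped in `'…'` but an embedded single quote in a value is not escaped, so a value containing `'` terminates its quoting early and corrupts the list for whatever consumes it; the correct escape depends on that consumer (`''` for SQL-style quoting, `'\''` for POSIX shell), which this helper cannot know. Document the precondition in the abstract — e.g. `Values must not contain a single quote; no escaping is applied.` — or apply the consumer's escape with `replace` once the consumer is fixed. While editing the abstract, `seperated` should read `separated`.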
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000000..59122807f1
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
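Review bot: The license comment opens with `{/*` (a single brace) instead of `{{/*`, so it is not a template comment: Go templates treat the block as literal text and emit the license body, together with the stray `*/}}` at its end, into the rendered output. This is harmless only because Helm does not emit files whose names begin with `_`; a partial copied into a regular template would print it. Change the first line to `{{/*`, as every sibling file in this directory does; the define itself is fine and consistent with `joinListWithSpace`.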
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000000..ea80546645
--- /dev/null
+++ b/charts/masakari/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Takes a tuple of values and merges into the first (target) one each subsequent +(source) one in order. If all values to merge are maps, then the tuple can be +passed as is and the target will be the result, otherwise pass a map with a +"values" key containing the tuple of values to merge, and the merge result will +be assigned to the "result" key of the passed map. + +When merging maps, for each key in the source, if the target does not define +that key, the source value is assigned. If both define the key, then the key +values are merged using this algorithm (recursively) and the result is assigned +to the target key. Slices are merged by appending them and removing any +duplicates, and when passing a map to this function and including a +"merge_same_named" key set to true, then map items from the slices with the same +value for the "name" key will be merged with each other. Any other values are +merged by simply keeping the source, and throwing away the target. 
+*/}} + +{{- define "helm-toolkit.utils.merge" -}} + {{- $local := dict -}} + {{- $_ := set $local "merge_same_named" false -}} + {{- if kindIs "map" $ -}} + {{- $_ := set $local "values" $.values -}} + {{- if hasKey $ "merge_same_named" -}} + {{- $_ := set $local "merge_same_named" $.merge_same_named -}} + {{- end -}} + {{- else -}} + {{- $_ := set $local "values" $ -}} + {{- end -}} + + {{- $target := first $local.values -}} + {{- range $item := rest $local.values -}} + {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}} + {{- $_ := include "helm-toolkit.utils._merge" $call -}} + {{- $_ := set $local "result" $call.result -}} + {{- end -}} + + {{- if kindIs "map" $ -}} + {{- $_ := set $ "result" $local.result -}} + {{- end -}} +{{- end -}} + +{{- define "helm-toolkit.utils._merge" -}} + {{- $local := dict -}} + + {{- $_ := set $ "result" $.source -}} + + {{/* + TODO: Should we `fail` when trying to merge a collection (map or slice) with + either a different kind of collection or a scalar? 
+ */}} + + {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}} + {{- range $key, $sourceValue := $.source -}} + {{- if not (hasKey $.target $key) -}} + {{- $_ := set $local "newTargetValue" $sourceValue -}} + {{- if kindIs "map" $sourceValue -}} + {{- $copy := dict -}} + {{- $call := dict "target" $copy "source" $sourceValue -}} + {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}} + {{- $_ := set $local "newTargetValue" $copy -}} + {{- end -}} + {{- else -}} + {{- $targetValue := index $.target $key -}} + {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}} + {{- $_ := include "helm-toolkit.utils._merge" $call -}} + {{- $_ := set $local "newTargetValue" $call.result -}} + {{- end -}} + {{- $_ := set $.target $key $local.newTargetValue -}} + {{- end -}} + {{- $_ := set $ "result" $.target -}} + {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}} + {{- $call := dict "target" $.target "source" $.source -}} + {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}} + {{- if $.merge_same_named -}} + {{- $_ := set $local "result" list -}} + {{- $_ := set $local "named_items" dict -}} + {{- range $item := $call.result -}} + {{- $_ := set $local "has_name_key" false -}} + {{- if kindIs "map" $item -}} + {{- if hasKey $item "name" -}} + {{- $_ := set $local "has_name_key" true -}} + {{- end -}} + {{- end -}} + + {{- if $local.has_name_key -}} + {{- if hasKey $local.named_items $item.name -}} + {{- $named_item := index $local.named_items $item.name -}} + {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}} + {{- $_ := include "helm-toolkit.utils._merge" $call -}} + {{- else -}} + {{- $copy := dict -}} + {{- $copy_call := dict "target" $copy "source" $item -}} + {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}} + {{- $_ := set $local.named_items $item.name $copy -}} + {{- $_ := set $local "result" (append 
$local.result $copy) -}} + {{- end -}} + {{- else -}} + {{- $_ := set $local "result" (append $local.result $item) -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- $_ := set $local "result" $call.result -}} + {{- end -}} + {{- $_ := set $ "result" (uniq $local.result) -}} + {{- end -}} +{{- end -}} + +{{- define "helm-toolkit.utils._merge.shallow" -}} + {{- range $key, $value := $.source -}} + {{- $_ := set $.target $key $value -}} + {{- end -}} +{{- end -}} + +{{- define "helm-toolkit.utils._merge.append_slice" -}} + {{- $local := dict -}} + {{- $_ := set $local "result" $.target -}} + {{- range $value := $.source -}} + {{- $_ := set $local "result" (append $local.result $value) -}} + {{- end -}} + {{- $_ := set $ "result" $local.result -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_template.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_template.tpl new file mode 100644 index 0000000000..da56aa0eee --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_template.tpl @@ -0,0 +1,21 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.template" -}} +{{- $name := index . 0 -}} +{{- $context := index . 1 -}} +{{- $last := base $context.Template.Name }} +{{- $wtf := $context.Template.Name | replace $last $name -}} +{{ include $wtf $context }} +{{- end -}} 
diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_to_ini.tpl new file mode 100644 index 0000000000..a159364e7d --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_to_ini.tpl @@ -0,0 +1,51 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns INI formatted output from yaml input +values: | + conf: + paste: + filter:debug: + use: egg:oslo.middleware#debug + filter:request_id: + use: egg:oslo.middleware#request_id + filter:build_auth_context: + use: egg:keystone#build_auth_context +usage: | + {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }} +return: | + [filter:build_auth_context] + use = egg:keystone#build_auth_context + [filter:debug] + use = egg:oslo.middleware#debug + [filter:request_id] + use = egg:oslo.middleware#request_id +*/}} + +{{- define "helm-toolkit.utils.to_ini" -}} +{{- range $section, $values := . -}} +{{- if kindIs "map" $values -}} +[{{ $section }}] +{{range $key, $value := $values -}} +{{- if kindIs "slice" $value -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }} +{{else -}} +{{ $key }} = {{ $value }} +{{end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl new file mode 100644 index 0000000000..885a86cc77 
--- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl @@ -0,0 +1,46 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns yaml formatted to be used in k8s templates as container + env vars injected via secrets. This requires a secret- template to + be defined in the chart that can be used to house the desired secret + variables. For reference, see the fluentd chart. +values: | + test: + secrets: + foo: bar + +usage: | + {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }} +return: | + - name: foo + valueFrom: + secretKeyRef: + name: "my-release-name-env-secret" + key: foo +*/}} + +{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}} +{{- $context := index . 0 -}} +{{- $secrets := index . 1 -}} +{{ range $key, $config := $secrets -}} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }} + key: {{ $key }} +{{ end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl new file mode 100644 index 0000000000..829dca6e08 --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl 
@@ -0,0 +1,39 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns key value pair formatted to be used in k8s templates as container + env vars. +values: | + test: + foo: bar +usage: | + {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }} +return: | + - name: foo + value: "bar" +*/}} + +{{- define "helm-toolkit.utils.to_k8s_env_vars" -}} +{{range $key, $value := . -}} +{{- if kindIs "slice" $value -}} +- name: {{ $key }} + value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }} +{{else -}} +- name: {{ $key }} + value: {{ $value | quote }} +{{ end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_to_kv_list.tpl new file mode 100644 index 0000000000..91bdeb692c --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_to_kv_list.tpl 
@@ -0,0 +1,42 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns key value pair in INI format (key = value) +values: | + conf: + libvirt: + log_level: 3 +usage: | + {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }} +return: | + log_level = 3 +*/}} + +{{- define "helm-toolkit.utils.to_kv_list" -}} +{{- range $key, $value := . -}} +{{- if kindIs "slice" $value }} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }} +{{- else if kindIs "string" $value }} +{{- if regexMatch "^[0-9]+$" $value }} +{{ $key }} = {{ $value }} +{{- else }} +{{ $key }} = {{ $value | quote }} +{{- end }} +{{- else }} +{{ $key }} = {{ $value }} +{{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/masakari/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl new file mode 100644 index 0000000000..622a86230e --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl 
@@ -0,0 +1,75 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns OSLO.conf formatted output from yaml input +values: | + conf: + keystone: + DEFAULT: # Keys at this level are used for section headings + max_token_size: 255 + oslo_messaging_notifications: + driver: # An example of a multistring option's syntax + type: multistring + values: + - messagingv2 + - log + oslo_messaging_notifications_stein: + driver: # An example of a csv option's syntax + type: csv + values: + - messagingv2 + - log + security_compliance: + password_expires_ignore_user_ids: + # Values in a list will be converted to a comma separated key + - "123" + - "456" +usage: | + {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }} +return: | + [DEFAULT] + max_token_size = 255 + [oslo_messaging_notifications] + driver = messagingv2 + driver = log + [oslo_messaging_notifications_stein] + driver = messagingv2,log + [security_compliance] + password_expires_ignore_user_ids = 123,456 +*/}} + +{{- define "helm-toolkit.utils.to_oslo_conf" -}} +{{- range $section, $values := . 
-}} +{{- if kindIs "map" $values -}} +[{{ $section }}] +{{ range $key, $value := $values -}} +{{- if kindIs "slice" $value -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }} +{{ else if kindIs "map" $value -}} +{{- if eq $value.type "multistring" }} +{{- range $k, $multistringValue := $value.values -}} +{{ $key }} = {{ $multistringValue }} +{{ end -}} +{{ else if eq $value.type "csv" -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }} +{{ end -}} +{{- else -}} +{{ $key }} = {{ $value }} +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/masakari/charts/helm-toolkit/values.yaml b/charts/masakari/charts/helm-toolkit/values.yaml new file mode 100644 index 0000000000..681a92b69f --- /dev/null +++ b/charts/masakari/charts/helm-toolkit/values.yaml @@ -0,0 +1,16 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for utils. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value diff --git a/charts/masakari/requirements.lock b/charts/masakari/requirements.lock new file mode 100644 index 0000000000..4f63a87d48 --- /dev/null +++ b/charts/masakari/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: helm-toolkit + repository: https://tarballs.openstack.org/openstack-helm-infra + version: 0.2.69 +digest: sha256:f971f98746c97193da5ff7a44d2401ae7d91201a49ed9f23d52359a1b6e9d0ef +generated: "0001-01-01T00:00:00Z" 
diff --git a/charts/masakari/requirements.yaml b/charts/masakari/requirements.yaml new file mode 100644 index 0000000000..b3d5dcfc92 --- /dev/null +++ b/charts/masakari/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: +- name: helm-toolkit + repository: https://tarballs.openstack.org/openstack-helm-infra + version: 0.2.69 diff --git a/charts/masakari/templates/bin/_manage-db.sh.tpl b/charts/masakari/templates/bin/_manage-db.sh.tpl new file mode 100644 index 0000000000..460f3be88c --- /dev/null +++ b/charts/masakari/templates/bin/_manage-db.sh.tpl @@ -0,0 +1,19 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +exec -ex + +masakari-manage db sync \ No newline at end of file diff --git a/charts/masakari/templates/bin/_masakari-api.sh.tpl b/charts/masakari/templates/bin/_masakari-api.sh.tpl new file mode 100644 index 0000000000..0bc4e6fcd1 --- /dev/null +++ b/charts/masakari/templates/bin/_masakari-api.sh.tpl 
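Review bot: The pin to helm-toolkit 0.2.69 from tarballs.openstack.org sits next to a full copy of the toolkit that this same patch checks in under charts/masakari/charts/helm-toolkit, and nothing in the diff ties the two together. If that tree was copied by hand rather than produced by `helm dependency update`, the version declared here no longer describes the templates that actually render, and the zero `generated` timestamp in the accompanying requirements.lock suggests the lock was not produced by the tool either. Either drop the vendored tree from version control and rely on the pin, or regenerate it from the pinned version so the lock digest is reproducible.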
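Review bot: `exec -ex` on the line after the license header is not `set -ex`; bash's `exec` builtin does not take `-e` or `-x`, so it prints an invalid-option error and returns non-zero, and since errexit was never enabled the script just carries on to `masakari-manage db sync` without tracing. Replace it with `set -ex`, as the other scripts in this patch do. The job's exit status is still that of the sync command, so the result is unaffected, but the stray error in the log is misleading.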
@@ -0,0 +1,28 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec masakari-api --config-file /etc/masakari/masakari.conf +} + +function stop () { + kill -TERM 1 +} + +$COMMAND \ No newline at end of file diff --git a/charts/masakari/templates/bin/_masakari-engine.sh.tpl b/charts/masakari/templates/bin/_masakari-engine.sh.tpl new file mode 100644 index 0000000000..adb2e74ff3 --- /dev/null +++ b/charts/masakari/templates/bin/_masakari-engine.sh.tpl @@ -0,0 +1,29 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex + +COMMAND="${@:-start}" + +function start () { + exec masakari-engine --config-file /etc/masakari/masakari.conf +} + +function stop () { + kill -TERM 1 +} + +$COMMAND \ No newline at end of file diff --git a/charts/masakari/templates/bin/_masakari-host-monitor.sh.tpl b/charts/masakari/templates/bin/_masakari-host-monitor.sh.tpl new file mode 100644 index 0000000000..676e5a23fe 
--- /dev/null +++ b/charts/masakari/templates/bin/_masakari-host-monitor.sh.tpl @@ -0,0 +1,29 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec masakari-hostmonitor --config-file /etc/masakari/masakarimonitors.conf \ + --config-file /tmp/pod-shared/masakarimonitors.conf +} + +function stop () { + kill -TERM 1 +} + +$COMMAND diff --git a/charts/masakari/templates/bin/_masakari-instance-monitor.sh.tpl b/charts/masakari/templates/bin/_masakari-instance-monitor.sh.tpl new file mode 100644 index 0000000000..07ad72ae2d --- /dev/null +++ b/charts/masakari/templates/bin/_masakari-instance-monitor.sh.tpl 
@@ -0,0 +1,29 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec masakari-instancemonitor --config-file /etc/masakari/masakarimonitors.conf \ + --config-file /tmp/pod-shared/masakarimonitors.conf +} + +function stop () { + kill -TERM 1 +} + +$COMMAND diff --git a/charts/masakari/templates/bin/_masakari-monitors-init.sh.tpl b/charts/masakari/templates/bin/_masakari-monitors-init.sh.tpl new file mode 100644 index 0000000000..f0e1b88be6 --- /dev/null +++ b/charts/masakari/templates/bin/_masakari-monitors-init.sh.tpl @@ -0,0 +1,23 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex + +nova_compute_hostname="$COMPUTE_NODE_NAME" +cat </tmp/pod-shared/masakarimonitors.conf +[DEFAULT] +hostname=$nova_compute_hostname +EOF \ No newline at end of file 
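Review bot: As rendered here the file-writing line of masakari-monitors-init reads `cat </tmp/pod-shared/masakarimonitors.conf`, which would try to read a file that does not exist yet and abort under `set -e`, leaving `[DEFAULT]`, `hostname=...` and `EOF` as bare commands; if the raw file actually has `cat <<EOF >/tmp/pod-shared/masakarimonitors.conf` and this is only a page artifact, ignore this. It is worth confirming in the source, because this init container is the only thing that produces the second `--config-file` the host, instance and process monitor scripts in this patch all depend on.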
diff --git a/charts/masakari/templates/bin/_masakari-process-monitor.sh.tpl b/charts/masakari/templates/bin/_masakari-process-monitor.sh.tpl new file mode 100644 index 0000000000..59d52870b9 --- /dev/null +++ b/charts/masakari/templates/bin/_masakari-process-monitor.sh.tpl @@ -0,0 +1,29 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex +COMMAND="${@:-start}" + +function start () { + exec masakari-processmonitor --config-file /etc/masakari/masakarimonitors.conf \ + --config-file /tmp/pod-shared/masakarimonitors.conf +} + +function stop () { + kill -TERM 1 +} + +$COMMAND diff --git a/charts/masakari/templates/configmap-bin.yaml b/charts/masakari/templates/configmap-bin.yaml new file mode 100644 index 0000000000..9b5cad177c --- /dev/null +++ b/charts/masakari/templates/configmap-bin.yaml 
@@ -0,0 +1,50 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} +{{- $rallyTests := .Values.conf.rally_tests }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: masakari-bin +data: + masakari-engine.sh: | +{{ tuple "bin/_masakari-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + masakari-api.sh: | +{{ tuple "bin/_masakari-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + db-init.py: | +{{- include "helm-toolkit.scripts.db_init" . | indent 4 }} + manage-db.sh: | +{{ tuple "bin/_manage-db.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + db-drop.py: | +{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }} + ks-user.sh: | +{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }} + ks-service.sh: | +{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }} + ks-endpoints.sh: | +{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} + masakari-host-monitor.sh: | +{{ tuple "bin/_masakari-host-monitor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + masakari-process-monitor.sh: | +{{ tuple "bin/_masakari-process-monitor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + masakari-instance-monitor.sh: | +{{ tuple "bin/_masakari-instance-monitor.sh.tpl" . 
| include "helm-toolkit.utils.template" | indent 4 }} + masakari-monitors-init.sh: | +{{ tuple "bin/_masakari-monitors-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/masakari/templates/configmap-etc.yaml b/charts/masakari/templates/configmap-etc.yaml new file mode 100644 index 0000000000..58a290ab8d --- /dev/null +++ b/charts/masakari/templates/configmap-etc.yaml 
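Review bot: `$envAll` and `$rallyTests` are assigned right after the manifests guard and never referenced; Go templates do not reject unused variables, so this only costs readability, but `$rallyTests` also dereferences `.Values.conf.rally_tests`, which nothing else in this patch defines (it evaluates to nil rather than failing). Remove both lines, or use `$envAll` in place of the bare `.` in the `tuple` calls as daemonset-host-monitor.yaml does. The `db-init.py`, `db-drop.py`, keystone and rabbit scripts are pulled straight from helm-toolkit, so whichever toolkit version is actually vendored decides what those scripts do.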
@@ -0,0 +1,140 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "masakari.configmap.etc" }} +{{- $configMapName := index . 0 }} +{{- $envAll := index . 1 }} +{{- with $envAll }} + +{{- if empty .Values.conf.masakari.keystone_authtoken.auth_url -}} +{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.masakari.keystone_authtoken "auth_url" -}} +{{- end -}} + +{{- if empty .Values.conf.masakari.keystone_authtoken.region_name -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "region_name" .Values.endpoints.identity.auth.masakari.region_name -}} +{{- end -}} +{{- if empty .Values.conf.masakari.keystone_authtoken.project_name -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "project_name" .Values.endpoints.identity.auth.masakari.project_name -}} +{{- end -}} +{{- if empty .Values.conf.masakari.keystone_authtoken.project_domain_name -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.masakari.project_domain_name -}} +{{- end -}} +{{- if empty .Values.conf.masakari.keystone_authtoken.user_domain_name -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.masakari.user_domain_name -}} +{{- end -}} +{{- if empty .Values.conf.masakari.keystone_authtoken.username -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "username" 
.Values.endpoints.identity.auth.masakari.username -}} +{{- end -}} +{{- if empty .Values.conf.masakari.keystone_authtoken.password -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "password" .Values.endpoints.identity.auth.masakari.password -}} +{{- end -}} + +{{- if empty .Values.conf.masakari.keystone_authtoken.memcached_servers -}} +{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.masakari.keystone_authtoken "memcached_servers" -}} +{{- end -}} +{{- if empty .Values.conf.masakari.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.masakari.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} + +{{- if empty .Values.conf.masakari.database.connection -}} +{{- $connection := tuple "oslo_db" "internal" "masakari" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.masakari.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.masakari.database "connection" $connection -}} +{{- end -}} +{{- end -}} + +{{- if empty .Values.conf.masakari.DEFAULT.transport_url -}} +{{- $_ := tuple "oslo_messaging" "internal" "masakari" "amqp" . 
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.masakari.DEFAULT "transport_url" -}} +{{- end -}} + +{{- if empty .Values.conf.masakari.DEFAULT.os_privileged_user_name -}} +{{- $_ := set .Values.conf.masakari.DEFAULT "os_privileged_user_name" .Values.endpoints.identity.auth.masakari.username }} +{{- end -}} +{{- if empty .Values.conf.masakari.DEFAULT.os_privileged_user_password -}} +{{- $_ := set .Values.conf.masakari.DEFAULT "os_privileged_user_password" .Values.endpoints.identity.auth.masakari.password }} +{{- end -}} +{{- if empty .Values.conf.masakari.DEFAULT.os_privileged_user_auth_url -}} +{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.masakari.DEFAULT "os_privileged_user_auth_url" }} +{{- end -}} +{{- if empty .Values.conf.masakari.DEFAULT.os_privileged_user_tenant -}} +{{- $_ := set .Values.conf.masakari.DEFAULT "os_privileged_user_tenant" .Values.endpoints.identity.auth.masakari.project_name }} +{{- end -}} + +{{- if empty .Values.conf.masakari.DEFAULT.os_region_name -}} +{{- $_ := set .Values.conf.masakari.DEFAULT "os_region_name" .Values.endpoints.identity.auth.masakari.region_name }} +{{- end -}} + +{{- if empty .Values.conf.masakari.DEFAULT.os_user_domain_name -}} +{{- $_ := set .Values.conf.masakari.DEFAULT "os_user_domain_name" .Values.endpoints.identity.auth.masakari.user_domain_name }} +{{- end -}} + +{{- if empty .Values.conf.masakari.DEFAULT.os_project_domain_name -}} +{{- $_ := set .Values.conf.masakari.DEFAULT "os_project_domain_name" .Values.endpoints.identity.auth.masakari.user_domain_name }} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.region -}} +{{- $_ := set .Values.conf.masakarimonitors.api "region" .Values.endpoints.identity.auth.masakari.region_name -}} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.auth_url -}} +{{- $_ := tuple "identity" "internal" "api" . 
| include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.masakarimonitors.api "auth_url" }} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.project_name -}} +{{- $_ := set .Values.conf.masakarimonitors.api "project_name" .Values.endpoints.identity.auth.masakari.project_name }} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.project_domain_name -}} +{{- $_ := set .Values.conf.masakarimonitors.api "project_domain_name" .Values.endpoints.identity.auth.masakari.project_name }} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.username -}} +{{- $_ := set .Values.conf.masakarimonitors.api "username" .Values.endpoints.identity.auth.masakari.username }} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.user_domain_name -}} +{{- $_ := set .Values.conf.masakarimonitors.api "user_domain_name" .Values.endpoints.identity.auth.masakari.user_domain_name }} +{{- end -}} + +{{- if empty .Values.conf.masakarimonitors.api.password -}} +{{- $_ := set .Values.conf.masakarimonitors.api "password" .Values.endpoints.identity.auth.masakari.password }} +{{- end -}} + +{{- if empty .Values.conf.masakari.taskflow.connection -}} +{{- $connection := tuple "oslo_db" "internal" "masakari" "mysql" . 
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.masakari.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.masakari.taskflow "connection" $connection -}} +{{- end -}} +{{- end -}} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $configMapName }} +type: Opaque +data: + masakari.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.masakari | b64enc }} + api-paste.ini: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.paste | b64enc }} + masakarimonitors.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.masakarimonitors | b64enc }} + masakari_sudoers: {{ $envAll.Values.conf.masakari_sudoers | b64enc }} +{{- end }} +{{- end }} +{{- if .Values.manifests.configmap_etc }} +{{- list "masakari-etc" . | include "masakari.configmap.etc" }} +{{- end }} diff --git a/charts/masakari/templates/daemonset-host-monitor.yaml b/charts/masakari/templates/daemonset-host-monitor.yaml new file mode 100644 index 0000000000..a119220a6e --- /dev/null +++ b/charts/masakari/templates/daemonset-host-monitor.yaml 
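Review bot: In the `taskflow.connection` block at the end of the template the TLS branch writes the DSN into `.Values.conf.masakari.database "connection"` instead of the taskflow section, so with `manifests.certificates` enabled `taskflow.connection` stays empty and the database DSN is overwritten a second time; the line should end with `| set .Values.conf.masakari.taskflow "connection" -}}`. Two other defaults look like copy-paste slips: `DEFAULT.os_project_domain_name` is filled from `...auth.masakari.user_domain_name` and `masakarimonitors.api.project_domain_name` from `...auth.masakari.project_name`, whereas `keystone_authtoken.project_domain_name` earlier in the same template correctly uses `...auth.masakari.project_domain_name`. Note also that when `memcache_secret_key` is unset the fallback `randAlphaNum 64` yields a fresh value on every render, so each upgrade rotates the key and, through the configmap-etc hash annotation, restarts the pods.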
@@ -0,0 +1,141 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.host_monitor }} +{{- $envAll := . }} +{{- $daemonset := "masakari-host-monitor" }} + +{{- $mounts_masakari_host_monitor := .Values.pod.mounts.masakari_host_monitor.masakari_host_monitor }} +{{- $mounts_masakari_host_monitor_init := .Values.pod.mounts.masakari_host_monitor.init_container }} + +{{- $serviceAccountName := "masakari-host-monitor" }} +{{- tuple $envAll "masakari_host_monitor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: masakari-host-monitor + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{- dict "envAll" $envAll "podName" "masakari-host-monitor" "containerNames" (list "masakari-monitor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ tuple 
$envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ tuple "masakari_host_monitor" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "masakari-host-monitor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.monitors.node_selector_key }}: {{ .Values.labels.monitors.node_selector_value }} + initContainers: +{{ tuple $envAll "masakari_host_monitor" $mounts_masakari_host_monitor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: hostmonitor-init +{{ tuple $envAll "masakari_host_monitor" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_host_monitor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_host_monitor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-monitors-init.sh + env: + - name: COMPUTE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-shared + mountPath: /tmp/pod-shared + - name: masakari-bin + mountPath: /tmp/masakari-monitors-init.sh + subPath: masakari-monitors-init.sh + readOnly: true + hostNetwork: true + containers: + - name: masakari-host-monitor +{{ tuple $envAll "masakari_host_monitor" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_host_monitor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" 
"masakari" "container" "masakari_host_monitor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-host-monitor.sh + - start + env: + - name: COMPUTE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + lifecycle: + preStop: + exec: + command: + - /tmp/masakari-host-monitor.sh + - stop + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-shared + mountPath: /tmp/pod-shared + - name: masakari-bin + mountPath: /tmp/masakari-host-monitor.sh + subPath: masakari-host-monitor.sh + - name: masakari-etc + mountPath: /etc/masakari/masakarimonitors.conf + subPath: masakarimonitors.conf + - name: masakari-etc + mountPath: /etc/sudoers.d/masakari_sudoers + subPath: masakari_sudoers + - name: masakarietc + mountPath: /etc/masakari + - name: varrun + mountPath: /var/run + - name: run + mountPath: /run + - name: shm + mountPath: /dev/shm + volumes: + - name: pod-tmp + emptyDir: {} + - name: pod-shared + emptyDir: {} + - name: masakarietc + emptyDir: {} + - name: shm + hostPath: + path: /dev/shm + - name: varrun + hostPath: + path: /var/run + - name: run + hostPath: + path: /run + - name: masakari-bin + configMap: + name: masakari-bin + defaultMode: 0555 + - name: masakari-etc + secret: + secretName: masakari-etc + defaultMode: 0444 +{{- end }} diff --git a/charts/masakari/templates/daemonset-instance-monitor.yaml b/charts/masakari/templates/daemonset-instance-monitor.yaml new file mode 100644 index 0000000000..cabd3f51ed --- /dev/null +++ b/charts/masakari/templates/daemonset-instance-monitor.yaml 
@@ -0,0 +1,132 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.instance_monitor }} +{{- $envAll := . }} +{{- $daemonset := "masakari-instance-monitor" }} + +{{- $mounts_masakari_instance_monitor := .Values.pod.mounts.masakari_instance_monitor.masakari_instance_monitor }} +{{- $mounts_masakari_instance_monitor_init := .Values.pod.mounts.masakari_instance_monitor.init_container }} + +{{- $serviceAccountName := "masakari-instance-monitor" }} +{{- tuple $envAll "masakari_instance_monitor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: masakari-instance-monitor + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{- dict "envAll" $envAll "podName" "masakari-instance-monitor" "containerNames" (list "masakari-monitor") | include 
"helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ tuple "masakari_instance_monitor" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "masakari-instance-monitor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.monitors.node_selector_key }}: {{ .Values.labels.monitors.node_selector_value }} + initContainers: +{{ tuple $envAll "masakari_instance_monitor" $mounts_masakari_instance_monitor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: instancemonitor-init +{{ tuple $envAll "masakari_instance_monitor" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_instance_monitor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_instance_monitor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-monitors-init.sh + env: + - name: COMPUTE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-shared + mountPath: /tmp/pod-shared + - name: masakari-bin + mountPath: /tmp/masakari-monitors-init.sh + subPath: masakari-monitors-init.sh + readOnly: true + containers: + - name: masakari-instance-monitor +{{ tuple $envAll "masakari_instance_monitor" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll 
$envAll.Values.pod.resources.masakari_instance_monitor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_instance_monitor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-instance-monitor.sh + - start + env: + - name: COMPUTE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + lifecycle: + preStop: + exec: + command: + - /tmp/masakari-instance-monitor.sh + - stop + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-shared + mountPath: /tmp/pod-shared + - name: masakari-bin + mountPath: /tmp/masakari-instance-monitor.sh + subPath: masakari-instance-monitor.sh + - name: masakari-etc + mountPath: /etc/masakari/masakarimonitors.conf + subPath: masakarimonitors.conf + - name: masakarietc + mountPath: /etc/masakari + - name: varrun + mountPath: /var/run + - name: run + mountPath: /run + volumes: + - name: pod-tmp + emptyDir: {} + - name: pod-shared + emptyDir: {} + - name: masakarietc + emptyDir: {} + - name: varrun + hostPath: + path: /var/run + - name: run + hostPath: + path: /run + - name: masakari-bin + configMap: + name: masakari-bin + defaultMode: 0555 + - name: masakari-etc + secret: + secretName: masakari-etc + defaultMode: 0444 +{{- end }} diff --git a/charts/masakari/templates/daemonset-process-monitor.yaml b/charts/masakari/templates/daemonset-process-monitor.yaml new file mode 100644 index 0000000000..3274870a65 --- /dev/null +++ b/charts/masakari/templates/daemonset-process-monitor.yaml 
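Review bot: The instance monitor mounts the host's `/var/run` and `/run` read-write, which exposes every host socket under those trees (container-runtime sockets, if present, included) to the container; if the monitor only needs the libvirt socket directory, point the hostPath at that subdirectory and add `readOnly: true` where writes are not required — which path it actually uses is not visible in this hunk. The init container mounts `masakari-monitors-init.sh` with `readOnly: true` but the main container's `masakari-instance-monitor.sh` mount has no `readOnly`; add `readOnly: true` there for consistency, as deployment-engine.yaml does. The `containerNames` mismatch raised on daemonset-host-monitor.yaml applies to this file as well.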
@@ -0,0 +1,132 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.process_monitor }} +{{- $envAll := . }} +{{- $daemonset := "masakari-process-monitor" }} + +{{- $mounts_masakari_process_monitor := .Values.pod.mounts.masakari_process_monitor.masakari_process_monitor }} +{{- $mounts_masakari_process_monitor_init := .Values.pod.mounts.masakari_process_monitor.init_container }} + +{{- $serviceAccountName := "masakari-process-monitor" }} +{{- tuple $envAll "masakari_process_monitor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: masakari-process-monitor + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{- dict "envAll" $envAll "podName" "masakari-process-monitor" "containerNames" (list "masakari-monitor") | include 
"helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ tuple "masakari_process_monitor" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "masakari-process-monitor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.monitors.node_selector_key }}: {{ .Values.labels.monitors.node_selector_value }} + initContainers: +{{ tuple $envAll "masakari_process_monitor" $mounts_masakari_process_monitor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: procressemonitor-init +{{ tuple $envAll "masakari_instance_monitor" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_instance_monitor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_process_monitor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-monitors-init.sh + env: + - name: COMPUTE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-shared + mountPath: /tmp/pod-shared + - name: masakari-bin + mountPath: /tmp/masakari-monitors-init.sh + subPath: masakari-monitors-init.sh + readOnly: true + containers: + - name: masakari-process-monitor +{{ tuple $envAll "masakari_process_monitor" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_process_monitor | 
include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_process_monitor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-process-monitor.sh + - start + env: + - name: COMPUTE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + lifecycle: + preStop: + exec: + command: + - /tmp/masakari-process-monitor.sh + - stop + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: etcmasakari + mountPath: /etc/masakari + - name: pod-shared + mountPath: /tmp/pod-shared + - name: masakari-bin + mountPath: /tmp/masakari-process-monitor.sh + subPath: masakari-process-monitor.sh + - name: masakari-etc + mountPath: /etc/masakari/masakarimonitors.conf + subPath: masakarimonitors.conf + - name: varrun + mountPath: /var/run + - name: run + mountPath: /run + volumes: + - name: pod-tmp + emptyDir: {} + - name: etcmasakari + emptyDir: {} + - name: pod-shared + emptyDir: {} + - name: varrun + hostPath: + path: /var/run + - name: run + hostPath: + path: /run + - name: masakari-bin + configMap: + name: masakari-bin + defaultMode: 0555 + - name: masakari-etc + secret: + secretName: masakari-etc + defaultMode: 0444 +{{- end }} diff --git a/charts/masakari/templates/deployment-api.yaml b/charts/masakari/templates/deployment-api.yaml new file mode 100644 index 0000000000..1f0d0e927c --- /dev/null +++ b/charts/masakari/templates/deployment-api.yaml 
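Review bot: The init container is wired to the instance monitor's values: it takes its image from `masakari_instance_monitor` and its resources from `pod.resources.masakari_instance_monitor`, and its name is misspelled `procressemonitor-init`. If the process monitor is given its own image tag or resource limits in values they are silently ignored here. Change the three lines to `- name: processmonitor-init`, `{{ tuple $envAll "masakari_process_monitor" | include "helm-toolkit.snippets.image" | indent 10 }}` and `{{ tuple $envAll $envAll.Values.pod.resources.masakari_process_monitor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}`. The writable `/var/run` and `/run` hostPath mounts raise the same scoping question as in daemonset-instance-monitor.yaml.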
@@ -0,0 +1,119 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "masakariApiLivenessProbeTemplate" }} +httpGet: + scheme: {{ tuple "instance_ha" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }} + path: / + port: {{ tuple "instance_ha" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} + +{{- define "masakariApiReadinessProbeTemplate" }} +httpGet: + scheme: HTTP + path: / + port: {{ tuple "instance_ha" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} + + +{{- if .Values.manifests.deployment_api }} +{{- $envAll := . 
}} + +{{- $mounts_masakari_api := .Values.pod.mounts.masakari_api.masakari_api }} +{{- $mounts_masakari_api_init := .Values.pod.mounts.masakari_api.init_container }} + +{{- $serviceAccountName := "masakari-api" }} +{{- tuple $envAll "masakari_api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: masakari-api + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll "masakari" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.masakari_api }} + selector: + matchLabels: +{{ tuple $envAll "masakari" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "masakari" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ tuple "masakari_api" . 
| include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }} +{{ dict "envAll" $envAll "podName" "masakari-api" "containerNames" (list "masakari-api-init" "masakari-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} +{{ dict "envAll" $envAll "application" "masakari" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: +{{ tuple $envAll "masakari" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.masakari.node_selector_key }}: {{ .Values.labels.masakari.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.masakari_api.timeout | default "30" }} + initContainers: +{{ tuple $envAll "masakari_api" $mounts_masakari_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: masakari-api +{{ tuple $envAll "masakari_api" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-api.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/masakari-api.sh + - stop + ports: + - name: n-api + containerPort: {{ tuple "instance_ha" "internal" "api" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{ dict "envAll" $envAll "component" "masakari" "container" "default" "type" "liveness" "probeTemplate" (include "masakariApiLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} +{{ dict "envAll" $envAll "component" "masakari" "container" "default" "type" "readiness" "probeTemplate" (include "masakariApiReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: masakari-bin + mountPath: /tmp/masakari-api.sh + subPath: masakari-api.sh + - name: etcmasakari + mountPath: /etc/masakari + - name: masakari-etc + mountPath: /etc/masakari/masakari.conf + subPath: masakari.conf + - name: masakari-etc + mountPath: /etc/masakari/api-paste.ini + subPath: api-paste.ini + volumes: + - name: pod-tmp + emptyDir: {} + - name: etcmasakari + emptyDir: {} + - name: masakari-bin + configMap: + name: masakari-bin + defaultMode: 0555 + - name: masakari-etc + secret: + secretName: masakari-etc + defaultMode: 0444 +{{- end }} diff --git a/charts/masakari/templates/deployment-engine.yaml b/charts/masakari/templates/deployment-engine.yaml new file mode 100644 index 0000000000..6d36e56c43 --- /dev/null +++ b/charts/masakari/templates/deployment-engine.yaml 
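Review bot: The readiness probe hardcodes `scheme: HTTP` while the liveness probe derives the scheme from the endpoint, so once the internal instance_ha endpoint is switched to TLS (the chart has a `manifests.certificates` path) readiness keeps probing plaintext and the pod never becomes ready; use the same lookup in `masakariApiReadinessProbeTemplate`: `scheme: {{ tuple "instance_ha" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}`. `$mounts_masakari_api` is assigned but never used, so user-supplied `pod.mounts.masakari_api` volumes are dropped, unlike in deployment-engine.yaml; add `{{ if $mounts_masakari_api.volumeMounts }}{{ toYaml $mounts_masakari_api.volumeMounts | indent 12 }}{{ end }}` after the last volumeMount and `{{ if $mounts_masakari_api.volumes }}{{ toYaml $mounts_masakari_api.volumes | indent 8 }}{{ end }}` after the last volume. The MAC annotation also lists `masakari-api-init`, which is not a container in this pod.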
@@ -0,0 +1,99 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_engine }} +{{- $envAll := . }} + +{{- $mounts_masakari_engine := .Values.pod.mounts.masakari_engine.masakari_engine }} +{{- $mounts_masakari_engine_init := .Values.pod.mounts.masakari_engine.init_container }} + +{{- $serviceAccountName := "masakari-engine" }} +{{- tuple $envAll "masakari_engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: masakari-engine + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll "masakari" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.masakari_engine }} + selector: + matchLabels: +{{ tuple $envAll "masakari" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "masakari" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} +{{ tuple "masakari_engine" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }} +{{ dict "envAll" $envAll "podName" "masakari-engine" "containerNames" (list "masakari-engine-init" "masakari-engine" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} +{{ dict "envAll" $envAll "application" "masakari-engine" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: +{{ tuple $envAll "masakari" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.masakari.node_selector_key }}: {{ .Values.labels.masakari.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.masakari_engine.timeout | default "30" }} + initContainers: +{{ tuple $envAll "masakari_engine" $mounts_masakari_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: masakari-engine +{{ tuple $envAll "masakari_engine" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.masakari_engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/masakari-engine.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/masakari-engine.sh + - stop + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: masakari-bin + mountPath: /tmp/masakari-engine.sh + subPath: masakari-engine.sh + readOnly: true + - name: etcmasakari + mountPath: /etc/masakari + - name: masakari-etc + mountPath: /etc/masakari/masakari.conf + subPath: masakari.conf +{{ if $mounts_masakari_engine.volumeMounts }}{{ 
toYaml $mounts_masakari_engine.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: etcmasakari + emptyDir: {} + - name: masakari-bin + configMap: + name: masakari-bin + defaultMode: 0555 + - name: masakari-etc + secret: + secretName: masakari-etc + defaultMode: 0444 +{{ if $mounts_masakari_engine.volumes}}{{ toYaml $mounts_masakari_engine.volumes | indent 8 }}{{ end }} +{{- end }} diff --git a/charts/masakari/templates/job-db-drop.yaml b/charts/masakari/templates/job-db-drop.yaml new file mode 100644 index 0000000000..5fd13229db --- /dev/null +++ b/charts/masakari/templates/job-db-drop.yaml @@ -0,0 +1,19 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.job_db_drop }} +{{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.masakari -}} +{{- $dbDropJob := dict "envAll" . "serviceName" "masakari" "dbToDrop" $dbToDrop -}} +{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} +{{- end }} diff --git a/charts/masakari/templates/job-db-init.yaml b/charts/masakari/templates/job-db-init.yaml new file mode 100644 index 0000000000..04f6dc14b4 --- /dev/null +++ b/charts/masakari/templates/job-db-init.yaml 
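Review bot: The mandatory-access-control annotation lists `masakari-engine-init`, but the only containers in this pod are `masakari-engine` and whatever the entrypoint init snippet emits (conventionally `init`, which is also listed); if values ever assign a profile to the stale name, the annotation targets a container that does not exist and the pod is likely rejected at admission. Drop it: `"containerNames" (list "masakari-engine" "init")`. The pod security context is looked up under `"application" "masakari-engine"` while deployment-api.yaml uses `"masakari"` and the container context in this file uses `"masakari"`; confirm that `pod.security_context` in values actually defines a `masakari-engine` key, otherwise rendering fails or the pod-level context comes out empty. Minor: `{{ if $mounts_masakari_engine.volumes}}` is missing the space before `}}`.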
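Review bot: Unlike the sibling job templates, job-db-drop.yaml carries no hook annotation, so with `manifests.job_db_drop` enabled the job is created as an ordinary release resource on install and upgrade and drops the masakari database whenever it runs. If the intent is the usual cleanup on uninstall, gate it the way job-db-init.yaml does, assuming the db-drop helper accepts `jobAnnotations` like the db-init helper: `{{- if .Values.helm3_hook }}`, `{{- $_ := set $dbDropJob "jobAnnotations" (dict "helm.sh/hook" "pre-delete" "helm.sh/hook-weight" "-5") }}`, `{{- end }}` before the include. Confirm the default of `manifests.job_db_drop`, which is not visible here.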
@@ -0,0 +1,28 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "metadata.annotations.job.db_init" }} +{{- if .Values.helm3_hook -}} +helm.sh/hook: post-install,post-upgrade +helm.sh/hook-weight: "-5" +{{- end -}} +{{- end }} + +{{- if .Values.manifests.job_db_init }} +{{- $dbInitJob := dict "envAll" . "serviceName" "masakari" -}} +{{- if .Values.helm3_hook }} +{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml ) }} +{{- end }} +{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} +{{- end }} diff --git a/charts/masakari/templates/job-db-sync.yaml b/charts/masakari/templates/job-db-sync.yaml new file mode 100644 index 0000000000..44563bce2b --- /dev/null +++ b/charts/masakari/templates/job-db-sync.yaml 
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.job_db_sync }} +{{- $envAll := . }} + +{{- $serviceAccountName := "masakari-db-sync" }} +{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: masakari-db-sync + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{- if .Values.helm3_hook }} + "helm.sh/hook": "post-install,post-upgrade" + "helm.sh/hook-weight": "-4" +{{- end }} +spec: + template: + metadata: + labels: +{{ tuple $envAll "masakari" "db-migrate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +{{ tuple $envAll "db_migrate" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: masakari-db-sync +{{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "masakari" "container" "masakari_db_migrate" | 
include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/manage-db.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: masakari-bin + mountPath: /tmp/manage-db.sh + subPath: manage-db.sh + - name: etcmasakari + mountPath: /etc/masakari + - name: masakari-etc + mountPath: /etc/masakari/masakari.conf + subPath: masakari.conf + volumes: + - name: pod-tmp + emptyDir: {} + - name: etcmasakari + emptyDir: {} + - name: masakari-etc + secret: + secretName: masakari-etc + defaultMode: 0444 + - name: masakari-bin + configMap: + name: masakari-bin + defaultMode: 0555 +{{- end }} diff --git a/charts/masakari/templates/job-ks-endpoints.yaml b/charts/masakari/templates/job-ks-endpoints.yaml new file mode 100644 index 0000000000..fb8718ccae --- /dev/null +++ b/charts/masakari/templates/job-ks-endpoints.yaml @@ -0,0 +1,26 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "metadata.annotations.job.ks_endpoints" }} +helm.sh/hook: post-install,post-upgrade +helm.sh/hook-weight: "-2" +{{- end }} + +{{- if .Values.manifests.job_ks_endpoints }} +{{- $ksServiceJob := dict "envAll" . "serviceName" "masakari" "serviceTypes" ( tuple "instance-ha" ) -}} +{{- if .Values.helm3_hook }} +{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml ) }} +{{- end }} +{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} +{{- end }} 
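Review bot: The dependency key passed to the entrypoint init container is `db_migrate` while the service account, image and resources of the same job use `db_sync`; the init container therefore waits on `dependencies.static.db_migrate`, which this chart's values may not define, so the sync could start before the database and the db-init job are ready. Align it with the rest of the template: `{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}`. The container security context key `masakari_db_migrate` should be checked against values for the same reason.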
diff --git a/charts/masakari/templates/job-ks-service.yaml b/charts/masakari/templates/job-ks-service.yaml new file mode 100644 index 0000000000..a33a9bec2c --- /dev/null +++ b/charts/masakari/templates/job-ks-service.yaml @@ -0,0 +1,26 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "metadata.annotations.job.ks_service" }} +helm.sh/hook: post-install,post-upgrade +helm.sh/hook-weight: "-3" +{{- end }} + +{{- if .Values.manifests.job_ks_service }} +{{- $ksServiceJob := dict "envAll" . "serviceName" "masakari" "serviceTypes" ( tuple "instance-ha" ) -}} +{{- if .Values.helm3_hook }} +{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml ) }} +{{- end }} +{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} +{{- end }} diff --git a/charts/masakari/templates/job-ks-user.yaml b/charts/masakari/templates/job-ks-user.yaml new file mode 100644 index 0000000000..0f0fd2768a --- /dev/null +++ b/charts/masakari/templates/job-ks-user.yaml 
@@ -0,0 +1,26 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "metadata.annotations.job.ks_user" }} +helm.sh/hook: post-install,post-upgrade +helm.sh/hook-weight: "-1" +{{- end }} + +{{- if .Values.manifests.job_ks_user }} +{{- $ksUserJob := dict "envAll" . "serviceName" "masakari" -}} +{{- if .Values.helm3_hook }} +{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml ) }} +{{- end }} +{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} +{{- end }} diff --git a/charts/masakari/templates/job-rabbitmq-init.yaml b/charts/masakari/templates/job-rabbitmq-init.yaml new file mode 100644 index 0000000000..7965d8ed45 --- /dev/null +++ b/charts/masakari/templates/job-rabbitmq-init.yaml 
@@ -0,0 +1,26 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "metadata.annotations.job.rabbit_init" }} +helm.sh/hook: post-install,post-upgrade +helm.sh/hook-weight: "-4" +{{- end }} + +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "masakari" -}} +{{- if .Values.helm3_hook }} +{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }} +{{- end }} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/charts/masakari/templates/pbd-api.yaml b/charts/masakari/templates/pbd-api.yaml new file mode 100644 index 0000000000..04ff1b76b6 --- /dev/null +++ b/charts/masakari/templates/pbd-api.yaml 
@@ -0,0 +1,27 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.pdb_api }} +{{- $envAll := . }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: masakari-api +spec: + minAvailable: {{ .Values.pod.lifecycle.disruption_budget.masakari_api.min_available }} + selector: + matchLabels: +{{ tuple $envAll "masakari" "masakari_api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{- end }} diff --git a/charts/masakari/templates/secret-db.yaml b/charts/masakari/templates/secret-db.yaml new file mode 100644 index 0000000000..a8f66c85f6 --- /dev/null +++ b/charts/masakari/templates/secret-db.yaml 
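Review bot: The PodDisruptionBudget selector is built from component `masakari_api` (`tuple $envAll "masakari" "masakari_api" | include "helm-toolkit.snippets.kubernetes_metadata_labels"`), while service-api.yaml later in this commit selects component `api` (`tuple $envAll "masakari" "api"`); unless deployment-api labels its pods with both, one of the two selectors matches nothing, and a PDB that selects no pods silently protects nothing. Use the component label the deployment actually emits in both files. The file is also named `pbd-api.yaml` while its gate is `.Values.manifests.pdb_api`; renaming it to `pdb-api.yaml` keeps the manifest, the flag and the other openstack-helm charts aligned.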
@@ -0,0 +1,35 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_db }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "masakari" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + annotations: +{{ tuple "oslo_db" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: Opaque +data: +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/masakari/templates/secret-keystone.yaml b/charts/masakari/templates/secret-keystone.yaml new file mode 100644 index 0000000000..a33ad89c89 --- /dev/null +++ b/charts/masakari/templates/secret-keystone.yaml 
@@ -0,0 +1,30 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_keystone }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "masakari" "test" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + annotations: +{{ tuple "identity" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} +{{- end }} diff --git a/charts/masakari/templates/secret-rabbitmq.yaml b/charts/masakari/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..da906348d2 --- /dev/null +++ b/charts/masakari/templates/secret-rabbitmq.yaml 
@@ -0,0 +1,35 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} +{{- range $key1, $userClass := tuple "admin" "masakari" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + annotations: +{{ tuple "oslo_messaging" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + TRANSPORT_URL: {{ tuple "oslo_messaging" "internal" $userClass "amqp" $envAll | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/masakari/templates/secret-registry.yaml b/charts/masakari/templates/secret-registry.yaml new file mode 100644 index 0000000000..da979b3223 --- /dev/null +++ b/charts/masakari/templates/secret-registry.yaml 
@@ -0,0 +1,17 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }} +{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }} +{{- end }} diff --git a/charts/masakari/templates/service-api.yaml b/charts/masakari/templates/service-api.yaml new file mode 100644 index 0000000000..85f1395a5f --- /dev/null +++ b/charts/masakari/templates/service-api.yaml 
@@ -0,0 +1,37 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_api }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ tuple "instance_ha" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + ports: + - name: n-api + port: {{ tuple "instance_ha" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.network.masakari_api.node_port.enabled }} + nodePort: {{ .Values.network.masakari_api.node_port.port }} + {{ end }} + selector: +{{ tuple $envAll "masakari" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + {{ if .Values.network.masakari_api.node_port.enabled }} + type: NodePort + {{ if .Values.network.masakari_api.external_policy_local }} + externalTrafficPolicy: Local + {{ end }} + {{ end }} +{{- end }} diff --git a/charts/masakari/values.yaml b/charts/masakari/values.yaml new file mode 100644 index 0000000000..f988abd65a --- /dev/null +++ b/charts/masakari/values.yaml 
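Review bot: The Service port is named `n-api`, which is nova's convention and reads as a copy-paste leftover in a masakari chart; a name derived from this service makes the rendered Service self-describing. The `{{ if .Values.network.masakari_api.node_port.enabled }}` / `{{ end }}` actions carry no whitespace trimming and so emit blank lines in the rendered manifest; `{{- if ... }}` / `{{- end }}` as used in the rest of the chart avoids that. The selector here uses component `api`, whereas pbd-api.yaml uses `masakari_api`; the two should agree with the deployment's labels.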
@@ -0,0 +1,629 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +images: + tags: + db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy + db_sync: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy + db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy + ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy + ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy + ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy + masakari_api: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy + masakari_engine: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy + masakari_host_monitor: docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy + masakari_process_monitor: docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy + masakari_instance_monitor: docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy + rabbit_init: docker.io/rabbitmq:3.13-management + dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal + pull_policy: "IfNotPresent" + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + +labels: + masakari: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + monitors: + node_selector_key: openstack-compute-node + node_selector_value: enabled + test: + node_selector_key: openstack-control-plane + node_selector_value: enabled + +endpoints: + cluster_domain_suffix: 
cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + oci_image_registry: + name: oci-image-registry + namespace: oci-image-registry + auth: + enabled: false + masakari: + username: masakari + password: password + hosts: + default: localhost + host_fqdn_override: + default: null + port: + registry: + default: null + instance_ha: + name: masakari + hosts: + default: masakari-api + public: masakari-api + host_fqdn_override: + default: null + path: + default: "/v1/%(tenant_id)s" + scheme: + default: "http" + port: + api: + default: 15868 + public: 80 + oslo_db: + auth: + admin: + username: root + password: password + secret: + tls: + internal: mariadb-tls-direct + masakari: + username: masakari + password: password + hosts: + default: mariadb + host_fqdn_override: + default: null + path: /masakari + scheme: mysql+pymysql + port: + mysql: + default: 3306 + identity: + name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + masakari: + role: admin + region_name: RegionOne + username: masakari + password: password + project_name: service + user_domain_name: service + project_domain_name: service + test: + role: admin + region_name: RegionOne + username: neutron-test + password: password + project_name: test + user_domain_name: service + project_domain_name: service + hosts: + default: keystone + internal: keystone-api + host_fqdn_override: + default: null + path: + default: /v3 + scheme: + default: http + port: + api: + default: 80 + internal: 5000 + oslo_messaging: + auth: + admin: + username: rabbitmq + password: password + secret: + tls: + internal: rabbitmq-tls-direct + masakari: + username: masakari + password: password + statefulset: + replicas: 2 + name: 
rabbitmq-rabbitmq + hosts: + default: rabbitmq + host_fqdn_override: + default: null + path: /masakari + scheme: rabbit + port: + amqp: + default: 5672 + http: + default: 15672 + oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null + hosts: + default: memcached + host_fqdn_override: + default: null + port: + memcache: + default: 11211 + fluentd: + namespace: null + name: fluentd + hosts: + default: fluentd-logging + host_fqdn_override: + default: null + path: + default: null + scheme: "http" + port: + service: + default: 24224 + metrics: + default: 24220 + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress + # They are using to enable the Egress K8s network policy. + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 + +secrets: + identity: + admin: masakari-keystone-admin + masakari: masakari-keystone-user + test: masakari-keystone-test + oslo_db: + admin: masakari-db-admin + masakari: masakari-db-user + oslo_messaging: + admin: masakari-rabbitmq-admin + masakari: masakari-rabbitmq-user + oci_image_registry: + masakari: masakari-oci-image-registry + +dependencies: + static: + masakari_api: + jobs: + - masakari-db-sync + - masakari-ks-user + - masakari-ks-endpoints + - masakari-ks-service + services: + - endpoint: internal + service: identity + masakari_engine: + jobs: + - masakari-db-sync + - masakari-ks-user + - masakari-ks-endpoints + - masakari-ks-service + services: + - endpoint: internal + 
service: identity + db_init: + services: + - endpoint: internal + service: oslo_db + db_sync: + jobs: + - masakari-db-init + services: + - endpoint: internal + service: oslo_db + ks_endpoints: + jobs: + - masakari-ks-service + services: + - endpoint: internal + service: identity + ks_service: + services: + - endpoint: internal + service: identity + ks_user: + services: + - endpoint: internal + service: identity + +pod: + security_context: + masakari: + pod: + runAsUser: 42424 + container: + masakari_api: + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + runAsUser: 42424 + masakari_engine: + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + runAsUser: 42424 + masakari_db_sync: + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + runAsUser: 42424 + masakari_host_monitor: + readOnlyRootFilesystem: false + allowPrivilegeEscalation: true + runAsUser: 42424 + masakari_process_monitir: + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + runAsUser: 42424 + masakari_instance_monitor: + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + runAsUser: 0 + test: + pod: + runAsUser: 42424 + container: + horizon_test: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + probes: + rpc_timeout: 60 + rpc_retries: 2 + masakari: + default: + liveness: + enabled: true + params: + initialDelaySeconds: 120 + periodSeconds: 90 + timeoutSeconds: 70 + readiness: + enabled: true + params: + initialDelaySeconds: 80 + periodSeconds: 90 + timeoutSeconds: 70 + masakari-engine: + default: + liveness: + enabled: true + params: + initialDelaySeconds: 30 + periodSeconds: 60 + timeoutSeconds: 15 + readiness: + enabled: true + params: + initialDelaySeconds: 30 + periodSeconds: 60 + timeoutSeconds: 15 + affinity: + anti: + type: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname + weight: + default: 10 + replicas: + masakari_api: 1 + masakari_engine: 1 + 
lifecycle: + upgrades: + deployments: + revision_history: 3 + pod_replacement_strategy: RollingUpdate + rolling_update: + max_unavailable: 1 + max_surge: 3 + daemonsets: + pod_replacement_strategy: RollingUpdate + compute: + enabled: true + min_ready_seconds: 0 + max_unavailable: 1 + disruption_budget: + masakari_api: + min_available: 0 + masakari_engine: + min_available: 0 + termination_grace_period: + masakari_api: + timeout: 30 + masakari_engine: + timeout: 30 + mounts: + masakari_api: + init_container: null + masakari_api: + volumeMounts: + volumes: + masakari_engine: + init_container: null + masakari_engine: + volumeMounts: + volumes: + masakari_instance_monitor: + init_container: null + masakari_instance_monitor: + volumeMounts: + volumes: + masakari_host_monitor: + init_container: null + masakari_host_monitor: + volumeMounts: + volumes: + masakari_process_monitor: + init_container: null + masakari_process_monitor: + volumeMounts: + volumes: + masakari_db_sync: + masakari_db_sync: + volumeMounts: + volumes: + masakari_db_init: + masakari_db_sync: + volumeMounts: + volumes: + masakari_ks_users: + masakari_db_sync: + volumeMounts: + volumes: + masakari_ks_service: + masakari_db_sync: + volumeMounts: + volumes: + resources: + enabled: false + masakari_api: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + masakari_engine: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + masakari_host_monitor: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + masakari_instance_monitor: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + masakari_process_monitor: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + jobs: + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + db_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + 
memory: "1024Mi" + cpu: "2000m" + db_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + db_drop: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + ks_endpoints: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + ks_service: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + ks_user: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" +conf: + paste: + composite:masakari_api: + use: call:masakari.api.urlmap:urlmap_factory + /: apiversions + /v1: masakari_api_v1 + composite:masakari_api_v1: + use: call:masakari.api.auth:pipeline_factory_v1 + keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit authtoken keystonecontext osapi_masakari_app_v1 + noauth2: cors http_proxy_to_wsgi request_id faultwrap sizelimit noauth2 osapi_masakari_app_v1 + filter:cors: + paste.filter_factory: oslo_middleware.cors:filter_factory + oslo_config_project: masakari + filter:http_proxy_to_wsgi: + paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory + filter:request_id: + paste.filter_factory: oslo_middleware:RequestId.factory + filter:faultwrap: + paste.filter_factory: masakari.api.openstack:FaultWrapper.factory + filter:sizelimit: + paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory + filter:authtoken: + paste.filter_factory: keystonemiddleware.auth_token:filter_factory + filter:keystonecontext: + paste.filter_factory: masakari.api.auth:MasakariKeystoneContext.factory + filter:noauth2: + paste.filter_factory: masakari.api.auth:NoAuthMiddleware.factory + app:osapi_masakari_app_v1: + paste.app_factory: masakari.api.openstack.ha:APIRouterV1.factory + pipeline:apiversions: + pipeline: faultwrap http_proxy_to_wsgi apiversionsapp + app:apiversionsapp: + paste.app_factory: masakari.api.openstack.ha.versions:Versions.factory + masakari: + DEFAULT: 
+ auth_strategy: keystone + duplicate_notification_detection_interval: 180 + host_failure_recovery_threads: 1 + masakari_api_workers: 1 + graceful_shutdown_timeout: 5 + keystone_authtoken: + auth_type: password + service_type: instance-ha + database: + max_retries: -1 + # Connection string is evaluated though the endpoints for taskflow. + taskflow: + connection: null + wsgi: + api_paste_config: /etc/masakari/api-paste.ini + masakarimonitors: + DEFAULT: + debug: False + api: + api_version: v1 + api_interface: internal + callback: + retry_max: 10 + retry_interval: 10 + introspectiveinstancemonitor: + guest_monitor_interval: 10 + guest_monitor_timeout: 5 + host: + monitoring_driver: default + monitoring_interval: 120 + monitoring_samples: 1 + disable_ipmi_checks: true + corosync_multicast_ports: 5405 + pacemaker_node_type: remote + masakari_sudoers: | + Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin" + masakari-monitors ALL=(ALL:ALL) NOPASSWD: /var/lib/openstack/bin/privsep-helper + +# Note(xuxant): Hooks will break the upgrade for helm2 +# Set to false if using helm2. +helm3_hook: true + +network: + masakari_api: + node_port: + enabled: false + port: 33033 + external_policy_local: false + +manifests: + job_ks_user: true + job_db_sync: true + job_db_init: true + job_db_drop: false + job_ks_endpoints: true + job_ks_service: true + deployment_api: true + deployment_engine: true + configmap_bin: true + configmap_etc: true + secret_db: true + secret_rabbitmq: true + secret_keystone: true + secret_registry: true + job_rabbit_init: true + service_api: true + pdb_api: true + # Host Monitors in containers needs pacemaker remote. + host_monitor: false + instance_monitor: false + process_monitor: false diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index f1b8bba6b6..81f38302da 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
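Review bot: `pod.security_context.masakari.container.masakari_process_monitir` is a typo for `masakari_process_monitor`, so whatever template looks the process-monitor container up by its real name presumably finds no entry and the `allowPrivilegeEscalation: false` / `runAsUser: 42424` settings written here are never applied; rename the key. Several values look like leftovers from the chart this was copied from: `pod.security_context.test.container.horizon_test`, `endpoints.identity.auth.test.username: neutron-test`, and the `mounts.masakari_db_init` / `masakari_ks_users` / `masakari_ks_service` entries that all nest a `masakari_db_sync` mapping. `pod.probes.masakari-engine` is the only kebab-case component key in the file (`masakari_engine` everywhere else) and likely never matches the probe lookup. `conf.masakarimonitors.DEFAULT.debug: False` should be the canonical lowercase `false`. The host monitor's `allowPrivilegeEscalation: true` and the instance monitor's `runAsUser: 0` deserve an inline comment naming the host access (pacemaker-remote or libvirt, presumably) that requires them, so a later reader neither tightens nor copies them blindly.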
@@ -12,99 +12,101 @@ # License for the specific language governing permissions and limitations # under the License. -- name: Get the Kuberentes service for Percona XtraDB Cluster - run_once: true - kubernetes.core.k8s_info: - kind: Service - name: "{{ openstack_helm_endpoints.oslo_db.hosts.default }}" - namespace: openstack - register: _pxc_service +--- +- name: Install Packages + ansible.builtin.package: + name: "{{ item }}" + state: present + with_items: + - corosync + - pacemaker + when: "inventory_hostname in groups[controllers]" -- name: Install MySQL python package - ansible.builtin.pip: - name: PyMySQL +- name: Installs pacemaker-remote + ansible.builtin.package: + name: "pacemaker-remote" + state: present + when: "inventory_hostname in groups[computes]" -- name: Check MySQL ready - run_once: true - community.mysql.mysql_info: - login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" - login_user: root - login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" - filter: - - version - register: mysql_ready - until: mysql_ready is not failed - retries: 120 - delay: 5 +- name: Generates corosync key + become: true + become_user: root + command: corosync-keygen + args: + creates: /etc/corosync/authkey + when: inventory_hostname == groups[controllers][0] + notify: Restart corosync -- name: Create Keycloak database - run_once: true - community.mysql.mysql_db: - login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" - login_user: root - login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" - name: "{{ keycloak_database_name }}" +- name: Generate tmpfile for authkey + tempfile: + state: file + register: authkey_tempfile + changed_when: False + check_mode: no + delegate_to: localhost + when: inventory_hostname != groups[controllers][0] -- name: Create a Keycloak user - run_once: true - community.mysql.mysql_user: - login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" - login_user: root - login_password: 
"{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" - name: "{{ keycloak_database_username }}" - password: "{{ keycloak_database_password }}" - host: "%" - priv: "{{ keycloak_database_name }}.*:ALL" +- name: Fetch authkey for other nodes + fetch: + src: /etc/corosync/authkey + dest: "{{ authkey_tempfile.path }}" + flat: yes + delegate_to: "{{ groups[controllers][0] }}" + changed_when: False + check_mode: no + when: inventory_hostname != groups[controllers][0] -- name: Disable pxc strict mode - run_once: true - community.mysql.mysql_query: - login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" - login_user: root - login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" - query: "set global pxc_strict_mode='PERMISSIVE'" +- name: Copy authkey to other nodes + copy: + src: "{{ authkey_tempfile.path }}" + dest: /etc/corosync/authkey + mode: "0400" + when: inventory_hostname != groups[controllers][0] + notify: Restart corosync -- name: Deploy Helm chart - run_once: true - kubernetes.core.helm: - name: "{{ keycloak_helm_release_name }}" - chart_ref: "{{ keycloak_helm_chart_ref }}" - release_namespace: "{{ keycloak_helm_release_namespace }}" - create_namespace: true - kubeconfig: "{{ keycloak_helm_kubeconfig }}" - wait: true - timeout: 10m - values: "{{ _keycloak_helm_values | combine(keycloak_helm_values, recursive=True) }}" +- name: Clean up tmpdir + file: + path: "{{ authkey_tempfile.path }}" + state: "absent" + changed_when: False + check_mode: no + delegate_to: localhost + when: inventory_hostname != groups[controllers][0] -- name: Wait until keycloak ready - kubernetes.core.k8s_info: - api_version: apps/v1 - kind: StatefulSet - name: "{{ keycloak_helm_release_name }}" - namespace: "{{ keycloak_helm_release_namespace }}" - register: _keycloak_sts - retries: 120 - delay: 5 - until: - - _keycloak_sts.resources[0].status.replicas == _keycloak_sts.resources[0].status.readyReplicas +- name: Chowns authkeys + file: + path: 
/etc/corosync/authkey + mode: "0400" + owner: root + notify: Restart corosync -- name: Create Keycloak Ingress - ansible.builtin.include_role: - name: ingress - vars: - ingress_name: keycloak - ingress_namespace: "{{ keycloak_helm_release_namespace }}" - ingress_class_name: "{{ keycloak_ingress_class_name }}" - ingress_host: "{{ keycloak_host }}" - ingress_service_name: "{{ keycloak_helm_release_name }}" - ingress_service_port: 80 - ingress_secret_name: "{{ keycloak_host_tls_secret_name }}" - ingress_annotations: "{{ _keycloak_ingress_annotations | combine(keycloak_ingress_annotations, recursive=True) }}" +- name: Creates corosync config + template: + src: corosync.conf.j2 + dest: /etc/corosync/corosync.conf + mode: "0400" + owner: root + notify: Restart corosync -- name: Enable pxc strict mode - run_once: true - community.mysql.mysql_query: - login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" - login_user: root - login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" - query: "set global pxc_strict_mode='MASTER'" +- name: Creates services directory + file: + path: /etc/corosync/service.d/ + state: directory + mode: "0755" + +- name: Adds pacemaker service + copy: + src: pcmk + dest: /etc/corosync/service.d/pcmk + owner: root + mode: "0400" + notify: Restart corosync + +- name: Adds ferm filtering + template: + src: "ferm.j2" + dest: /etc/ferm/filter-input.d/60_corosync.conf + mode: "0640" + when: ferm_enabled | default(false) + tags: ferm + notify: Restart ferm diff --git a/roles/masakari/README.md b/roles/masakari/README.md new file mode 100644 index 0000000000..0085979f71 --- /dev/null +++ b/roles/masakari/README.md @@ -0,0 +1 @@ +# `masakari` diff --git a/roles/masakari/defaults/main.yml b/roles/masakari/defaults/main.yml new file mode 100644 index 0000000000..1ab5003a2f --- /dev/null +++ b/roles/masakari/defaults/main.yml 
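Review bot: The keycloak role loses its Keycloak deployment here: the removed tasks (PXC service lookup, database and user creation, the Helm release and its Ingress) were the whole of what the role did, and the corosync/pacemaker tasks put in their place are unrelated to Keycloak, so this reads as content saved into the wrong file rather than an intended rewrite; the original tasks should be restored and these tasks moved to their own role. In the new tasks `groups[controllers]` and `groups[computes]` index `groups` with Jinja variables named `controllers` / `computes` rather than the string keys `groups['controllers']` / `groups['computes']`; unless those variables are defined elsewhere, every `when:` that uses them fails. The cluster key is copied through a temporary file on localhost and the `Clean up tmpdir` task only runs if the preceding `fetch` and `copy` succeed; wrapping the three tasks in a `block:` with the removal under `always:` guarantees the key does not linger on the control node. Module names are mixed (`ansible.builtin.package` next to bare `command`, `tempfile`, `fetch`, `copy`, `file`, `template`) and booleans are mixed (`False`, `no`, `yes`); use FQCNs and `true` / `false` throughout, as the rest of the repository does.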
@@ -0,0 +1,30 @@ +# Copyright (c) 2023 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +masakari_helm_release_name: masakari +masakari_helm_chart_path: "../../charts/masakari/" +masakari_helm_chart_ref: /usr/local/src/masakari + +masakari_helm_release_namespace: openstack +masakari_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}" +masakari_helm_values: {} + +# Class name to use for the Ingress +masakari_ingress_class_name: "{{ atmosphere_ingress_class_name }}" + +# List of annotations to apply to the Ingress +masakari_ingress_annotations: {} + +# List of images to provision inside OpenStack +masakari_images: [] diff --git a/roles/masakari/meta/main.yml b/roles/masakari/meta/main.yml new file mode 100644 index 0000000000..6a86ed1081 --- /dev/null +++ b/roles/masakari/meta/main.yml 
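Review bot: `masakari_images: []` with the comment `# List of images to provision inside OpenStack` appears copied from another role; no task visible in this commit reads it, so either drop it or document what consumes it. `masakari_ingress_annotations: {}` is a mapping, not a list, so its comment should read `# Annotations to apply to the Ingress`.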
@@ -0,0 +1,40 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +galaxy_info: + author: VEXXHOST, Inc. + description: Ansible role for OpenStack Masakari + license: Apache-2.0 + min_ansible_version: 5.5.0 + standalone: false + platforms: + - name: EL + versions: + - "8" + - "9" + - name: Ubuntu + versions: + - focal + - jammy + +dependencies: + - role: defaults + - role: openstacksdk + - role: openstack_helm_endpoints + vars: + openstack_helm_endpoints_chart: masakari + - role: vexxhost.kubernetes.upload_helm_chart + vars: + upload_helm_chart_src: "{{ masakari_helm_chart_path }}" + upload_helm_chart_dest: "{{ masakari_helm_chart_ref }}" diff --git a/roles/masakari/tasks/main.yml b/roles/masakari/tasks/main.yml new file mode 100644 index 0000000000..bfec9b83ac --- /dev/null +++ b/roles/masakari/tasks/main.yml 
@@ -0,0 +1,33 @@ +# Copyright (c) 2022 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Deploy Helm chart + run_once: true + kubernetes.core.helm: + name: "{{ masakari_helm_release_name }}" + chart_ref: "{{ masakari_helm_chart_ref }}" + release_namespace: "{{ masakari_helm_release_namespace }}" + create_namespace: true + kubeconfig: "{{ masakari_helm_kubeconfig }}" + values: "{{ _masakari_helm_values | combine(masakari_helm_values, recursive=True) }}" + +- name: Create Ingress + ansible.builtin.include_role: + name: openstack_helm_ingress + vars: + openstack_helm_ingress_endpoint: instance-ha + openstack_helm_ingress_service_name: masakari-api + openstack_helm_ingress_service_port: 15868 + openstack_helm_ingress_annotations: "{{ _masakari_ingress_annotations | combine(masakari_ingress_annotations) }}" + openstack_helm_ingress_class_name: "{{ masakari_ingress_class_name }}" diff --git a/roles/masakari/vars/main.yml b/roles/masakari/vars/main.yml new file mode 100644 index 0000000000..1565047ae9 --- /dev/null +++ b/roles/masakari/vars/main.yml 
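Review bot: `openstack_helm_ingress_endpoint: instance-ha` uses a hyphen, while the endpoint block added for this service in roles/openstack_helm_endpoints/vars/main.yml is named `_openstack_helm_endpoints_instance_ha` and, as far as I know, the openstack-helm masakari chart keys its endpoint as `instance_ha`; unless the ingress role normalises the name, the host lookup will miss and the Ingress will be created with the wrong or no hostname. I would change it to `openstack_helm_ingress_endpoint: instance_ha` and confirm against how the glance/manila roles name theirs. Separately, unlike the keycloak tasks in this series, the helm task has no `wait: true`/`timeout`, so a failed db-sync or ks-user job inside the release does not fail the play; worth adding if the other OpenStack roles do the same.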
@@ -0,0 +1,44 @@ +# Copyright (c) 2022 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +_masakari_helm_values: + endpoints: "{{ openstack_helm_endpoints }}" + images: + tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('masakari') }}" + pod: + replicas: + masakari_api: 3 + masakari_engine: 3 + conf: + masakari: + DEFAULT: + log_config_append: null + masakari_api_workers: 8 + cors: + allowed_origins: "*" + database: + connection_recycle_time: 600 + max_overflow: 50 + max_pool_size: 5 + pool_timeout: 30 + oslo_messaging_notifications: + driver: noop + manifests: + host_monitor: true + instance_monitor: true + process_monitor: false + +_masakari_ingress_annotations: + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" diff --git a/roles/pacemaker/README.md b/roles/pacemaker/README.md new file mode 100644 index 0000000000..b6c8d34f0a --- /dev/null +++ b/roles/pacemaker/README.md @@ -0,0 +1 @@ +# `pacemaker` diff --git a/roles/pacemaker/defaults/main.yml b/roles/pacemaker/defaults/main.yml new file mode 100644 index 0000000000..a6baf320fa --- /dev/null +++ b/roles/pacemaker/defaults/main.yml 
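Review bot: `cors.allowed_origins: "*"` opens the Masakari API to cross-origin requests from any origin, and the option name does not match oslo.middleware's `allowed_origin` (singular), so as written it is either silently ignored or, once corrected, a wildcard on an operator-facing instance-HA API. Nothing in this deployment puts a browser front-end in front of Masakari, so the safest change is to drop the `cors:` section entirely; if Horizon integration is the motivation, list that single origin explicitly, e.g. `cors: { allowed_origin: "https://<horizon_host>" }`. The `nginx.ingress.kubernetes.io/proxy-body-size: "0"` annotation also removes the request body limit on this Ingress, which is hard to justify for an API that never receives uploads — consider leaving the controller default rather than copying the Glance annotations.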
@@ -0,0 +1,19 @@ +# Copyright (c) 2023 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +pacemaker_corosync_fqdn: false +pacemaker_corosync_group: controllers +pacemaker_remote_group: computes +pacemaker_corosync_ring_interface: "{{ undef(hint='You must specify a Pacemaker Corosync ring interface') }}" +pacemaker_remote_ring_interface: "{{ pacemaker_corosync_ring_interface }}" diff --git a/roles/pacemaker/handlers/main.yml b/roles/pacemaker/handlers/main.yml new file mode 100644 index 0000000000..d058f9d3b5 --- /dev/null +++ b/roles/pacemaker/handlers/main.yml @@ -0,0 +1,19 @@ +# Copyright (c) 2023 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Restart corosync + ansible.builtin.service: + name: corosync + state: restarted + enabled: yes diff --git a/roles/pacemaker/meta/main.yml b/roles/pacemaker/meta/main.yml new file mode 100644 index 0000000000..771491503b --- /dev/null +++ b/roles/pacemaker/meta/main.yml 
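Review bot: The `Restart corosync` handler restarts the service on every notified host in the same handler run, so a config or key change on all controllers takes the whole ring down at once and, with `wait_for_all: 1` in the shipped template, can leave the cluster waiting for every node before quorum returns. Add `throttle: 1` to the handler (or serialise the play) so nodes rejoin one at a time, and write `enabled: true` rather than the YAML 1.1 `yes`. Note also that nothing in this role enables or starts the `pacemaker` (or `pacemaker_remote`) service itself; only corosync is ever restarted.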
@@ -0,0 +1,32 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +galaxy_info: + author: VEXXHOST, Inc. + description: Ansible role for OpenStack Pacemaker + license: Apache-2.0 + min_ansible_version: 5.5.0 + standalone: false + platforms: + - name: EL + versions: + - "8" + - "9" + - name: Ubuntu + versions: + - focal + - jammy + +dependencies: + - role: defaults diff --git a/roles/pacemaker/tasks/main.yml b/roles/pacemaker/tasks/main.yml new file mode 100644 index 0000000000..59545d7cf8 --- /dev/null +++ b/roles/pacemaker/tasks/main.yml 
@@ -0,0 +1,113 @@ +# Copyright (c) 2022 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +--- +- name: Install Corosync + become: true + ansible.builtin.package: + name: corosync + state: present + +- name: Install Pacemaker + become: true + ansible.builtin.package: + name: pacemaker + state: present + when: inventory_hostname in groups[pacemaker_corosync_group] + +- name: Install Pacemaker Remote + become: true + ansible.builtin.package: + name: pacemaker-remote + state: present + when: inventory_hostname in groups[pacemaker_remote_group] + +- name: Generate Corosync authkey (only on first node) + become: true + ansible.builtin.command: corosync-keygen + args: + creates: /etc/corosync/authkey + when: inventory_hostname == groups[pacemaker_corosync_group][0] + notify: Restart corosync + +- name: Create temporary file to receive authkey + ansible.builtin.tempfile: + state: file + register: authkey_tempfile + changed_when: false + check_mode: no + delegate_to: localhost + when: inventory_hostname != groups[pacemaker_corosync_group][0] + +- name: Fetch authkey from first Corosync node + ansible.builtin.fetch: + src: /etc/corosync/authkey + dest: "{{ authkey_tempfile.path }}" + flat: true + delegate_to: "{{ groups[pacemaker_corosync_group][0] }}" + changed_when: false + check_mode: no + when: inventory_hostname != groups[pacemaker_corosync_group][0] + +- name: Copy authkey to current node + become: true + ansible.builtin.copy: + src: "{{ 
authkey_tempfile.path }}" + dest: /etc/corosync/authkey + mode: "0400" + owner: root + when: inventory_hostname != groups[pacemaker_corosync_group][0] + notify: Restart corosync + +- name: Clean up temporary authkey file + ansible.builtin.file: + path: "{{ authkey_tempfile.path }}" + state: absent + changed_when: false + check_mode: no + delegate_to: localhost + when: inventory_hostname != groups[pacemaker_corosync_group][0] + +- name: Set correct permissions for authkey + become: true + ansible.builtin.file: + path: /etc/corosync/authkey + mode: "0400" + owner: root + notify: Restart corosync + +- name: Deploy Corosync configuration + become: true + ansible.builtin.template: + src: corosync.conf.j2 + dest: /etc/corosync/corosync.conf + mode: "0400" + owner: root + notify: Restart corosync + +- name: Ensure Corosync service directory exists + become: true + ansible.builtin.file: + path: /etc/corosync/service.d/ + state: directory + mode: "0755" + +- name: Deploy Pacemaker service configuration + become: true + ansible.builtin.copy: + src: pcmk + dest: /etc/corosync/service.d/pcmk + owner: root + mode: "0400" + notify: Restart corosync diff --git a/roles/pacemaker/templates/corosync.conf.j2 b/roles/pacemaker/templates/corosync.conf.j2 new file mode 100644 index 0000000000..35ed1ccaaf --- /dev/null +++ b/roles/pacemaker/templates/corosync.conf.j2 
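Review bot: The cluster authkey is written to an unencrypted temp file on the Ansible controller (`Create temporary file to receive authkey` / `Fetch authkey from first Corosync node`), and `Clean up temporary authkey file` is an ordinary task, so any failure in `Copy authkey to current node` leaves the key on the controller's disk; the fetch also runs once per non-first host, re-pulling the same secret each time, and neither the fetch nor the copy is `no_log`, so the key path and diff can end up in verbose output. Wrap fetch/copy/cleanup in a `block:`/`always:` so the temp file is removed on the error path too, and mark the two secret-handling tasks `no_log: true`. `Fetch authkey` reads a 0400 root-owned file on the delegate without `become: true` (the generate task above it has it), which will fail unless the play itself runs privileged. Finally, `pacemaker-remote` is installed on `pacemaker_remote_group` hosts but /etc/pacemaker/authkey, which pacemaker_remote needs for its session authentication, is never distributed to them or the controllers; confirm whether remote nodes are actually in scope for this role.
```yaml
- name: Distribute Corosync authkey to the remaining nodes
  when: inventory_hostname != groups[pacemaker_corosync_group][0]
  block:
    - name: Create temporary file to receive authkey
      ansible.builtin.tempfile:
        state: file
      register: authkey_tempfile
      changed_when: false
      check_mode: false
      delegate_to: localhost

    - name: Fetch authkey from first Corosync node
      become: true
      ansible.builtin.fetch:
        src: /etc/corosync/authkey
        dest: "{{ authkey_tempfile.path }}"
        flat: true
      delegate_to: "{{ groups[pacemaker_corosync_group][0] }}"
      changed_when: false
      check_mode: false
      no_log: true

    - name: Copy authkey to current node
      become: true
      ansible.builtin.copy:
        src: "{{ authkey_tempfile.path }}"
        dest: /etc/corosync/authkey
        mode: "0400"
        owner: root
      no_log: true
      notify: Restart corosync
  always:
    - name: Clean up temporary authkey file
      ansible.builtin.file:
        path: "{{ authkey_tempfile.path }}"
        state: absent
      changed_when: false
      check_mode: false
      delegate_to: localhost
      when: authkey_tempfile.path is defined

# … unchanged: Set correct permissions for authkey, Deploy Corosync configuration, service.d tasks …
```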
@@ -0,0 +1,58 @@ +{% if inventory_hostname in groups[pacemaker_corosync_group] %} +{% set _pacemaker_corosync_bind_addr = ansible_facts[pacemaker_corosync_ring_interface | replace('-', '_')]['ipv4']['address'] %} +{% elif pacemaker_remote_group in groups and inventory_hostname in groups[pacemaker_remote_group] %} +{% set _pacemaker_corosync_bind_addr = ansible_facts[pacemaker_remote_ring_interface | replace('-', '_')]['ipv4']['address'] %} +{% endif %} + +totem { + version: 2 + cluster_name: {{ pacemaker_corosync_group }} +{% if pacemaker_enable_nodelist|default(true) %} + transport: udpu +{% endif %} + interface { + ringnumber: 0 + bindnetaddr: {{ _pacemaker_corosync_bind_addr }} + broadcast: yes + mcastport: 5405 + } +} + +quorum { + provider: corosync_votequorum +{% if groups[pacemaker_corosync_group]|count == 2 %} + two_node: 1 +{% else %} + wait_for_all: 1 + last_man_standing: 1 +{% endif %} +{% if not pacemaker_enable_nodelist|default(true) %} + expected_votes: {{ groups[pacemaker_corosync_group]|count }} +{% endif %} +} + +{% if pacemaker_enable_nodelist|default(true) %} +nodelist { + +{% for node in (ternary(groups[pacemaker_remote_group], []) + groups[pacemaker_corosync_group]) | sort %} +{% if node in groups[pacemaker_corosync_group] %} +{% set _pacemaker_corosync_ring_interface = pacemaker_corosync_ring_interface %} +{% elif pacemaker_remote_group in groups and inventory_hostname in groups[pacemaker_remote_group] %} +{% set _pacemaker_corosync_ring_interface = pacemaker_remote_ring_interface %} +{% endif %} + node { + ring0_addr: {{ hostvars[node]['ansible_facts'][_pacemaker_corosync_ring_interface | replace('-', '_')]['ipv4']['address'] }} + name: {{ pacemaker_corosync_fqdn | bool | ternary(hostvars[node]['ansible_facts']['fqdn'], node) }} + nodeid: {{ loop.index }} + } +{% endfor %} +{% endif %} +} +logging { + to_logfile: {{ (pacemaker_corosync_use_logfile | bool) | ternary('yes', 'no') }} + {% if pacemaker_corosync_use_logfile | bool %} + logfile: 
/var/log/corosync/corosync.log + {% endif %} + to_syslog: {{ (pacemaker_corosync_use_syslog | bool) | ternary('yes', 'no') }} + timestamp: on +} \ No newline at end of file From 3f4f1225b825fe9d13d7ae8845e4498c594e46fb Mon Sep 17 00:00:00 2001 From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 03:27:45 +1100 Subject: [PATCH 02/11] revert keycloak change --- roles/keycloak/tasks/main.yml | 176 +++++++++++++++++----------------- 1 file changed, 87 insertions(+), 89 deletions(-) diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 81f38302da..f1b8bba6b6 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
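Review bot: The `totem` block sets no `crypto_cipher`/`crypto_hash` (nor legacy `secauth`), so whether the carefully distributed /etc/corosync/authkey is used to authenticate and encrypt ring traffic depends on corosync's defaults — and on corosync 3, which is what the focal/jammy and EL8/9 platforms in this role's meta ship, my understanding is that the default for both is `none` and that the `udp`/`udpu` transports carry no crypto at all, leaving membership and CPG messages on the ring interface unauthenticated. Switch to `transport: knet` and add `crypto_cipher: aes256` and `crypto_hash: sha256` under `totem`; `broadcast: yes` and `mcastport` are multicast-only settings that do not apply to udpu/knet and can go. In the nodelist loop the `elif` tests `inventory_hostname` instead of `node`, so remote hosts get the controller interface name, and the loop puts `pacemaker_remote_group` hosts into the corosync `nodelist` at all — pacemaker_remote nodes are not corosync members and should not be listed; iterate over `groups[pacemaker_corosync_group]` only. The `}` closing `nodelist` also sits outside the `{% if pacemaker_enable_nodelist %}` guard (stray brace when disabled), and `nodeid: {{ loop.index }}` over a sorted name list renumbers every node when a host is added, which corosync treats as a new identity.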
@@ -12,101 +12,99 @@ # License for the specific language governing permissions and limitations # under the License. ---- -- name: Install Packages - ansible.builtin.package: - name: "{{ item }}" - state: present - with_items: - - corosync - - pacemaker - when: "inventory_hostname in groups[controllers]" +- name: Get the Kuberentes service for Percona XtraDB Cluster + run_once: true + kubernetes.core.k8s_info: + kind: Service + name: "{{ openstack_helm_endpoints.oslo_db.hosts.default }}" + namespace: openstack + register: _pxc_service -- name: Installs pacemaker-remote - ansible.builtin.package: - name: "pacemaker-remote" - state: present - when: "inventory_hostname in groups[computes]" +- name: Install MySQL python package + ansible.builtin.pip: + name: PyMySQL -- name: Generates corosync key - become: true - become_user: root - command: corosync-keygen - args: - creates: /etc/corosync/authkey - when: inventory_hostname == groups[controllers][0] - notify: Restart corosync +- name: Check MySQL ready + run_once: true + community.mysql.mysql_info: + login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" + login_user: root + login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" + filter: + - version + register: mysql_ready + until: mysql_ready is not failed + retries: 120 + delay: 5 -- name: Generate tmpfile for authkey - tempfile: - state: file - register: authkey_tempfile - changed_when: False - check_mode: no - delegate_to: localhost - when: inventory_hostname != groups[controllers][0] +- name: Create Keycloak database + run_once: true + community.mysql.mysql_db: + login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" + login_user: root + login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" + name: "{{ keycloak_database_name }}" -- name: Fetch authkey for other nodes - fetch: - src: /etc/corosync/authkey - dest: "{{ authkey_tempfile.path }}" - flat: yes - delegate_to: "{{ groups[controllers][0] }}" - 
changed_when: False - check_mode: no - when: inventory_hostname != groups[controllers][0] +- name: Create a Keycloak user + run_once: true + community.mysql.mysql_user: + login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" + login_user: root + login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" + name: "{{ keycloak_database_username }}" + password: "{{ keycloak_database_password }}" + host: "%" + priv: "{{ keycloak_database_name }}.*:ALL" -- name: Copy authkey to other nodes - copy: - src: "{{ authkey_tempfile.path }}" - dest: /etc/corosync/authkey - mode: "0400" - when: inventory_hostname != groups[controllers][0] - notify: Restart corosync +- name: Disable pxc strict mode + run_once: true + community.mysql.mysql_query: + login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" + login_user: root + login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" + query: "set global pxc_strict_mode='PERMISSIVE'" -- name: Clean up tmpdir - file: - path: "{{ authkey_tempfile.path }}" - state: "absent" - changed_when: False - check_mode: no - delegate_to: localhost - when: inventory_hostname != groups[controllers][0] +- name: Deploy Helm chart + run_once: true + kubernetes.core.helm: + name: "{{ keycloak_helm_release_name }}" + chart_ref: "{{ keycloak_helm_chart_ref }}" + release_namespace: "{{ keycloak_helm_release_namespace }}" + create_namespace: true + kubeconfig: "{{ keycloak_helm_kubeconfig }}" + wait: true + timeout: 10m + values: "{{ _keycloak_helm_values | combine(keycloak_helm_values, recursive=True) }}" -- name: Chowns authkeys - file: - path: /etc/corosync/authkey - mode: "0400" - owner: root - notify: Restart corosync +- name: Wait until keycloak ready + kubernetes.core.k8s_info: + api_version: apps/v1 + kind: StatefulSet + name: "{{ keycloak_helm_release_name }}" + namespace: "{{ keycloak_helm_release_namespace }}" + register: _keycloak_sts + retries: 120 + delay: 5 + until: + - 
_keycloak_sts.resources[0].status.replicas == _keycloak_sts.resources[0].status.readyReplicas -- name: Creates corosync config - template: - src: corosync.conf.j2 - dest: /etc/corosync/corosync.conf - mode: "0400" - owner: root - notify: Restart corosync +- name: Create Keycloak Ingress + ansible.builtin.include_role: + name: ingress + vars: + ingress_name: keycloak + ingress_namespace: "{{ keycloak_helm_release_namespace }}" + ingress_class_name: "{{ keycloak_ingress_class_name }}" + ingress_host: "{{ keycloak_host }}" + ingress_service_name: "{{ keycloak_helm_release_name }}" + ingress_service_port: 80 + ingress_secret_name: "{{ keycloak_host_tls_secret_name }}" + ingress_annotations: "{{ _keycloak_ingress_annotations | combine(keycloak_ingress_annotations, recursive=True) }}" -- name: Creates services directory - file: - path: /etc/corosync/service.d/ - state: directory - mode: "0755" - -- name: Adds pacemaker service - copy: - src: pcmk - dest: /etc/corosync/service.d/pcmk - owner: root - mode: "0400" - notify: Restart corosync - -- name: Adds ferm filtering - template: - src: "ferm.j2" - dest: /etc/ferm/filter-input.d/60_corosync.conf - mode: "0640" - when: ferm_enabled | default(false) - tags: ferm - notify: Restart ferm +- name: Enable pxc strict mode + run_once: true + community.mysql.mysql_query: + login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}" + login_user: root + login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}" + query: "set global pxc_strict_mode='MASTER'" From 738383a1d773a497a27bee3b6244fcb45edfc653 Mon Sep 17 00:00:00 2001 
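Review bot: `Disable pxc strict mode` sets `pxc_strict_mode='PERMISSIVE'` globally on the shared Percona cluster, and the matching `Enable pxc strict mode` only runs if every task between them — the Helm deploy, the readiness wait (up to ten minutes) and the Ingress — succeeds, so any failure leaves the whole database cluster in PERMISSIVE mode for every OpenStack service, not just Keycloak. Put the deploy, wait and ingress tasks in a `block:` with the re-enable task under `always:` so strict mode is restored on the error path as well. A smaller robustness point: `status.readyReplicas` is absent on a freshly created StatefulSet until the first pod is ready, so the `until` expression can fail the task instead of retrying; `_keycloak_sts.resources[0].status.readyReplicas | default(0) == _keycloak_sts.resources[0].status.replicas` is safer.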
From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 16:26:19 +1100 Subject: [PATCH 03/11] add pacemaker role in playbook --- molecule/aio/group_vars/all/molecule.yml | 1 + molecule/default/group_vars/all/molecule.yml | 1 + molecule/pxc/molecule.yml | 1 + molecule/shared/molecule.yml | 1 + playbooks/generate_workspace.yml | 29 ++++++++++++++++++++ playbooks/openstack.yml | 4 +++ roles/defaults/vars/main.yml | 5 ++++ roles/masakari/meta/main.yml | 1 + 8 files changed, 43 insertions(+) diff --git a/molecule/aio/group_vars/all/molecule.yml b/molecule/aio/group_vars/all/molecule.yml index ac81243076..56b51f3842 100644 --- a/molecule/aio/group_vars/all/molecule.yml +++ b/molecule/aio/group_vars/all/molecule.yml @@ -12,6 +12,7 @@ ceph_conf_overrides: value: false kubernetes_keepalived_interface: br-mgmt +pacemaker_corosync_ring_interface: br-mgmt cilium_helm_values: operator: diff --git a/molecule/default/group_vars/all/molecule.yml b/molecule/default/group_vars/all/molecule.yml index e215406528..d1a5ba8886 100644 --- a/molecule/default/group_vars/all/molecule.yml +++ b/molecule/default/group_vars/all/molecule.yml @@ -1,6 +1,7 @@ cluster_issuer_type: self-signed kubernetes_keepalived_interface: ens3 +pacemaker_corosync_ring_interface: ens3 glance_images: - name: cirros diff --git a/molecule/pxc/molecule.yml b/molecule/pxc/molecule.yml index 9514cfbf4f..3306cca179 100644 --- a/molecule/pxc/molecule.yml +++ b/molecule/pxc/molecule.yml @@ -75,6 +75,7 @@ provisioner: value: false # Kubernetes kubernetes_keepalived_interface: eth0 + pacemaker_corosync_ring_interface: eth0 kubernetes_keepalived_vrid: 42 kubernetes_keepalived_vip: 10.96.240.10 kubernetes_hostname: 10.96.240.10 diff --git a/molecule/shared/molecule.yml b/molecule/shared/molecule.yml index 507a0b2771..49a9d31a86 100644 --- a/molecule/shared/molecule.yml +++ b/molecule/shared/molecule.yml 
@@ -77,6 +77,7 @@ provisioner: value: false # Kubernetes kubernetes_keepalived_interface: eth0 + pacemaker_corosync_ring_interface: eth0 kubernetes_keepalived_vrid: 42 kubernetes_keepalived_vip: 10.96.240.10 kubernetes_hostname: 10.96.240.10 diff --git a/playbooks/generate_workspace.yml b/playbooks/generate_workspace.yml index faeeeff49e..edcab5ab0c 100644 --- a/playbooks/generate_workspace.yml +++ b/playbooks/generate_workspace.yml @@ -336,6 +336,35 @@ content: "{{ nova | to_nice_yaml(indent=2, width=180) }}" dest: "{{ _nova_path }}" +- name: Generate Masakari configuration for workspace + hosts: localhost + gather_facts: false + vars: + _masakari_path: "{{ workspace_path }}/group_vars/all/masakari.yml" + # Input variables + tasks: + - name: Ensure the Masakari configuration file exists + ansible.builtin.file: + path: "{{ _masakari_path }}" + state: touch + + - name: Load the current Masakari configuration into a variable + ansible.builtin.include_vars: + file: "{{ _masakari_path }}" + name: masakari + + - name: Generate Masakari values for missing variables + ansible.builtin.set_fact: + masakari: "{{ masakari | default({}) | combine({item.key: item.value}) }}" + when: item.key not in masakari + with_dict: + pacemaker_corosync_ring_interface: br-ex + + - name: Write new Masakari configuration file to disk + ansible.builtin.copy: + content: "{{ masakari | to_nice_yaml(indent=2, width=180) }}" + dest: "{{ _masakari_path }}" + - name: Generate secrets for workspace hosts: localhost gather_facts: false diff --git a/playbooks/openstack.yml b/playbooks/openstack.yml index 12c35e75e5..9a06f78e0d 100644 --- a/playbooks/openstack.yml +++ b/playbooks/openstack.yml @@ -134,6 +134,10 @@ tags: - manila + - role: masakari + tags: + - masakari + - role: horizon tags: - horizon diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml index cf83407f94..93d2d7653d 100644 --- a/roles/defaults/vars/main.yml +++ b/roles/defaults/vars/main.yml 
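Review bot: The generated default `pacemaker_corosync_ring_interface: br-ex` puts the Corosync ring — totem membership and CPG traffic on UDP 5405, with no crypto enabled by the shipped template — on the external/provider bridge, whereas every molecule scenario in this series binds it to the management interface (`br-mgmt`, `ens3`, `eth0`). Default to the management side, e.g. `pacemaker_corosync_ring_interface: br-mgmt`, or omit the key so the role's `undef(hint=...)` forces an explicit choice; a cluster heartbeat should not ride a tenant-reachable network. The variable is also written to `group_vars/all/masakari.yml` although it belongs to the pacemaker role, so `pacemaker.yml` would make it easier to find.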
@@ -136,6 +136,11 @@ _atmosphere_images: manila_db_sync: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/manila:{{ atmosphere_release }}" manila_scheduler: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/manila:{{ atmosphere_release }}" manila_share: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/manila:{{ atmosphere_release }}" + masakari_api: "docker.io/openstackhelm/masakari:{{ atmosphere_release }}-ubuntu_jammy" + masakari_engine: "docker.io/openstackhelm/masakari:{{ atmosphere_release }}-ubuntu_jammy" + masakari_host_monitor: "docker.io/openstackhelm/masakari-monitors:{{ atmosphere_release }}-ubuntu_jammy" + masakari_process_monitor: "docker.io/openstackhelm/masakari-monitors:{{ atmosphere_release }}-ubuntu_jammy" + masakari_instance_monitor: "docker.io/openstackhelm/masakari-monitors:{{ atmosphere_release }}-ubuntu_jammy" memcached: "{{ atmosphere_image_prefix }}docker.io/library/memcached:1.6.26" netoffload: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/netoffload:{{ atmosphere_release }}" neutron_bagpipe_bgp: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}" diff --git a/roles/masakari/meta/main.yml b/roles/masakari/meta/main.yml index 6a86ed1081..956c298b42 100644 --- a/roles/masakari/meta/main.yml +++ b/roles/masakari/meta/main.yml @@ -38,3 +38,4 @@ dependencies: vars: upload_helm_chart_src: "{{ masakari_helm_chart_path }}" upload_helm_chart_dest: "{{ masakari_helm_chart_ref }}" + - role: pacemaker From 6c9fb7dcd9f2b3d23b78089c6c972ab2214d2526 Mon Sep 17 00:00:00 2001 From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 18:54:22 +1100 Subject: [PATCH 04/11] add vars for masakari endpoints --- playbooks/generate_workspace.yml | 1 + .../defaults/main.yml | 30 +++++++++++++++++++ roles/openstack_helm_endpoints/vars/main.yml | 25 ++++++++++++++++ 3 files changed, 56 insertions(+) 
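Review bot: The five `masakari_*` images are pulled straight from `docker.io/openstackhelm/...` with no `{{ atmosphere_image_prefix }}`, unlike every neighbouring entry, which routes through the prefix and `registry.atmosphere.dev`; this bypasses whatever mirror or private registry operators set the prefix for (air-gapped sites will fail to pull) and pins a mutable third-party tag rather than a project-built image. The tag `{{ atmosphere_release }}-ubuntu_jammy` also looks suspect: openstackhelm tags by OpenStack release (the chart's own values.yaml in this series uses `2024.1-ubuntu_jammy`), so if `atmosphere_release` is Atmosphere's version string the tag will not exist. Either build/mirror masakari into `registry.atmosphere.dev/library/masakari:{{ atmosphere_release }}` like the other services, or at minimum prefix it, e.g. `masakari_api: "{{ atmosphere_image_prefix }}docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy"`, and pin by digest if it stays external.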
diff --git a/playbooks/generate_workspace.yml b/playbooks/generate_workspace.yml index edcab5ab0c..3cf7ce4b63 100644 --- a/playbooks/generate_workspace.yml +++ b/playbooks/generate_workspace.yml @@ -229,6 +229,7 @@ openstack_helm_endpoints_magnum_registry_host: "container-infra-registry.{{ domain_name }}" openstack_helm_endpoints_rgw_host: "object-store.{{ domain_name }}" openstack_helm_endpoints_manila_api_host: "share.{{ domain_name }}" + openstack_helm_endpoints_masakari_api_host: "instance-ha.{{ domain_name }}" - name: Write new endpoints file to disk ansible.builtin.copy: diff --git a/roles/openstack_helm_endpoints/defaults/main.yml b/roles/openstack_helm_endpoints/defaults/main.yml index 0b43abab46..1e81f68296 100644 --- a/roles/openstack_helm_endpoints/defaults/main.yml +++ b/roles/openstack_helm_endpoints/defaults/main.yml 
@@ -490,6 +490,36 @@ openstack_helm_endpoints_manila_keystone_password: "{{ undef(hint='You must spec # Database password for service openstack_helm_endpoints_manila_mariadb_password: "{{ undef(hint='You must specify a Manila MariaDB password') }}" + # ]]] +# .. envvar:: openstack_helm_endpoints_masakari_api_host [[[ +# +# API hostname for OpenStack Image Service +openstack_helm_endpoints_masakari_api_host: "{{ undef(hint='You must specify a Masakari API hostname') }}" + + # ]]] +# .. envvar:: openstack_helm_endpoints_masakari_region_name [[[ +# +# Region name for service +openstack_helm_endpoints_masakari_region_name: "{{ openstack_helm_endpoints_region_name }}" + + # ]]] +# .. envvar:: openstack_helm_endpoints_masakari_keystone_password [[[ +# +# Keystone password for service +openstack_helm_endpoints_masakari_keystone_password: "{{ undef(hint='You must specify a Masakari Keystone password') }}" + + # ]]] +# .. envvar:: openstack_helm_endpoints_masakari_mariadb_password [[[ +# +# Database password for service +openstack_helm_endpoints_masakari_mariadb_password: "{{ undef(hint='You must specify a Masakari MariaDB password') }}" + + # ]]] +# .. envvar:: openstack_helm_endpoints_masakari_rabbitmq_password [[[ +# +# RabbitMQ password for service +openstack_helm_endpoints_masakari_rabbitmq_password: "{{ undef(hint='You must specify a Masakari RabbitMQ password') }}" + # ]]] # .. envvar:: openstack_helm_endpoints_staffeln_mariadb_password [[[ # diff --git a/roles/openstack_helm_endpoints/vars/main.yml b/roles/openstack_helm_endpoints/vars/main.yml index 029fb6cdb0..ea7ec83d5d 100644 --- a/roles/openstack_helm_endpoints/vars/main.yml +++ b/roles/openstack_helm_endpoints/vars/main.yml 
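Review bot: The docstring for `openstack_helm_endpoints_masakari_api_host` says "API hostname for OpenStack Image Service", copied from the Glance entry; it should read `# API hostname for OpenStack Instance HA Service (Masakari)`. The rest of the block follows the Manila entries above it, including the `undef(hint=...)` guards that stop the four secrets from silently defaulting, which is the right shape.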
@@ -118,6 +118,31 @@ _openstack_helm_endpoints_image: glance: password: "{{ openstack_helm_endpoints_glance_rabbitmq_password }}" +_openstack_helm_endpoints_instance_ha: + identity: + auth: + masakari: + region_name: "{{ openstack_helm_endpoints_masakari_region_name }}" + username: "masakari-{{ openstack_helm_endpoints_masakari_region_name }}" + password: "{{ openstack_helm_endpoints_masakari_keystone_password }}" + image: + scheme: + public: https + host_fqdn_override: + public: + host: "{{ openstack_helm_endpoints_masakari_api_host }}" + port: + api: + public: 443 + oslo_db: + auth: + masakari: + password: "{{ openstack_helm_endpoints_masakari_mariadb_password }}" + oslo_messaging: + auth: + masakari: + password: "{{ openstack_helm_endpoints_masakari_rabbitmq_password }}" + _openstack_helm_endpoints_volumev3: identity: auth: From f66db9d91341acc2ee78142670c1ad0b0537607a Mon Sep 17 00:00:00 2001 From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 19:03:07 +1100 Subject: [PATCH 05/11] add missing image for db sync --- roles/defaults/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml index 93d2d7653d..4605105f97 100644 --- a/roles/defaults/vars/main.yml +++ b/roles/defaults/vars/main.yml 
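Review bot: The host override in `_openstack_helm_endpoints_instance_ha` is placed under `image:` (copied from the Glance block above), so it rewrites the Glance public endpoint seen by the Masakari chart to `instance-ha.<domain>` while the chart's own instance-HA endpoint keeps its default host; the Keystone endpoint registered by the chart's ks-endpoints job and the Ingress hostname will therefore not line up. Change the key to `instance_ha:` (the endpoint name I believe the openstack-helm masakari chart uses) and keep the `scheme`/`host_fqdn_override`/`port` children as they are.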
@@ -137,6 +137,7 @@ _atmosphere_images: manila_scheduler: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/manila:{{ atmosphere_release }}" manila_share: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/manila:{{ atmosphere_release }}" masakari_api: "docker.io/openstackhelm/masakari:{{ atmosphere_release }}-ubuntu_jammy" + masakari_db_sync: "docker.io/openstackhelm/masakari:{{ atmosphere_release }}-ubuntu_jammy" masakari_engine: "docker.io/openstackhelm/masakari:{{ atmosphere_release }}-ubuntu_jammy" masakari_host_monitor: "docker.io/openstackhelm/masakari-monitors:{{ atmosphere_release }}-ubuntu_jammy" masakari_process_monitor: "docker.io/openstackhelm/masakari-monitors:{{ atmosphere_release }}-ubuntu_jammy" From dc1c7dac8be927219669015a14d4a2d2e9803429 Mon Sep 17 00:00:00 2001 From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 19:18:30 +1100 Subject: [PATCH 06/11] fix image tag key for db sync --- charts/masakari/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/masakari/values.yaml b/charts/masakari/values.yaml index f988abd65a..6bebd0ca4a 100644 --- a/charts/masakari/values.yaml +++ b/charts/masakari/values.yaml 
@@ -14,12 +14,12 @@ images: tags: db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy - db_sync: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy masakari_api: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy + masakari_db_sync: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy masakari_engine: docker.io/openstackhelm/masakari:2024.1-ubuntu_jammy masakari_host_monitor: docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy masakari_process_monitor: docker.io/openstackhelm/masakari-monitors:2024.1-ubuntu_jammy From f94824877eb624c21ff51c99d9edccd637c8bd30 Mon Sep 17 00:00:00 2001 From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com> Date: Sun, 23 Mar 2025 19:38:28 +1100 Subject: [PATCH 07/11] add svc file and enable logging --- roles/pacemaker/defaults/main.yml | 2 ++ roles/pacemaker/files/pcmk | 4 ++++ roles/pacemaker/tasks/main.yml | 15 +++++++++++++++ 3 files changed, 21 insertions(+) create mode 100644 roles/pacemaker/files/pcmk diff --git a/roles/pacemaker/defaults/main.yml b/roles/pacemaker/defaults/main.yml index a6baf320fa..98573573b9 100644 --- a/roles/pacemaker/defaults/main.yml +++ b/roles/pacemaker/defaults/main.yml @@ -17,3 +17,5 @@ pacemaker_corosync_group: controllers pacemaker_remote_group: computes pacemaker_corosync_ring_interface: "{{ undef(hint='You must specify a Pacemaker Corosync ring interface') }}" pacemaker_remote_ring_interface: "{{ pacemaker_corosync_ring_interface }}" +pacemaker_corosync_use_syslog: true +pacemaker_corosync_use_logfile: false diff --git a/roles/pacemaker/files/pcmk b/roles/pacemaker/files/pcmk new file mode 100644 index 0000000000..62ebca5d69 --- /dev/null +++ b/roles/pacemaker/files/pcmk 
@@ -0,0 +1,4 @@
+service {
+  name: pacemaker
+  ver: 1
+}
\ No newline at end of file
diff --git a/roles/pacemaker/tasks/main.yml b/roles/pacemaker/tasks/main.yml
index 59545d7cf8..6c40a52261 100644
--- a/roles/pacemaker/tasks/main.yml
+++ b/roles/pacemaker/tasks/main.yml
@@ -96,6 +96,21 @@
     owner: root
   notify: Restart corosync
 
+- name: Creates log directory
+  ansible.builtin.file:
+    path: /var/log/corosync
+    state: directory
+    mode: "0775"
+  when: pacemaker_corosync_use_logfile | bool
+
+- name: Adds logrotate config for corosync
+  ansible.builtin.template:
+    src: corosync_logrotate.conf.j2
+    dest: /etc/logrotate.d/corosync
+    mode: "0644"
+    owner: root
+  when: pacemaker_corosync_use_logfile | bool
+
 - name: Ensure Corosync service directory exists
   become: true
   ansible.builtin.file:
From 9d1c88552ae7e473fc85837941c48486b67799f6 Mon Sep 17 00:00:00 2001
From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com>
Date: Sun, 23 Mar 2025 19:56:20 +1100
Subject: [PATCH 08/11] fix ternary use

---
 roles/pacemaker/templates/corosync.conf.j2 | 32 +++++++++++--------
 .../templates/corosync_logrotate.conf.j2 | 8 +++++
 2 files changed, 26 insertions(+), 14 deletions(-)
 create mode 100644 roles/pacemaker/templates/corosync_logrotate.conf.j2

diff --git a/roles/pacemaker/templates/corosync.conf.j2 b/roles/pacemaker/templates/corosync.conf.j2
index 35ed1ccaaf..0216235d8c 100644
--- a/roles/pacemaker/templates/corosync.conf.j2
+++ b/roles/pacemaker/templates/corosync.conf.j2
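Review bot: `roles/pacemaker/files/pcmk` adds the `service { name: pacemaker ver: 1 }` stanza, which is the Corosync 1.x plugin-loading form; the corosync.conf template in this series (`version: 2`, `transport: udpu`, `corosync_votequorum`) targets Corosync 2 or later, where Pacemaker is no longer loaded as a Corosync service and, to my knowledge, this file is not consulted. If it is kept for a specific distribution or package that still reads it, a one-line comment at the top of the file saying which would keep it from being removed as dead configuration; otherwise the task that installs it (not in this hunk) can go with it. The file also has no trailing newline.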
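Review bot: `Creates log directory` makes `/var/log/corosync` with `mode: "0775"` and no `owner`/`group`, and neither new task has `become: true` while the neighbouring `Ensure Corosync service directory exists` task does; if the play is not already privileged these fail, and if it is, the result is a group-writable directory under `/var/log` owned by whatever the connecting user is. I would change the directory task to `mode: "0750"`, add `owner: root` and `group: root` (or the account corosync writes as), and put `become: true` on both tasks to match the sibling. Separately, the logrotate template added in the `corosync_logrotate.conf.j2` hunk rotates the file `/var/log/corosync.log`, not anything inside the new `/var/log/corosync` directory, and the `logfile:` line of corosync.conf is outside the visible hunks, so one of the two paths is probably wrong — confirm which and align them. Note also that both tasks are gated on `pacemaker_corosync_use_logfile | bool`, so turning the flag back off leaves `/etc/logrotate.d/corosync` in place.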
@@ -1,13 +1,13 @@
 {% if inventory_hostname in groups[pacemaker_corosync_group] %}
 {% set _pacemaker_corosync_bind_addr = ansible_facts[pacemaker_corosync_ring_interface | replace('-', '_')]['ipv4']['address'] %}
-{% elif pacemaker_remote_group in groups and inventory_hostname in groups[pacemaker_remote_group] %}
+{% elif pacemaker_remote_group in groups and inventory_hostname in groups[pacemaker_remote_group] %}
 {% set _pacemaker_corosync_bind_addr = ansible_facts[pacemaker_remote_ring_interface | replace('-', '_')]['ipv4']['address'] %}
 {% endif %}
 totem {
   version: 2
   cluster_name: {{ pacemaker_corosync_group }}
-{% if pacemaker_enable_nodelist|default(true) %}
+{% if pacemaker_enable_nodelist | default(true) %}
   transport: udpu
 {% endif %}
   interface {
@@ -20,34 +20,38 @@ totem {
 quorum {
   provider: corosync_votequorum
-{% if groups[pacemaker_corosync_group]|count == 2 %}
+{% if groups[pacemaker_corosync_group] | count == 2 %}
   two_node: 1
 {% else %}
   wait_for_all: 1
   last_man_standing: 1
 {% endif %}
-{% if not pacemaker_enable_nodelist|default(true) %}
-  expected_votes: {{ groups[pacemaker_corosync_group]|count }}
+{% if not pacemaker_enable_nodelist | default(true) %}
+  expected_votes: {{ groups[pacemaker_corosync_group] | count }}
 {% endif %}
 }
-{% if pacemaker_enable_nodelist|default(true) %}
+{% if pacemaker_enable_nodelist | default(true) %}
 nodelist {
-{% for node in (ternary(groups[pacemaker_remote_group], []) + groups[pacemaker_corosync_group]) | sort %}
-{% if node in groups[pacemaker_corosync_group] %}
-{% set _pacemaker_corosync_ring_interface = pacemaker_corosync_ring_interface %}
-{% elif pacemaker_remote_group in groups and inventory_hostname in groups[pacemaker_remote_group] %}
-{% set _pacemaker_corosync_ring_interface = pacemaker_remote_ring_interface %}
-{% endif %}
+{% set remote_nodes = (pacemaker_remote_group in groups) | ternary(groups[pacemaker_remote_group], []) %}
+{% set all_nodes = remote_nodes + groups[pacemaker_corosync_group] %}
+
+{% for node in all_nodes | sort %}
+{% if node in groups[pacemaker_corosync_group] %}
+{% set _pacemaker_corosync_ring_interface = pacemaker_corosync_ring_interface %}
+{% elif pacemaker_remote_group in groups and node in groups[pacemaker_remote_group] %}
+{% set _pacemaker_corosync_ring_interface = pacemaker_remote_ring_interface %}
+{% endif %}
   node {
     ring0_addr: {{ hostvars[node]['ansible_facts'][_pacemaker_corosync_ring_interface | replace('-', '_')]['ipv4']['address'] }}
     name: {{ pacemaker_corosync_fqdn | bool | ternary(hostvars[node]['ansible_facts']['fqdn'], node) }}
     nodeid: {{ loop.index }}
   }
 {% endfor %}
-{% endif %}
 }
+{% endif %}
+
 logging {
   to_logfile: {{ (pacemaker_corosync_use_logfile | bool) | ternary('yes', 'no') }}
 {% if pacemaker_corosync_use_logfile | bool %}
@@ -55,4 +59,4 @@ logging {
 {% endif %}
   to_syslog: {{ (pacemaker_corosync_use_syslog | bool) | ternary('yes', 'no') }}
   timestamp: on
-}
\ No newline at end of file
+}
diff --git a/roles/pacemaker/templates/corosync_logrotate.conf.j2 b/roles/pacemaker/templates/corosync_logrotate.conf.j2
new file mode 100644
index 0000000000..58dd8641fe
--- /dev/null
+++ b/roles/pacemaker/templates/corosync_logrotate.conf.j2
@@ -0,0 +1,8 @@
+/var/log/corosync.log {
+  missingok
+  compress
+  notifempty
+  daily
+  rotate 7
+  copytruncate
+}
\ No newline at end of file
From e758eb09fd7b29568240f7fd41125be0e0aa7402 Mon Sep 17 00:00:00 2001
From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com>
Date: Sun, 23 Mar 2025 20:54:52 +1100
Subject: [PATCH 09/11] set molecule vars

---
 charts/masakari/templates/job-db-sync.yaml | 2 +-
 molecule/aio/group_vars/all/molecule.yml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/charts/masakari/templates/job-db-sync.yaml b/charts/masakari/templates/job-db-sync.yaml
index 44563bce2b..1981eb511c 100644
--- a/charts/masakari/templates/job-db-sync.yaml
+++ b/charts/masakari/templates/job-db-sync.yaml
@@ -44,7 +44,7 @@ spec:
 {{ tuple $envAll "db_migrate" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: masakari-db-sync
-{{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll "magnum_db_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "masakari" "container" "masakari_db_migrate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
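Review bot: `{% set remote_nodes = (pacemaker_remote_group in groups) | ternary(groups[pacemaker_remote_group], []) %}` evaluates `groups[pacemaker_remote_group]` before `ternary` picks a branch, so the `in groups` guard only holds because Ansible hands `ternary` an undefined value it never dereferences; `{% set remote_nodes = groups[pacemaker_remote_group] | default([]) %}` expresses the same intent directly and does not rely on that. The blank `+` line after the two `set` statements inside `nodelist {` is emitted into the rendered corosync.conf (the `set` lines themselves are trimmed), which is harmless but inconsistent with the rest of the block. The `elif` now tests `node` rather than `inventory_hostname`, which is the actual fix here and looks correct; the template continues on both sides of this hunk.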
diff --git a/molecule/aio/group_vars/all/molecule.yml b/molecule/aio/group_vars/all/molecule.yml
index 56b51f3842..4bc42a2c4c 100644
--- a/molecule/aio/group_vars/all/molecule.yml
+++ b/molecule/aio/group_vars/all/molecule.yml
@@ -228,6 +228,17 @@ manila_helm_values:
       api: 1
       scheduler: 1
 
+masakari_helm_values:
+  conf:
+    masakari:
+      DEFAULT:
+        debug: "{{ lookup('env', 'ATMOSPHERE_DEBUG') | default('false', True) }}"
+        masakari_api_workers: 2
+  pod:
+    replicas:
+      masakari_api: 1
+      masakari_engine: 1
+
 horizon_helm_values:
   conf:
     horizon:
From 304e2b23b2a79da36061dd5d49d6b5809a33a3f8 Mon Sep 17 00:00:00 2001
From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com>
Date: Sun, 23 Mar 2025 20:57:58 +1100
Subject: [PATCH 10/11] fix typo

---
 charts/masakari/templates/job-db-sync.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/masakari/templates/job-db-sync.yaml b/charts/masakari/templates/job-db-sync.yaml
index 1981eb511c..79ccb7bb47 100644
--- a/charts/masakari/templates/job-db-sync.yaml
+++ b/charts/masakari/templates/job-db-sync.yaml
@@ -44,7 +44,7 @@ spec:
 {{ tuple $envAll "db_migrate" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: masakari-db-sync
-{{ tuple $envAll "magnum_db_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll "masakari_db_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "masakari" "container" "masakari_db_migrate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
From d96cd301e54b8b71d36fc3e6b45dde3161eb1691 Mon Sep 17 00:00:00 2001
From: cuttingedge1109 <53085803+cuttingedge1109@users.noreply.github.com>
Date: Mon, 24 Mar 2025 03:10:34 +1100
Subject: [PATCH 11/11] comment log config append

---
 roles/masakari/vars/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/masakari/vars/main.yml b/roles/masakari/vars/main.yml
index 1565047ae9..5e899b2007 100644
--- a/roles/masakari/vars/main.yml
+++ b/roles/masakari/vars/main.yml
@@ -23,7 +23,7 @@ _masakari_helm_values:
   conf:
     masakari:
       DEFAULT:
-        log_config_append: null
+        # log_config_append: null
         masakari_api_workers: 8
       cors:
         allowed_origins: "*"
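Review bot: Commenting out `log_config_append: null` leaves dead text in `_masakari_helm_values` with no indication of why the key is no longer forced to null, and the subject line `comment log config append` does not explain it either, so a reader cannot tell whether this is a temporary workaround or the intended end state. Under Helm's value merging a `null` here removes the key from the chart's defaults, so the visible behaviour change is that whatever `log_config_append` the chart itself sets (not in view) now takes effect. If that is the intent, delete the commented line and record the reason on the `DEFAULT:` mapping, e.g. `# log_config_append is deliberately left at the chart default (<reason>)`; if not, restore it. I cannot see the chart default from this hunk, so confirm which applies.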