From 429e5864d177ca40c32b7c6d7e22eb02799adcc6 Mon Sep 17 00:00:00 2001 From: Adam Fabian Date: Wed, 2 Apr 2025 18:31:45 -0500 Subject: [PATCH 1/9] fix: remove duplicate lines from scripts/kube-ovn-convert.sh (#938) (cherry picked from commit 35e4165e397289dca1b679a5ea9b5e686d4db946) --- scripts/kube-ovn-convert.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/kube-ovn-convert.sh b/scripts/kube-ovn-convert.sh index f1447f0ca..6b3a5b137 100755 --- a/scripts/kube-ovn-convert.sh +++ b/scripts/kube-ovn-convert.sh @@ -48,10 +48,8 @@ helmLabelMaker "clusterrole/system:kube-ovn-app" helmLabelMaker "clusterrolebindings.rbac.authorization.k8s.io/ovn" helmLabelMaker "clusterrolebindings.rbac.authorization.k8s.io/ovn-ovs" helmLabelMaker "clusterrolebindings.rbac.authorization.k8s.io/kube-ovn-cni" -helmLabelMaker "clusterrolebindings.rbac.authorization.k8s.io/kube-ovn-cni" helmLabelMaker "clusterrolebindings.rbac.authorization.k8s.io/kube-ovn-app" -helmLabelMaker "rolebindings.rbac.authorization.k8s.io/ovn" helmLabelMaker "rolebindings.rbac.authorization.k8s.io/ovn" helmLabelMaker "rolebindings.rbac.authorization.k8s.io/kube-ovn-cni" helmLabelMaker "rolebindings.rbac.authorization.k8s.io/kube-ovn-app" From 31d40ea7c3c3eb0c8001f34f2ae528e22759d361 Mon Sep 17 00:00:00 2001 From: Ken Crandall Date: Wed, 2 Apr 2025 16:42:40 -0700 Subject: [PATCH 2/9] fix: lab script needs to install git on Debian (#936) * fix: lab script needs to install git on Debian * feat: add git install to first code block Signed-off-by: Kevin Carter --------- Signed-off-by: Kevin Carter Co-authored-by: Kevin Carter (cherry picked from commit 8a7e53b79e5bf674b0443990951a56af8e46446c) --- scripts/hyperconverged-lab.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/hyperconverged-lab.sh b/scripts/hyperconverged-lab.sh index aadbc7bb9..cc147b09e 100755 --- a/scripts/hyperconverged-lab.sh +++ b/scripts/hyperconverged-lab.sh 
@@ -318,6 +318,10 @@ fi ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -t ${SSH_USERNAME}@${JUMP_HOST_VIP} < /dev/null; then + echo "git could not be found, installing..." + sudo apt update && sudo apt install -y git +fi if [ ! -d "/opt/genestack" ]; then sudo git clone --recurse-submodules -j4 https://github.com/rackerlabs/genestack /opt/genestack else From 72c873b5e6bb2e76d4d11bd8d9b702c8a8288f79 Mon Sep 17 00:00:00 2001 From: Chris Breu Date: Thu, 3 Apr 2025 15:19:32 -0500 Subject: [PATCH 3/9] fix: Correct non-set value to pick up openstack default (#940) (cherry picked from commit 7f5e3c58ae754939b3eff0526658431a31df8d88) --- .../barbican/barbican-helm-overrides.yaml | 2 +- .../ceilometer/ceilometer-helm-overrides.yaml | 2 +- .../cinder/cinder-helm-overrides.yaml | 2 +- .../designate/designate-helm-overrides.yaml | 2 +- .../glance/glance-helm-overrides.yaml | 2 +- .../heat/heat-helm-overrides.yaml | 2 +- .../keystone/keystone-helm-overrides.yaml | 2 +- .../magnum/magnum-helm-overrides.yaml | 2 +- .../neutron/neutron-helm-overrides.yaml | 2 +- .../octavia/octavia-helm-overrides.yaml | 44 +++++++++---------- .../placement/placement-helm-overrides.yaml | 2 +- 11 files changed, 32 insertions(+), 32 deletions(-) diff --git a/base-helm-configs/barbican/barbican-helm-overrides.yaml b/base-helm-configs/barbican/barbican-helm-overrides.yaml index a8524791e..5b394a905 100644 --- a/base-helm-configs/barbican/barbican-helm-overrides.yaml +++ b/base-helm-configs/barbican/barbican-helm-overrides.yaml @@ -33,7 +33,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/ceilometer/ceilometer-helm-overrides.yaml b/base-helm-configs/ceilometer/ceilometer-helm-overrides.yaml index dd52c888a..fbcce783b 100644 --- a/base-helm-configs/ceilometer/ceilometer-helm-overrides.yaml 
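Review bot: The new `sudo apt update && sudo apt install -y git` has no failure handling, so if either step fails on the jump host the script falls through to the `sudo git clone` on the next line and dies there with a less useful error. The dev path later in this same script already retries `apt update` in a loop (`timeout 1m bash -c 'while ! sudo apt update; do sleep 2; done'`), and a freshly booted jump host that has not finished cloud-init can hit a locked dpkg here just as easily; I would reuse that pattern and fail explicitly, e.g. `sudo apt install -y git || { echo "failed to install git on the jump host"; exit 1; }`. Whether that `exit 1` propagates back to the caller depends on the options of the enclosing `ssh … <<EOC` heredoc, which begins outside this hunk and is partly garbled in this view.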
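Review bot: `mysql_sql_mode: {}` is an empty mapping, not an unset key, so Helm still merges it into the chart's values and what lands in the rendered `[database]` section depends on how the chart's oslo-conf helper renders a map-typed value (it may emit a stringified map such as `mysql_sql_mode = map[]` rather than omitting the option). Helm's documented way to drop a key during values merge is to set it to `null`, so I would write `mysql_sql_mode: null` here and in the other ten charts this commit touches. This is worth getting right because the old `""` disabled MySQL's strict mode and the whole point of the change is to fall back to oslo.db's own default (`TRADITIONAL`, as far as I recall) instead of silently accepting truncated or out-of-range data; a quick `helm template … | grep mysql_sql_mode` on one chart would confirm what is actually rendered.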
+++ b/base-helm-configs/ceilometer/ceilometer-helm-overrides.yaml @@ -44,7 +44,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/cinder/cinder-helm-overrides.yaml b/base-helm-configs/cinder/cinder-helm-overrides.yaml index 8042b92ab..488ff4992 100644 --- a/base-helm-configs/cinder/cinder-helm-overrides.yaml +++ b/base-helm-configs/cinder/cinder-helm-overrides.yaml @@ -93,7 +93,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/designate/designate-helm-overrides.yaml b/base-helm-configs/designate/designate-helm-overrides.yaml index b3591796e..bd2ec51a5 100644 --- a/base-helm-configs/designate/designate-helm-overrides.yaml +++ b/base-helm-configs/designate/designate-helm-overrides.yaml @@ -465,7 +465,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/glance/glance-helm-overrides.yaml b/base-helm-configs/glance/glance-helm-overrides.yaml index 9aa7de37c..59c1372cd 100644 --- a/base-helm-configs/glance/glance-helm-overrides.yaml +++ b/base-helm-configs/glance/glance-helm-overrides.yaml @@ -91,7 +91,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/heat/heat-helm-overrides.yaml b/base-helm-configs/heat/heat-helm-overrides.yaml index f260fbf3c..be4cfbaf9 100644 --- a/base-helm-configs/heat/heat-helm-overrides.yaml +++ b/base-helm-configs/heat/heat-helm-overrides.yaml 
@@ -31,7 +31,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/keystone/keystone-helm-overrides.yaml b/base-helm-configs/keystone/keystone-helm-overrides.yaml index d547c767b..690ea3592 100644 --- a/base-helm-configs/keystone/keystone-helm-overrides.yaml +++ b/base-helm-configs/keystone/keystone-helm-overrides.yaml @@ -42,7 +42,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/magnum/magnum-helm-overrides.yaml b/base-helm-configs/magnum/magnum-helm-overrides.yaml index 88d579ab4..c8cd9cb75 100644 --- a/base-helm-configs/magnum/magnum-helm-overrides.yaml +++ b/base-helm-configs/magnum/magnum-helm-overrides.yaml @@ -32,7 +32,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/neutron/neutron-helm-overrides.yaml b/base-helm-configs/neutron/neutron-helm-overrides.yaml index 2a38c8a0f..6f5119acc 100644 --- a/base-helm-configs/neutron/neutron-helm-overrides.yaml +++ b/base-helm-configs/neutron/neutron-helm-overrides.yaml @@ -100,7 +100,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 diff --git a/base-helm-configs/octavia/octavia-helm-overrides.yaml b/base-helm-configs/octavia/octavia-helm-overrides.yaml index 38970a0d3..6eb468fab 100644 --- a/base-helm-configs/octavia/octavia-helm-overrides.yaml +++ b/base-helm-configs/octavia/octavia-helm-overrides.yaml 
@@ -1,23 +1,23 @@ --- images: tags: - bootstrap: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - db_drop: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - db_init: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - dep_check: 'quay.io/rackspace/rackerlabs-kubernetes-entrypoint:latest-ubuntu_jammy' - image_repo_sync: 'quay.io/rackspace/rackerlabs-docker:17.07.0' - ks_endpoints: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - ks_service: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - ks_user: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - octavia_api: 'quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745' - octavia_db_sync: 'quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745' - octavia_health_manager: 'quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745' - octavia_health_manager_init: 'quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy' - octavia_housekeeping: 'quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745' - octavia_worker: 'quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745' - openvswitch_vswitchd: 'docker.io/kolla/centos-source-openvswitch-vswitchd:rocky' - rabbit_init: 'quay.io/rackspace/rackerlabs-rabbitmq:3.13-management' - test: 'quay.io/rackspace/rackerlabs-xrally-openstack:2.0.0' + bootstrap: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + db_drop: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + db_init: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + dep_check: "quay.io/rackspace/rackerlabs-kubernetes-entrypoint:latest-ubuntu_jammy" + image_repo_sync: "quay.io/rackspace/rackerlabs-docker:17.07.0" + ks_endpoints: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + ks_service: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + ks_user: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + octavia_api: 
"quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745" + octavia_db_sync: "quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745" + octavia_health_manager: "quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745" + octavia_health_manager_init: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy" + octavia_housekeeping: "quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745" + octavia_worker: "quay.io/rackspace/rackerlabs-octavia-ovn:2024.1-ubuntu_jammy-1737651745" + openvswitch_vswitchd: "docker.io/kolla/centos-source-openvswitch-vswitchd:rocky" + rabbit_init: "quay.io/rackspace/rackerlabs-rabbitmq:3.13-management" + test: "quay.io/rackspace/rackerlabs-xrally-openstack:2.0.0" dependencies: static: @@ -69,7 +69,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 @@ -90,7 +90,7 @@ conf: endpoint_type: internalURL valid_interfaces: internal nova: - enable_anti_affinity: 'True' + enable_anti_affinity: "True" endpoint_type: internalURL oslo_concurrency: lock_path: /tmp/octavia 
@@ -106,15 +106,15 @@ conf: # https://opendev.org/openstack/oslo.messaging/commit/36fb5bceabe08a982ebd52e4a8f005cd26fdf6b8 heartbeat_rate: 3 heartbeat_timeout_threshold: 60 - # NOTE (deprecation warning) heartbeat_in_pthread will be deprecated in 2024.2 + # NOTE (deprecation warning) heartbeat_in_pthread will be deprecated in 2024.2 heartbeat_in_pthread: True # Setting lower kombu_reconnect_delay should resolve issue with HA failing when one node is down # https://lists.openstack.org/pipermail/openstack-discuss/2023-April/033314.html # https://review.opendev.org/c/openstack/oslo.messaging/+/866617 kombu_reconnect_delay: 0.5 ovn: - ovn_nb_connection: 'tcp:127.0.0.1:6641' - ovn_sb_connection: 'tcp:127.0.0.1:6642' + ovn_nb_connection: "tcp:127.0.0.1:6641" + ovn_sb_connection: "tcp:127.0.0.1:6642" service_auth: insecure: true octavia_api_uwsgi: diff --git a/base-helm-configs/placement/placement-helm-overrides.yaml b/base-helm-configs/placement/placement-helm-overrides.yaml index 63258bdb7..d03652d23 100644 --- a/base-helm-configs/placement/placement-helm-overrides.yaml +++ b/base-helm-configs/placement/placement-helm-overrides.yaml @@ -54,7 +54,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 From 36d6b186d8095ef4b227e644c51c268eaaa8e695 Mon Sep 17 00:00:00 2001 From: James Denton Date: Fri, 4 Apr 2025 11:26:14 -0500 Subject: [PATCH 4/9] Update hyperconverged lab script to fix deployment issues (#942) (cherry picked from commit 74182dd17e61638ffa09725e36c6144fd1e47fe9) --- scripts/hyperconverged-lab.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/scripts/hyperconverged-lab.sh b/scripts/hyperconverged-lab.sh index cc147b09e..54d509e7c 100755 --- a/scripts/hyperconverged-lab.sh +++ b/scripts/hyperconverged-lab.sh 
@@ -290,7 +290,7 @@ fi echo "Waiting for the jump host to be ready" COUNT=0 -while ! ssh -o ConnectTimeout=2 -o ConnectionAttempts=3 -o UserKnownHostsFile=/dev/null -q ${SSH_USERNAME}@${JUMP_HOST_VIP} exit; do +while ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=2 -o ConnectionAttempts=3 -o UserKnownHostsFile=/dev/null -q ${SSH_USERNAME}@${JUMP_HOST_VIP} exit; do sleep 2 echo "SSH is not ready, Trying again..." COUNT=$((COUNT+1)) @@ -307,16 +307,16 @@ if [ "${HYPERCONVERGED_DEV:-false}" = "true" ]; then echo "HYPERCONVERGED_DEV is true, but we've failed to determine the base genestack directory" exit 1 fi - ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -t ${SSH_USERNAME}@${JUMP_HOST_VIP} \ + ssh -o StrictHostKeyChecking=no -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -t ${SSH_USERNAME}@${JUMP_HOST_VIP} \ "timeout 1m bash -c 'while ! sudo apt update; do sleep 2; done' && sudo apt install -y rsync git" echo "Copying the development source code to the jump host" rsync -az \ - -e "ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null" \ + -e "ssh -o StrictHostKeyChecking=no -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null" \ --rsync-path="sudo rsync" \ $(readlink -fn ${SCRIPT_DIR}/../) ${SSH_USERNAME}@${JUMP_HOST_VIP}:/opt/ fi -ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -t ${SSH_USERNAME}@${JUMP_HOST_VIP} < /dev/null; then echo "git could not be found, installing..." @@ -620,7 +620,7 @@ fi EOC # Run host and K8S setup -ssh -o ForwardAgent=yes -o UserKnownHostsFile=/dev/null -t ${SSH_USERNAME}@${JUMP_HOST_VIP} < Date: Mon, 7 Apr 2025 08:43:50 -0500 Subject: [PATCH 5/9] feat: add kustomize to kube-ovn (#932) This will ensure that our deployment of kube-ovn-controller is scoped to only nodes that are labled with the following labels: * "kube-ovn/role": "master" * "kubernetes.io/os": "linux" 
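Review bot: Adding `StrictHostKeyChecking=no` on top of the existing `UserKnownHostsFile=/dev/null` turns off host-key verification entirely for every connection to `${SSH_USERNAME}@${JUMP_HOST_VIP}`, and the connections in this hunk also carry `ForwardAgent=yes`, so anyone who can answer on that VIP first (or sit in the path) gets a usable SSH agent socket rather than a failed handshake. The readiness loop in the first hunk is where this matters most, because the unanswered connects are exactly the window in which a spoofed host would be accepted. A cheap improvement that keeps the script non-interactive is `-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="${KNOWN_HOSTS_FILE}"` on every ssh/rsync invocation, with `KNOWN_HOSTS_FILE=$(mktemp)` set once near the top of the script, so the key seen by the readiness loop is pinned for the rsync and heredoc sessions that follow; pinning against the instance's console-log fingerprint would be better still, if the lab's cloud exposes one. The `ssh … <<EOC` heredoc this hunk opens continues outside it.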
Signed-off-by: Kevin Carter (cherry picked from commit a6960a6f51f20046127c688d83251786ef98b41d) --- .../kube-ovn/base/kube-ovn-nodeSelector-patch.yaml | 5 +++++ base-kustomize/kube-ovn/base/kustomization.yaml | 12 ++++++++++++ bin/install-kube-ovn.sh | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 base-kustomize/kube-ovn/base/kube-ovn-nodeSelector-patch.yaml create mode 100644 base-kustomize/kube-ovn/base/kustomization.yaml diff --git a/base-kustomize/kube-ovn/base/kube-ovn-nodeSelector-patch.yaml b/base-kustomize/kube-ovn/base/kube-ovn-nodeSelector-patch.yaml new file mode 100644 index 000000000..3527cda2f --- /dev/null +++ b/base-kustomize/kube-ovn/base/kube-ovn-nodeSelector-patch.yaml @@ -0,0 +1,5 @@ +- op: replace + path: "/spec/template/spec/nodeSelector" + value: + "kubernetes.io/os": "linux" + "kube-ovn/role": "master" diff --git a/base-kustomize/kube-ovn/base/kustomization.yaml b/base-kustomize/kube-ovn/base/kustomization.yaml new file mode 100644 index 000000000..8a384bde9 --- /dev/null +++ b/base-kustomize/kube-ovn/base/kustomization.yaml @@ -0,0 +1,12 @@ +sortOptions: + order: fifo + +resources: + - all.yaml + +patches: + - path: kube-ovn-nodeSelector-patch.yaml + target: + kind: Deployment + name: kube-ovn-controller + namespace: kube-system diff --git a/bin/install-kube-ovn.sh b/bin/install-kube-ovn.sh index d063f3682..1a9e87231 100755 --- a/bin/install-kube-ovn.sh +++ b/bin/install-kube-ovn.sh @@ -37,6 +37,8 @@ for dir in "$GLOBAL_OVERRIDES_DIR" "$SERVICE_CONFIG_DIR"; do fi done +HELM_CMD+=" --post-renderer /etc/genestack/kustomize/kustomize.sh" +HELM_CMD+=" --post-renderer-args kube-ovn/overlay" HELM_CMD+=" $@" From 06ce52b57e7202d1cb60088390bf8da1c7aefb41 Mon Sep 17 00:00:00 2001 
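Review bot: The JSON-patch `op: replace` on `/spec/template/spec/nodeSelector` only succeeds if the rendered `kube-ovn-controller` Deployment already carries a `nodeSelector`; RFC 6902 `replace` fails on a missing target and kustomize then aborts the whole post-render. `op: add` sets the same value whether or not the key exists, so I would write `- op: add` unless the intent is precisely to fail when upstream changes shape. Separately, scoping the controller to `kube-ovn/role: master` means the Deployment sits Pending until at least one node carries that label, and `bin/install-kube-ovn.sh` does not check for it before running helm; a one-line pre-flight such as `kubectl get nodes -l kube-ovn/role=master -o name | grep -q . || { echo "no node labelled kube-ovn/role=master"; exit 1; }` would make that failure mode obvious. The `all.yaml` that `kustomization.yaml` references is not part of this commit, so I assume it is produced by `/etc/genestack/kustomize/kustomize.sh` from the helm output.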
From: Chris Breu Date: Tue, 8 Apr 2025 08:24:39 -0500 Subject: [PATCH 6/9] fix: (pip-wheel) include require packages to build wheels (#946) (cherry picked from commit 828a2ec7a9172e3a74c2bb3b901249831f6c3360) --- bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap.sh b/bootstrap.sh index ca21a79c3..891f6f03c 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -32,7 +32,7 @@ apt update DEBIAN_FRONTEND=noninteractive \ apt-get -o "Dpkg::Options::=--force-confdef" \ -o "Dpkg::Options::=--force-confold" \ - -qy install make git python3-pip python3-venv jq make > ~/genestack-base-package-install.log 2>&1 + -qy install git python3-pip python3-venv python3-dev jq build-essential > ~/genestack-base-package-install.log 2>&1 if [ $? -gt 1 ]; then error "Check for ansible errors at ~/genestack-base-package-install.log" From 44b779810dc6c9eb2af041557c0a7835b12defff Mon Sep 17 00:00:00 2001 From: Chris Breu Date: Thu, 10 Apr 2025 16:41:27 -0500 Subject: [PATCH 7/9] fix: (mysql) remove secondary connection string as mariadb is not a true clustering db (not galera) (#951) (cherry picked from commit 9ba8c5ffae739cc899309f6dcc55e8d3958bab3a) --- bin/install-glance.sh | 1 - bin/install-heat.sh | 1 - bin/install-keystone.sh | 1 - bin/install-neutron.sh | 1 - bin/install-nova.sh | 3 --- bin/install-octavia.sh | 1 - bin/install-placement.sh | 1 - 7 files changed, 9 deletions(-) diff --git a/bin/install-glance.sh b/bin/install-glance.sh index 44a0290e7..3adcbac9c 100755 --- a/bin/install-glance.sh +++ b/bin/install-glance.sh 
@@ -24,7 +24,6 @@ HELM_CMD+=" --set endpoints.oslo_db.auth.admin.password=\"\$(kubectl --namespace HELM_CMD+=" --set endpoints.oslo_db.auth.glance.password=\"\$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set conf.glance.keystone_authtoken.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" -HELM_CMD+=" --set conf.glance.database.slave_connection=\"mysql+pymysql://glance:\$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/glance\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"\$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.glance.password=\"\$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\"" diff --git a/bin/install-heat.sh b/bin/install-heat.sh index 77bc5ffc5..a1718dc0f 100755 --- a/bin/install-heat.sh +++ b/bin/install-heat.sh 
@@ -26,7 +26,6 @@ HELM_CMD+=" --set endpoints.oslo_db.auth.admin.password=\"\$(kubectl --namespace HELM_CMD+=" --set endpoints.oslo_db.auth.heat.password=\"\$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set conf.heat.keystone_authtoken.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" -HELM_CMD+=" --set conf.heat.database.slave_connection=\"mysql+pymysql://heat:\$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/heat\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"\$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.heat.password=\"\$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\"" diff --git a/bin/install-keystone.sh b/bin/install-keystone.sh index 54e10825a..20c0011bd 100755 --- a/bin/install-keystone.sh +++ b/bin/install-keystone.sh 
@@ -25,7 +25,6 @@ HELM_CMD+=" --set endpoints.identity.auth.admin.password=\"\$(kubectl --namespac HELM_CMD+=" --set endpoints.oslo_db.auth.admin.password=\"\$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_db.auth.keystone.password=\"\$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)\"" -HELM_CMD+=" --set conf.keystone.database.slave_connection=\"mysql+pymysql://keystone:\$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/keystone\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"\$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.keystone.password=\"\$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\"" diff --git a/bin/install-neutron.sh b/bin/install-neutron.sh index 386dadbe4..29daf4daa 100755 --- a/bin/install-neutron.sh +++ b/bin/install-neutron.sh 
@@ -33,7 +33,6 @@ HELM_CMD+=" --set endpoints.oslo_db.auth.admin.password=\"\$(kubectl --namespace HELM_CMD+=" --set endpoints.oslo_db.auth.neutron.password=\"\$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set conf.neutron.keystone_authtoken.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" -HELM_CMD+=" --set conf.neutron.database.slave_connection=\"mysql+pymysql://neutron:\$(kubectl --namespace openstack get secret neutron-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/neutron\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"\$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.neutron.password=\"\$(kubectl --namespace openstack get secret neutron-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set conf.neutron.ovn.ovn_nb_connection=\"tcp:\$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')\"" diff --git a/bin/install-nova.sh b/bin/install-nova.sh index e3dd3d112..a5db259ae 100755 --- a/bin/install-nova.sh +++ b/bin/install-nova.sh 
@@ -36,9 +36,6 @@ HELM_CMD+=" --set endpoints.oslo_db_cell0.auth.admin.password=\"\$(kubectl --nam HELM_CMD+=" --set endpoints.oslo_db_cell0.auth.nova.password=\"\$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set conf.nova.keystone_authtoken.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" -HELM_CMD+=" --set conf.nova.database.slave_connection=\"mysql+pymysql://nova:\$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova\"" -HELM_CMD+=" --set conf.nova.api_database.slave_connection=\"mysql+pymysql://nova:\$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_api\"" -HELM_CMD+=" --set conf.nova.cell0_database.slave_connection=\"mysql+pymysql://nova:\$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/nova_cell0\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"\$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_messaging.auth.nova.password=\"\$(kubectl --namespace openstack get secret nova-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set network.ssh.public_key=\"\$(kubectl -n openstack get secret nova-ssh-keypair -o jsonpath='{.data.public_key}' | base64 -d)\"\$'\n'" 
diff --git a/bin/install-octavia.sh b/bin/install-octavia.sh index 5cf42e226..81ee51580 100755 --- a/bin/install-octavia.sh +++ b/bin/install-octavia.sh @@ -29,7 +29,6 @@ HELM_CMD+=" --set endpoints.oslo_messaging.auth.admin.password=\"\$(kubectl --na HELM_CMD+=" --set endpoints.oslo_messaging.auth.octavia.password=\"\$(kubectl --namespace openstack get secret octavia-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set conf.octavia.keystone_authtoken.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" -HELM_CMD+=" --set conf.octavia.database.slave_connection=\"mysql+pymysql://octavia:\$(kubectl --namespace openstack get secret octavia-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/octavia\"" HELM_CMD+=" --set conf.octavia.certificates.ca_private_key_passphrase=\"\$(kubectl --namespace openstack get secret octavia-certificates -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set conf.octavia.ovn.ovn_nb_connection=\"tcp:\$(kubectl --namespace kube-system get service ovn-nb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')\"" HELM_CMD+=" --set conf.octavia.ovn.ovn_sb_connection=\"tcp:\$(kubectl --namespace kube-system get service ovn-sb -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')\"" diff --git a/bin/install-placement.sh b/bin/install-placement.sh index 090723bf0..2ea2471a5 100755 --- a/bin/install-placement.sh +++ b/bin/install-placement.sh 
@@ -28,7 +28,6 @@ HELM_CMD+=" --set endpoints.oslo_db.auth.placement.password=\"\$(kubectl --names HELM_CMD+=" --set endpoints.oslo_cache.auth.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" HELM_CMD+=" --set endpoints.oslo_db.auth.nova_api.password=\"\$(kubectl --namespace openstack get secret nova-db-password -o jsonpath='{.data.password}' | base64 -d)\"" HELM_CMD+=" --set conf.placement.keystone_authtoken.memcache_secret_key=\"\$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)\"" -HELM_CMD+=" --set conf.placement.placement_database.slave_connection=\"mysql+pymysql://placement:\$(kubectl --namespace openstack get secret placement-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/placement\"" HELM_CMD+=" --post-renderer /etc/genestack/kustomize/kustomize.sh" HELM_CMD+=" --post-renderer-args placement/overlay" From ea9a494a79fbc0953630eed955ca734472beecdb Mon Sep 17 00:00:00 2001 From: Chris Breu Date: Thu, 10 Apr 2025 16:42:24 -0500 Subject: [PATCH 8/9] fix: (nova) empty list mysql_sql_mode to allow oslo.db to use database default (#952) (cherry picked from commit db033b85350a199f20a6d019204284ffb8a4892d) --- base-helm-configs/nova/nova-helm-overrides.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/base-helm-configs/nova/nova-helm-overrides.yaml b/base-helm-configs/nova/nova-helm-overrides.yaml index bc4d715f4..49c60c8d4 100644 --- a/base-helm-configs/nova/nova-helm-overrides.yaml +++ b/base-helm-configs/nova/nova-helm-overrides.yaml @@ -111,7 +111,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 
@@ -120,7 +120,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 @@ -133,7 +133,7 @@ conf: connection_recycle_time: 600 connection_trace: true idle_timeout: 3600 - mysql_sql_mode: "" + mysql_sql_mode: {} use_db_reconnect: true pool_timeout: 60 max_retries: -1 From 9cef64cd558eecec663c25b9b4cb33c6a0e51d6e Mon Sep 17 00:00:00 2001 From: Dan With Date: Tue, 15 Apr 2025 09:34:57 -0500 Subject: [PATCH 9/9] Feat! (Glance): Add sane default policy for image download restrictions (#954) Converting Flex policy to default Genestack Glance policy flex-host-baseline: 85113f87560d1be9eb36e8117d66b5476710f2b2 feat(glance): image_download policy set to prevent export of Rackspace supplied images (#102) And allow tenants (within project) and glance admins to download the image. https://rackspace.atlassian.net/browse/OSPC-1210 (cherry picked from commit f5671be1af4a1d9b84a0965708684cc4cdfd3a9e) --- .../glance/glance-helm-overrides.yaml | 7 ++++ docs/openstack-glance.md | 37 +++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/base-helm-configs/glance/glance-helm-overrides.yaml b/base-helm-configs/glance/glance-helm-overrides.yaml index 59c1372cd..404373578 100644 --- a/base-helm-configs/glance/glance-helm-overrides.yaml +++ b/base-helm-configs/glance/glance-helm-overrides.yaml @@ -116,6 +116,13 @@ conf: glance_api_uwsgi: uwsgi: processes: 4 + policy: + "admin_required": "role:admin or role:glance_admin" + "default": "role:admin or role:glance_admin" + "context_is_admin": "role:admin or role:glance_admin" + "publicize_image": "role:glance_admin" + "is_owner": "tenant:%(owner)s" + "download_image": "rule:is_owner or rule:context_is_admin" logging: logger_root: level: INFO diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index 6d32bc5e1..01922873f 100644 --- a/docs/openstack-glance.md +++ b/docs/openstack-glance.md 
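Review bot: As with the matching change in the other charts, `mysql_sql_mode: {}` leaves the key in the merged values as an empty map rather than removing it, so whether the rendered nova.conf omits the option or emits a stringified map depends on the chart's oslo-conf helper; Helm's documented way to drop a default key is `mysql_sql_mode: null`. That applies to all three database sections changed in this commit, the first of which is in the previous hunk. I would confirm with `helm template` that `mysql_sql_mode` is absent from the rendered config before relying on the database default.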
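Review bot: `"is_owner": "tenant:%(owner)s"` depends on a `tenant` key being present in the policy credentials; that key is a deprecated alias for `project_id` in oslo.context and, depending on the oslo.context version in the 2024.1 images, may no longer be populated, in which case the check is always false and `download_image` quietly collapses to admin-only for every tenant. Writing the rule as `"is_owner": "project_id:%(owner)s"` removes that dependency. Two caveats belong in the docs rather than the code: if I have the Glance policy model right, `download_image` also gates the image-data fetch that Nova and Cinder perform on the user's behalf when the backend cannot clone directly, so a tenant booting a public image on a non-RBD path will be denied—acceptable for the Ceph/Rook default this repo assumes, but worth stating; and the companion docs example in this commit writes `"publicize_image": "rule:context_is_admin or role:is_owner"`, which should be `rule:is_owner`, since `is_owner` is a rule name, not a Keystone role.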
@@ -30,6 +30,43 @@ OpenStack Glance is the image service within the OpenStack ecosystem, responsibl Before running the Glance deployment you should configure the backend which is defined in the `helm-configs/glance/glance-helm-overrides.yaml` file. The default is a making the assumption we're running with Ceph deployed by Rook so the backend is configured to be cephfs with multi-attach functionality. While this works great, you should consider all of the available storage backends and make the right decision for your environment. +## Define policy configuration + +!!! note "Information about the default policy rules used" + + The default policy allows only the glance_admin role to publicize images. + The default policy allows only the glance_admin role or owner role to download images. + These default policy roles are found in genestack/base-helm-configs/glance/glance-helm-overrides.yaml. + To modify these policies, follow the policy allow concepts in the + "Policy change to allow admin or owner to publicize image" example. + + ??? example "Default policy rules" + + ``` yaml + conf: + policy: + "admin_required": "role:admin or role:glance_admin" + "default": "role:admin or role:glance_admin" + "context_is_admin": "role:admin or role:glance_admin" + "publicize_image": "role:glance_admin" + "is_owner": "tenant:%(owner)s" + "download_image": "rule:is_owner or rule:context_is_admin" + ``` + + ??? example "Policy change to allow admin or owner to publicize image" + + ``` yaml + conf: + policy: + "admin_required": "role:admin or role:glance_admin" + "default": "role:admin or role:glance_admin" + "context_is_admin": "role:admin or role:glance_admin" + "is_owner": "tenant:%(owner)s" + "publicize_image": "rule:context_is_admin or role:is_owner" + "download_image": "rule:is_owner or rule:context_is_admin" + ``` + + ## Run the package deployment !!! example "Run the Glance deployment Script `bin/install-glance.sh`"